feat(deps): upgrade upstream dependencies#1989
Conversation
- rolldown: e0d0b1b -> v1.1.3 (e77f7c7) - oxfmt: 0.56.0 -> 0.57.0 - oxlint: 1.71.0 -> 1.72.0 - @oxc-project/runtime: 0.137.0 -> 0.138.0 - @oxc-project/types: 0.137.0 -> 0.138.0 - oxc-minify: 0.137.0 -> 0.138.0 - oxc-parser: 0.137.0 -> 0.138.0 - oxc-transform: 0.137.0 -> 0.138.0 - @napi-rs/wasm-runtime: ^1.1.5 -> ^1.1.6 - rolldown-plugin-dts: ^0.25.2 -> ^0.26.0 Code changes: - Regenerated NAPI bindings: added onAdditionalAssets to BindingDevOptions, dropped BindingViteBuildImportAnalysisPluginV2Config and isEnableV2 (packages/cli/binding/index.d.cts) - Bumped bundledVersions.rolldown 1.1.2 -> 1.1.3 (packages/core/package.json) - Added vitepress-plugin-feedback-tracker@0.2.0-alpha.1 to minimumReleaseAgeExclude (pnpm-workspace.yaml)
✅ Deploy Preview for viteplus-preview canceled.
|
|
Review the following changes in direct dependencies. Learn more about Socket for GitHub.
|
|
Warning Review the following alerts detected in dependencies. According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.
|
CI failure root-cause analysis (updated)
1. CLI snap test (1/3) + CLI E2E (Linux x64 musl): FIXED (781ca2b)Both failed on a one-byte diff in 2. bun-vite-template E2E (ubuntu + windows): worked around (d250225)
3. dify E2E: FIXED (b365d0e)Two layers here. First it hit Root cause: dify sets Fix: export the gate-disabling var only for non-dify projects (the var must be fully unset, not empty, for dify; dify relies on its key-removal patch instead). Reproduced the whole dify E2E locally: with the var set it crashes; with the fix, migrate + install, 4. Security Analysis: FIXED (243bcd0)Not a deny.toml / serde_yml issue. The actual failure is 5. vinext E2E: worked around (e411edf), needs upstream rolldown fixNot a flake or timeout. The suite finished Root cause: vinext's Reproduced minimally (rolldown 1.1.2 links fine; 1.1.3 throws): filed rolldown/rolldown#10020 with a minimal repro. Introduced by rolldown PR rolldown/rolldown#9934 ("preserve used re-exports under preserveModules", in 1.1.3), which emits each preserved module's full declared interface. This is a rolldown bug, not a vinext bug: vinext's latest Status
Relevant upstream links
|
anyhow 1.0.102 has an unsoundness in Error::downcast_mut() (RUSTSEC-2026-0190), which fails the Security Analysis cargo-deny advisories check. Fixed in 1.0.103.
oxfmt 0.57.0 (oxc-css-parser, oxc-project/oxc#23920) rejects mantine's postcss-simple-vars syntax in CSS Modules. Allow vp fmt to fail until postcss-simple-vars is supported.
E2E intentionally installs just-published toolchain packages (e.g. @oxlint/migrate during vp migrate). Set pnpm_config_minimum_release_age=0 so a same-day publish does not fail with ERR_PNPM_NO_MATURE_MATCHING_VERSION (seen on the dify migrate).
rolldown 1.1.3 emits undeclared named exports for default-imported JSON modules under preserveModules (rolldown/rolldown#10020), breaking vinext's ecosystem fixture dev servers. Allow vp run test to fail until rolldown ships a fix.
The dify project uses resolutionMode: time-based and patch-project.ts removes its minimumReleaseAge key to keep pnpm's resolution policy inactive. Defining pnpm_config_minimum_release_age (even as 0 or empty) re-activates that policy, and vp's bundled pnpm has no handleResolutionPolicyViolations callback, so the local file: tgz overrides crash it with ERR_PNPM_RESOLUTION_POLICY_VIOLATIONS_UNHANDLED. Export the gate-disabling var only for non-dify projects, which still need it to avoid ERR_PNPM_NO_MATURE_MATCHING_VERSION on same-day publishes.
The tracking issue for the oxfmt postcss-simple-vars regression is oxc-project/oxc#23969 (a maintainer is planning the fix); previously the comment linked oxc#23920, the parser-switch PR that caused it. Watch #23969 to drop the `vp fmt || true`.
dify was stuck between two failures: with pnpm_config_minimum_release_age set, vp migrate's auto-install crashed (ERR_PNPM_RESOLUTION_POLICY_VIOLATIONS_UNHANDLED, from resolutionMode: time-based + local file: tgz overrides); with it unset, vp migrate's @oxlint/migrate dlx failed on a same-day publish (ERR_PNPM_NO_MATURE_MATCHING_VERSION). Resolve both: patch-project.ts sets the gate var only on dify's vp migrate subprocess (so the dlx installs the fresh toolchain package) and tolerates the auto-install crash, since migrate still emits the config and import rewrites. The workflow's follow-up vp install runs without the var, so dify's resolution policy stays inactive and the real install succeeds. Verified locally end to end: migrate + install, type-check, build, and the targeted tests all pass.
Collapse the if/else (which copied the full execSync invocation into both branches) into a single call: set the dify-only gate var conditionally, run migrate once, and gate only the try/catch on dify (rethrowing for other projects). Behavior unchanged.
…w conditional The gate only matters for vp migrate's @oxlint/migrate dlx, which runs inside patch-project.ts, so set it on the migrate subprocess env for all projects and remove the workflow's dify name-check. dify still tolerates the resulting auto-install crash; the follow-up vp install runs without the gate so dify's time-based resolution policy stays inactive. Also add the curly braces the lint config requires on the dify rethrow.
…-age gate Moving the gate handling fully into the script (per review) dropped the disabled gate from the workflow's standalone vp install, so viteplus-ws-repro failed its lockfile supply-chain check (ERR_PNPM_MINIMUM_RELEASE_AGE_VIOLATION) on the freshly published bumped deps. Run vp install from patch-project.ts instead, disabling the gate for every project except dify (whose time-based policy would crash vp's bundled pnpm; its workspace key is already removed so the policy stays inactive without the var). The workflow step is now a single script invocation. Verified locally: viteplus-ws-repro and dify both install cleanly.
Release vite-plus v0.2.2: the Vite+ Beta release. **Vite+ is now in Beta**: stable and ready for production adoption, fully open source under MIT. Read the announcement to see what Vite+ is about and where it is headed: [Announcing Vite+ Beta](https://voidzero.dev/posts/announcing-vite-plus-beta). On top of the Beta milestone, this release brings cross-version upgrades via `vp migrate`, an official Docker toolchain image on GHCR, zero-config runner-aware `vp build` caching, and PGP-verified managed Node.js downloads. ### Highlights - **`vp migrate` upgrades existing Vite+ projects across versions**: previous release notes told users not to run `vp migrate` for upgrades. It now runs from the global CLI when the local one is older, re-pins `vite-plus` and the `vite` -> `@voidzero-dev/vite-plus-core` alias across dependencies, overrides/resolutions, and catalogs in every workspace package, aligns `vitest` / `@vitest/*` by actual usage, and defaults to a version-only upgrade (pass `--full` to also run the first-time setup bucket: hooks, editor, agent files, lint migration) ([#1891](#1891)), by @fengmk2 - **Official Vite+ Docker toolchain image**: `ghcr.io/voidzero-dev/vite-plus` bundles `vp` plus a native build toolchain on `debian:bookworm-slim` (amd64/arm64, non-root). Since `vp` provisions the exact Node.js from `.node-version`, one image builds any project, and a documented multi-stage build copies the resolved Node.js into a small vp-free runtime stage ([#1944](#1944)), by @fengmk2 - **Zero-config `vp build` caching via runner-aware Vite**: Vite reports its inputs, outputs, and tracked env reads to the `vp` runner over the new `@voidzero-dev/vite-task-client` IPC ([vite#22453](vitejs/vite#22453)), so `vp build` caches correctly with no hand-written cache config: outputs are tracked and restored automatically, and a changed `VITE_*` env var invalidates the cache and is named in the cache-miss message ([#1774](#1774)), by @wan9chi - **PGP-verified Node.js downloads**: installing a managed Node.js now verifies the release's clearsigned `SHASUMS256.txt.asc` against the vendored Node.js release keyring (pure Rust, no `gpg` required) before trusting any checksum, so a tampered archive is rejected before install; unsigned sources (musl builds, custom mirrors) fall back to checksum-only verification ([#1848](#1848)), by @fengmk2 ### Features - `vp check`: a `check` block in `vite.config.ts` (`check.fmt` / `check.lint`) can make plain `vp check` skip formatting or linting by default, mirroring `--no-fmt` / `--no-lint`; standalone `vp fmt` / `vp lint` and git hooks are unaffected, and a `note:` line keeps the config-based skip discoverable ([#1981](#1981)), by @fengmk2 - `vp env list-remote`: highlight installed versions (color, or a `*` prefix when piped) and label the project-resolved `current` and global `default` versions; `--json` gains `installed` / `current` / `default` fields ([#1907](#1907)), by @semimikoh - `vpr` ships as a `vite-plus` package bin, so the `vp run` shorthand works on clean installs without global PATH shims (Vercel build image, generic CI runners) ([#1988](#1988)), by @kvnwolf - Vite Task: `dependsOn` can select tasks from dependency packages, e.g. `dependsOn: [{ "task": "build", "from": "dependencies" }]` ([vite-task#479](voidzero-dev/vite-task#479)), by @wan9chi - Vite Task: a task's `env` / `untrackedEnv` glob patterns support `!` negation (e.g. `["VITE_*", "!VITE_SECRET"]`) ([vite-task#425](voidzero-dev/vite-task#425)), and an env-caused cache miss now names the variable inline, e.g. `cache miss: env 'NODE_ENV' changed` ([vite-task#438](voidzero-dev/vite-task#438)), by @wan9chi - Upgrade upstream dependencies: vite `8.0.16 -> 8.1.2`, rolldown `1.1.1 -> 1.1.4`, oxlint `1.70.0 -> 1.72.0`, oxfmt `0.55.0 -> 0.57.0`, oxlint-tsgolint `0.23.0 -> 0.24.0`, and the oxc toolchain `0.136.0 -> 0.138.0` ([#1924](#1924), [#1989](#1989), [#2000](#2000), [#2009](#2009)), by @voidzero-guard[bot] ### Fixes & Enhancements - Windows: `vp run` no longer hangs CI when a `node_modules/.bin` `.cmd` shim is routed through PowerShell; the npm/pnpm/yarn `.ps1` wrappers read stdin and block forever on a non-TTY pipe, so the PowerShell rewrite is now skipped when stdin is not an interactive terminal ([vite-task#491](voidzero-dev/vite-task#491), via [#1973](#1973)), by @fengmk2 - Vite Task: the task cache is stored in a per-schema-version directory (e.g. `node_modules/.vite/task-cache/v13/`), so switching between branches that pin different Vite+ versions no longer fails with `Unrecognized database version` ([vite-task#433](voidzero-dev/vite-task#433)), by @fengmk2 - Vite Task: env values in cache fingerprints are stored only as SHA-256 digests and env cache-miss details report names without values ([vite-task#455](voidzero-dev/vite-task#455)); prefix env assignments like `PATH=... command` now affect executable lookup during planning ([vite-task#440](voidzero-dev/vite-task#440)); `package.json` / `pnpm-workspace.yaml` files with a UTF-8 BOM parse correctly ([vite-task#424](voidzero-dev/vite-task#424)), by @wan9chi - `vp upgrade`: run the pinned pnpm with a managed Node.js LTS directly instead of re-entering `vp install`, so an incompatible session/project/system runtime can no longer make pnpm skip optional native binaries and leave the upgraded CLI broken ([#1900](#1900)), by @liangmiQwQ - Global package installs: each install writes to an immutable `packages/<name>#<uuid>` prefix that is activated via metadata after npm succeeds, so an interrupted reinstall can no longer leave the active package unavailable ([#1906](#1906)), and stale interrupted-install directories are swept with file-lock protection for concurrent installs ([#1945](#1945)), by @liangmiQwQ - `lazyPlugins()`: skip plugin factories only while config metadata is being resolved instead of keying off `VP_COMMAND`, so builds spawned under `vp run` / `vp exec` keep the user's plugins and `vp format` no longer loads them ([#1939](#1939)), by @fengmk2 - `vp migrate` (pnpm): add a direct `vite` devDep aliased to the core override wherever `vite-plus` is depended on, so vitest's `vite` peer binds to `@voidzero-dev/vite-plus-core` instead of pulling in a second upstream vite that broke the `vp test` cache ([#1933](#1933)), by @fengmk2 - `vp pack`: bundle `@tsdown/exe` and `@tsdown/css` into core so `--exe` and CSS bundling work without a resolvable top-level `tsdown`; the native `lightningcss` becomes an optional peer loaded lazily with an actionable error ([#1919](#1919)), by @fengmk2 - `vp env`: invalidate stale shim resolve cache entries when the project's Node.js version source changes ([#1951](#1951)), by @jong-kyung - Node shim: when the project declares npm via `packageManager` / `devEngines.packageManager`, child processes spawned from `node` resolve the managed npm instead of the Node-bundled one ([#1938](#1938)); `vp env which` reports bins linked by an intercepted `npm install -g` (e.g. `tsc`) instead of "not found" ([#1968](#1968)); bins with uppercase names (e.g. `vitePlus`) dispatch correctly ([#1963](#1963)), by @liangmiQwQ - `vp-setup`: pass the configured npm registry to the inner pnpm install so setup works behind custom registries ([#1795](#1795)), by @daflyinbed - Native binding: declare the platform packages' true ABI floor `engines.node >=20.0.0` so engine-strict package managers (pnpm) no longer skip the optional native dependency and fail with `Cannot find native binding` when a consumer's Node floor lands in a product-policy gap ([#1993](#1993)), by @fengmk2 - `vp create`: run `git init` without creating an initial commit, so commitlint-configured templates no longer reject the hardcoded message and template placeholders are not baked into history ([#2008](#2008)), by @forehalo - `vp staged --debug`: inline the bundled lint-staged version so debug logging no longer crashes reading a `package.json` that does not exist in the bundle ([#1925](#1925)), by @rokuosan - Installer: retry downloads truncated mid-body in `HttpClient::get_bytes` (the platform-tarball path for `vp upgrade` and the standalone installer) ([#1940](#1940)), and clean up the temp dir when a package-manager install fails instead of leaking `.tmpXXXX` directories ([#1949](#1949)), by @shulaoda - Windows/msys: normalize backslashes in the `env.fish` fallback path ([#1954](#1954)), by @Aalivexy - `install.ps1`: detect the missing VC++ runtime (`0xC0000135`) and print VC++ Redistributable guidance instead of a generic failure; interactive `irm | iex` installs keep the shell open ([#1962](#1962)), by @cheezone - `vp migrate`: preserve comments, key order, and trailing commas in existing `.vscode` / `.zed` JSONC configs by patching the original text instead of re-serializing it ([#1956](#1956)), by @fengmk2 - Migration: link the git hook warning to the migration guide ([#1902](#1902)), by @naokihaba - `vp info` / `vp view`: use package-manager-native commands (`pnpm view`, `bun info`, `yarn npm info`) instead of routing every lookup through `npm view` ([#1895](#1895)), by @jong-kyung - Correct overused `ErrorConfig` error types across the codebase ([#1934](#1934)), by @liangmiQwQ ### Refactor - `vite_install`: centralize Yarn v1/berry branching with `is_yarn_berry` ([#1897](#1897)), by @jong-kyung ### Docs - Document Vite Task automatic tracking (fs tracking and cache-reporting tools), reusing the task cache with GitHub Actions cache, and `dependsOn: [{ task, from: "dependencies" }]` ([#1992](#1992)), by @wan9chi - Rewrite the "Upgrading Vite+" guide: preview builds install through the registry bridge as ordinary `0.0.0-commit.<sha>` npm versions, and `vp migrate` is the recommended way to upgrade a project or move it onto a preview build ([#1965](#1965)), by @fengmk2 - Describe how to switch back to the release version from nightly ([#1887](#1887)), by @situ2001 - Clarify Git hook tool migration ([#1901](#1901)), by @naokihaba - Add a global installation explanation ([#1915](#1915)), update the `vp env` help output ([#1969](#1969)), and add liangmiQwQ as a team member ([#1911](#1911)), by @liangmiQwQ - Fix package manager command examples ([#1937](#1937)) and the `dependsOn` guide link ([#1883](#1883)), by @jong-kyung - Remove Fathom analytics from the uninstall docs ([#1946](#1946)), by @mdong1909 - Center the README logo and fix its size ([#1878](#1878)), by @hyf0 ### Chore - Prevent Vite beta upgrades in the upstream-deps script ([#1879](#1879)), stabilize flaky network-dependent tests ([#1923](#1923)), and bump the ecosystem-ci bun-vite-template to the oxlint jsx-a11y fix ([#1898](#1898)), by @fengmk2 - Pin snap-test install fixtures to a published `vite-plus` version so release-branch CI can pass before the new version is published ([#2017](#2017)), by @fengmk2 - Update the deprecated `VITE_PLUS_` env var prefixes to `VP_` in the RFCs ([#1984](#1984)), by @liangmiQwQ - CI: skip full CI for docs-only PRs ([#1991](#1991)) and for the docs deploy config ([#2015](#2015)), by @wan9chi - Update GitHub Actions ([#1904](#1904), [#1977](#1977)), claude-code-action to v1.0.158 ([#1979](#1979)), and pnpm to v10.34.4 ([#1996](#1996)), by @renovate[bot] - Update oxc-project/security-action to v1.0.8 ([#1918](#1918)), by @fengmk2 - Refresh trusted stack stats on the docs homepage ([#1913](#1913), [#1982](#1982)), by @voidzero-guard[bot] ### Bundled Versions | Tool | Version | Source | | --- | --- | --- | | vite | `8.1.2` | [`ba31193`](vitejs/vite@ba31193) | | rolldown | `1.1.4` | [`6cbd233`](rolldown/rolldown@6cbd233) | | tsdown | `0.22.3` | [npm](https://npmx.dev/package/tsdown/v/0.22.3) | | vitest | `4.1.9` | [npm](https://npmx.dev/package/vitest/v/4.1.9) | | oxlint | `1.72.0` | [npm](https://npmx.dev/package/oxlint/v/1.72.0) | | oxlint-tsgolint | `0.24.0` | [npm](https://npmx.dev/package/oxlint-tsgolint/v/0.24.0) | | oxfmt | `0.57.0` | [npm](https://npmx.dev/package/oxfmt/v/0.57.0) | ### Upgrade ```bash vp upgrade ``` New to Vite+? Start with the [Beta announcement](https://voidzero.dev/posts/announcing-vite-plus-beta), then create a project with `vp create` or bring an existing one over with `vp migrate`. ### New Contributors Welcome to our new contributors @rokuosan, @Aalivexy, @cheezone, @daflyinbed, @forehalo, @kvnwolf! 🎉 **Full Changelog**: v0.2.1...v0.2.2 --- Merging this PR will trigger the release workflow. --------- Co-authored-by: voidzero-guard[bot] <278573678+voidzero-guard[bot]@users.noreply.github.com> Co-authored-by: MK <fengmk2@gmail.com>
Summary
v1.1.3(e0d0b1b->e77f7c7) and the oxc toolchain (oxlint1.71.0 -> 1.72.0,oxfmt0.56.0 -> 0.57.0,oxc-*/@oxc-project/*0.137.0 -> 0.138.0).@napi-rs/wasm-runtimeandrolldown-plugin-dts.Dependency updates
rolldowne0d0b1bv1.1.3 (e77f7c7)oxfmt0.56.00.57.0oxlint1.71.01.72.0@oxc-project/runtime0.137.00.138.0@oxc-project/types0.137.00.138.0oxc-minify0.137.00.138.0oxc-parser0.137.00.138.0oxc-transform0.137.00.138.0@napi-rs/wasm-runtime^1.1.5^1.1.6rolldown-plugin-dts^0.25.2^0.26.0Code changes
packages/cli/binding/index.d.cts): addedonAdditionalAssetstoBindingDevOptions; removedBindingViteBuildImportAnalysisPluginV2Configand theisEnableV2field.bundledVersions.rolldown1.1.2 -> 1.1.3 (packages/core/package.json).vitepress-plugin-feedback-tracker@0.2.0-alpha.1tominimumReleaseAgeExclude(pnpm-workspace.yaml).Cargo.lock,pnpm-lock.yaml,packages/tools/.upstream-versions.json).Build status
sync-remote-and-build: successbuild-upstream: success