feat(deps): upgrade upstream dependencies#1646
Merged
Merged
Conversation
- rolldown: ac5c710 -> v1.0.2 (f2757ed)
- vite: 66f3194 -> v8.0.13 (a46f11a)
- vitest: 4.1.6 -> 4.1.7
- oxfmt: 0.48.0 -> 0.51.0
- oxlint: 1.63.0 -> 1.66.0
- oxlint-tsgolint: 0.22.1 -> 0.23.0
- @oxc-project/runtime: 0.129.0 -> 0.132.0
- @oxc-project/types: 0.129.0 -> 0.132.0
- oxc-minify: 0.129.0 -> 0.132.0
- oxc-parser: 0.129.0 -> 0.132.0
- oxc-transform: 0.129.0 -> 0.132.0
- @vitejs/devtools: 0.1.21 -> 0.1.24
Code changes:
- Bump oxc Rust crates 0.128.0 -> 0.132.0 and minor deps (dashmap, jsonschema, mimalloc-safe, pnp) in Cargo.toml.
- Bump Rust toolchain to nightly-2026-03-15 in rust-toolchain.toml.
- Drop `@rolldown/pluginutils` workspace build/override; consume it as a transitive dep of rolldown (.github/actions/build-upstream/action.yml, package.json, pnpm-workspace.yaml).
- Repoint pluginutils path to `rolldown/packages/rolldown/node_modules/@rolldown/pluginutils` in packages/core/build.ts and packages/tools/src/sync-remote-deps.ts.
- Switch `./rolldown/pluginutils` exports to direct `.mjs` entries in packages/core/package.json; bump bundledVersions for vite/rolldown.
- Sync catalog versions for transitive deps (remeda, rolldown-plugin-dts, rollup, semver, tsx, valibot, vitepress-plugin-graphviz, ws) in pnpm-workspace.yaml.
- Refresh snapshots for new oxlint `--debug` flag and updated parser error format (packages/cli/snap-tests/{bin-oxlint-wrapper,command-helper,build-vite-env,synthetic-build-cache-disabled}/snap.txt, packages/cli/snap-tests-global/command-staged-broken-config/snap.txt).
- Silence `unicorn/consistent-function-scoping` for inline helpers in packages/cli/src/create/__tests__/org-tarball.spec.ts and packages/prompts/src/{group-multi-select,progress-bar,select-key}.ts.
✅ Deploy Preview for viteplus-preview canceled.
|
Fix clippy errors surfaced by the nightly-2026-03-15 toolchain upgrade: - collapsible_match in vite_install package_manager - unnecessary_sort_by in vite_js_runtime and vite_setup - unnecessary_trailing_comma in cli help test
…orkspace The bundled cargo-deny check inside oxc-project/security-action runs `cargo metadata`, which fails because the workspace Cargo.toml references `./rolldown/crates/*` paths that only exist after cloning the rolldown repo. Pre-clone via the existing `./.github/actions/clone` and clear `origin` so the action's nested taiki-e/checkout-action can re-add it without conflict.
Rolldown crates use `#![expect(clippy::print_stderr)]` at the crate root, but vite-plus's workspace sets `print_stderr = "allow"`. When rolldown crates are built as path dependencies of our workspace, our lint level wins and the expects never fire, triggering `unfulfilled_lint_expectations`. Allow the rust lint so upstream-only expects don't break our build.
Member
|
@codex review |
fengmk2
approved these changes
May 21, 2026
|
Codex Review: Didn't find any major issues. What shall we delve into next? ℹ️ About Codex in GitHubYour team has set up Codex to review pull requests in this repo. Reviews are triggered when you
If Codex has suggestions, it will comment; otherwise it will react with 👍. Codex can also answer questions or update the PR. Try commenting "@codex address that feedback". |
Member
|
security analysis ci follow up here #1635 (comment) |
Merged
fengmk2
added a commit
that referenced
this pull request
May 29, 2026
Release vite-plus v0.1.23. Enterprise-ready HTTP (proxy + custom CA), task command shorthands in `vite.config.ts`, a smoother `vp create`/`vp migrate`, and the oxc/vite/rolldown bundled stack moves forward. ### Highlights - **Proxy and custom-CA aware HTTP**: a new process-wide `vite_shared::shared_http_client()` honors `HTTPS_PROXY` / `HTTP_PROXY` / `NO_PROXY`, picks up macOS System Settings / Windows registry proxies, loads custom CAs from `SSL_CERT_FILE` and `NODE_EXTRA_CA_CERTS`, and exposes a `VP_INSECURE_TLS` diagnostic switch; makes `vp` work through Socket Firewall Free and other TLS-intercepting proxies ([#1686](#1686)), by @fengmk2 - **Task command shorthands**: `run.tasks` entries in `vite.config.ts` now accept a bare string (`"build": "cmd"`) or array (`"build": ["cmd1", "cmd2"]`) instead of always requiring `{ command: ... }`; arrays reuse the existing `&&` planning path so cache, `dependsOn`, and task options stay consistent ([vite-task#391](voidzero-dev/vite-task#391)), by @jong-kyung - **Managed `vp outdated -g`**: routes through Vite+'s managed global package metadata instead of delegating to the underlying `npm outdated -g` store, so all installed global packages are reported consistently ([#1659](#1659)), by @liangmiQwQ ### Features - `vp pm approve-builds`: new unified subcommand that mirrors `pnpm approve-builds` one-to-one, adapts to `bun pm trust`, and warns-and-noops on npm/yarn ([#1662](#1662)), by @fengmk2 - `vp create`: opt-in GitHub Copilot setup; selecting `--agent copilot` now generates a `.github/workflows/copilot-setup-steps.yml` so the Copilot Coding Agent can set up Vite+ and run `vp` in the new project out of the box ([#1683](#1683)), by @jong-kyung - `vp migrate`: prompt to remove `baseUrl` from `tsconfig.json` before applying type-aware lint defaults (runs `@andrewbranch/ts5to6 --fixBaseUrl .` under the hood; auto-applied in non-interactive mode) ([#1692](#1692)), by @TheAlexLichter - Respect `packageManager` in package-manager shims (`npm`/`npx`, `pnpm`/`pnpx`, `yarn`/`yarnpkg`, `bun`/`bunx`); add non-mutating `packageManager` resolution metadata for `vp env current` and `vp env which` ([#1654](#1654)), by @fengmk2 - vite-task: `--filter` no-match now exits `0` by default; add `--fail-if-no-match` to opt back in ([vite-task#393](voidzero-dev/vite-task#393)), by @kazupon ### Fixes & Enhancements - `vp create`: keep generated `.vscode/settings.json` trackable when the VS Code editor option is selected (avoid templates' `.vscode/*` `.gitignore` masking it) ([#1700](#1700)), by @jong-kyung - `vp create vite:monorepo`: normalize sub-package `vite-plus` to `catalog:` even when only `vite-plus` (not `vite`/`vitest`/...) is present, and drop the `vite`/`vitest` aliases generated by the upstream library template ([#1697](#1697)), by @fengmk2 - `vp add/install -g <path>`: resolve the real package name from `package.json` instead of using the path string, so local-path installs don't create broken directories ([#1685](#1685)), by @liangmiQwQ - `vp test --coverage` and other direct built-in commands now expose the workspace's `package.json#packageManager` to child processes so tools like Vitest coverage can spawn the configured PM ([#1696](#1696)), by @jong-kyung - `vp migrate`: clean up the whole ESLint ecosystem (plugins, configs, parser/resolver, type-utils) rather than just `eslint`; skip the migration entirely when `@nuxt/eslint` is detected ([#1682](#1682)), by @fengmk2 - `vp create`: write `fmt.configPath` (not `configPath`) for Zed oxfmt settings to match the official Zed OXC extension layout ([#1687](#1687)), by @chungweileong94 - `vp migrate`: parse `tsconfig.json` as JSONC so files with comments don't break `baseUrl` detection/removal ([#1688](#1688)), by @TheAlexLichter - `vp env setup`: Unix env shims now point at the active `vp` executable instead of always assuming `VP_HOME/current/bin/vp`, so Homebrew-style installs work ([#1631](#1631)), by @leohara - `vp outdated -g` / `vp why -g`: don't require a local `package.json`; global commands run regardless of cwd ([#1622](#1622)), by @liangmiQwQ - `vp create`: default the "Initialize a git repository?" prompt to yes ([#1650](#1650)), by @fengmk2 - `vp` hooks: include the managed Node bin in `PATH` so `./node_modules/.bin/vp` can find `node` from a VS Code commit on macOS ([#1647](#1647)), by @TheAlexLichter - `vpx` on Windows now invokes the package's `.cmd` shim instead of the Unix binary ([#1652](#1652)), by @tobynguyen27 - vite-task: bump cache database schema to version 13 (forces a one-time rebuild of the local task cache) ([vite-task#402](voidzero-dev/vite-task#402)), by @branchseer - Bump vite-task to `d02b257` and `5833b374`; also bumps the repo's Rust nightly toolchain to `nightly-2026-05-24` and ships the regenerated `run` config types and docs for the new task command shorthand ([#1689](#1689), [#1695](#1695)), by @branchseer ### Refactor - Replace `VP_SHELL_NU`/`VP_SHELL_PWSH` with a single `VP_SHELL` override; add explicit shell parsing for `bash`, `zsh`, `fish`, `nu`, `pwsh`, and `cmd`, and harden auto-detection against nested shells ([#1658](#1658)), by @nekomoyi - vite-task: replace `allocator-api2` with `bumpalo` collections ([vite-task#400](voidzero-dev/vite-task#400)), by @branchseer - vite-task: drop the unused `and_item_index` field from `ExecutionItemDisplay` ([vite-task#394](voidzero-dev/vite-task#394)), by @branchseer ### Docs - Add the root `AGENTS.md` as the primary AI-agent guide for the vite-plus repository; convert `CLAUDE.md` into a compatibility pointer ([#1670](#1670)), by @jong-kyung - Align the agent validation table to match `AGENTS.md` ([#1673](#1673)), by @jong-kyung - Update the task output caching guide so the documented behavior matches what vite-task actually does ([#1639](#1639)), by @ericclemmons - Correct the bundled-source location in `packages/core/BUNDLING.md` ([#1660](#1660)), by @shulaoda ### Chore - Clarify `--help` text for `vp env default`/`pin`/`use`/`exec` with `Examples:` blocks ([#1664](#1664)), by @Boshen - Refresh trusted stack stats on the docs homepage ([#1680](#1680)), by @voidzero-guard[bot] - Drop the standalone `pnpm --filter @rolldown/pluginutils build` step now that `@rolldown/pluginutils` is published from its own package ([#1655](#1655)), by @shulaoda - Preserve single-quote style when `sync-remote` rewrites `pnpm-workspace.yaml` ([#1672](#1672)), by @lyzno1 - Enable `vite_pm_cli` lib tests by removing a stale `test = false` flag ([#1661](#1661)), by @shulaoda - CI: switch macOS runners back to `namespace-profile-mac-default` ([#1701](#1701)), by @fengmk2 - CI: fix release-day flakes in the upgrade test and snap test when the dev `package.json` version equals npm latest ([#1645](#1645)), by @fengmk2 - CI: replace `zizmor` and `cargo-deny` workflows with `oxc-project/security-action` ([#1635](#1635)), by @Boshen - CI: warm-up monorepo cache test under npm ([#1649](#1649)), by @fengmk2 - CI: attach per-target `vp` binary archives (`.tar.gz`/`.zip`) to GitHub Releases alongside the existing `vp-setup-*.exe` installers ([#1665](#1665)), by @Boshen - CI: declare Playwright via `repo.json` in ecosystem tests and bump consumers to `>=1.60` to dodge the Node 24.16.0 hang ([#1668](#1668)), by @fengmk2 - Update GitHub Actions ([#1640](#1640), [#1675](#1675), [#1678](#1678), [#1679](#1679), [#1691](#1691)), by @renovate[bot] - Upgrade upstream dependencies: vite `8.0.11 → 8.0.14`, rolldown `1.0.0 → 1.0.3`, vitest `4.1.6 → 4.1.7`, oxlint `1.63.0 → 1.67.0`, oxfmt `0.48.0 → 0.52.0`, oxlint-tsgolint `0.22.1 → 0.23.0`, `@oxc-project/*` and oxc Rust crates `0.129.0 → 0.133.0` ([#1646](#1646), [#1653](#1653), [#1693](#1693), [#1699](#1699)), by @voidzero-guard[bot] ### Bundled Versions | Tool | Version | Source | | --- | --- | --- | | vite | `8.0.14` | [`c917f1e`](vitejs/vite@c917f1e) | | rolldown | `1.0.3` | [`a287faa`](rolldown/rolldown@a287faa) | | tsdown | `0.22.0` | [npm](https://npmx.dev/package/tsdown/v/0.22.0) | | vitest | `4.1.7` | [npm](https://npmx.dev/package/vitest/v/4.1.7) | | oxlint | `1.67.0` | [npm](https://npmx.dev/package/oxlint/v/1.67.0) | | oxlint-tsgolint | `0.23.0` | [npm](https://npmx.dev/package/oxlint-tsgolint/v/0.23.0) | | oxfmt | `0.52.0` | [npm](https://npmx.dev/package/oxfmt/v/0.52.0) | ### New Contributors Welcome to all new contributors! 🎉 @ericclemmons, @tobynguyen27, @shulaoda, @leohara, @chungweileong94 **Full Changelog**: v0.1.22...v0.1.23 Merging this PR will trigger the release workflow. --------- Co-authored-by: voidzero-guard[bot] <278573678+voidzero-guard[bot]@users.noreply.github.com> Co-authored-by: MK <fengmk2@gmail.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
v1.0.2and vite tov8.0.13, plus vitest4.1.7and the oxc/oxlint/oxfmt toolchain.0.128.0 -> 0.132.0and pin Rust toolchain tonightly-2026-03-15.@rolldown/pluginutilsbuild and consume it as a transitive dep of rolldown, repointing the licensing/build paths and updating@voidzero-dev/vite-plus-coreexports.unicorn/consistent-function-scopinglint hits.Dependency updates
rolldownac5c710v1.0.2 (f2757ed)vite66f3194v8.0.13 (a46f11a)vitest4.1.64.1.7oxfmt0.48.00.51.0oxlint1.63.01.66.0oxlint-tsgolint0.22.10.23.0@oxc-project/runtime0.129.00.132.0@oxc-project/types0.129.00.132.0oxc-minify0.129.00.132.0oxc-parser0.129.00.132.0oxc-transform0.129.00.132.0@vitejs/devtools0.1.210.1.24Unchanged dependencies
tsdown:0.22.0@oxc-node/cli:0.1.0@oxc-node/core:0.1.0Code changes
Cargo.toml: bump oxc workspace crates0.128.0 -> 0.132.0; bumpdashmap,jsonschema,mimalloc-safe, andpnpminor versions.rust-toolchain.toml: bump nightly channel tonightly-2026-03-15..github/actions/build-upstream/action.yml,package.json: drop the standalonepnpm --filter @rolldown/pluginutils buildstep.pnpm-workspace.yaml: add@rolldown/pluginutilsto the catalog, remove itsworkspace:override, bumpvitest-devoverride to^4.1.7, and sync transitive deps (remeda,rolldown-plugin-dts,rollup,semver,tsx,valibot,vitepress-plugin-graphviz,ws).packages/core/build.ts,packages/tools/src/sync-remote-deps.ts: repoint pluginutils sources torolldown/packages/rolldown/node_modules/@rolldown/pluginutilsand its colocatedLICENSE.packages/core/package.json: collapse./rolldown/pluginutils[/filter]exports to direct.mjsentries; bump@vitejs/devtoolsandbundledVersions(vite/rolldown).packages/test/package.json: bump@vitest/*packages andvitest-devto4.1.7.packages/cli/snap-tests/{bin-oxlint-wrapper,command-helper}/snap.txt: include new oxlint--debug=OPTIONShelp entry.packages/cli/snap-tests/{build-vite-env,synthetic-build-cache-disabled}/snap.txt: refresh built asset hash.packages/cli/snap-tests-global/command-staged-broken-config/snap.txt: update parser error prefix ([PARSE_ERROR] Unexpected token).packages/cli/src/create/__tests__/org-tarball.spec.ts,packages/prompts/src/{group-multi-select,progress-bar,select-key}.ts: addunicorn/consistent-function-scopingeslint-disable lines for intentionally inlined helpers.packages/tools/.upstream-versions.json: pinned upstream hashes for rolldown/vite.Build status
sync-remote-and-build: failurebuild-upstream: failure