Skip to content

chore(deps): update dependency vite-plus to v0.2.2#36

Open
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/vite+
Open

chore(deps): update dependency vite-plus to v0.2.2#36
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/vite+

Conversation

@renovate

@renovate renovate Bot commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
vite-plus (source) 0.2.10.2.2 age adoption passing confidence

Release Notes

voidzero-dev/vite-plus (vite-plus)

v0.2.2: vite-plus v0.2.2: Vite+ Beta

Compare Source

Vite+ is now in Beta: stable and ready for production adoption, fully open source under MIT. Read the announcement to see what Vite+ is about and where it is headed: Announcing Vite+ Beta.

On top of the Beta milestone, this release brings cross-version upgrades via vp migrate, an official Docker toolchain image on GHCR, zero-config runner-aware vp build caching, and PGP-verified managed Node.js downloads.

Highlights
  • vp migrate upgrades existing Vite+ projects across versions: previous release notes told users not to run vp migrate for upgrades. It now runs from the global CLI when the local one is older, re-pins vite-plus and the vite -> @voidzero-dev/vite-plus-core alias across dependencies, overrides/resolutions, and catalogs in every workspace package, aligns vitest / @vitest/* by actual usage, and defaults to a version-only upgrade (pass --full to also run the first-time setup bucket: hooks, editor, agent files, lint migration) (#​1891), by @​fengmk2
  • Official Vite+ Docker toolchain image: ghcr.io/voidzero-dev/vite-plus bundles vp plus a native build toolchain on debian:bookworm-slim (amd64/arm64, non-root). Since vp provisions the exact Node.js from .node-version, one image builds any project, and a documented multi-stage build copies the resolved Node.js into a small vp-free runtime stage (#​1944), by @​fengmk2
  • Zero-config vp build caching via runner-aware Vite: Vite reports its inputs, outputs, and tracked env reads to the vp runner over the new @voidzero-dev/vite-task-client IPC (vite#22453), so vp build caches correctly with no hand-written cache config: outputs are tracked and restored automatically, and a changed VITE_* env var invalidates the cache and is named in the cache-miss message (#​1774), by @​wan9chi
  • PGP-verified Node.js downloads: installing a managed Node.js now verifies the release's clearsigned SHASUMS256.txt.asc against the vendored Node.js release keyring (pure Rust, no gpg required) before trusting any checksum, so a tampered archive is rejected before install; unsigned sources (musl builds, custom mirrors) fall back to checksum-only verification (#​1848), by @​fengmk2
Features
  • vp check: a check block in vite.config.ts (check.fmt / check.lint) can make plain vp check skip formatting or linting by default, mirroring --no-fmt / --no-lint; standalone vp fmt / vp lint and git hooks are unaffected, and a note: line keeps the config-based skip discoverable (#​1981), by @​fengmk2
  • vp env list-remote: highlight installed versions (color, or a * prefix when piped) and label the project-resolved current and global default versions; --json gains installed / current / default fields (#​1907), by @​semimikoh
  • vpr ships as a vite-plus package bin, so the vp run shorthand works on clean installs without global PATH shims (Vercel build image, generic CI runners) (#​1988), by @​kvnwolf
  • Vite Task: dependsOn can select tasks from dependency packages, e.g. dependsOn: [{ "task": "build", "from": "dependencies" }] (vite-task#479), by @​wan9chi
  • Vite Task: a task's env / untrackedEnv glob patterns support ! negation (e.g. ["VITE_*", "!VITE_SECRET"]) (vite-task#425), and an env-caused cache miss now names the variable inline, e.g. cache miss: env 'NODE_ENV' changed (vite-task#438), by @​wan9chi
  • Upgrade upstream dependencies: vite 8.0.16 -> 8.1.2, rolldown 1.1.1 -> 1.1.4, oxlint 1.70.0 -> 1.72.0, oxfmt 0.55.0 -> 0.57.0, oxlint-tsgolint 0.23.0 -> 0.24.0, and the oxc toolchain 0.136.0 -> 0.138.0 (#​1924, #​1989, #​2000, #​2009), by @​voidzero-guard[bot]
Fixes & Enhancements
  • Windows: vp run no longer hangs CI when a node_modules/.bin .cmd shim is routed through PowerShell; the npm/pnpm/yarn .ps1 wrappers read stdin and block forever on a non-TTY pipe, so the PowerShell rewrite is now skipped when stdin is not an interactive terminal (vite-task#491, via #​1973), by @​fengmk2
  • Vite Task: the task cache is stored in a per-schema-version directory (e.g. node_modules/.vite/task-cache/v13/), so switching between branches that pin different Vite+ versions no longer fails with Unrecognized database version (vite-task#433), by @​fengmk2
  • Vite Task: env values in cache fingerprints are stored only as SHA-256 digests and env cache-miss details report names without values (vite-task#455); prefix env assignments like PATH=... command now affect executable lookup during planning (vite-task#440); package.json / pnpm-workspace.yaml files with a UTF-8 BOM parse correctly (vite-task#424), by @​wan9chi
  • vp upgrade: run the pinned pnpm with a managed Node.js LTS directly instead of re-entering vp install, so an incompatible session/project/system runtime can no longer make pnpm skip optional native binaries and leave the upgraded CLI broken (#​1900), by @​liangmiQwQ
  • Global package installs: each install writes to an immutable packages/<name>#<uuid> prefix that is activated via metadata after npm succeeds, so an interrupted reinstall can no longer leave the active package unavailable (#​1906), and stale interrupted-install directories are swept with file-lock protection for concurrent installs (#​1945), by @​liangmiQwQ
  • lazyPlugins(): skip plugin factories only while config metadata is being resolved instead of keying off VP_COMMAND, so builds spawned under vp run / vp exec keep the user's plugins and vp format no longer loads them (#​1939), by @​fengmk2
  • vp migrate (pnpm): add a direct vite devDep aliased to the core override wherever vite-plus is depended on, so vitest's vite peer binds to @voidzero-dev/vite-plus-core instead of pulling in a second upstream vite that broke the vp test cache (#​1933), by @​fengmk2
  • vp pack: bundle @tsdown/exe and @tsdown/css into core so --exe and CSS bundling work without a resolvable top-level tsdown; the native lightningcss becomes an optional peer loaded lazily with an actionable error (#​1919), by @​fengmk2
  • vp env: invalidate stale shim resolve cache entries when the project's Node.js version source changes (#​1951), by @​jong-kyung
  • Node shim: when the project declares npm via packageManager / devEngines.packageManager, child processes spawned from node resolve the managed npm instead of the Node-bundled one (#​1938); vp env which reports bins linked by an intercepted npm install -g (e.g. tsc) instead of "not found" (#​1968); bins with uppercase names (e.g. vitePlus) dispatch correctly (#​1963), by @​liangmiQwQ
  • vp-setup: pass the configured npm registry to the inner pnpm install so setup works behind custom registries (#​1795), by @​daflyinbed
  • Native binding: declare the platform packages' true ABI floor engines.node >=20.0.0 so engine-strict package managers (pnpm) no longer skip the optional native dependency and fail with Cannot find native binding when a consumer's Node floor lands in a product-policy gap (#​1993), by @​fengmk2
  • vp create: run git init without creating an initial commit, so commitlint-configured templates no longer reject the hardcoded message and template placeholders are not baked into history (#​2008), by @​forehalo
  • vp staged --debug: inline the bundled lint-staged version so debug logging no longer crashes reading a package.json that does not exist in the bundle (#​1925), by @​rokuosan
  • Installer: retry downloads truncated mid-body in HttpClient::get_bytes (the platform-tarball path for vp upgrade and the standalone installer) (#​1940), and clean up the temp dir when a package-manager install fails instead of leaking .tmpXXXX directories (#​1949), by @​shulaoda
  • Windows/msys: normalize backslashes in the env.fish fallback path (#​1954), by @​Aalivexy
  • install.ps1: detect the missing VC++ runtime (0xC0000135) and print VC++ Redistributable guidance instead of a generic failure; interactive irm | iex installs keep the shell open (#​1962), by @​cheezone
  • vp migrate: preserve comments, key order, and trailing commas in existing .vscode / .zed JSONC configs by patching the original text instead of re-serializing it (#​1956), by @​fengmk2
  • Migration: link the git hook warning to the migration guide (#​1902), by @​naokihaba
  • vp info / vp view: use package-manager-native commands (pnpm view, bun info, yarn npm info) instead of routing every lookup through npm view (#​1895), by @​jong-kyung
  • Correct overused ErrorConfig error types across the codebase (#​1934), by @​liangmiQwQ
Refactor
Docs
  • Document Vite Task automatic tracking (fs tracking and cache-reporting tools), reusing the task cache with GitHub Actions cache, and dependsOn: [{ task, from: "dependencies" }] (#​1992), by @​wan9chi
  • Rewrite the "Upgrading Vite+" guide: preview builds install through the registry bridge as ordinary 0.0.0-commit.<sha> npm versions, and vp migrate is the recommended way to upgrade a project or move it onto a preview build (#​1965), by @​fengmk2
  • Describe how to switch back to the release version from nightly (#​1887), by @​situ2001
  • Clarify Git hook tool migration (#​1901), by @​naokihaba
  • Add a global installation explanation (#​1915), update the vp env help output (#​1969), and add liangmiQwQ as a team member (#​1911), by @​liangmiQwQ
  • Fix package manager command examples (#​1937) and the dependsOn guide link (#​1883), by @​jong-kyung
  • Remove Fathom analytics from the uninstall docs (#​1946), by @​mdong1909
  • Center the README logo and fix its size (#​1878), by @​hyf0
Chore
Bundled Versions
Tool Version Source
vite 8.1.2 ba31193
rolldown 1.1.4 6cbd233
tsdown 0.22.3 npm
vitest 4.1.9 npm
oxlint 1.72.0 npm
oxlint-tsgolint 0.24.0 npm
oxfmt 0.57.0 npm
Upgrade
vp upgrade

New to Vite+? Start with the Beta announcement, then create a project with vp create or bring an existing one over with vp migrate.

New Contributors

Welcome to our new contributors @​rokuosan, @​Aalivexy, @​cheezone, @​daflyinbed, @​forehalo, @​kvnwolf! 🎉

Full Changelog: voidzero-dev/vite-plus@v0.2.1...v0.2.2

Published Packages
  • @voidzero-dev/vite-plus-core@0.2.2
  • vite-plus@0.2.2
Installation

macOS/Linux:

curl -fsSL https://vite.plus | bash

Windows:

irm https://vite.plus/ps1 | iex

Or download and run vp-setup.exe from the assets below.

Docker:

docker run --rm -it -v "$PWD:/app" -w /app ghcr.io/voidzero-dev/vite-plus:0.2.2 vp build

Run any vp command without installing it; see the Docker guide for more.


Configuration

📅 Schedule: (in timezone Asia/Shanghai)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@socket-security

Copy link
Copy Markdown

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security
Vulnerability Quality Maintenance License
Addedvite-plus@​0.2.280100100100100

View full report

@socket-security

Copy link
Copy Markdown

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action Severity Alert  (click "▶" to expand/collapse)
Warn High
Obfuscated code: npm oxfmt is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: pnpm-lock.yamlnpm/vite-plus@0.2.2npm/oxfmt@0.57.0

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/oxfmt@0.57.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm oxfmt is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: pnpm-lock.yamlnpm/vite-plus@0.2.2npm/oxfmt@0.57.0

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/oxfmt@0.57.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants