chore(deps): bump vite-plus to v0.2.0#9
Conversation
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request updates package dependencies in the pnpm lockfile and workspace configuration, replacing several @voidzero-dev packages with specific build URLs and pinning vitest to version 4.1.9. It also introduces a minimumReleaseAge policy in pnpm-workspace.yaml. Feedback on these changes highlights that the 'catalog:' specifier should still be used in the overrides section to prevent duplicating version strings. Additionally, since minimumReleaseAge is measured in seconds, the current value of 60 only blocks packages for one minute and should be increased to a more secure duration like 24 hours (86400).
Important
The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.
| vite: 'https://pkg.pr.new/voidzero-dev/vite-plus/@voidzero-dev/vite-plus-core@1856' | ||
| vitest: '4.1.9' |
There was a problem hiding this comment.
You can continue using the 'catalog:' specifier for vite and vitest in the overrides section. This avoids duplicating the version/URL strings and ensures they stay in sync with the catalog definitions automatically when updated in the future.
vite: 'catalog:'
vitest: 'catalog:'| allowedVersions: | ||
| vite: '*' | ||
| vitest: '*' | ||
| minimumReleaseAge: 60 |
There was a problem hiding this comment.
In pnpm, the minimumReleaseAge setting is specified in seconds, not minutes or days. Setting it to 60 only blocks packages published within the last 1 minute, which provides very little protection against supply chain or typosquatting attacks.
Consider increasing this value to a more secure duration, such as:
86400(24 hours)172800(48 hours)604800(7 days)
minimumReleaseAge: 864001 participant
Summary
Bump
vite-plusand related packages to the pkg.pr.new prerelease build for v0.2.0.Updated where applicable:
vite-plus-> pkg.pr.new buildvite(alias/override ->@voidzero-dev/vite-plus-core)vitestpinned to bundled4.1.9(the@voidzero-dev/vite-plus-testwrapper was removed upstream; vitest is now plain upstream)minimumReleaseAgeenabled with vite-plus packages excluded (pnpm/bun/npm as applicable)Also added a
pull_requesttrigger (branches: main) to.github/workflows/test.ymlso CI runs on this PR.Test plan