Bump vite-plus from 0.1.24 to 0.2.0 #22

Closed
dependabot[bot] wants to merge 1 commit into main from dependabot/npm_and_yarn/vite-plus-0.2.0

dependabot Bot commented on behalf of github Jun 24, 2026

Bumps vite-plus from 0.1.24 to 0.2.0.

Release notes

Sourced from vite-plus's releases.

vite-plus v0.2.0

Vite+ now consumes upstream Vitest directly (no wrapper), raises the minimum supported Node.js version to 22.18.0, and ships corepack and devEngines support.

Highlights

  • vp test now runs upstream Vitest directly (breaking): Vite+ used to ship @voidzero-dev/vite-plus-test, a rebundled copy of Vitest that lagged upstream releases. That package is removed; vp test now runs the real upstream vitest, which is installed automatically as a dependency of vite-plus (you no longer add vitest or @vitest/* yourself, and vite still resolves to @voidzero-dev/vite-plus-core via package-manager overrides). Your import ... from 'vite-plus/test' code keeps working unchanged and vp migrate updates existing projects (#1588), by @​Brooooooklyn
  • Minimum supported Node.js version raised to ^22.18.0 || >=24.11.0 (breaking): Node 20 reached end-of-life and the bundled tsdown already required ^22.18.0, so the published engines range now matches what vp pack can actually deliver; vp exec / vp run / vp dlx reject projects resolving an older Node with the existing incompatibility error (#1813), by @​fengmk2
  • Corepack now works under Vite+: corepack is now set up by default, so corepack enable and the pnpm/yarn launchers just work, even on Node 25+, which no longer ships it (#1808), by @​fengmk2
  • devEngines support for runtime and package-manager selection: Vite+ reads devEngines.runtime (ranked above engines.node) and devEngines.packageManager; auto-pin and vp migrate write devEngines.packageManager, vp env pin / unpin target devEngines.runtime, and vp env doctor reports conflicts instead of silently resolving them (#1760), by @​fengmk2

Features

  • vp pm approve-builds: forward to npm's new approve-scripts / deny-scripts (npm >= 11.16.0) instead of the previous no-op, matching pnpm approve-builds / bun pm trust; mixed approve+deny is rejected with actionable guidance and npm's advisory-only caveat is surfaced (#1733), by @​fengmk2
  • vp create: support local monorepo templates declared in create.templates in vite.config.ts; vp create vite:generator scaffolds a Bingo generator and auto-registers it in the picker, replacing the old package.json-keyword inference (#1777), by @​fengmk2
  • vp create: detect direct dependencies whose build scripts the package manager gated (e.g. native builds like better-sqlite3) and act on them; prompt to approve each (default off) interactively, point at vp pm approve-builds non-interactively, or build them with --approve-builds (#1828), by @​fengmk2
  • vp config: add --no-hooks and --no-agent opt-outs to skip git-hook installation and coding-agent instruction updates (#1842), by @​leno23
  • vp list -g: sort the global package list output so entries appear in a stable order (#1748), by @​liangmiQwQ
  • Upgrade upstream dependencies: rolldown 1.0.3 -> 1.1.1, tsdown 0.22.1 -> 0.22.3, oxlint 1.67.0 -> 1.70.0, oxfmt 0.52.0 -> 0.55.0, vitest 4.1.8 -> 4.1.9, and the oxc toolchain 0.133.0 -> 0.136.0 (#1749, #1767, #1812, #1834, #1855), by @​voidzero-guard[bot]

Fixes & Enhancements

  • Security: resolve open Rust Dependabot advisories by bumping transitive openssl 0.10.76 -> 0.10.80 (openssl-sys 0.9.112 -> 0.9.116), fixing five high-severity rust-openssl issues (buffer overflows in key derivation, AES key wrap, and digest finalization; an unchecked PSK/cookie trampoline length leaking adjacent memory; and OCSP-responder undefined behavior: GHSA-pqf5-4pqq-29f5, GHSA-8c75-8mhr-p7r9, GHSA-ghm9-cr32-g9qj, GHSA-hppc-g8h3-xhp3, GHSA-xp3w-r5p5-63rr), and drop the unmaintained, unsound libyml (GHSA-gfxp-f68g-8x78, high) by removing dead serde_yml code (#1742), by @​fengmk2
  • Security (docs site): update mermaid 11.13.0 -> 11.15.0 to fix improper classDef sanitization in state diagrams that allowed HTML injection (CVE-2026-41149 / GHSA-ghcm-xqfw-q4vr, medium severity; <script> tags are stripped so it does not reach XSS) (#1745), by @​renovate[bot]
  • vp check --fix / vp staged: create/migrate now wrap inline Vite plugins: [...] arrays with lazyPlugins(...) so plugin factories aren't eagerly executed (and don't hang on open handles) during lint/format/check config loading (#1752), by @​jong-kyung
  • vp migrate: complete pending migration work for projects that already have vite-plus installed (scripts, imports, tsconfig types, ESLint/Prettier, legacy hooks, package-manager settings) instead of treating vite-plus as migration-complete; fully migrated projects stay idempotent (#1821), by @​jong-kyung
  • vp create / vp migrate: detect shorthand fmt, / lint, config keys so a duplicate inline block is no longer injected (#1843), by @​fengmk2
  • IDE oxlint/oxfmt wrappers: set VP_COMMAND so lazyPlugins() skips framework plugins during LSP config reads, preventing a stray .svelte-kit (and similar) directory at the monorepo root (#1764), by @​jong-kyung
  • vp lint / vp run -r lint on Windows: keep the absolute tsgolint path for workspace lint runs instead of downgrading it to a wrong cwd-relative path (#1758), by @​semimikoh
  • oxlint wrapper: set the tsgolint path so type-aware lint resolves it (#1811), by @​jong-kyung
  • vp install -g: use a unique backup directory and treat stale-backup cleanup as best-effort so a locked Windows binary no longer fails an otherwise successful reinstall (#1753), by @​fengmk2
  • vp install -g: remove stale managed binary shims when a reinstalled package drops a bin from its package.json#bin (#1765), by @​liangmiQwQ
  • vp create --git: surface git's actual stdout/stderr when the initial commit fails instead of always blaming user.name / user.email (#1819), by @​fengmk2
  • vp create vite:generator: reject --git / --no-git, since adding a generator to an existing monorepo does not initialize git (#1788), by @​jong-kyung
  • Global CLI: harden find_system_tool against a self-exec loop (skip the running executable's own bin directory) and fix two vite_global_cli tests that could hang (#1820), by @​fengmk2
  • CLI help: unify alias display (#1832), show supported run options (#1797), show --fail-if-no-match in exec help (#1798), add the implode documentation link (#1796), and handle nested-command typo help (#1803), by @​jong-kyung

Docs

Refactor

  • Remove the CLI tips system; the shortcuts it printed on vp install are already covered by the help system and added unnecessary complexity (#1799), by @​cpojer

Chore

... (truncated)

Commits
  • 6f97f09 release: v0.2.0 (#1856)
  • 6b036e8 feat: allow vp config opt-outs (#1842)
  • 740319f docs: sync command lists with help output (#1850)
  • 9b1ade6 fix(create): preserve shorthand fmt/lint config keys (#1843)
  • 342fd2f refactor!: replace @​voidzero-dev/vite-plus-test with upstream vitest (#1588)
  • d764e09 feat(deps): upgrade upstream dependencies (#1834)
  • b8b73de feat(create): approve dependency build scripts blocked by the package manager...
  • ff7a4fd fix(cli): unify help alias display (#1832)
  • 79a2ef5 fix(migrate): complete vp migrate for existing Vite+ projects (#1821)
  • b48e0a0 feat(env): add corepack to the default shims tool list (#1808)
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [vite-plus](https://github.com/voidzero-dev/vite-plus/tree/HEAD/packages/cli) from 0.1.24 to 0.2.0.
- [Release notes](https://github.com/voidzero-dev/vite-plus/releases)
- [Commits](https://github.com/voidzero-dev/vite-plus/commits/v0.2.0/packages/cli)

---
updated-dependencies:
- dependency-name: vite-plus
  dependency-version: 0.2.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
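
The Node.js floor quoted in the release notes above (`^22.18.0 || >=24.11.0`) is the change most likely to break CI after this bump. The following is an added example, not part of this PR or of vite-plus: it checks a CI matrix and an exact `devEngines.runtime` pin against that range. `samplePkg`, `sampleMatrix` and all function names are constructed for illustration, and the matcher handles only the two comparator forms that range uses.

```javascript
// Added example (constructed): pre-merge check for the Node floor in vite-plus 0.2.0.
const REQUIRED = '^22.18.0 || >=24.11.0'; // engines range quoted in the release notes

// Parse an exact x.y.z version; returns null for ranges such as ">=20".
function parse(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-.+)?$/.exec(String(v).trim());
  if (!m) return null;
  return { n: [m[1], m[2], m[3]].map(Number), pre: Boolean(m[4]) };
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Supports only the comparator forms in REQUIRED: ^x.y.z (x > 0) and >=x.y.z.
function satisfies(version, range = REQUIRED) {
  const v = parse(version);
  if (!v || v.pre) return false; // pre-releases never match a plain range
  return range.split('||').some((part) => {
    const m = /^(\^|>=)\s*(\S+)$/.exec(part.trim());
    const lo = m && parse(m[2]);
    if (!lo || (m[1] === '^' && lo.n[0] === 0)) throw new Error(`unsupported: ${part}`);
    if (m[1] === '^' && v.n[0] !== lo.n[0]) return false; // caret pins the major
    return cmp(v.n, lo.n) >= 0;
  });
}

// devEngines.runtime outranks engines.node, as the release notes describe.
function declaredNodeSpec(pkg) {
  const rt = [].concat(pkg.devEngines?.runtime ?? []).find((r) => r.name === 'node');
  return rt?.version ?? pkg.engines?.node ?? null;
}

// Returns the exact pin (if any) and CI versions that fall outside REQUIRED.
function rejectedAfterBump(pkg, ciMatrix) {
  const spec = declaredNodeSpec(pkg);
  const pinned = spec && parse(spec) ? [spec] : []; // only exact pins are checkable here
  return [...pinned, ...ciMatrix].filter((v) => !satisfies(v));
}

// Constructed sample input, not taken from any real repository.
const samplePkg = {
  engines: { node: '>=20' },
  devEngines: { runtime: { name: 'node', version: '22.12.0' } },
};
const sampleMatrix = ['20.19.0', '22.18.0', '23.11.0', '24.10.0', '24.11.0', '25.0.0'];
console.log(rejectedAfterBump(samplePkg, sampleMatrix));
```

A declared range rather than an exact pin (for example `>=20`) is not evaluated by this check and needs manual review against the new floor.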
dependabot Bot added the dependencies and javascript labels Jun 24, 2026

dependabot Bot commented on behalf of github Jun 25, 2026

Superseded by #25.

dependabot Bot closed this Jun 25, 2026
dependabot Bot deleted the dependabot/npm_and_yarn/vite-plus-0.2.0 branch June 25, 2026 21:53