
Pin transitive vp NPM dependencies via lockfile during install and upgrade #1316

@jaytee

Description


The vp install process (run both during initial installation and on every upgrade) resolves transitive NPM dependencies without a lockfile present to pin packages to specific versions, creating a supply chain risk.

When the wrapper package.json file is generated it does pin vite-plus to a specific version, but that doesn't prevent potentially newly compromised malicious transitive dependencies from being pulled in.

```sh
# Generate wrapper package.json that declares vite-plus as a dependency.
# pnpm will install vite-plus and all transitive deps via `vp install`.
# The packageManager field pins pnpm to a known-good version, ensuring
# consistent behavior regardless of the user's global pnpm version.
cat > "$VERSION_DIR/package.json" <<WRAPPER_EOF
{
  "name": "vp-global",
  "version": "$VP_VERSION",
  "private": true,
  "packageManager": "pnpm@10.33.0",
  "dependencies": {
    "vite-plus": "$VP_VERSION"
  }
}
WRAPPER_EOF
```

Suggested solution

It would be great if a lockfile could be generated at release, or have the existing pnpm-lock.yaml included in the published vite-plus package and have the install script flag the install with --frozen-lockfile, so that only a specific known set of dependencies would be pulled in during install/upgrade.

This would also help to make things more resilient to breakages stemming from changes in transitive dependencies that happen between releases of vp.

Alternative

No response

Additional context

No response

Validations

  • Read the Contributing Guidelines.
  • Confirm this request is for Vite+ itself and not for Vite, Vitest, tsdown, Rolldown, or Oxc.
  • Check that there isn't already an issue requesting the same feature.
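One way the install step could look if a lockfile shipped with the release, as an added sketch that is not the vp install script or any Vite+ project code: it assumes (hypothetically) that the release provides a wrapper pnpm-lock.yaml at a caller-supplied path, refuses to proceed without it, and runs pnpm with `--frozen-lockfile` so a package.json/lockfile mismatch fails instead of silently re-resolving transitive dependencies.

```shell
#!/bin/sh
# Added example (not the vp install script or any Vite+ project code): prepare
# the wrapper directory so pnpm installs against a shipped lockfile and the
# step fails closed when that lockfile is missing.
# Assumptions (hypothetical): the release provides a wrapper pnpm-lock.yaml at
# a path the caller passes in; VERSION_DIR/VP_VERSION are set by the caller.

# Write the wrapper package.json (same shape as the existing script) and copy
# the release lockfile beside it. Returns 1, writing nothing, if no lockfile.
prepare_wrapper() {
  version_dir="$1"; vp_version="$2"; lockfile_src="$3"
  if [ ! -f "$lockfile_src" ]; then
    echo "vp install: no pnpm-lock.yaml shipped for $vp_version; refusing unpinned install" >&2
    return 1
  fi
  mkdir -p "$version_dir"
  cat > "$version_dir/package.json" <<WRAPPER_EOF
{
  "name": "vp-global",
  "version": "$vp_version",
  "private": true,
  "packageManager": "pnpm@10.33.0",
  "dependencies": {
    "vite-plus": "$vp_version"
  }
}
WRAPPER_EOF
  cp "$lockfile_src" "$version_dir/pnpm-lock.yaml"
}

# Run pnpm in the wrapper dir. --frozen-lockfile makes pnpm fail instead of
# re-resolving when package.json and pnpm-lock.yaml disagree, so only the
# versions recorded at release time can be installed. PNPM can be overridden
# (e.g. for a dry run) and defaults to the pnpm on PATH.
run_install() {
  version_dir="$1"
  [ -f "$version_dir/pnpm-lock.yaml" ] || { echo "missing lockfile" >&2; return 1; }
  ( cd "$version_dir" && "${PNPM:-pnpm}" install --frozen-lockfile )
}
```

Running `prepare_wrapper "$VERSION_DIR" "$VP_VERSION" /path/to/shipped/pnpm-lock.yaml && run_install "$VERSION_DIR"` replaces the unpinned resolution step; the same two calls serve the upgrade path.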
