chore(deps): bump vite-plus to pkg-pr-new pr-1588#6
Conversation
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request updates the workspace dependencies and configuration in pnpm-workspace.yaml. The review identified two issues: first, several .npmrc configuration options (such as blockExoticSubdeps and minimumReleaseAge) were incorrectly added to pnpm-workspace.yaml where they will be silently ignored, and should instead be moved to a .npmrc file. Second, there is an inconsistency in dependency pinning, where some overrides are pinned to a specific commit hash while others point to a PR number, which could lead to out-of-sync dependencies.
| blockExoticSubdeps: false | ||
| minimumReleaseAge: 60 | ||
| minimumReleaseAgeExclude: | ||
| - vite-plus | ||
| - '@voidzero-dev/*' | ||
| - '@oxc-project/*' | ||
| - '@oxlint/*' | ||
| - oxlint | ||
| - oxfmt | ||
| - oxlint-tsgolint | ||
| - vitest | ||
| - '@vitest/*' |
There was a problem hiding this comment.
The configuration options blockExoticSubdeps, minimumReleaseAge, and minimumReleaseAgeExclude are .npmrc settings and are not supported in pnpm-workspace.yaml. As a result, pnpm will silently ignore these settings, and the intended security/policy restrictions will not be applied.\n\nThese settings should be moved to your .npmrc file instead, using the standard .npmrc format:\n\nini\nblock-exotic-subdeps=false\nminimum-release-age=60\nminimum-release-age-exclude[]=vite-plus\nminimum-release-age-exclude[]=@voidzero-dev/*\nminimum-release-age-exclude[]=@oxc-project/*\nminimum-release-age-exclude[]=@oxlint/*\nminimum-release-age-exclude[]=oxlint\nminimum-release-age-exclude[]=oxfmt\nminimum-release-age-exclude[]=oxlint-tsgolint\nminimum-release-age-exclude[]=vitest\nminimum-release-age-exclude[]=@vitest/*\n
| '@voidzero-dev/vite-plus-core': https://pkg.pr.new/voidzero-dev/vite-plus/@voidzero-dev/vite-plus-core@5577b0154f33d1480a3c96347e94fa5d2094de2e | ||
| '@voidzero-dev/vite-plus-prompts': https://pkg.pr.new/voidzero-dev/vite-plus/@voidzero-dev/vite-plus-prompts@5577b0154f33d1480a3c96347e94fa5d2094de2e |
There was a problem hiding this comment.
The overrides for @voidzero-dev/vite-plus-core and @voidzero-dev/vite-plus-prompts are pinned to a specific commit hash (5577b0154f33d1480a3c96347e94fa5d2094de2e), whereas vite-plus in the catalog (line 5) is pointing to the PR number (1588).\n\nThis inconsistency can lead to out-of-sync dependencies if new commits are pushed to PR 1588, as vite-plus will resolve to the latest commit while the overrides remain pinned to the older commit.\n\nTo ensure consistency, consider using the PR number 1588 for all of them, or pinning all of them to the same commit hash.
'@voidzero-dev/vite-plus-core': https://pkg.pr.new/voidzero-dev/vite-plus/@voidzero-dev/vite-plus-core@1588\n '@voidzero-dev/vite-plus-prompts': https://pkg.pr.new/voidzero-dev/vite-plus/@voidzero-dev/vite-plus-prompts@15881 participant
Summary
Bump vite-plus to pkg-pr-new build for PR #1588 (replace @voidzero-dev/vite-plus-test with upstream vitest@4.1.5).
Test plan