chore(deps): bump vite-plus to pkg-pr-new pr-1588#12
Code Review
This pull request updates dependency configurations in .npmrc and multiple package.json files to use preview builds of vite-plus and related packages. The review feedback highlights a risk of version drift and mismatch because some dependencies and overrides are pinned to a specific commit SHA while others are pinned to the PR number @1588. It is recommended to consistently pin all of these dependencies to the same commit SHA to ensure reproducible builds.
| "@voidzero-dev/vite-plus-core": "https://pkg.pr.new/voidzero-dev/vite-plus/@voidzero-dev/vite-plus-core@5577b0154f33d1480a3c96347e94fa5d2094de2e", | ||
| "@voidzero-dev/vite-plus-prompts": "https://pkg.pr.new/voidzero-dev/vite-plus/@voidzero-dev/vite-plus-prompts@5577b0154f33d1480a3c96347e94fa5d2094de2e", | ||
| "js-yaml": "^4.1.1", | ||
| "vite": "npm:@voidzero-dev/vite-plus-core@^0.1.20", | ||
| "vitest": "npm:@voidzero-dev/vite-plus-test@^0.1.20" | ||
| "vite": "https://pkg.pr.new/voidzero-dev/vite-plus/@voidzero-dev/vite-plus-core@1588" |
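Review bot: The `vite` override on the last line of this hunk is a pkg.pr.new URL keyed by PR number (`@1588`), so the manifest alone does not fix which build gets installed. Commit the regenerated lockfile together with this change and have CI install with a frozen lockfile, so the build that was reviewed is the one that is installed even before the ref is changed to the SHA used by the two overrides above it.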
There is a version mismatch and drift risk here. The overrides for @voidzero-dev/vite-plus-core and @voidzero-dev/vite-plus-prompts are pinned to a specific commit SHA (5577b0154f33d1480a3c96347e94fa5d2094de2e), but the override for vite (which is an alias for @voidzero-dev/vite-plus-core) is pinned to the PR number @1588.
If new commits are pushed to PR 1588, the vite override will resolve to the latest commit, while the other core overrides will remain pinned to the older SHA. This can lead to duplicate or mismatched versions of the core packages in the dependency tree.
To ensure consistency and reproducible builds, please pin the vite override to the same SHA, and also add vite-plus to the overrides pinned to the same SHA.
"@voidzero-dev/vite-plus-core": "https://pkg.pr.new/voidzero-dev/vite-plus/@voidzero-dev/vite-plus-core@5577b0154f33d1480a3c96347e94fa5d2094de2e",
"@voidzero-dev/vite-plus-prompts": "https://pkg.pr.new/voidzero-dev/vite-plus/@voidzero-dev/vite-plus-prompts@5577b0154f33d1480a3c96347e94fa5d2094de2e",
"js-yaml": "^4.1.1",
"vite": "https://pkg.pr.new/voidzero-dev/vite-plus/@voidzero-dev/vite-plus-core@5577b0154f33d1480a3c96347e94fa5d2094de2e",
"vite-plus": "https://pkg.pr.new/voidzero-dev/vite-plus@5577b0154f33d1480a3c96347e94fa5d2094de2e"
| "vite": "https://pkg.pr.new/voidzero-dev/vite-plus/@voidzero-dev/vite-plus-core@1588", | ||
| "vite-plus": "https://pkg.pr.new/voidzero-dev/vite-plus@1588", |
To prevent version drift between the direct devDependencies and the overrides, consider pinning these to the same commit SHA (5577b0154f33d1480a3c96347e94fa5d2094de2e) instead of the PR number @1588.
| "vite": "https://pkg.pr.new/voidzero-dev/vite-plus/@voidzero-dev/vite-plus-core@1588", | |
| "vite-plus": "https://pkg.pr.new/voidzero-dev/vite-plus@1588", | |
| "vite": "https://pkg.pr.new/voidzero-dev/vite-plus/@voidzero-dev/vite-plus-core@5577b0154f33d1480a3c96347e94fa5d2094de2e", | |
| "vite-plus": "https://pkg.pr.new/voidzero-dev/vite-plus@5577b0154f33d1480a3c96347e94fa5d2094de2e", |
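The pinning rule the review comments ask for can be checked mechanically. The following is an added example, not code from this pull request or from the vite-plus project: a Node.js check that flags pkg.pr.new references not pinned to a single commit SHA. The function name `auditPreviewPins`, the rule that only a full 40-hex SHA counts as pinned, and the two sample manifests (constructed from the values quoted in the comments and merged into one object) are assumptions.

```javascript
// Added example: report pkg.pr.new dependencies that are not pinned to one commit SHA.
const PREVIEW_URL = /^https:\/\/pkg\.pr\.new\/(.+)@([^@\/]+)$/;
const FULL_SHA = /^[0-9a-f]{40}$/; // assumption: only a full 40-hex SHA counts as pinned

function auditPreviewPins(manifest) {
  const entries = [];
  const visit = (field, deps, trail) => {
    for (const [name, spec] of Object.entries(deps || {})) {
      if (spec && typeof spec === "object") {
        visit(field, spec, [...trail, name]); // nested override blocks
        continue;
      }
      const m = typeof spec === "string" ? PREVIEW_URL.exec(spec) : null;
      if (m) {
        entries.push({ field, name: [...trail, name].join(" > "), ref: m[2], pinned: FULL_SHA.test(m[2]) });
      }
    }
  };
  for (const field of ["dependencies", "devDependencies", "overrides"]) {
    visit(field, manifest[field], []);
  }
  // Mutable refs (PR numbers, branch names) can resolve to a different build later.
  const mutable = entries.filter((e) => !e.pinned);
  // More than one distinct SHA means the preview packages come from different commits.
  const shas = [...new Set(entries.filter((e) => e.pinned).map((e) => e.ref))];
  return { mutable, shas, ok: mutable.length === 0 && shas.length <= 1 };
}

// Constructed manifests built from the values quoted in the review comments.
const SHA = "5577b0154f33d1480a3c96347e94fa5d2094de2e";
const BASE = "https://pkg.pr.new/voidzero-dev/vite-plus";
const asReviewed = {
  devDependencies: {
    vite: `${BASE}/@voidzero-dev/vite-plus-core@1588`,
    "vite-plus": `${BASE}@1588`,
  },
  overrides: {
    "@voidzero-dev/vite-plus-core": `${BASE}/@voidzero-dev/vite-plus-core@${SHA}`,
    "@voidzero-dev/vite-plus-prompts": `${BASE}/@voidzero-dev/vite-plus-prompts@${SHA}`,
    "js-yaml": "^4.1.1",
    vite: `${BASE}/@voidzero-dev/vite-plus-core@1588`,
  },
};
const asSuggested = JSON.parse(JSON.stringify(asReviewed).split("@1588").join(`@${SHA}`));

for (const [label, m] of [["as reviewed", asReviewed], ["as suggested", asSuggested]]) {
  const r = auditPreviewPins(m);
  console.log(label, r.ok ? "OK" : "DRIFT RISK", r.mutable.map((e) => `${e.field}:${e.name}@${e.ref}`));
}
```

Run against each package.json in CI, a non-`ok` result can fail the build before a mixed set of preview builds reaches the lockfile.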
Summary
Bump vite-plus to pkg-pr-new build for PR #1588 (replace @voidzero-dev/vite-plus-test wrapper with upstream vitest@4.1.5).
Updated where applicable:
Test plan