You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Vite+ is now in Beta: stable and ready for production adoption, fully open source under MIT. Read the announcement to see what Vite+ is about and where it is headed: Announcing Vite+ Beta.
On top of the Beta milestone, this release brings cross-version upgrades via vp migrate, an official Docker toolchain image on GHCR, zero-config runner-aware vp build caching, and PGP-verified managed Node.js downloads.
Highlights
vp migrate upgrades existing Vite+ projects across versions: previous release notes told users not to run vp migrate for upgrades. It now runs from the global CLI when the local one is older, re-pins vite-plus and the vite -> @voidzero-dev/vite-plus-core alias across dependencies, overrides/resolutions, and catalogs in every workspace package, aligns vitest / @vitest/* by actual usage, and defaults to a version-only upgrade (pass --full to also run the first-time setup bucket: hooks, editor, agent files, lint migration) (#1891), by @fengmk2
Official Vite+ Docker toolchain image: ghcr.io/voidzero-dev/vite-plus bundles vp plus a native build toolchain on debian:bookworm-slim (amd64/arm64, non-root). Since vp provisions the exact Node.js from .node-version, one image builds any project, and a documented multi-stage build copies the resolved Node.js into a small vp-free runtime stage (#1944), by @fengmk2
Zero-config vp build caching via runner-aware Vite: Vite reports its inputs, outputs, and tracked env reads to the vp runner over the new @voidzero-dev/vite-task-client IPC (vite#22453), so vp build caches correctly with no hand-written cache config: outputs are tracked and restored automatically, and a changed VITE_* env var invalidates the cache and is named in the cache-miss message (#1774), by @wan9chi
PGP-verified Node.js downloads: installing a managed Node.js now verifies the release's clearsigned SHASUMS256.txt.asc against the vendored Node.js release keyring (pure Rust, no gpg required) before trusting any checksum, so a tampered archive is rejected before install; unsigned sources (musl builds, custom mirrors) fall back to checksum-only verification (#1848), by @fengmk2
Features
vp check: a check block in vite.config.ts (check.fmt / check.lint) can make plain vp check skip formatting or linting by default, mirroring --no-fmt / --no-lint; standalone vp fmt / vp lint and git hooks are unaffected, and a note: line keeps the config-based skip discoverable (#1981), by @fengmk2
vp env list-remote: highlight installed versions (color, or a * prefix when piped) and label the project-resolved current and global default versions; --json gains installed / current / default fields (#1907), by @semimikoh
vpr ships as a vite-plus package bin, so the vp run shorthand works on clean installs without global PATH shims (Vercel build image, generic CI runners) (#1988), by @kvnwolf
Vite Task: dependsOn can select tasks from dependency packages, e.g. dependsOn: [{ "task": "build", "from": "dependencies" }] (vite-task#479), by @wan9chi
Vite Task: a task's env / untrackedEnv glob patterns support ! negation (e.g. ["VITE_*", "!VITE_SECRET"]) (vite-task#425), and an env-caused cache miss now names the variable inline, e.g. cache miss: env 'NODE_ENV' changed (vite-task#438), by @wan9chi
Upgrade upstream dependencies: vite 8.0.16 -> 8.1.2, rolldown 1.1.1 -> 1.1.4, oxlint 1.70.0 -> 1.72.0, oxfmt 0.55.0 -> 0.57.0, oxlint-tsgolint 0.23.0 -> 0.24.0, and the oxc toolchain 0.136.0 -> 0.138.0 (#1924, #1989, #2000, #2009), by @voidzero-guard[bot]
Fixes & Enhancements
Windows: vp run no longer hangs CI when a node_modules/.bin.cmd shim is routed through PowerShell; the npm/pnpm/yarn .ps1 wrappers read stdin and block forever on a non-TTY pipe, so the PowerShell rewrite is now skipped when stdin is not an interactive terminal (vite-task#491, via #1973), by @fengmk2
Vite Task: the task cache is stored in a per-schema-version directory (e.g. node_modules/.vite/task-cache/v13/), so switching between branches that pin different Vite+ versions no longer fails with Unrecognized database version (vite-task#433), by @fengmk2
Vite Task: env values in cache fingerprints are stored only as SHA-256 digests and env cache-miss details report names without values (vite-task#455); prefix env assignments like PATH=... command now affect executable lookup during planning (vite-task#440); package.json / pnpm-workspace.yaml files with a UTF-8 BOM parse correctly (vite-task#424), by @wan9chi
vp upgrade: run the pinned pnpm with a managed Node.js LTS directly instead of re-entering vp install, so an incompatible session/project/system runtime can no longer make pnpm skip optional native binaries and leave the upgraded CLI broken (#1900), by @liangmiQwQ
Global package installs: each install writes to an immutable packages/<name>#<uuid> prefix that is activated via metadata after npm succeeds, so an interrupted reinstall can no longer leave the active package unavailable (#1906), and stale interrupted-install directories are swept with file-lock protection for concurrent installs (#1945), by @liangmiQwQ
lazyPlugins(): skip plugin factories only while config metadata is being resolved instead of keying off VP_COMMAND, so builds spawned under vp run / vp exec keep the user's plugins and vp format no longer loads them (#1939), by @fengmk2
vp migrate (pnpm): add a direct vite devDep aliased to the core override wherever vite-plus is depended on, so vitest's vite peer binds to @voidzero-dev/vite-plus-core instead of pulling in a second upstream vite that broke the vp test cache (#1933), by @fengmk2
vp pack: bundle @tsdown/exe and @tsdown/css into core so --exe and CSS bundling work without a resolvable top-level tsdown; the native lightningcss becomes an optional peer loaded lazily with an actionable error (#1919), by @fengmk2
vp env: invalidate stale shim resolve cache entries when the project's Node.js version source changes (#1951), by @jong-kyung
Node shim: when the project declares npm via packageManager / devEngines.packageManager, child processes spawned from node resolve the managed npm instead of the Node-bundled one (#1938); vp env which reports bins linked by an intercepted npm install -g (e.g. tsc) instead of "not found" (#1968); bins with uppercase names (e.g. vitePlus) dispatch correctly (#1963), by @liangmiQwQ
vp-setup: pass the configured npm registry to the inner pnpm install so setup works behind custom registries (#1795), by @daflyinbed
Native binding: declare the platform packages' true ABI floor engines.node >=20.0.0 so engine-strict package managers (pnpm) no longer skip the optional native dependency and fail with Cannot find native binding when a consumer's Node floor lands in a product-policy gap (#1993), by @fengmk2
vp create: run git init without creating an initial commit, so commitlint-configured templates no longer reject the hardcoded message and template placeholders are not baked into history (#2008), by @forehalo
vp staged --debug: inline the bundled lint-staged version so debug logging no longer crashes reading a package.json that does not exist in the bundle (#1925), by @rokuosan
Installer: retry downloads truncated mid-body in HttpClient::get_bytes (the platform-tarball path for vp upgrade and the standalone installer) (#1940), and clean up the temp dir when a package-manager install fails instead of leaking .tmpXXXX directories (#1949), by @shulaoda
Windows/msys: normalize backslashes in the env.fish fallback path (#1954), by @Aalivexy
install.ps1: detect the missing VC++ runtime (0xC0000135) and print VC++ Redistributable guidance instead of a generic failure; interactive irm | iex installs keep the shell open (#1962), by @cheezone
vp migrate: preserve comments, key order, and trailing commas in existing .vscode / .zed JSONC configs by patching the original text instead of re-serializing it (#1956), by @fengmk2
Migration: link the git hook warning to the migration guide (#1902), by @naokihaba
vp info / vp view: use package-manager-native commands (pnpm view, bun info, yarn npm info) instead of routing every lookup through npm view (#1895), by @jong-kyung
Correct overused ErrorConfig error types across the codebase (#1934), by @liangmiQwQ
Refactor
vite_install: centralize Yarn v1/berry branching with is_yarn_berry (#1897), by @jong-kyung
Docs
Document Vite Task automatic tracking (fs tracking and cache-reporting tools), reusing the task cache with GitHub Actions cache, and dependsOn: [{ task, from: "dependencies" }] (#1992), by @wan9chi
Rewrite the "Upgrading Vite+" guide: preview builds install through the registry bridge as ordinary 0.0.0-commit.<sha> npm versions, and vp migrate is the recommended way to upgrade a project or move it onto a preview build (#1965), by @fengmk2
Describe how to switch back to the release version from nightly (#1887), by @situ2001
Add a global installation explanation (#1915), update the vp env help output (#1969), and add liangmiQwQ as a team member (#1911), by @liangmiQwQ
Fix package manager command examples (#1937) and the dependsOn guide link (#1883), by @jong-kyung
Remove Fathom analytics from the uninstall docs (#1946), by @mdong1909
Center the README logo and fix its size (#1878), by @hyf0
Chore
Prevent Vite beta upgrades in the upstream-deps script (#1879), stabilize flaky network-dependent tests (#1923), and bump the ecosystem-ci bun-vite-template to the oxlint jsx-a11y fix (#1898), by @fengmk2
Pin snap-test install fixtures to a published vite-plus version so release-branch CI can pass before the new version is published (#2017), by @fengmk2
Update the deprecated VITE_PLUS_ env var prefixes to VP_ in the RFCs (#1984), by @liangmiQwQ
CI: skip full CI for docs-only PRs (#1991) and for the docs deploy config (#2015), by @wan9chi
Next steps: Take a moment to review the security alert above. Review
the linked package source code to understand the potential risk. Ensure the
package is not malicious before proceeding. If you're unsure how to proceed,
reach out to your security team or ask the Socket team for help at
support@socket.dev.
Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.
Mark the package as acceptable risk. To ignore this alert only
in this pull request, reply with the comment
@SocketSecurity ignore npm/oxfmt@0.57.0. You can
also ignore all packages with @SocketSecurity ignore-all.
To ignore an alert for all future pull requests, use Socket's Dashboard to
change the triage state of this alert.
Warn
Obfuscated code: npm oxfmt is 90.0% likely obfuscated
Next steps: Take a moment to review the security alert above. Review
the linked package source code to understand the potential risk. Ensure the
package is not malicious before proceeding. If you're unsure how to proceed,
reach out to your security team or ask the Socket team for help at
support@socket.dev.
Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.
Mark the package as acceptable risk. To ignore this alert only
in this pull request, reply with the comment
@SocketSecurity ignore npm/oxfmt@0.57.0. You can
also ignore all packages with @SocketSecurity ignore-all.
To ignore an alert for all future pull requests, use Socket's Dashboard to
change the triage state of this alert.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
0.2.1→0.2.2Release Notes
voidzero-dev/vite-plus (vite-plus)
v0.2.2: vite-plus v0.2.2: Vite+ BetaCompare Source
Vite+ is now in Beta: stable and ready for production adoption, fully open source under MIT. Read the announcement to see what Vite+ is about and where it is headed: Announcing Vite+ Beta.
On top of the Beta milestone, this release brings cross-version upgrades via
vp migrate, an official Docker toolchain image on GHCR, zero-config runner-awarevp buildcaching, and PGP-verified managed Node.js downloads.Highlights
vp migrateupgrades existing Vite+ projects across versions: previous release notes told users not to runvp migratefor upgrades. It now runs from the global CLI when the local one is older, re-pinsvite-plusand thevite->@voidzero-dev/vite-plus-corealias across dependencies, overrides/resolutions, and catalogs in every workspace package, alignsvitest/@vitest/*by actual usage, and defaults to a version-only upgrade (pass--fullto also run the first-time setup bucket: hooks, editor, agent files, lint migration) (#1891), by @fengmk2ghcr.io/voidzero-dev/vite-plusbundlesvpplus a native build toolchain ondebian:bookworm-slim(amd64/arm64, non-root). Sincevpprovisions the exact Node.js from.node-version, one image builds any project, and a documented multi-stage build copies the resolved Node.js into a small vp-free runtime stage (#1944), by @fengmk2vp buildcaching via runner-aware Vite: Vite reports its inputs, outputs, and tracked env reads to thevprunner over the new@voidzero-dev/vite-task-clientIPC (vite#22453), sovp buildcaches correctly with no hand-written cache config: outputs are tracked and restored automatically, and a changedVITE_*env var invalidates the cache and is named in the cache-miss message (#1774), by @wan9chiSHASUMS256.txt.ascagainst the vendored Node.js release keyring (pure Rust, nogpgrequired) before trusting any checksum, so a tampered archive is rejected before install; unsigned sources (musl builds, custom mirrors) fall back to checksum-only verification (#1848), by @fengmk2Features
vp check: acheckblock invite.config.ts(check.fmt/check.lint) can make plainvp checkskip formatting or linting by default, mirroring--no-fmt/--no-lint; standalonevp fmt/vp lintand git hooks are unaffected, and anote:line keeps the config-based skip discoverable (#1981), by @fengmk2vp env list-remote: highlight installed versions (color, or a*prefix when piped) and label the project-resolvedcurrentand globaldefaultversions;--jsongainsinstalled/current/defaultfields (#1907), by @semimikohvprships as avite-pluspackage bin, so thevp runshorthand works on clean installs without global PATH shims (Vercel build image, generic CI runners) (#1988), by @kvnwolfdependsOncan select tasks from dependency packages, e.g.dependsOn: [{ "task": "build", "from": "dependencies" }](vite-task#479), by @wan9chienv/untrackedEnvglob patterns support!negation (e.g.["VITE_*", "!VITE_SECRET"]) (vite-task#425), and an env-caused cache miss now names the variable inline, e.g.cache miss: env 'NODE_ENV' changed(vite-task#438), by @wan9chi8.0.16 -> 8.1.2, rolldown1.1.1 -> 1.1.4, oxlint1.70.0 -> 1.72.0, oxfmt0.55.0 -> 0.57.0, oxlint-tsgolint0.23.0 -> 0.24.0, and the oxc toolchain0.136.0 -> 0.138.0(#1924, #1989, #2000, #2009), by @voidzero-guard[bot]Fixes & Enhancements
vp runno longer hangs CI when anode_modules/.bin.cmdshim is routed through PowerShell; the npm/pnpm/yarn.ps1wrappers read stdin and block forever on a non-TTY pipe, so the PowerShell rewrite is now skipped when stdin is not an interactive terminal (vite-task#491, via #1973), by @fengmk2node_modules/.vite/task-cache/v13/), so switching between branches that pin different Vite+ versions no longer fails withUnrecognized database version(vite-task#433), by @fengmk2PATH=... commandnow affect executable lookup during planning (vite-task#440);package.json/pnpm-workspace.yamlfiles with a UTF-8 BOM parse correctly (vite-task#424), by @wan9chivp upgrade: run the pinned pnpm with a managed Node.js LTS directly instead of re-enteringvp install, so an incompatible session/project/system runtime can no longer make pnpm skip optional native binaries and leave the upgraded CLI broken (#1900), by @liangmiQwQpackages/<name>#<uuid>prefix that is activated via metadata after npm succeeds, so an interrupted reinstall can no longer leave the active package unavailable (#1906), and stale interrupted-install directories are swept with file-lock protection for concurrent installs (#1945), by @liangmiQwQlazyPlugins(): skip plugin factories only while config metadata is being resolved instead of keying offVP_COMMAND, so builds spawned undervp run/vp execkeep the user's plugins andvp formatno longer loads them (#1939), by @fengmk2vp migrate(pnpm): add a directvitedevDep aliased to the core override wherevervite-plusis depended on, so vitest'svitepeer binds to@voidzero-dev/vite-plus-coreinstead of pulling in a second upstream vite that broke thevp testcache (#1933), by @fengmk2vp pack: bundle@tsdown/exeand@tsdown/cssinto core so--exeand CSS bundling work without a resolvable top-leveltsdown; the nativelightningcssbecomes an optional peer loaded lazily with an actionable error (#1919), by @fengmk2vp env: invalidate stale shim resolve cache entries when the project's Node.js version source changes (#1951), by @jong-kyungpackageManager/devEngines.packageManager, child processes spawned fromnoderesolve the managed npm instead of the Node-bundled one (#1938);vp env whichreports bins linked by an interceptednpm install -g(e.g.tsc) instead of "not found" (#1968); bins with uppercase names (e.g.vitePlus) dispatch correctly (#1963), by @liangmiQwQvp-setup: pass the configured npm registry to the inner pnpm install so setup works behind custom registries (#1795), by @daflyinbedengines.node >=20.0.0so engine-strict package managers (pnpm) no longer skip the optional native dependency and fail withCannot find native bindingwhen a consumer's Node floor lands in a product-policy gap (#1993), by @fengmk2vp create: rungit initwithout creating an initial commit, so commitlint-configured templates no longer reject the hardcoded message and template placeholders are not baked into history (#2008), by @forehalovp staged --debug: inline the bundled lint-staged version so debug logging no longer crashes reading apackage.jsonthat does not exist in the bundle (#1925), by @rokuosanHttpClient::get_bytes(the platform-tarball path forvp upgradeand the standalone installer) (#1940), and clean up the temp dir when a package-manager install fails instead of leaking.tmpXXXXdirectories (#1949), by @shulaodaenv.fishfallback path (#1954), by @Aalivexyinstall.ps1: detect the missing VC++ runtime (0xC0000135) and print VC++ Redistributable guidance instead of a generic failure; interactiveirm | iexinstalls keep the shell open (#1962), by @cheezonevp migrate: preserve comments, key order, and trailing commas in existing.vscode/.zedJSONC configs by patching the original text instead of re-serializing it (#1956), by @fengmk2vp info/vp view: use package-manager-native commands (pnpm view,bun info,yarn npm info) instead of routing every lookup throughnpm view(#1895), by @jong-kyungErrorConfigerror types across the codebase (#1934), by @liangmiQwQRefactor
vite_install: centralize Yarn v1/berry branching withis_yarn_berry(#1897), by @jong-kyungDocs
dependsOn: [{ task, from: "dependencies" }](#1992), by @wan9chi0.0.0-commit.<sha>npm versions, andvp migrateis the recommended way to upgrade a project or move it onto a preview build (#1965), by @fengmk2vp envhelp output (#1969), and add liangmiQwQ as a team member (#1911), by @liangmiQwQdependsOnguide link (#1883), by @jong-kyungChore
vite-plusversion so release-branch CI can pass before the new version is published (#2017), by @fengmk2VITE_PLUS_env var prefixes toVP_in the RFCs (#1984), by @liangmiQwQBundled Versions
8.1.2ba311931.1.46cbd2330.22.34.1.91.72.00.24.00.57.0Upgrade
New to Vite+? Start with the Beta announcement, then create a project with
vp createor bring an existing one over withvp migrate.New Contributors
Welcome to our new contributors @rokuosan, @Aalivexy, @cheezone, @daflyinbed, @forehalo, @kvnwolf! 🎉
Full Changelog: voidzero-dev/vite-plus@v0.2.1...v0.2.2
Published Packages
@voidzero-dev/vite-plus-core@0.2.2vite-plus@0.2.2Installation
macOS/Linux:
curl -fsSL https://vite.plus | bashWindows:
Or download and run
vp-setup.exefrom the assets below.Docker:
docker run --rm -it -v "$PWD:/app" -w /app ghcr.io/voidzero-dev/vite-plus:0.2.2 vp buildRun any
vpcommand without installing it; see the Docker guide for more.Configuration
📅 Schedule: (in timezone Asia/Shanghai)
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.