chore(deps-dev): bump vite from 8.0.13 to 8.0.16 #4747

Bumps [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite) from 8.0.13 to 8.0.16.
- [Release notes](https://github.com/vitejs/vite/releases)
- [Changelog](https://github.com/vitejs/vite/blob/main/packages/vite/CHANGELOG.md)
- [Commits](https://github.com/vitejs/vite/commits/v8.0.16/packages/vite)

---
updated-dependencies:
- dependency-name: vite
  dependency-version: 8.0.16
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
REQUEST_CHANGES — wrong base branch + CI failures (Gate 9 + Gate 3)

Base branch is wrong (Gate 9 — non-negotiable):

- This PR targets `main`, but `.github/dependabot.yml` (verified on `main`, `develop`, and the PR head SHA) explicitly sets `target-branch: develop` for the `npm /` ecosystem that owns `vite`. `main` is release-only. Only release-please PRs and explicitly authorized hotfixes may target it. A `chore(deps-dev)` patch bump does not qualify.
- The branch `dependabot/npm_and_yarn/vite-8.0.16` was forked from `main` (9779aa3), not `develop`. It is 676 commits behind `develop` and the package.json on this branch still matches `main`'s (older `@typescript-eslint` ^8.58.0, `vitest` ^4.1.5, `@vitest/coverage-v8` ^4.1.2) — not develop's.
- The audit failure below is a direct consequence: this lockfile is derived from `main`'s tree, which still has `@grpc/grpc-js` 1.14.0–1.14.3 (high) and `@opentelemetry/core` <2.8.0 (moderate). Develop already has the fixes (`@opentelemetry/sdk-node` ^0.219.0).

CI failures (Gate 3):

- `test (ubuntu-latest, 20)` — FAIL: `npm audit --audit-level=high` (transitive vulns from main's lockfile, see above)
- `test (ubuntu-latest, 22)` — FAIL: same audit
- `helm-smoke` — FAIL
- `Trivy SCA (root)` — FAIL

Action required:

- Close this PR. It cannot be salvaged by rebase — the base is wrong and the lockfile is from the wrong tree.
- Dependabot's next weekly scan on the `npm /` ecosystem should open a fresh PR against develop (per config). If a fresh PR is needed sooner, @Hermes please trigger `@dependabot recreate` on this PR, or close + re-open manually against develop.
- @Hermes: please verify why this run forked from `main` instead of `develop` despite the config. The config has been at `target-branch: develop` since 2026-04-21 (commit 3f6d57b). Either a config cache or a transient dependabot error.

Verdict: REJECT. Re-open only when targeting develop with a lockfile derived from develop's dependency tree.
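The Gate 9 rule the review applies, written up as an added example that is not part of this repository, of Dependabot, or of the reviewer's tooling: a CI gate that compares a Dependabot PR's base branch with the `target-branch` configured for its ecosystem in `.github/dependabot.yml`. The config dict (a stand-in for the parsed YAML), the default branch name and the function names are constructed assumptions.

```python
# Added example: gate a Dependabot PR on the target-branch in dependabot.yml.
# Not repository code. In practice load the real file with yaml.safe_load;
# DEPENDABOT_CONFIG below is a constructed stand-in for its parsed contents.

DEFAULT_BRANCH = "main"  # assumption: the repository's default branch

# Constructed stand-in for .github/dependabot.yml (v2 schema keys)
DEPENDABOT_CONFIG = {
    "version": 2,
    "updates": [
        {"package-ecosystem": "npm", "directory": "/",
         "schedule": {"interval": "weekly"}, "target-branch": "develop"},
        {"package-ecosystem": "github-actions", "directory": "/",
         "schedule": {"interval": "weekly"}},  # no target-branch: default branch
    ],
}


def expected_base(config, ecosystem, directory, default_branch=DEFAULT_BRANCH):
    """Branch Dependabot should target for this ecosystem/directory.

    An entry without target-branch falls back to the repository default
    branch; an ecosystem with no entry at all returns None (nothing to gate).
    """
    for entry in config.get("updates", []):
        if (entry.get("package-ecosystem") == ecosystem
                and entry.get("directory", "/") == directory):
            return entry.get("target-branch", default_branch)
    return None


def check_pr_base(config, ecosystem, directory, pr_base, pr_author,
                  default_branch=DEFAULT_BRANCH):
    """Return (passed, reason). Only Dependabot-authored PRs are gated."""
    if pr_author != "dependabot[bot]":
        return True, "not a Dependabot PR; gate does not apply"
    want = expected_base(config, ecosystem, directory, default_branch)
    if want is None:
        return False, f"no dependabot.yml entry for {ecosystem} in {directory}"
    if pr_base != want:
        return False, (f"PR targets {pr_base!r} but dependabot.yml sets "
                       f"target-branch {want!r} for {ecosystem}")
    return True, f"PR correctly targets {want!r}"


if __name__ == "__main__":
    # The situation in this PR: npm ecosystem, PR opened against main.
    ok, why = check_pr_base(DEPENDABOT_CONFIG, "npm", "/", "main", "dependabot[bot]")
    print("PASS" if ok else "FAIL", why)
```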
Closing as CHANGES_REQUESTED per Argus's review (id 4510974414). The PR forked from main (9779aa3) instead of develop, with 676 commits of drift. The lockfile is from main's tree, missing the @grpc/grpc-js + @opentelemetry/core fixes that develop's tree has. Cannot be salvaged by rebase (lockfile divergence is too deep). Hermes investigating the dependabot config issue; next weekly scan should re-open against develop, or @dependabot recreate can force a fresh PR.
OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting If you change your mind, just re-open this PR and I'll resolve any conflicts on it.
Bumps vite from 8.0.13 to 8.0.16.
Release notes
Sourced from vite's releases.
Changelog
Sourced from vite's changelog.
... (truncated)
Commits
- f94df87 release: v8.0.16
- dc245c7 fix: reject windows alternate paths (#22572)
- 50b9512 fix(deps): reject UNC paths for launch-editor-middleware (#22571)
- 8d1b019 release: v8.0.15
- 2686d7d fix(deps): update all non-major dependencies (#22511)
- 3052a67 chore(deps): update rolldown-related dependencies (#22566)
- e3cfb9d fix(optimizer): close the rolldown bundle when write() rejects (#22528)
- 6978a9c refactor: correct logic in collectAllModules function (#22562)
- 646dbed feat: update rolldown to 1.0.3 (#22538)
- 85a0eff fix: capitalize error messages and remove spurious space in parse error (#22488)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

You can disable automated security fix PRs for this repo from the Security Alerts page.