chore(deps): bump vite-plus to PR #1633 (pkg-pr-new)#4
Conversation
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request updates the pnpm-workspace.yaml file to use specific PR preview packages from pkg.pr.new for vite, vitest, and vite-plus, while also excluding these packages from the minimum release age requirement. A security concern was raised regarding the global disabling of blockExoticSubdeps, with a recommendation to use allowedExoticSubdeps to explicitly permit only the trusted preview sources instead.
| esbuild: true | ||
| keytar: false | ||
| blockExoticSubdeps: true | ||
| blockExoticSubdeps: false |
There was a problem hiding this comment.
Disabling blockExoticSubdeps globally is a security risk as it allows any dependency in the tree to pull in code from non-registry sources (like arbitrary URLs). It is recommended to keep this enabled and use allowedExoticSubdeps to explicitly permit only the trusted PR packages from pkg.pr.new.
blockExoticSubdeps: true
allowedExoticSubdeps:
- vite-plus
- '@voidzero-dev/*'1 participant
Summary
Bump
vite-plusand related@voidzero-dev/*packages to the pkg-pr-new prerelease for vite-plus PR #1633.Updated where applicable:
vite-plus→https://pkg.pr.new/voidzero-dev/vite-plus@1633vitealias →@voidzero-dev/vite-plus-corepkg-pr-new URLvitestalias →@voidzero-dev/vite-plus-testpkg-pr-new URLoverrides/resolutions/pnpm.overrides/pnpm-workspace.yamlcatalogsAlso configured
minimum-release-agewith vite-plus /@voidzero-dev/*excluded for pnpm / bun / npm.Test plan