chore(deps): bump vite-plus to PR #1633 (pkg-pr-new)#19
Conversation
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request updates several dependencies to use specific commit hashes from pkg.pr.new for vite-plus and vitest to ensure lockfile stability and proper deduplication. It also adds a minimum-release-age configuration to pnpm-workspace.yaml. The reviewer recommends using specific commit hashes instead of PR numbers for all vite-plus related dependencies to avoid duplicate entries in the lockfile and suggests moving the minimum-release-age configuration to a .npmrc file to ensure the setting is correctly applied across different package managers.
| "virtua": "0.48.8", | ||
| "vite-plugin-pwa": "1.3.0", | ||
| "vite-plus": "0.1.20", | ||
| "vite-plus": "https://pkg.pr.new/voidzero-dev/vite-plus@1633", |
There was a problem hiding this comment.
Using the PR number (@1633) in the pkg-pr-new URL can lead to duplicate package entries in the lockfile. This occurs because internal workspace dependencies within the vite-plus PR build are typically resolved using the specific commit hash. To ensure proper deduplication and lockfile stability, consider using the specific commit hash (428629ad4076431fdbeb332ba7c91935e32f92f6) instead of the PR number.
| "vite-plus": "https://pkg.pr.new/voidzero-dev/vite-plus@1633", | |
| "vite-plus": "https://pkg.pr.new/voidzero-dev/vite-plus@428629ad4076431fdbeb332ba7c91935e32f92f6", |
| "typescript": "6.0.2", | ||
| "unplugin-vue-markdown": "30.0.0", | ||
| "vitest": "npm:@voidzero-dev/vite-plus-test@0.1.20", | ||
| "vitest": "https://pkg.pr.new/voidzero-dev/vite-plus/@voidzero-dev/vite-plus-test@1633", |
There was a problem hiding this comment.
Similar to the vite-plus dependency, using the commit hash here will help pnpm deduplicate this package with the internal dependencies of other vite-plus components that are already pointing to the commit-specific build in the lockfile.
| "vitest": "https://pkg.pr.new/voidzero-dev/vite-plus/@voidzero-dev/vite-plus-test@1633", | |
| "vitest": "https://pkg.pr.new/voidzero-dev/vite-plus/@voidzero-dev/vite-plus-test@428629ad4076431fdbeb332ba7c91935e32f92f6", |
| vite: https://pkg.pr.new/voidzero-dev/vite-plus/@voidzero-dev/vite-plus-core@1633 | ||
| vitest: https://pkg.pr.new/voidzero-dev/vite-plus/@voidzero-dev/vite-plus-test@1633 |
There was a problem hiding this comment.
Consider using the specific commit hash for these overrides to maintain consistency with the internal dependency resolution of the vite-plus PR builds and avoid duplicate entries in the lockfile.
vite: https://pkg.pr.new/voidzero-dev/vite-plus/@voidzero-dev/vite-plus-core@428629ad4076431fdbeb332ba7c91935e32f92f6
vitest: https://pkg.pr.new/voidzero-dev/vite-plus/@voidzero-dev/vite-plus-test@428629ad4076431fdbeb332ba7c91935e32f92f6| minimumReleaseAge: 4320 | ||
| minimumReleaseAgeExclude: | ||
| - vite-plus | ||
| - '@voidzero-dev/*' |
There was a problem hiding this comment.
The minimum-release-age setting is a pnpm-specific feature typically configured in .npmrc. While pnpm 9+ supports some configuration in pnpm-workspace.yaml, other tools like npm and bun (mentioned in the PR description) will not recognize this file for configuration. To ensure this security setting is applied across all package managers, it should be moved to a .npmrc file using the standard kebab-case format: minimum-release-age=4320.
e18e dependency analysisNo dependency warnings found. |
1 participant
Summary
Bump
vite-plusand related@voidzero-dev/*packages to the pkg-pr-new prerelease for vite-plus PR #1633.Updated where applicable:
vite-plus→https://pkg.pr.new/voidzero-dev/vite-plus@1633vitealias →@voidzero-dev/vite-plus-corepkg-pr-new URLvitestalias →@voidzero-dev/vite-plus-testpkg-pr-new URLoverrides/resolutions/pnpm.overrides/pnpm-workspace.yamlcatalogsAlso configured
minimum-release-agewith vite-plus /@voidzero-dev/*excluded for pnpm / bun / npm.Test plan