chore(deps): bump vite-plus to v0.1.24 #2
Conversation
Code Review
This pull request updates several dependencies, including @voidzero-dev/vite-plus-core and vite-plus, to use specific preview tarball URLs, while also updating oxfmt and oxc-project packages. Additionally, it restructures the pnpm workspace configuration by moving onlyBuiltDependencies from package.json to pnpm-workspace.yaml. Feedback on these changes highlights critical supply-chain security concerns in pnpm-workspace.yaml, specifically advising against reducing the global minimumReleaseAge to 60 minutes and disabling blockExoticSubdeps, as both modifications expose the repository to potential dependency-based vulnerabilities.
| - "packages/*" | ||
|
|
||
| minimumReleaseAge: 7200 | ||
| minimumReleaseAge: 60 |
Reducing the global minimumReleaseAge to 60 minutes (1 hour) severely weakens the supply-chain security of the repository for all other dependencies. Since you have already excluded the vite-plus stack and related packages using minimumReleaseAgeExclude, please keep the global minimumReleaseAge at its previous secure value of 7200 minutes (5 days).
minimumReleaseAge: 7200| minimumReleaseAge: 60 | ||
| trustPolicy: no-downgrade | ||
| blockExoticSubdeps: true | ||
| blockExoticSubdeps: false |
Changing blockExoticSubdeps to false allows transitive dependencies to be resolved from non-registry sources (like git, file, or tarball URLs), which is a known supply-chain attack vector. Since direct exotic dependencies (like the pkg.pr.new tarballs used here) are still allowed with blockExoticSubdeps: true, please keep this setting enabled for security.
blockExoticSubdeps: true|
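The two review comments above both ask for the same thing: keep the global `minimumReleaseAge` at 7200 minutes and keep `blockExoticSubdeps: true`, relying on `minimumReleaseAgeExclude` for the vite-plus stack. The script below is an added example (not code from this PR or from pnpm) of a CI guard that checks a `pnpm-workspace.yaml` against that policy, with the weakened configuration from this diff beside the corrected one. It parses only the flat YAML subset these settings use, so it needs no PyYAML. The policy thresholds, the `check_policy` / `parse_flat_yaml` names and the exact entries in the exclusion list are assumptions; the diff shows that an exclusion list exists but not its contents.

```python
"""Policy check for the pnpm-workspace.yaml settings discussed in this review.

Added example, not code from the PR or from pnpm. It understands only the flat
YAML subset these settings use (top-level `key: value` scalars and `- item`
block lists), so it needs no PyYAML and runs offline.
"""
from __future__ import annotations

# Policy values are assumptions for this example: the reviewer asked for the
# previous 7200-minute (5-day) minimumReleaseAge and blockExoticSubdeps: true;
# trustPolicy: no-downgrade is carried over from the unchanged line in the diff.
MIN_RELEASE_AGE_MINUTES = 7200
REQUIRED_SETTINGS = {"blockExoticSubdeps": True, "trustPolicy": "no-downgrade"}


def _scalar(token: str):
    """Convert a YAML scalar token to bool, int or str (quoted strings unquoted)."""
    token = token.strip().strip("'\"")
    if token.lower() == "true":
        return True
    if token.lower() == "false":
        return False
    if token.lstrip("-").isdigit():
        return int(token)
    return token


def parse_flat_yaml(text: str) -> dict:
    """Parse top-level scalars and simple block lists; rejects nested mappings.

    '#' starts a comment; quoted values containing '#' are not supported.
    """
    data: dict = {}
    list_key = None  # key whose block list we are currently filling
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if line.lstrip().startswith("- "):
            if list_key is None:
                raise ValueError(f"list item without a key: {raw!r}")
            data[list_key].append(_scalar(line.lstrip()[2:]))
            continue
        if line[0].isspace():
            raise ValueError(f"nested mapping not supported: {raw!r}")
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"not a key/value line: {raw!r}")
        key, value = key.strip(), value.strip()
        if value == "":  # `key:` followed by `- item` lines
            data[key] = []
            list_key = key
        else:
            data[key] = _scalar(value)
            list_key = None
    return data


def check_policy(text: str) -> list[str]:
    """Return the list of policy violations (empty list means the file passes)."""
    cfg = parse_flat_yaml(text)
    findings: list[str] = []
    age = cfg.get("minimumReleaseAge")
    # bool is a subclass of int, so reject it explicitly
    if isinstance(age, bool) or not isinstance(age, int) or age < MIN_RELEASE_AGE_MINUTES:
        findings.append(
            f"minimumReleaseAge is {age!r}; policy requires >= "
            f"{MIN_RELEASE_AGE_MINUTES} minutes"
        )
    for key, expected in REQUIRED_SETTINGS.items():
        if cfg.get(key) != expected:
            findings.append(f"{key} is {cfg.get(key)!r}; policy requires {expected!r}")
    excludes = cfg.get("minimumReleaseAgeExclude", [])
    if "*" in excludes:  # a wildcard exclusion would nullify the global delay
        findings.append("minimumReleaseAgeExclude contains '*', which disables the delay")
    return findings


# Constructed sample files. The exclusion entries are an assumption: the review
# says the vite-plus stack is excluded but the exact list is not in the diff.
WEAK_WORKSPACE = """\
packages:
  - "packages/*"
minimumReleaseAge: 60
minimumReleaseAgeExclude:
  - vite-plus
  - "@voidzero-dev/vite-plus-core"
  - "@voidzero-dev/vite-plus-test"
trustPolicy: no-downgrade
blockExoticSubdeps: false
"""

# The corrected file differs only in the two settings the reviewers flagged.
SECURE_WORKSPACE = WEAK_WORKSPACE.replace(
    "minimumReleaseAge: 60", "minimumReleaseAge: 7200"
).replace("blockExoticSubdeps: false", "blockExoticSubdeps: true")


if __name__ == "__main__":
    for name, text in (("weak", WEAK_WORKSPACE), ("secure", SECURE_WORKSPACE)):
        problems = check_policy(text)
        print(f"{name}: {'PASS' if not problems else 'FAIL'}")
        for problem in problems:
            print("  -", problem)
```

Run as a pre-merge step, the script fails the weakened file on both flagged settings and passes the corrected one; because the vite-plus packages sit in `minimumReleaseAgeExclude`, the prerelease builds still install without lowering the global delay for every other dependency.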
React Doctor found 3 files changed in this pull request, but none matched the files covered by its enabled checks. Generated by React Doctor. Questions? Contact founders@million.dev.
Summary
Bump vite-plus and related packages to the pkg.pr.new prerelease build for v0.1.24. Updated where applicable:

- vite-plus -> pkg.pr.new prerelease
- vite/vitest aliases and overrides -> @voidzero-dev/vite-plus-core / @voidzero-dev/vite-plus-test prerelease
- @voidzero-dev/vite-plus-* direct deps, overrides/resolutions/pnpm.overrides / catalogs
- minimum-release-age with vite-plus stack excluded (pnpm / npm / bun / yarn as applicable)
- pnpm.* package.json fields into pnpm-workspace.yaml where present

Test plan
vite-plus-> pkg.pr.new prereleasevite/vitestaliases and overrides ->@voidzero-dev/vite-plus-core/@voidzero-dev/vite-plus-testprerelease@voidzero-dev/vite-plus-*direct deps,overrides/resolutions/pnpm.overrides/ catalogsminimum-release-agewith vite-plus stack excluded (pnpm / npm / bun / yarn as applicable)pnpm.*package.json fields intopnpm-workspace.yamlwhere presentTest plan