chore(deps): update github actions (major)#1612
Merged
Merged
Conversation
✅ Deploy Preview for viteplus-preview ready!
To edit notification comments on pull requests, go to your Netlify project configuration. |
renovate
Bot
force-pushed
the
renovate/major-github-actions
branch
from
6bd786a to
113e0e9
Compare
Member
|
@claude[agent] keep |
Agent-Logs-Url: https://github.com/voidzero-dev/vite-plus/sessions/3c71ac81-b84a-40c0-a795-270f2d2fa329 Co-authored-by: Brooooooklyn <3468483+Brooooooklyn@users.noreply.github.com>
Contributor
Done in d9ad904 |
Brooooooklyn
approved these changes
May 18, 2026
Contributor
Author
Edited/Blocked NotificationRenovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR. You can manually request rebase by checking the rebase/retry box above. |
fengmk2
approved these changes
May 18, 2026
fengmk2
added a commit
that referenced
this pull request
May 19, 2026
Release vite-plus v0.1.22: Security Patch, Parallel Global Install & Scaffold Polish A critical Vitest browser-mode security fix, parallel `vp add -g` installs, a built-in oxlint rule to prefer `vite-plus` imports, and a new `--git` switch for `vp create`. ### Highlights - **Security**: bundled `vitest` bumped to `4.1.6` to address [GHSA-2h32-95rg-cppp](GHSA-2h32-95rg-cppp) (Critical, CVSS 9.6), an XSS to RCE chain via the `otelCarrier` query parameter in Vitest browser mode ([#1633](#1633)) - **Parallel global install**: `vp add/install/update -g` now installs packages concurrently with a progress bar and a `--concurrency` flag (default 5) ([#1597](#1597)) - **Prefer vite-plus imports**: new bundled oxlint rule rewrites `vite`/`vitest` imports to `vite-plus`, enabled by default in generated and migrated `lint` configs ([#1408](#1408)) - **Git init on scaffold**: `vp create` learns `--git`/`--no-git` (interactive prompt; auto-commits "Initial commit from Vite+") ([#1484](#1484)) ### Features - Spawn npm for global installation in parallel with a progress bar and a `--concurrency` option ([#1597](#1597)), by @liangmiQwQ - Add bundled oxlint rule to prefer `vite-plus` imports over `vite`/`vitest` ([#1408](#1408)), by @Han5991 - `vp create`: initialize a git repository and create an initial commit on scaffold ([#1484](#1484)), by @ryohidaka - `vp create`: rename underscore-prefixed files (`_gitignore`, `_npmrc`, `_yarnrc.yml`) to dotfiles for `@org/create` bundled templates ([#1574](#1574)), by @jong-kyung - Add `VP_PR_VERSION` env var to install unreleased PR builds via pkg.pr.new ([#1578](#1578)), by @fengmk2 ### Fixes & Enhancements - Skip merging standalone `.oxfmtrc`/`.oxlintrc` config when the `fmt:`/`lint:` key is already declared in `vite.config.ts` (fixes duplicate-block regression in `vp create fate`) ([#1601](#1601)), by @fengmk2 - Suppress the `VITE+ - The Unified Toolchain for the Web` banner for `vp lint --lsp`, `vp fmt --lsp`, and `vp fmt --stdin-filepath` so stdout stays a pure LSP / formatter stream ([#1619](#1619)), by @fengmk2 - `vp create`: detect output directory when running in the current directory ([#1606](#1606)), by @jong-kyung - `vp update -g`: skip installs when the recorded global package version already matches the npm-resolved version, and tolerate string/array outputs from `npm view ... version --json` ([#1596](#1596)), by @leno23 - `vp create`: preserve single-segment project path in `updateWorkspaceConfig` ([#1582](#1582)), by @jong-kyung - `vp env use`: keep the change session-scoped on Windows ([#1577](#1577)), by @fengmk2 - `vp rebuild`: accept positional package names ([#1564](#1564)), by @fengmk2 - Adopt the new vite-task error formatter; errors now print as `error: <top-level>` plus `* <source>` chain lines, with bold-red highlight on a TTY ([vite-task#390](voidzero-dev/vite-task#390)), by @branchseer - vite-task: forward `LOCALAPPDATA` so Node's compile cache stays outside the workspace on Windows ([vite-task#389](voidzero-dev/vite-task#389)), by @branchseer - Bump vite-task to `c945cc0` ([#1628](#1628)), by @branchseer ### Refactor - Revert `vp pm plugin` command (per discussion in #1038) ([#1623](#1623)), by @jong-kyung ### Docs - Add `vitepress-plugin-llms` to the docs site so the published docs include LLM-friendly outputs (`/llms.txt`) ([#1625](#1625)), by @jong-kyung - Refresh home stats for oxlint, vite, and vitest ([#1512](#1512)), by @nozomee - Mention `vp env doctor` in agent instructions ([#1603](#1603)), by @leno23 ### Chore - Consolidate the upstream build chain into a single `pnpm build` script (justfile recipe now just calls `pnpm build`) ([#1626](#1626)), by @fengmk2 - Fix bootstrap-cli on Windows ([#1583](#1583)), by @fengmk2 - Refresh trusted stack stats ([#1573](#1573), [#1616](#1616)), by @voidzero-guard[bot] - Update GitHub Actions ([#1611](#1611), [#1612](#1612)), by @renovate[bot] - Address zizmor findings in composite actions and the release workflow; drop unused `actions-cool/issues-helper` ([#1630](#1630)), by @Boshen - Switch plain checkouts to `taiki-e/checkout-action` ([#1620](#1620)), by @Boshen - Switch release to a version-bump PR + push trigger flow ([#1575](#1575)), by @Boshen - Gate release publish on environment approval with a Discord notice ([#1571](#1571)), by @Boshen - Enable `cargo clippy` with `-D warnings` ([#1579](#1579)), by @Boshen - Drop unused `setup-node` from the version-check job ([#1600](#1600)), by @fengmk2 - Add Void deploy workflows for the docs site ([#1590](#1590)), by @fengmk2 - Add `--help` case to config snap tests for npm10/yarn1/yarn4 ([#1585](#1585)), by @jong-kyung - Add `--help` case to publish snap tests for npm10/yarn1/yarn4 ([#1584](#1584)), by @jong-kyung - Verify `.gitignore` and `.yarnrc.yml` in the new-vite-monorepo snap ([#1576](#1576)), by @jong-kyung - vite-task: bump pnpm to `11.1.2` ([vite-task#383](voidzero-dev/vite-task#383)), by @branchseer - vite-task: update lint-staged to v17 ([vite-task#385](voidzero-dev/vite-task#385)), by @renovate[bot] ### Bundled Versions | Tool | Version | Source | | --- | --- | --- | | vite | `8.0.11` | [`66f3194`](vitejs/vite@66f3194) | | rolldown | `1.0.0` | [`ac5c710`](rolldown/rolldown@ac5c710) | | tsdown | `0.22.0` | [npm](https://npmx.dev/package/tsdown/v/0.22.0) | | vitest | `4.1.6` | [npm](https://npmx.dev/package/vitest/v/4.1.6) | | oxlint | `1.63.0` | [npm](https://npmx.dev/package/oxlint/v/1.63.0) | | oxlint-tsgolint | `0.22.1` | [npm](https://npmx.dev/package/oxlint-tsgolint/v/0.22.1) | | oxfmt | `0.48.0` | [npm](https://npmx.dev/package/oxfmt/v/0.48.0) | ### New Contributors Welcome to all new contributors! 🎉 @nozomee, @ryohidaka, @leno23 **Full Changelog**: v0.1.21...v0.1.22 --- Merging this PR will trigger the release workflow. --------- Co-authored-by: voidzero-guard[bot] <278573678+voidzero-guard[bot]@users.noreply.github.com> Co-authored-by: MK <fengmk2@gmail.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
v4.3.0→v8.0.122-alpine3.21→25-alpine3.21v5.0.0→v6.0.8v4.4.0→v6.0.8Release Notes
actions/download-artifact (actions/download-artifact)
v8.0.1Compare Source
What's Changed
Full Changelog: actions/download-artifact@v8...v8.0.1
v8.0.0Compare Source
v8 - What's new
Direct downloads
To support direct uploads in
actions/upload-artifact, the action will no longer attempt to unzip all downloaded files. Instead, the action checks theContent-Typeheader ahead of unzipping and skips non-zipped files. Callers wishing to download a zipped file as-is can also set the newskip-decompressparameter tofalse.Enforced checks (breaking)
A previous release introduced digest checks on the download. If a download hash didn't match the expected hash from the server, the action would log a warning. Callers can now configure the behavior on mismatch with the
digest-mismatchparameter. To be secure by default, we are now defaulting the behavior toerrorwhich will fail the workflow run.ESM
To support new versions of the @actions/* packages, we've upgraded the package to ESM.
What's Changed
errorby @danwkennedy in #461Full Changelog: actions/download-artifact@v7...v8.0.0
v7.0.0Compare Source
v7 - What's new
Node.js 24
This release updates the runtime to Node.js 24. v6 had preliminary support for Node 24, however this action was by default still running on Node.js 20. Now this action by default will run on Node.js 24.
What's Changed
New Contributors
Full Changelog: actions/download-artifact@v6.0.0...v7.0.0
v6.0.0Compare Source
What's Changed
BREAKING CHANGE: this update supports Node
v24.x. This is not a breaking change per-se but we're treating it as such.@actions/artifacttov4.0.0v6.0.0by @danwkennedy in #438New Contributors
Full Changelog: actions/download-artifact@v5...v6.0.0
v5.0.0Compare Source
What's Changed
v5.0.0
🚨 Breaking Change
This release fixes an inconsistency in path behavior for single artifact downloads by ID. If you're downloading single artifacts by ID, the output path may change.
What Changed
Previously, single artifact downloads behaved differently depending on how you specified the artifact:
name: my-artifact→ extracted topath/(direct)artifact-ids: 12345→ extracted topath/my-artifact/(nested)Now both methods are consistent:
name: my-artifact→ extracted topath/(unchanged)artifact-ids: 12345→ extracted topath/(fixed - now direct)Migration Guide
✅ No Action Needed If:
merge-multiple: trueas a workaroundYou download single artifacts by ID and your workflows expect the nested directory structure.
Before v5 (nested structure):
To maintain old behavior (if needed):
New Contributors
Full Changelog: actions/download-artifact@v4...v5.0.0
nodejs/node (node)
v25Moved to doc/changelogs/CHANGELOG_V012.md#0.12.8.
v24Moved to doc/changelogs/CHANGELOG_IOJS.md#2.1.0.
v23Moved to doc/changelogs/CHANGELOG_V6.md#6.1.0.
pnpm/action-setup (pnpm/action-setup)
v6.0.8Compare Source
v6.0.7Compare Source
v6.0.6Compare Source
What's Changed
Full Changelog: pnpm/action-setup@v6.0.5...v6.0.6
v6.0.5Compare Source
What's Changed
Full Changelog: pnpm/action-setup@v6.0.4...v6.0.5
v6.0.4Compare Source
What's Changed
New Contributors
Full Changelog: pnpm/action-setup@v6.0.3...v6.0.4
v6.0.3Compare Source
Updated pnpm to v11.0.0-rc.5
Full Changelog: pnpm/action-setup@v6.0.2...v6.0.3
v6.0.2Compare Source
What's Changed
New Contributors
Full Changelog: pnpm/action-setup@v6.0.1...v6.0.2
v6.0.1Compare Source
Update pnpm to v11.0.0-rc.2.
pnpm-lock.yamlwill not be saved with two documents unless thepackageManageris set viadevEngines.packageManager. Related issue: #228v6.0.0Compare Source
Configuration
📅 Schedule: (in timezone Asia/Shanghai)
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.
This PR was generated by Mend Renovate. View the repository job log.