
release: v0.1.22: Security Patch, Parallel Global Install & Scaffold Polish #1637

Merged: fengmk2 merged 6 commits into main from release/v0.1.22 on May 19, 2026
voidzero-guard Bot (Contributor) commented May 19, 2026

Release vite-plus v0.1.22.

A critical Vitest browser-mode security fix, parallel vp add -g installs, a built-in oxlint rule to prefer vite-plus imports, and a new --git switch for vp create.

Highlights

  • Security: bundled vitest bumped to 4.1.6 to address GHSA-2h32-95rg-cppp (Critical, CVSS 9.6), an XSS to RCE chain via the otelCarrier query parameter in Vitest browser mode (#1633)
  • Parallel global install: vp add/install/update -g now installs packages concurrently with a progress bar and a --concurrency flag (default 5) (#1597)
  • Prefer vite-plus imports: new bundled oxlint rule rewrites vite/vitest imports to vite-plus, enabled by default in generated and migrated lint configs (#1408)
  • Git init on scaffold: vp create learns --git/--no-git (interactive prompt; auto-commits "Initial commit from Vite+") (#1484)

Features

  • Spawn npm for global installation in parallel with a progress bar and a --concurrency option (#1597), by @liangmiQwQ
  • Add bundled oxlint rule to prefer vite-plus imports over vite/vitest (#1408), by @Han5991
  • vp create: initialize a git repository and create an initial commit on scaffold (#1484), by @ryohidaka
  • vp create: rename underscore-prefixed files (_gitignore, _npmrc, _yarnrc.yml) to dotfiles for @org/create bundled templates (#1574), by @jong-kyung
  • Add VP_PR_VERSION env var to install unreleased PR builds via pkg.pr.new (#1578), by @fengmk2

Fixes & Enhancements

  • Skip merging standalone .oxfmtrc/.oxlintrc config when the fmt:/lint: key is already declared in vite.config.ts (fixes duplicate-block regression in vp create fate) (#1601), by @fengmk2
  • Suppress the VITE+ - The Unified Toolchain for the Web banner for vp lint --lsp, vp fmt --lsp, and vp fmt --stdin-filepath so stdout stays a pure LSP / formatter stream (#1619), by @fengmk2
  • vp create: detect output directory when running in the current directory (#1606), by @jong-kyung
  • vp update -g: skip installs when the recorded global package version already matches the npm-resolved version, and tolerate string/array outputs from npm view ... version --json (#1596), by @leno23
  • vp create: preserve single-segment project path in updateWorkspaceConfig (#1582), by @jong-kyung
  • vp env use: keep the change session-scoped on Windows (#1577), by @fengmk2
  • vp rebuild: accept positional package names (#1564), by @fengmk2
  • Adopt the new vite-task error formatter; errors now print as error: <top-level> plus * <source> chain lines, with bold-red highlight on a TTY (vite-task#390), by @branchseer
  • vite-task: forward LOCALAPPDATA so Node's compile cache stays outside the workspace on Windows (vite-task#389), by @branchseer
  • Bump vite-task to c945cc0 (#1628), by @branchseer

Refactor

Docs

  • Add vitepress-plugin-llms to the docs site so the published docs include LLM-friendly outputs (/llms.txt) (#1625), by @jong-kyung
  • Refresh home stats for oxlint, vite, and vitest (#1512), by @nozomee
  • Mention vp env doctor in agent instructions (#1603), by @leno23

Chore

  • Consolidate the upstream build chain into a single pnpm build script (justfile recipe now just calls pnpm build) (#1626), by @fengmk2
  • Fix bootstrap-cli on Windows (#1583), by @fengmk2
  • Refresh trusted stack stats (#1573, #1616), by @voidzero-guard[bot]
  • Update GitHub Actions (#1611, #1612), by @renovate[bot]
  • Address zizmor findings in composite actions and the release workflow; drop unused actions-cool/issues-helper (#1630), by @Boshen
  • Switch plain checkouts to taiki-e/checkout-action (#1620), by @Boshen
  • Switch release to a version-bump PR + push trigger flow (#1575), by @Boshen
  • Gate release publish on environment approval with a Discord notice (#1571), by @Boshen
  • Enable cargo clippy with -D warnings (#1579), by @Boshen
  • Drop unused setup-node from the version-check job (#1600), by @fengmk2
  • Add Void deploy workflows for the docs site (#1590), by @fengmk2
  • Add --help case to config snap tests for npm10/yarn1/yarn4 (#1585), by @jong-kyung
  • Add --help case to publish snap tests for npm10/yarn1/yarn4 (#1584), by @jong-kyung
  • Verify .gitignore and .yarnrc.yml in the new-vite-monorepo snap (#1576), by @jong-kyung
  • vite-task: bump pnpm to 11.1.2 (vite-task#383), by @branchseer
  • vite-task: update lint-staged to v17 (vite-task#385), by @renovate[bot]

Bundled Versions

Tool             Version  Source
vite             8.0.11   66f3194
rolldown         1.0.0    ac5c710
tsdown           0.22.0   npm
vitest           4.1.6    npm
oxlint           1.63.0   npm
oxlint-tsgolint  0.22.1   npm
oxfmt            0.48.0   npm

New Contributors

Welcome to all new contributors! 🎉

@nozomee, @ryohidaka, @leno23

Full Changelog: v0.1.21...v0.1.22


Merging this PR will trigger the release workflow.

netlify Bot commented May 19, 2026

Deploy Preview for viteplus-preview canceled.

Name Link
🔨 Latest commit 373a1a6
🔍 Latest deploy log https://app.netlify.com/projects/viteplus-preview/deploys/6a0c92661d12a70008c6c5b1

@fengmk2 fengmk2 requested a review from Boshen May 19, 2026 15:38
@fengmk2 fengmk2 changed the title release: v0.1.22 release: v0.1.22 — Security Patch, Parallel Global Install & Scaffold Polish May 19, 2026
@fengmk2 fengmk2 changed the title release: v0.1.22 — Security Patch, Parallel Global Install & Scaffold Polish release: v0.1.22: Security Patch, Parallel Global Install & Scaffold Polish May 19, 2026
NAPI bakes the package.json version into binding/index.cjs version
checks. The prepare_release workflow bumps package.json but does not
regenerate this file, so the CI build's regeneration step produces a
diff that the post-build no-unexpected-changes guard rejects.
pkg-pr-new Bot commented May 19, 2026

vite-plus

npm i https://pkg.pr.new/voidzero-dev/vite-plus@1637

@voidzero-dev/vite-plus-core

npm i https://pkg.pr.new/voidzero-dev/vite-plus/@voidzero-dev/vite-plus-core@1637

@voidzero-dev/vite-plus-prompts

npm i https://pkg.pr.new/voidzero-dev/vite-plus/@voidzero-dev/vite-plus-prompts@1637

@voidzero-dev/vite-plus-test

npm i https://pkg.pr.new/voidzero-dev/vite-plus/@voidzero-dev/vite-plus-test@1637

@voidzero-dev/vite-plus-cli-darwin-arm64

npm i https://pkg.pr.new/voidzero-dev/vite-plus/@voidzero-dev/vite-plus-cli-darwin-arm64@1637

@voidzero-dev/vite-plus-cli-darwin-x64

npm i https://pkg.pr.new/voidzero-dev/vite-plus/@voidzero-dev/vite-plus-cli-darwin-x64@1637

@voidzero-dev/vite-plus-cli-linux-arm64-gnu

npm i https://pkg.pr.new/voidzero-dev/vite-plus/@voidzero-dev/vite-plus-cli-linux-arm64-gnu@1637

@voidzero-dev/vite-plus-cli-linux-arm64-musl

npm i https://pkg.pr.new/voidzero-dev/vite-plus/@voidzero-dev/vite-plus-cli-linux-arm64-musl@1637

@voidzero-dev/vite-plus-cli-linux-x64-gnu

npm i https://pkg.pr.new/voidzero-dev/vite-plus/@voidzero-dev/vite-plus-cli-linux-x64-gnu@1637

@voidzero-dev/vite-plus-cli-linux-x64-musl

npm i https://pkg.pr.new/voidzero-dev/vite-plus/@voidzero-dev/vite-plus-cli-linux-x64-musl@1637

@voidzero-dev/vite-plus-cli-win32-arm64-msvc

npm i https://pkg.pr.new/voidzero-dev/vite-plus/@voidzero-dev/vite-plus-cli-win32-arm64-msvc@1637

@voidzero-dev/vite-plus-cli-win32-x64-msvc

npm i https://pkg.pr.new/voidzero-dev/vite-plus/@voidzero-dev/vite-plus-cli-win32-x64-msvc@1637

@voidzero-dev/vite-plus-darwin-arm64

npm i https://pkg.pr.new/voidzero-dev/vite-plus/@voidzero-dev/vite-plus-darwin-arm64@1637

@voidzero-dev/vite-plus-darwin-x64

npm i https://pkg.pr.new/voidzero-dev/vite-plus/@voidzero-dev/vite-plus-darwin-x64@1637

@voidzero-dev/vite-plus-linux-arm64-gnu

npm i https://pkg.pr.new/voidzero-dev/vite-plus/@voidzero-dev/vite-plus-linux-arm64-gnu@1637

@voidzero-dev/vite-plus-linux-arm64-musl

npm i https://pkg.pr.new/voidzero-dev/vite-plus/@voidzero-dev/vite-plus-linux-arm64-musl@1637

@voidzero-dev/vite-plus-linux-x64-gnu

npm i https://pkg.pr.new/voidzero-dev/vite-plus/@voidzero-dev/vite-plus-linux-x64-gnu@1637

@voidzero-dev/vite-plus-linux-x64-musl

npm i https://pkg.pr.new/voidzero-dev/vite-plus/@voidzero-dev/vite-plus-linux-x64-musl@1637

@voidzero-dev/vite-plus-win32-arm64-msvc

npm i https://pkg.pr.new/voidzero-dev/vite-plus/@voidzero-dev/vite-plus-win32-arm64-msvc@1637

@voidzero-dev/vite-plus-win32-x64-msvc

npm i https://pkg.pr.new/voidzero-dev/vite-plus/@voidzero-dev/vite-plus-win32-x64-msvc@1637

commit: 5cda47d

@fengmk2 fengmk2 added test: e2e Auto run e2e tests test: install-e2e run vite install e2e test test: create-e2e Run `vp create` e2e tests labels May 19, 2026
fengmk2 added 4 commits May 20, 2026 00:29
The e2e-test and test-vp-create workflows referenced
tmp/tgz/vite-plus-0.0.0.tgz (and the voidzero-dev-vite-plus-{core,test}
variants) by literal name. On main this works because package.json has
version 0.0.0, but on release branches (e.g. release/v0.1.22) the
prepare_release workflow bumps the version, so pnpm pack emits
vite-plus-0.1.22.tgz and the install step fails with
"tgz file not found".

Resolve each tgz via shell glob and lift VP_VERSION / VP_OVERRIDE_PACKAGES
into a step that writes the file: URLs to GITHUB_ENV. Also read the
expected installed version from packages/cli/package.json so the
"Verify local tgz packages installed" check stays in sync.
- Drop the shell-var → env-var → process.env round-trip in the
  "Verify local tgz packages installed" step; the node script can
  require() the cli package.json directly.
- Anchor tgz globs to -[0-9]*.tgz so the vite-plus-*.tgz pattern
  cannot accidentally match a future sibling package without a
  version suffix.
- Quote $GITHUB_WORKSPACE expansions.
…rdcoding 0.0.0

Both ecosystem-ci helpers hardcoded 0.0.0 in the tgz paths and the
expected installed version. On a release branch (e.g. release/v0.1.22)
those paths and that version mismatch the freshly packed artifacts, so
the second `vp install` in the ecosystem job fails with ENOENT on
vite-plus-0.0.0.tgz.

Resolve the version once from packages/cli/package.json in each script.
Replaces the readFile + JSON.parse + fileURLToPath path-resolution
dance with `import cliPkg from '../packages/cli/package.json' with
{ type: 'json' }`, matching the existing `repo.json` import pattern
in the same file. Drops three unused imports across both files and
removes the top-level await in patch-project.ts.
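
The version-anchored tgz lookup described in the commit messages above, as an added example that is not the project's workflow code: the helper names resolve_tgz and make_sample_dir and the sibling package vite-plus-extras are constructed for illustration. It resolves exactly one packed artifact per package name and refuses a missing or ambiguous match instead of installing whatever a loose glob happens to find.

```shell
#!/bin/sh
# Added example; resolve_tgz and make_sample_dir are hypothetical helper names.

# resolve_tgz DIR NAME: print the file: URL of the single NAME-<version>.tgz in DIR.
resolve_tgz() {
  dir=$1
  name=$2
  # Anchor on "-<digit>" so a loose NAME-*.tgz cannot pick up a sibling package.
  set -- "$dir"/"$name"-[0-9]*.tgz
  # An unmatched glob stays literal in POSIX sh, so also check the file exists.
  if [ "$#" -ne 1 ] || [ ! -f "$1" ]; then
    echo "error: expected exactly one $name-<version>.tgz in $dir, found: $*" >&2
    return 1
  fi
  printf 'file:%s\n' "$1"
}

# Constructed sample: artifacts as packed on a release branch, plus a sibling
# package (vite-plus-extras, invented here) that vite-plus-*.tgz would also match.
make_sample_dir() {
  d=$(mktemp -d)
  : > "$d/vite-plus-0.1.22.tgz"
  : > "$d/vite-plus-extras-0.1.22.tgz"
  : > "$d/voidzero-dev-vite-plus-core-0.1.22.tgz"
  printf '%s\n' "$d"
}

sample=$(make_sample_dir)
resolve_tgz "$sample" vite-plus
resolve_tgz "$sample" voidzero-dev-vite-plus-core
# No test tgz was packed in the sample, so this lookup must fail loudly.
resolve_tgz "$sample" voidzero-dev-vite-plus-test || echo "missing tgz rejected"
rm -rf "$sample"
```

A stale artifact from an earlier pack (for example a leftover 0.0.0 tgz next to the release one) makes the match ambiguous and is rejected the same way.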
fengmk2 (Member) commented May 19, 2026

CI fails, follow here: #1638

@fengmk2 fengmk2 merged commit 12368da into main May 19, 2026
153 of 156 checks passed
@fengmk2 fengmk2 deleted the release/v0.1.22 branch May 19, 2026 17:05