Skip to content

feat(deps): upgrade upstream dependencies#2199

Open
voidzero-guard[bot] wants to merge 1 commit into
mainfrom
deps/upstream-update
Open

feat(deps): upgrade upstream dependencies#2199
voidzero-guard[bot] wants to merge 1 commit into
mainfrom
deps/upstream-update

Conversation

@voidzero-guard

Copy link
Copy Markdown
Contributor

Summary

  • Automated upgrade of upstream dependencies, headlined by rolldown v1.2.0 and vite v8.1.5.
  • Bumps the tsdown toolchain (0.22.7 -> 0.22.9) and the oxc stack (0.139.0 -> 0.140.0, oxc_resolver 11.23.0 -> 11.24.2, oxfmt 0.59.0, oxlint-tsgolint 0.25.0).
  • Required code adjustments: reworked tsdown CSS-plugin wiring in packages/core/build.ts, regenerated NAPI bindings for rolldown v1.2.0, and refreshed clap help snapshots.
  • oxlint is intentionally held at 1.73.0: @oxlint/migrate@1.74.0 is not published yet and bumping ahead of it would break vp migrate.

Dependency updates

Package From To
rolldown f09947a v1.2.0 (03e1e34)
vite a477454 v8.1.5 (5e7fe12)
tsdown 0.22.7 0.22.9
@tsdown/css 0.22.7 0.22.9
@tsdown/exe 0.22.7 0.22.9
oxfmt 0.58.0 0.59.0
oxlint-tsgolint 0.24.0 0.25.0
@oxc-project/runtime 0.139.0 0.140.0
@oxc-project/types 0.139.0 0.140.0
oxc-minify 0.139.0 0.140.0
oxc-parser 0.139.0 0.140.0
oxc-transform 0.139.0 0.140.0
oxc (Rust crates) 0.139.0 0.140.0
oxc_resolver 11.23.0 11.24.2
@vitejs/devtools 0.4.0 0.4.1
@napi-rs/cli 3.7.2 3.7.3
rolldown-plugin-dts 0.26.0 0.27.0
itertools 0.14.0 0.15.0
phf 0.13.0 0.14.0
sugar_path 2.0.1 3
Held / unchanged dependencies
  • oxlint: held at 1.73.0 (baseline proposed 1.74.0; @oxlint/migrate@1.74.0 not yet published — bumping breaks vp migrate)
  • vitest and all @vitest/*: 4.1.10
  • lightningcss: ^1.32.0
  • @oxc-node/cli: 0.1.0
  • @oxc-node/core: 0.1.0
  • VITEST_VERSION constant: 4.1.10
  • README vitest pins: 4.1.10

Code changes

  • packages/core/build.ts: reworked the tsdown CSS-plugin wiring so it also detects the bundled @tsdown/css chunk. Newer tsdown emits const { CssPlugin } = await import("@tsdown/css"), which rolldown bundles/dedups into a hashed local chunk rather than leaving a bare specifier to rewrite; added a regex match and updated the miss-detection error message.
  • packages/cli/binding/index.d.cts: regenerated NAPI bindings for rolldown v1.2.0 — new registerClient/notifyPayloadDelivered dev-engine methods (replacing invalidate/registerModules), BindingLazyChunkOutput, HMR envelope changedIds/seq fields, a BindingRebuildStrategy enum change, and removal of BindingHmrBoundaryOutput and preliminarySourcemapFilename.
  • crates/vite_cli_snapshots/.../cli_helper_message.md, command_owner_pnpm10.md, command_owner_pnpm11.md, command_pm_stage_pnpm11.md: refreshed clap help snapshots for the new alias rendering (list, lslist [alias: ls]).
  • pnpm-workspace.yaml: removed the postcss-modules override and postcss-modules@9.0.0 patch entry (vite no longer patches it), added a @jridgewell/trace-mapping catalog entry, and pinned oxlint to 1.73.0 with an explanatory comment.

Build status

  • sync-remote-and-build: failure
  • build-upstream: failure

- rolldown: f09947a -> v1.2.0 (03e1e34)
- vite: a477454 -> v8.1.5 (5e7fe12)
- tsdown: 0.22.7 -> 0.22.9
- @tsdown/css: 0.22.7 -> 0.22.9
- @tsdown/exe: 0.22.7 -> 0.22.9
- oxfmt: 0.58.0 -> 0.59.0
- oxlint-tsgolint: 0.24.0 -> 0.25.0
- @oxc-project/runtime: 0.139.0 -> 0.140.0
- @oxc-project/types: 0.139.0 -> 0.140.0
- oxc-minify: 0.139.0 -> 0.140.0
- oxc-parser: 0.139.0 -> 0.140.0
- oxc-transform: 0.139.0 -> 0.140.0
- oxc (Rust crates): 0.139.0 -> 0.140.0
- oxc_resolver: 11.23.0 -> 11.24.2
- @vitejs/devtools: 0.4.0 -> 0.4.1
- @napi-rs/cli: 3.7.2 -> 3.7.3
- rolldown-plugin-dts: 0.26.0 -> 0.27.0
- itertools: 0.14.0 -> 0.15.0
- phf: 0.13.0 -> 0.14.0
- sugar_path: 2.0.1 -> 3

Note: oxlint held at 1.73.0 (not bumped to 1.74.0); `@oxlint/migrate@1.74.0`
is not published yet and bumping ahead of it would break `vp migrate`.

Code changes:
- packages/core/build.ts: rework tsdown CSS-plugin wiring to also detect the
  bundled `@tsdown/css` chunk (newer tsdown emits
  `const { CssPlugin } = await import(...)` that rolldown bundles/dedups into a
  hashed chunk instead of a bare specifier).
- packages/cli/binding/index.d.cts: regenerated NAPI bindings for rolldown
  v1.2.0 (new registerClient/notifyPayloadDelivered dev-engine methods,
  BindingLazyChunkOutput, HMR envelope changedIds/seq fields, BindingRebuildStrategy
  enum change, removed BindingHmrBoundaryOutput and preliminarySourcemapFilename).
- crates/vite_cli_snapshots/.../cli_helper_message.md,
  command_owner_pnpm10.md, command_owner_pnpm11.md, command_pm_stage_pnpm11.md:
  updated clap help snapshots for the new alias rendering (`list, ls` ->
  `list [alias: ls]`).
- pnpm-workspace.yaml: removed the postcss-modules override and patch entry
  (vite no longer patches postcss-modules), added `@jridgewell/trace-mapping`
  catalog entry, and pinned oxlint to 1.73.0 with an explanatory comment.
@netlify

netlify Bot commented Jul 18, 2026

Copy link
Copy Markdown

Deploy Preview for viteplus-preview canceled.

Name Link
🔨 Latest commit e33c633
🔍 Latest deploy log https://app.netlify.com/projects/viteplus-preview/deploys/6a5ae1381744b400092ec06c

@socket-security

Copy link
Copy Markdown

@socket-security

Copy link
Copy Markdown

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action Severity Alert  (click "▶" to expand/collapse)
Warn High
Obfuscated code: cargo openssl is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: ?cargo/reqwest@0.13.4cargo/openssl@0.10.81

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore cargo/openssl@0.10.81. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: cargo tokio is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: bench/Cargo.tomlcargo/tokio@1.53.0

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore cargo/tokio@1.53.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: cargo zerocopy is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: ?cargo/pgp@0.19.0cargo/brush-parser@0.4.0cargo/criterion@0.7.0cargo/brush-parser@0.3.0cargo/zerocopy@0.8.54

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore cargo/zerocopy@0.8.54. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

@github-actions

Copy link
Copy Markdown
Contributor

Native binary sizes (e33c633)

Final release artifacts built by the canonical build-upstream and build-windows-cli actions.

Artifact Format Base PR Change
vp (Linux x64) Binary 10.32 MiB 10.30 MiB -16.01 KiB (-0.15%)
vp (Linux x64) gzip -9 4.42 MiB 4.42 MiB +4.82 KiB (+0.11%)
NAPI (Linux x64) Binary 33.46 MiB 33.22 MiB -248.13 KiB (-0.72%)
NAPI (Linux x64) gzip -9 12.80 MiB 12.75 MiB -54.23 KiB (-0.41%)
vp (macOS ARM64) Binary 7.65 MiB 7.64 MiB -16.08 KiB (-0.21%)
vp (macOS ARM64) gzip -9 3.83 MiB 3.83 MiB +429 B (+0.01%)
NAPI (macOS ARM64) Binary 40.73 MiB 40.61 MiB -129.38 KiB (-0.31%)
NAPI (macOS ARM64) gzip -9 17.03 MiB 16.98 MiB -46.03 KiB (-0.26%)
vp (Windows x64) Binary 8.37 MiB 8.35 MiB -16.50 KiB (-0.19%)
vp (Windows x64) gzip -9 3.64 MiB 3.64 MiB -849 B (-0.02%)
NAPI (Windows x64) Binary 27.78 MiB 27.62 MiB -163.00 KiB (-0.57%)
NAPI (Windows x64) gzip -9 10.74 MiB 10.72 MiB -26.76 KiB (-0.24%)
Trampoline (Windows x64) Binary 203.00 KiB 203.00 KiB 0 B (0.00%)
Trampoline (Windows x64) gzip -9 97.91 KiB 97.91 KiB +1 B (+0.00%)
Installer (Windows x64) Binary 4.46 MiB 4.44 MiB -15.50 KiB (-0.34%)
Installer (Windows x64) gzip -9 2.08 MiB 2.08 MiB -1.89 KiB (-0.09%)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants