chore(deps): update vite+ to v0.2.1 - autoclosed

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
vite-plus (source)	0.1.24 → 0.2.1

---

Release Notes

voidzero-dev/vite-plus (vite-plus)

v0.2.1: vite-plus v0.2.1

Restores support for older Node.js (back to 20.19.0) and makes vp exec --fail-if-no-match fail correctly on unmatched filters.

Fixes & Enhancements

• Stop blocking older Node.js versions: v0.2.0 blocked commands when the resolved Node.js version fell outside the declared range. This reverts that enforcement and widens engines.node to ^20.19.0 || ^22.18.0 || >=24.11.0, matching Vite's own ^20.19.0 floor, so older Node that works in practice (e.g. Node 20 in rolldown CI) is no longer rejected (#​1865), by @​fengmk2
• vp exec --fail-if-no-match: exit non-zero when one or more --filter expressions match no workspace packages. Strict mode previously only warned and returned success, so typoed filters looked successful in CI even though no package command ran (#​1859), by @​jong-kyung

Bundled Versions

Tool	Version	Source
vite	8.0.16	f94df87
rolldown	1.1.1	d7f919c
tsdown	0.22.3	npm
vitest	4.1.9	npm
oxlint	1.70.0	npm
oxlint-tsgolint	0.23.0	npm
oxfmt	0.55.0	npm

Upgrade

vp upgrade

Upgrading from 0.1.x to 0.2.1 Prompt

You are upgrading a project that uses Vite+ (the `vp` CLI) from v0.1.x to v0.2.1.

v0.2.1 has one breaking change vs v0.1.x: it consumes upstream Vitest directly. The `@voidzero-dev/vite-plus-test` wrapper package is removed; `vitest` now comes in transitively through `vite-plus`.

Do not run `vp migrate` for this upgrade; it is not reliable enough yet. Make the changes yourself by editing the project's files, then verify by running the tools.

How to run vp: if a global `vp` is available, use it. Otherwise this project only ships the local CLI from the `vite-plus` package, so run vp as the project-local binary (for example via the package manager's exec: pnpm exec, npx, yarn, or bunx). After any install, re-resolve vp so you always run the version currently in the project.

Do the following:

1. Set the `vite-plus` dependency to the exact version `0.2.1` and reinstall, so the new toolchain is installed and the lockfile moves off 0.1.x. In a monorepo, do this for every workspace package that depends on `vite-plus`. Changing the spec to `0.2.1` is what moves the lockfile off the old resolution; a reinstall that leaves the spec unchanged would keep the old version.

2. Remove the `@voidzero-dev/vite-plus-test` wrapper from the project. Search everywhere it could appear: package.json, the lockfile, any workspace or catalog config (such as pnpm-workspace.yaml or .yarnrc.yml), and the source files. Then:

   - Decide whether the project itself depends on vitest. It does only if a source or test file imports directly from `vitest` or `@vitest/...`, or a `@vitest/*` package is listed in its dependencies (for example a coverage provider). Imports from `vite-plus/test` do NOT count.
   - If the project has no such vitest usage (the common case), remove the vitest configuration entirely. In package.json, delete the `vitest` entry from `dependencies` / `devDependencies` in whatever form it takes (a `@voidzero-dev/vite-plus-test` alias, a `catalog:` reference, or a plain version). Also remove the `vitest` entry from every dependency-resolution mechanism in the project: both `overrides` and `resolutions`, pnpm `overrides`/`catalog` (in package.json or pnpm-workspace.yaml), and any catalog entry. If `vitest` appears in more than one of these, remove all of them. Do not add a pinned `vitest`; it arrives transitively through `vite-plus` and the test command still works.
   - If the project does use vitest directly, pin upstream vitest to the version bundled with vite-plus (4.1.9 for v0.2.1), and upgrade every vitest ecosystem package the project depends on so the whole tree resolves to a single vitest. Set each `@vitest/*` package the project lists (for example `@vitest/coverage-v8`, `@vitest/ui`, `@vitest/browser`) to that same version (4.1.9), since those are pinned to an exact vitest version. Also update any other vitest integration package (such as `vitest-browser-*`) to a release compatible with that vitest version. Leaving an ecosystem package on an older version pulls in a second copy of vitest, which Vitest rejects at runtime.
   - Also delete any dependency-resolution config that existed only to accommodate the wrapper or the old vitest, for example pnpm `peerDependencyRules` entries (`allowedVersions` / `ignoreMissing`) referencing `vitest`, `@vitest/*`, or `@voidzero-dev/vite-plus-test`, and the equivalent peer-tweak config in other package managers (such as yarn `packageExtensions`). Leave rules that are unrelated to vitest or the wrapper untouched.

3. Keep the `vite` -> Vite+ core override (it is still required) and set it to the matching exact version: map `vite` to `npm:@​voidzero-dev/vite-plus-core@0.2.1` in whatever override, resolution, or catalog form the project already uses. `@voidzero-dev/vite-plus-core` is released in lockstep with `vite-plus`.

4. Leave imports from `vite-plus/test` (and `vite-plus/test/*`) unchanged; that is the stable public API. Only if a file imports directly from `@voidzero-dev/vite-plus-test`, repoint it to `vite-plus/test`.

5. Reinstall so the lockfile reflects your edits, then verify: confirm that no reference to `@voidzero-dev/vite-plus-test` remains anywhere outside node_modules, confirm the dependency tree resolves to a single `vitest` version (no duplicate copies), run the project's tests and confirm they pass (you will see Vitest's native banner), and run the Vite+ check workflow and confirm it passes.

Constraints:
- Do not run `vp migrate`.
- Do not bypass git hooks. If a pre-existing failure blocks you, report it rather than forcing through.
- Make the smallest set of edits that reaches the end state above; do not reformat unrelated files.
- When done, give me a short summary: old vs new `vite-plus` version, the files you changed, and the test/check results.

Full Changelog: voidzero-dev/vite-plus@v0.2.0...v0.2.1

Published Packages

• @voidzero-dev/vite-plus-core@0.2.1
• vite-plus@0.2.1

Installation

macOS/Linux:

curl -fsSL https://vite.plus | bash

Windows:

irm https://vite.plus/ps1 | iex

Or download and run vp-setup.exe from the assets below.

v0.2.0: vite-plus v0.2.0

Compare Source

Vite+ now consumes upstream Vitest directly (no wrapper), raises the minimum supported Node.js version to 22.18.0, and ships corepack and devEngines support.

Highlights

• vp test now runs upstream Vitest directly (breaking): Vite+ used to ship @voidzero-dev/vite-plus-test, a rebundled copy of Vitest that lagged upstream releases. That package is removed; vp test now runs the real upstream vitest, which is installed automatically as a dependency of vite-plus (you no longer add vitest or @vitest/* yourself, and vite still resolves to @voidzero-dev/vite-plus-core via package-manager overrides). Your import ... from 'vite-plus/test' code keeps working unchanged and vp migrate updates existing projects (#​1588), by @​Brooooooklyn
• Minimum supported Node.js version raised to ^22.18.0 || >=24.11.0 (breaking): Node 20 reached end-of-life and the bundled tsdown already required ^22.18.0, so the published engines range now matches what vp pack can actually deliver; vp exec / vp run / vp dlx reject projects resolving an older Node with the existing incompatibility error (#​1813), by @​fengmk2
• Corepack now works under Vite+: corepack now set up by default, so corepack enable and the pnpm/yarn launchers just work, even on Node 25+ which no longer ships it. (#​1808), by @​fengmk2
• devEngines support for runtime and package-manager selection: Vite+ reads devEngines.runtime (ranked above engines.node) and devEngines.packageManager; auto-pin and vp migrate write devEngines.packageManager, vp env pin / unpin target devEngines.runtime, and vp env doctor reports conflicts instead of silently resolving them (#​1760), by @​fengmk2

Features

• vp pm approve-builds: forward to npm's new approve-scripts / deny-scripts (npm >= 11.16.0) instead of the previous no-op, matching pnpm approve-builds / bun pm trust; mixed approve+deny is rejected with actionable guidance and npm's advisory-only caveat is surfaced (#​1733), by @​fengmk2
• vp create: support local monorepo templates declared in create.templates in vite.config.ts; vp create vite:generator scaffolds a Bingo generator and auto-registers it in the picker, replacing the old package.json-keyword inference (#​1777), by @​fengmk2
• vp create: detect direct dependencies whose build scripts the package manager gated (e.g. native builds like better-sqlite3) and act on them; prompt to approve each (default off) interactively, point at vp pm approve-builds non-interactively, or build them with --approve-builds (#​1828), by @​fengmk2
• vp config: add --no-hooks and --no-agent opt-outs to skip git-hook installation and coding-agent instruction updates (#​1842), by @​leno23
• vp list -g: sort the global package list output so entries appear in a stable order (#​1748), by @​liangmiQwQ
• Upgrade upstream dependencies: rolldown 1.0.3 -> 1.1.1, tsdown 0.22.1 -> 0.22.3, oxlint 1.67.0 -> 1.70.0, oxfmt 0.52.0 -> 0.55.0, vitest 4.1.8 -> 4.1.9, and the oxc toolchain 0.133.0 -> 0.136.0 (#​1749, #​1767, #​1812, #​1834, #​1855), by @​voidzero-guard[bot]

Fixes & Enhancements

• Security: resolve open Rust Dependabot advisories by bumping transitive openssl 0.10.76 -> 0.10.80 (openssl-sys 0.9.112 -> 0.9.116), fixing five high-severity rust-openssl issues (buffer overflows in key derivation, AES key wrap, and digest finalization; an unchecked PSK/cookie trampoline length leaking adjacent memory; and OCSP-responder undefined behavior: GHSA-pqf5-4pqq-29f5, GHSA-8c75-8mhr-p7r9, GHSA-ghm9-cr32-g9qj, GHSA-hppc-g8h3-xhp3, GHSA-xp3w-r5p5-63rr), and drop the unmaintained, unsound libyml (GHSA-gfxp-f68g-8x78, high) by removing dead serde_yml code (#​1742), by @​fengmk2
• Security (docs site): update mermaid 11.13.0 -> 11.15.0 to fix improper classDef sanitization in state diagrams that allowed HTML injection (CVE-2026-41149 / GHSA-ghcm-xqfw-q4vr, medium severity; <script> tags are stripped so it does not reach XSS) (#​1745), by @​renovate[bot]
• vp check --fix / vp staged: create/migrate now wrap inline Vite plugins: [...] arrays with lazyPlugins(...) so plugin factories aren't eagerly executed (and don't hang on open handles) during lint/format/check config loading (#​1752), by @​jong-kyung
• vp migrate: complete pending migration work for projects that already have vite-plus installed (scripts, imports, tsconfig types, ESLint/Prettier, legacy hooks, package-manager settings) instead of treating vite-plus as migration-complete; fully migrated projects stay idempotent (#​1821), by @​jong-kyung
• vp create / vp migrate: detect shorthand fmt, / lint, config keys so a duplicate inline block is no longer injected (#​1843), by @​fengmk2
• IDE oxlint/oxfmt wrappers: set VP_COMMAND so lazyPlugins() skips framework plugins during LSP config reads, preventing a stray .svelte-kit (and similar) directory at the monorepo root (#​1764), by @​jong-kyung
• vp lint / vp run -r lint on Windows: keep the absolute tsgolint path for workspace lint runs instead of downgrading it to a wrong cwd-relative path (#​1758), by @​semimikoh
• oxlint wrapper: set the tsgolint path so type-aware lint resolves it (#​1811), by @​jong-kyung
• vp install -g: use a unique backup directory and treat stale-backup cleanup as best-effort so a locked Windows binary no longer fails an otherwise successful reinstall (#​1753), by @​fengmk2
• vp install -g: remove stale managed binary shims when a reinstalled package drops a bin from its package.json#bin (#​1765), by @​liangmiQwQ
• vp create --git: surface git's actual stdout/stderr when the initial commit fails instead of always blaming user.name / user.email (#​1819), by @​fengmk2
• vp create vite:generator: reject --git / --no-git, since adding a generator to an existing monorepo does not initialize git (#​1788), by @​jong-kyung
• Global CLI: harden find_system_tool against a self-exec loop (skip the running executable's own bin directory) and fix two vite_global_cli tests that could hang (#​1820), by @​fengmk2
• CLI help: unify alias display (#​1832), show supported run options (#​1797), show --fail-if-no-match in exec help (#​1798), add the implode documentation link (#​1796), and handle nested-command typo help (#​1803), by @​jong-kyung

Docs

• Document vp create opt-out options (#​1790), by @​jong-kyung
• Document vp upgrade options (#​1847), by @​jong-kyung
• Align the config overview with the sidebar (#​1846), by @​jong-kyung
• Sync the documented command lists with the help output (#​1850), by @​jong-kyung
• Clarify lazy plugin side effects (#​1841), by @​leno23
• Add JongKyung's X profile (#​1844) and update Christoph's X profile (#​1845) on the team page, by @​jong-kyung

Refactor

• Remove the CLI tips system; the shortcuts it printed on vp install are already covered by the help system and added unnecessary complexity (#​1799), by @​cpojer

Chore

• Re-enable Renovate dependency updates with a targeted ignore-list (#​1744), by @​fengmk2
• Keep generated NAPI bindings during upgrade-deps (#​1759), by @​fengmk2
• Remove the vite_glob dependency from vite-plus (#​1763), by @​wan9chi
• Keep sync-remote from churning pnpm-workspace.yaml (dedupe minimumReleaseAgeExclude, preserve comments) (#​1787), by @​fengmk2
• Make unix just test runnable (#​1755), by @​situ2001
• CI: reuse just lint and just test as the single source of truth (#​1809), pin cargo-zigbuild to a git rev to fix the aarch64-musl link failure (#​1815), and keep upgrade-deps green when rolldown bumps oxc (#​1833), by @​fengmk2
• Update Rust to nightly-2026-06-10 (#​1725), typos to v1.47.1 / v1.47.2 (#​1772, #​1775), GitHub Actions (#​1778, #​1829), and npm packages (#​1779), by @​renovate[bot]
• Bump oxc-project/setup-node to v1.3.1 (#​1792), by @​Boshen
• Refresh trusted stack stats on the docs homepage (#​1786, #​1837), by @​voidzero-guard[bot]

Bundled Versions

Tool	Version	Source
vite	8.0.16	f94df87
rolldown	1.1.1	d7f919c
tsdown	0.22.3	npm
vitest	4.1.9	npm
oxlint	1.70.0	npm
oxlint-tsgolint	0.23.0	npm
oxfmt	0.55.0	npm

Upgrading from 0.1.24 to 0.2.0

This release has two breaking changes. For most projects the upgrade is vp upgrade, bump the project's vite-plus, then vp migrate.

1. Update the CLI

vp upgrade

2. Node.js 20 is no longer supported

The minimum supported Node.js version is now ^22.18.0 || >=24.11.0 (Node 20 reached end-of-life). If you are still on Node 20:

• Check your version: node --version (or vp env doctor)
• Move to a supported release: vp env pin 22.18.0 (or a newer LTS), or update your .node-version / devEngines.runtime

vp exec / vp run / vp dlx now refuse to run against a project that resolves Node < 22.18.0.

3. Vitest is now upstream (the wrapper is gone)

@voidzero-dev/vite-plus-test has been removed; Vite+ consumes upstream vitest directly. Bump vite-plus first, then migrate:

vp update vite-plus --latest    # project's vite-plus -> 0.2.0 (ignores the old range, updates the lockfile); monorepo: add -r
vp migrate                      # local vite-plus is now 0.2.0, so the new migration runs

vp update --latest re-resolves vite-plus to the newest release regardless of the old semver range, so the lockfile cannot pin you back to 0.1.24. The project's local vite-plus is then 0.2.0, and since the global vp delegates migrate to the project's local install, vp migrate runs the new migration.

• Your import { vi, ... } from 'vite-plus/test' code is unchanged. vp migrate rewrites any leftover vitest / @vitest/* imports and normalizes stale vitest: npm:@​voidzero-dev/vite-plus-test@* aliases.
• You no longer add vitest or @vitest/* yourself; they arrive transitively through vite-plus.

New Contributors

Welcome to our new contributor @​situ2001! 🎉

Full Changelog: voidzero-dev/vite-plus@v0.1.24...v0.2.0

Published Packages

• @voidzero-dev/vite-plus-core@0.2.0
• vite-plus@0.2.0

Installation

macOS/Linux:

curl -fsSL https://vite.plus | bash

Windows:

irm https://vite.plus/ps1 | iex

Or download and run vp-setup.exe from the assets below.

View the full commit: 6f97f09

---

Configuration

📅 Schedule: (in timezone Asia/Shanghai)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	vite-plus@​0.2.1

View full report