chore(deps): bump vite-plus to PR #1633 (pkg-pr-new) #3
Code Review
This pull request updates the vite-plus dependency and its internal components to use prerelease builds via pkg.pr.new URLs. It also modifies pnpm-workspace.yaml to allow exotic sub-dependencies and introduces a 24-hour minimum release age requirement for most dependencies. Review feedback suggests verifying if vite and vitest should also be updated to prerelease builds, warns that disabling blockExoticSubdeps increases the risk of supply chain attacks, and recommends reducing the minimumReleaseAge to 60 minutes to avoid blocking legitimate updates.
| "vite-plugin-electron": "0.29.1", | ||
| "vite-plugin-electron-renderer": "0.14.7", | ||
| "vite-plus": "0.1.21", | ||
| "vite-plus": "https://pkg.pr.new/voidzero-dev/vite-plus@1633", |
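Review bot: the new specifier on the last line of this hunk, https://pkg.pr.new/voidzero-dev/vite-plus@1633, names a PR number rather than a commit, so what the URL resolves to can change every time PR #1633 receives a push, and the tarball integrity recorded in the lockfile will stop matching the next build. If the install is meant to be reproducible, pin the pkg.pr.new URL to the commit SHA of the build actually under test and state that SHA in the PR description.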
The pull request summary mentions that the vite and vitest aliases were updated to pkg-pr-new URLs, but they remain as version strings (8.0.13 and 4.1.6) in the devDependencies. If the intention was to use the prerelease builds for these packages as well, they should be updated to their respective URLs or handled via overrides.
| '@primer/primitives': false | ||
| electron: true | ||
| electron-winstaller: true | ||
| blockExoticSubdeps: false |
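Review bot: blockExoticSubdeps: false on the last line of this hunk carries no comment saying why it is needed or when it should go back to true. Add a YAML comment naming the pkg-pr-new prerelease test as the reason and the condition for re-enabling it (for example, once vite-plus PR #1633 is released to the registry), so the relaxation is not silently inherited by later branches.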
Setting blockExoticSubdeps to false allows transitive dependencies to be resolved from arbitrary URLs. This significantly increases the attack surface for supply chain attacks by bypassing registry integrity checks for sub-dependencies. While this is necessary for testing pkg-pr-new builds, it should be avoided in production-bound branches.
| electron: true | ||
| electron-winstaller: true | ||
| blockExoticSubdeps: false | ||
| minimumReleaseAge: 1440 |
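Review bot: minimumReleaseAge: 1440 on the last line of this hunk applies to every registry dependency, but the PR description says vite-plus / @voidzero-dev/* were excluded from the minimum release age, and no minimumReleaseAgeExclude entry appears in this hunk. If the exclusion lives in another file that is fine; otherwise add it next to this setting so the intended carve-out actually takes effect for pnpm.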
The minimumReleaseAge is set to 1440 minutes (24 hours). This is extremely restrictive and will block any legitimate dependency updates or critical security hotfixes for a full day after their release. A shorter duration, such as 60 minutes, is usually sufficient to mitigate automated malware bursts while maintaining development velocity.
minimumReleaseAge: 60
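To make the trade-off in the comment above concrete, here is an added example, written for this page and not taken from the PR or from pnpm's own source, of how a minimum-release-age rule filters candidate versions. It assumes the rule is evaluated against the publish timestamps in a registry packument's `time` field, that exclusion patterns are either exact names or `scope/*` wildcards, and that the version strings are plain `major.minor.patch` (no prerelease tags). The registry data and the clock are constructed sample values.

```javascript
// Added example (not pnpm's implementation): filtering versions by release age.
// Assumption: publish dates come from the packument `time` map, as the registry
// exposes them; "created" and "modified" are metadata, not versions.

// Constructed sample packument `time` map (not real publish data).
// 1.2.1 plays the role of a hotfix published 22 hours before NOW;
// 1.2.2 was published 30 minutes before NOW.
const SAMPLE_TIME = {
  created: "2025-01-01T00:00:00.000Z",
  modified: "2025-06-10T11:30:00.000Z",
  "1.2.0": "2025-05-01T09:00:00.000Z",
  "1.2.1": "2025-06-09T14:00:00.000Z",
  "1.2.2": "2025-06-10T11:30:00.000Z",
};

// Constructed "current time" so the example is deterministic.
const NOW = new Date("2025-06-10T12:00:00.000Z");

// Numeric major.minor.patch comparison; prerelease tags are out of scope here.
function compareSemver(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Versions published at least `minAgeMinutes` before `now`, newest first.
function eligibleVersions(timeMap, minAgeMinutes, now = new Date()) {
  const cutoff = now.getTime() - minAgeMinutes * 60 * 1000;
  return Object.entries(timeMap)
    .filter(([key]) => key !== "created" && key !== "modified")
    .filter(([, published]) => Date.parse(published) <= cutoff)
    .map(([version]) => version)
    .sort((a, b) => compareSemver(b, a));
}

// Newest version that satisfies the age rule, or null if none does.
function pickNewest(timeMap, minAgeMinutes, now = new Date()) {
  const eligible = eligibleVersions(timeMap, minAgeMinutes, now);
  return eligible.length > 0 ? eligible[0] : null;
}

// Exclusion patterns: exact package name, or "scope/*" matching every package
// under that scope (hypothetical matching rule for this example).
function isExcluded(name, patterns) {
  return patterns.some((pattern) =>
    pattern.endsWith("/*")
      ? name.startsWith(pattern.slice(0, -1))
      : name === pattern
  );
}

// Excluded packages resolve with no age requirement; everyone else waits.
function resolve(name, timeMap, { minAgeMinutes, exclude = [] }, now = new Date()) {
  const age = isExcluded(name, exclude) ? 0 : minAgeMinutes;
  return pickNewest(timeMap, age, now);
}

// Stand-alone demonstration of the two settings discussed in the review.
const EXCLUDE = ["vite-plus", "@voidzero-dev/*"];
console.log("minimumReleaseAge 60   ->", pickNewest(SAMPLE_TIME, 60, NOW));
console.log("minimumReleaseAge 1440 ->", pickNewest(SAMPLE_TIME, 1440, NOW));
console.log(
  "excluded scope, 1440   ->",
  resolve("@voidzero-dev/vite-plus-core", SAMPLE_TIME, { minAgeMinutes: 1440, exclude: EXCLUDE }, NOW)
);
```

With these inputs a 60-minute window still skips the 30-minute-old 1.2.2 but accepts the day-old hotfix 1.2.1, whereas the 1440-minute window falls back to 1.2.0 and the hotfix waits another two hours. The excluded scope bypasses the rule entirely, which is why an exclusion list should be kept as narrow as the packages you deliberately want unvetted.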
Summary
Bump vite-plus and related @voidzero-dev/* packages to the pkg-pr-new prerelease for vite-plus PR #1633.

Updated where applicable:
- vite-plus → https://pkg.pr.new/voidzero-dev/vite-plus@1633
- vite alias → @voidzero-dev/vite-plus-core pkg-pr-new URL
- vitest alias → @voidzero-dev/vite-plus-test pkg-pr-new URL
- overrides / resolutions / pnpm.overrides / pnpm-workspace.yaml catalogs

Also configured minimum-release-age with vite-plus / @voidzero-dev/* excluded for pnpm / bun / npm.

Test plan