chore(deps): bump vite-plus to PR #1633 (pkg-pr-new)#5
Conversation
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request transitions several core dependencies, including vite, vite-plus, and vitest, from npm registry versions to preview builds hosted on pkg.pr.new. It also updates various oxc and oxlint related packages and introduces unrun as an optional dependency. Feedback focused on the risk of non-reproducible builds caused by using PR-based URLs instead of pinned commit hashes. The reviewer suggested utilizing the Yarn catalog: protocol to improve maintainability and ensure dependency stability.
| "prettier": "^3.8.3", | ||
| "typescript": "^6.0.3", | ||
| "vite-plus": "^0.1.18", | ||
| "vite-plus": "https://pkg.pr.new/voidzero-dev/vite-plus@1633", |
There was a problem hiding this comment.
Critical Issue: Non-Reproducible Builds
The current yarn.lock file contains unresolved pkg.pr.new URLs with PR numbers (e.g., @1633) instead of being pinned to specific commit hashes. This can lead to non-reproducible builds, as the dependency can change if new commits are pushed to the PR branch.
To fix this and improve maintainability, it's recommended to use the catalog: protocol for dependencies defined in your .yarnrc.yml catalog. This is the idiomatic approach for Yarn Berry and can help ensure dependencies are correctly resolved and pinned.
| "vite-plus": "https://pkg.pr.new/voidzero-dev/vite-plus@1633", | |
| "vite-plus": "catalog:vite-plus", |
| "vite": "https://pkg.pr.new/voidzero-dev/vite-plus/@voidzero-dev/vite-plus-core@1633", | ||
| "vitest": "https://pkg.pr.new/voidzero-dev/vite-plus/@voidzero-dev/vite-plus-test@1633" |
There was a problem hiding this comment.
High Severity: Non-Reproducible Builds in Resolutions
The resolutions field also uses URLs with PR numbers, which can lead to non-reproducible builds for the same reason mentioned in the comment on vite-plus. Since you are using Yarn Berry and have a catalog defined in .yarnrc.yml, you can leverage it here as well.
Using the catalog: protocol avoids duplicating URLs and should help in correctly pinning the vitest dependency to a commit hash in yarn.lock.
| "vite": "https://pkg.pr.new/voidzero-dev/vite-plus/@voidzero-dev/vite-plus-core@1633", | |
| "vitest": "https://pkg.pr.new/voidzero-dev/vite-plus/@voidzero-dev/vite-plus-test@1633" | |
| "vite": "catalog:vite", | |
| "vitest": "catalog:vitest" |
1 participant
Summary
Bump
vite-plusand related@voidzero-dev/*packages to the pkg-pr-new prerelease for vite-plus PR #1633.Updated where applicable:
vite-plus→https://pkg.pr.new/voidzero-dev/vite-plus@1633vitealias →@voidzero-dev/vite-plus-corepkg-pr-new URLvitestalias →@voidzero-dev/vite-plus-testpkg-pr-new URLoverrides/resolutions/pnpm.overrides/pnpm-workspace.yamlcatalogsAlso configured
minimum-release-agewith vite-plus /@voidzero-dev/*excluded for pnpm / bun / npm.Test plan