feat(install): support VP_PR_VERSION for pkg.pr.new testing#1578
Merged
Conversation
✅ Deploy Preview for viteplus-preview canceled.
|
fengmk2
force-pushed
the
install-script-pr-version
branch
from
87d4894 to
6bc2227
Compare
Add VP_PR_VERSION env var to both install.sh and install.ps1 so users can install an unreleased PR build (or any commit) via pkg.pr.new for temporary testing. Since npm releases only ship from main, pkg.pr.new is the only available testing channel for in-flight changes. When VP_PR_VERSION is set, the installer bypasses the npm registry, downloads the CLI platform tarball from pkg.pr.new, and writes the wrapper package.json with the vite-plus dependency pointing at the matching pkg.pr.new URL (the published tarball already rewrites its scoped workspace deps to pkg.pr.new URLs by commit SHA, so pnpm pulls in a coherent PR build). Usage: curl -fsSL https://vite.plus | VP_PR_VERSION=1569 bash $env:VP_PR_VERSION = "1569"; irm https://vite.plus/ps1 | iex
…ict check Move the VP_PR_VERSION/VP_LOCAL_TGZ conflict check into main()/Main so it can use the existing error() / Write-Error-Exit helpers, matching the style of the surrounding validations and producing the same red "error:" prefix. Drop a comment that restated the branch the reader was about to see; keep the non-obvious WHY about pre-rewritten transitive deps.
fengmk2
force-pushed
the
install-script-pr-version
branch
from
6bc2227 to
247c17e
Compare
Member
Author
|
@cursor review |
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
There was a problem hiding this comment.
✅ Bugbot reviewed your changes and found no new issues!
Comment @cursor review or bugbot run to trigger another review on this PR
Reviewed by Cursor Bugbot for commit 247c17e. Configure here.
cpojer
approved these changes
May 15, 2026
fengmk2
added a commit
that referenced
this pull request
May 19, 2026
Release vite-plus v0.1.22: Security Patch, Parallel Global Install & Scaffold Polish A critical Vitest browser-mode security fix, parallel `vp add -g` installs, a built-in oxlint rule to prefer `vite-plus` imports, and a new `--git` switch for `vp create`. ### Highlights - **Security**: bundled `vitest` bumped to `4.1.6` to address [GHSA-2h32-95rg-cppp](GHSA-2h32-95rg-cppp) (Critical, CVSS 9.6), an XSS to RCE chain via the `otelCarrier` query parameter in Vitest browser mode ([#1633](#1633)) - **Parallel global install**: `vp add/install/update -g` now installs packages concurrently with a progress bar and a `--concurrency` flag (default 5) ([#1597](#1597)) - **Prefer vite-plus imports**: new bundled oxlint rule rewrites `vite`/`vitest` imports to `vite-plus`, enabled by default in generated and migrated `lint` configs ([#1408](#1408)) - **Git init on scaffold**: `vp create` learns `--git`/`--no-git` (interactive prompt; auto-commits "Initial commit from Vite+") ([#1484](#1484)) ### Features - Spawn npm for global installation in parallel with a progress bar and a `--concurrency` option ([#1597](#1597)), by @liangmiQwQ - Add bundled oxlint rule to prefer `vite-plus` imports over `vite`/`vitest` ([#1408](#1408)), by @Han5991 - `vp create`: initialize a git repository and create an initial commit on scaffold ([#1484](#1484)), by @ryohidaka - `vp create`: rename underscore-prefixed files (`_gitignore`, `_npmrc`, `_yarnrc.yml`) to dotfiles for `@org/create` bundled templates ([#1574](#1574)), by @jong-kyung - Add `VP_PR_VERSION` env var to install unreleased PR builds via pkg.pr.new ([#1578](#1578)), by @fengmk2 ### Fixes & Enhancements - Skip merging standalone `.oxfmtrc`/`.oxlintrc` config when the `fmt:`/`lint:` key is already declared in `vite.config.ts` (fixes duplicate-block regression in `vp create fate`) ([#1601](#1601)), by @fengmk2 - Suppress the `VITE+ - The Unified Toolchain for the Web` banner for `vp lint --lsp`, `vp fmt --lsp`, and `vp fmt --stdin-filepath` so stdout stays a pure LSP / formatter stream ([#1619](#1619)), by @fengmk2 - `vp create`: detect output directory when running in the current directory ([#1606](#1606)), by @jong-kyung - `vp update -g`: skip installs when the recorded global package version already matches the npm-resolved version, and tolerate string/array outputs from `npm view ... version --json` ([#1596](#1596)), by @leno23 - `vp create`: preserve single-segment project path in `updateWorkspaceConfig` ([#1582](#1582)), by @jong-kyung - `vp env use`: keep the change session-scoped on Windows ([#1577](#1577)), by @fengmk2 - `vp rebuild`: accept positional package names ([#1564](#1564)), by @fengmk2 - Adopt the new vite-task error formatter; errors now print as `error: <top-level>` plus `* <source>` chain lines, with bold-red highlight on a TTY ([vite-task#390](voidzero-dev/vite-task#390)), by @branchseer - vite-task: forward `LOCALAPPDATA` so Node's compile cache stays outside the workspace on Windows ([vite-task#389](voidzero-dev/vite-task#389)), by @branchseer - Bump vite-task to `c945cc0` ([#1628](#1628)), by @branchseer ### Refactor - Revert `vp pm plugin` command (per discussion in #1038) ([#1623](#1623)), by @jong-kyung ### Docs - Add `vitepress-plugin-llms` to the docs site so the published docs include LLM-friendly outputs (`/llms.txt`) ([#1625](#1625)), by @jong-kyung - Refresh home stats for oxlint, vite, and vitest ([#1512](#1512)), by @nozomee - Mention `vp env doctor` in agent instructions ([#1603](#1603)), by @leno23 ### Chore - Consolidate the upstream build chain into a single `pnpm build` script (justfile recipe now just calls `pnpm build`) ([#1626](#1626)), by @fengmk2 - Fix bootstrap-cli on Windows ([#1583](#1583)), by @fengmk2 - Refresh trusted stack stats ([#1573](#1573), [#1616](#1616)), by @voidzero-guard[bot] - Update GitHub Actions ([#1611](#1611), [#1612](#1612)), by @renovate[bot] - Address zizmor findings in composite actions and the release workflow; drop unused `actions-cool/issues-helper` ([#1630](#1630)), by @Boshen - Switch plain checkouts to `taiki-e/checkout-action` ([#1620](#1620)), by @Boshen - Switch release to a version-bump PR + push trigger flow ([#1575](#1575)), by @Boshen - Gate release publish on environment approval with a Discord notice ([#1571](#1571)), by @Boshen - Enable `cargo clippy` with `-D warnings` ([#1579](#1579)), by @Boshen - Drop unused `setup-node` from the version-check job ([#1600](#1600)), by @fengmk2 - Add Void deploy workflows for the docs site ([#1590](#1590)), by @fengmk2 - Add `--help` case to config snap tests for npm10/yarn1/yarn4 ([#1585](#1585)), by @jong-kyung - Add `--help` case to publish snap tests for npm10/yarn1/yarn4 ([#1584](#1584)), by @jong-kyung - Verify `.gitignore` and `.yarnrc.yml` in the new-vite-monorepo snap ([#1576](#1576)), by @jong-kyung - vite-task: bump pnpm to `11.1.2` ([vite-task#383](voidzero-dev/vite-task#383)), by @branchseer - vite-task: update lint-staged to v17 ([vite-task#385](voidzero-dev/vite-task#385)), by @renovate[bot] ### Bundled Versions | Tool | Version | Source | | --- | --- | --- | | vite | `8.0.11` | [`66f3194`](vitejs/vite@66f3194) | | rolldown | `1.0.0` | [`ac5c710`](rolldown/rolldown@ac5c710) | | tsdown | `0.22.0` | [npm](https://npmx.dev/package/tsdown/v/0.22.0) | | vitest | `4.1.6` | [npm](https://npmx.dev/package/vitest/v/4.1.6) | | oxlint | `1.63.0` | [npm](https://npmx.dev/package/oxlint/v/1.63.0) | | oxlint-tsgolint | `0.22.1` | [npm](https://npmx.dev/package/oxlint-tsgolint/v/0.22.1) | | oxfmt | `0.48.0` | [npm](https://npmx.dev/package/oxfmt/v/0.48.0) | ### New Contributors Welcome to all new contributors! 🎉 @nozomee, @ryohidaka, @leno23 **Full Changelog**: v0.1.21...v0.1.22 --- Merging this PR will trigger the release workflow. --------- Co-authored-by: voidzero-guard[bot] <278573678+voidzero-guard[bot]@users.noreply.github.com> Co-authored-by: MK <fengmk2@gmail.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Add
VP_PR_VERSIONenv var to bothinstall.shandinstall.ps1so users can install an unreleased PR build (or any commit) via pkg.pr.new for temporary testing. Since npm releases only ship frommain, pkg.pr.new is the only available testing channel for in-flight changes.When
VP_PR_VERSIONis set, the installer:https://pkg.pr.new/voidzero-dev/vite-plus/@voidzero-dev/vite-plus-cli-{platform}@{PR_or_SHA}vite-plusin the wrapperpackage.jsonashttps://pkg.pr.new/voidzero-dev/vite-plus@{PR_or_SHA}— the published pkg.pr.new tarball already rewrites scoped workspace deps to matching pkg.pr.new URLs by commit SHA, so pnpm pulls in a coherent PR build.~/.vite-plus/pkg-pr-new-{PR_or_SHA}/— a non-semver dir name socleanup_old_versionswon't auto-delete it.VP_LOCAL_TGZ.Usage
VP_PR_VERSIONaccepts either a PR number (e.g.1569) or a commit SHA.Test plan
End-to-end verified against #1569 in a sandboxed
HOME:vp --versionreportsv0.0.0-pkg-pr-new.c178e90(matches PR feat(deps): upgrade upstream dependencies #1569 commit)node_modules/vite-plus/package.jsonversion matches the PR build@voidzero-dev/vite-plus-coreresolves via pkg.pr.new URL with the same commit SHApnpm-lock.yamlrecordsvite-plus.specifier: https://pkg.pr.new/voidzero-dev/vite-plus@1569VP_PR_VERSION) flow unchanged — still hits npm registryVP_PR_VERSION+VP_LOCAL_TGZerrors early as expectedbash -npasses oninstall.shNote
Medium Risk
Changes the installation path and download sources in the cross-platform installers, which could break installs or pull unintended artifacts if the new URL construction/branching logic is wrong. Scope is limited to
install.sh/install.ps1and guarded by an opt-in env var.Overview
Adds
VP_PR_VERSIONtoinstall.shandinstall.ps1to install unreleased PR/commit builds viapkg.pr.new, bypassing npm metadata/version resolution.When set, the installers (1) refuse to run alongside
VP_LOCAL_TGZ, (2) download the platform CLI tarball frompkg.pr.new, (3) install into a synthetic non-semver version directory (pkg-pr-new-...) to avoid old-version cleanup, and (4) write the wrapperpackage.jsondependency as apkg.pr.newURL sopnpmpulls a coherent PR build ofvite-plusand its workspace deps.Reviewed by Cursor Bugbot for commit 247c17e. Configure here.