feat(deps): upgrade upstream dependencies (preserved from #1581)#1589
Draft
fengmk2 wants to merge 14 commits into
Draft
feat(deps): upgrade upstream dependencies (preserved from #1581)#1589fengmk2 wants to merge 14 commits into
fengmk2 wants to merge 14 commits into
Conversation
✅ Deploy Preview for viteplus-preview ready!
To edit notification comments on pull requests, go to your Netlify project configuration. |
|
Review the following changes in direct dependencies. Learn more about Socket for GitHub. |
shulaoda
force-pushed
the
deps/upstream-update-1581
branch
from
da20b9a to
283d412
Compare
- rolldown: ac5c710 -> v1.0.1 (2777945) - vite: 66f3194 -> v8.0.13 (a46f11a) - vitest: 4.1.5 -> 4.1.6 - oxfmt: 0.48.0 -> 0.49.0 - oxlint: 1.63.0 -> 1.64.0 - oxc (Rust): 0.128.0 -> 0.130.0 - @oxc-project/runtime: 0.129.0 -> 0.130.0 - @oxc-project/types: 0.129.0 -> 0.130.0 - oxc-minify: 0.129.0 -> 0.130.0 - oxc-parser: 0.129.0 -> 0.130.0 - oxc-transform: 0.129.0 -> 0.130.0 - @vitejs/devtools: 0.1.21 -> 0.1.23 Code changes: - packages/core/build.ts: update rolldown pluginutils source path to read from `packages/rolldown/node_modules/@rolldown/pluginutils`. - packages/tools/src/sync-remote-deps.ts: support `.mjs` / `.d.mts` exports when transforming pluginutils, and update the pluginutils package.json lookup path to match the new nested location. - packages/core/package.json: switch `./rolldown/pluginutils` and `./rolldown/pluginutils/filter` exports to `.mjs` / `.d.mts`; bump bundled `vite`/`rolldown` versions. - pnpm-workspace.yaml: add `@rolldown/pluginutils` catalog entry and drop its workspace override; bump `rolldown-plugin-dts` (^0.23 -> ^0.25), `valibot` (1.3.1 -> 1.4.0), `vitepress-plugin-graphviz` (^0.0.1 -> ^0.1.0); update `vitest-dev` override to `^4.1.6`. - Cargo.toml: pin `mimalloc-safe = "=0.1.58"`. - rust-toolchain.toml: bump nightly channel to `nightly-2026-03-15`. - packages/cli/snap-tests-global/command-staged-broken-config/snap.txt: refresh snapshot for the new oxc parser error formatting (`Error: Unexpected token` -> `Unexpected token`). - packages/tools/.upstream-versions.json, Cargo.lock, pnpm-lock.yaml: regenerated to match the new versions.
- collapsible_match: fold the bounds check into the KeyCode::Down match arm guard in vite_install package_manager - unnecessary_sort_by: switch descending sorts in vite_js_runtime and vite_setup to sort_by_key with std::cmp::Reverse - unnecessary_trailing_comma: drop trailing comma in a help.rs test assertion
bundleVitest copied vitest's distribution into packages/test/dist
without cleaning the directory first. When the upstream vitest
version changed, the new build emitted hashed chunks with new names
(e.g. cac.<new-hash>.js) but stale chunks from the previous version
lingered. The later brandVitest step iterates every cac.*.js chunk
looking for cac("vitest") and threw when it hit a stale chunk whose
pattern was absent or already rewritten, breaking pnpm bootstrap-cli.
Clear dist/ at the start of bundleVitest so each build starts from
a known-empty tree.
The npm-published rolldown@1.0.1 binding enables the mimalloc v3 feature (`crates/rolldown_binding/Cargo.toml` rolldown#9349), which panics with `[internal exception] blocking task ran twice` in tokio when tsdown drives rolldown through vp pack on darwin-arm64. The result is that vp pack exits silently after "Build start", which breaks every CLI snap test that bundles via vp pack (command-pack, command-pack-exe, command-pack-external, command-pack-monorepo, vp-cache-monorepo-missing, vp-pack-cache-disabled). Force the binding download to use rolldown@1.0.0 while keeping the 1.0.1 JS sources (and the pluginutils relocation that depends on them). The 1.0.0 binding is ABI-compatible with the surface vite-plus exercises through tsdown/rolldown. Revert once an upstream rolldown release ships without mimalloc v3 or fixes the panic. The command-staged-broken-config snap.txt also rolls back to its pre-PR form because the diagnostic prefix comes from the binding's bundled oxc — `Error: Unexpected token` (1.0.0/oxc 0.128) vs. `Unexpected token` (1.0.1/oxc 0.130).
Match the lighter-weight handling from #1569: - packages/core/package.json: collapse the two pluginutils exports back to single .mjs strings. TypeScript already resolves a sibling .d.mts for an .mjs path under moduleResolution: bundler / node16, so the explicit `types` entries were redundant. - packages/tools/src/sync-remote-deps.ts: drop the parallel .mjs branch in transformPluginutilsExport — once we stop wrapping string exports into objects, the matching `types` derivation isn't needed either. - .github/actions/build-upstream/action.yml, justfile: drop the `pnpm --filter @rolldown/pluginutils build` step. Since rolldown moved pluginutils out of its workspace into a standalone npm package (rolldown/plugins), no workspace package matches that filter — the step was a silent no-op (`No projects matched the filters`).
The justfile's build recipe and the root package.json's build script had drifted: the justfile knew it needed to build rolldown's native binding, rolldown's JS, and vite's types before the @voidzero-dev/* chain, while package.json's build only ran the @voidzero-dev/* + vite-plus step. That meant pnpm bootstrap-cli (which calls pnpm build) silently produced an incomplete tree on fresh checkouts — packages/ core/dist/vite/node/index.d.ts wouldn't exist, and vp check then failed with TS7016 on every @voidzero-dev/vite-plus-core import. Move the upstream prerequisites into the pnpm build script and have the justfile recipe just call pnpm build, so the build sequence has a single source of truth. CI is unaffected: bootstrap-cli:ci runs only pnpm install-global-cli, and the per-target build-upstream action keeps its own chain (it skips build-binding:release because the binding is pulled from npm, and runs build-ts instead of build because NAPI bindings are built and cached as a separate step).
The existing comment justifies using nightly at all (Z-bindeps and windows_process_extensions_main_thread_handle), but a future `feat(deps): upgrade upstream dependencies` PR bumps the date and nobody remembers why. Add a note that the date itself is gated by oxc_transformer >=0.130 using `if let` guards, which only stabilized in rustc 1.94 (2026-01-29) — earlier nightlies fail with E0658.
This reverts commit 60ae3de.
The reviewer asked us to share a single nightly with voidzero-dev/ vite-task, whose rust-toolchain.toml is currently pinned to nightly-2026-03-05. Match that and replace the date-rationale comment with a directive that future bumps track the vite-task pin. The earlier rationale (oxc_transformer >=0.130 needs `if_let_guard`, stabilized in rustc 1.94 / 2026-01-29) is still satisfied — any nightly past late January 2026 works.
Rolldown 1.0.1 moved @rolldown/pluginutils out of its monorepo into a standalone npm package (rolldown/plugins). In our checkout it shows up hoisted under `rolldown/packages/rolldown/node_modules/@rolldown/ pluginutils`, with `.mjs` / `.d.mts` outputs. Update BUNDLING.md to match what the build actually does now: - source location (top-of-doc table + "Source Directories" table + rolldownPluginUtilsDir code constant) - bundleRolldownPluginutils input path - emitted output structure (.js/.d.ts -> .mjs/.d.mts) - exports table extensions No code change — same content as packages/core/build.ts and packages/core/package.json already reference.
shulaoda
force-pushed
the
deps/upstream-update-1581
branch
7 times, most recently
from
3adf29f to
34ef519
Compare
shulaoda
force-pushed
the
deps/upstream-update-1581
branch
from
34ef519 to
63e00a5
Compare
shulaoda
force-pushed
the
deps/upstream-update-1581
branch
2 times, most recently
from
986cc92 to
a26da8f
Compare
shulaoda
force-pushed
the
deps/upstream-update-1581
branch
from
a26da8f to
03a4c1b
Compare
shulaoda
force-pushed
the
deps/upstream-update-1581
branch
from
22329de to
c3d7618
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR is identical in tree to #1581 at its latest commit (
847f7862). The bot-authored upgrade commit is preserved, and the hand-authored fixes layered on top stay attached:feat(deps): upgrade upstream dependenciesfix(clippy): satisfy new lints from nightly-2026-03-15cargo clippy --all-targets --all-features -- -D warningsagainst oxc 0.130fix(test/build): clean dist before bundling vitestcac.<old>.js) beforebrandVitestruns, sopnpm bootstrap-cliis idempotent across vitest upgrades~~fix(ci): work around rolldown@1.0.1 binding tokio panic~~refactor(deps): simplify pluginutils handling after rolldown move.mjsexports, drop the deadpnpm --filter @rolldown/pluginutils buildstep fromaction.yml+justfile, no.mjswrapping branch intransformPluginutilsExportrefactor(build): consolidate build chain into pnpm build scriptpnpm buildnow drives the full chain (rolldown binding + node + vite types +@voidzero-dev/*+ vite-plus);just buildjust callspnpm build. Fixes the earliervp checkfailure on fresh checkouts caused by missingvite/dist/node/*.d.ts.docs(rust-toolchain): explain why the pinned nightly date mattersif_let_guardconstraint (later softened into "track vite-task")Revert "fix(ci): work around rolldown@1.0.1 binding tokio panic"chore(rust): sync nightly with vite-task (2026-03-05)docs(core): sync BUNDLING.md with relocated @rolldown/pluginutils.mjsoutputsCI snap tests on
aarch64-apple-darwinstill fail; full root-cause writeup posted at #1581 (comment). Short version:e932d68a…). Not a tsdown/rolldown mismatch./tmp: only the combination "our bundled tsdown → bundled rolldown → 1.0.1 binding" SIGSEGVs with[internal exception] blocking task ran twice; unbundled tsdown with the same binding works fine.mimalloc-v3disabled fixes it.local_dynamic_tls(-ftls-model=local-dynamic); Windows escapes because the Windowscc::Buildpath inlibmimalloc-sys2never selects themimalloc3source tree at all. Only macOS gets the full v3 hot path on the unmitigated TLS model.rolldown/crates/rolldown_binding/Cargo.tomlin CI to dropv3on macOS and rebuild the binding from source.Why this branch exists
.github/workflows/upgrade-deps.ymlcloses whatever PR is open againstdeps/upstream-updateand force-recreates the branch every night. Moving the work todeps/upstream-update-1581insulates these manual fixes from that lifecycle.Original bot-authored PR description (from #1581)
Summary
rolldowntov1.0.1andvitetov8.0.13; bumpsvitestto4.1.6and the oxc family (oxcRust crate,@oxc-project/*,oxc-minify/parser/transform,oxlint,oxfmt) to their latest releases.@rolldown/pluginutilsunderpackages/rolldown/node_modules/@rolldown/pluginutilsand to its new.mjs/.d.mtsexports.mimalloc-safeto=0.1.58and bumps the nightly Rust toolchain tonightly-2026-03-15.Dependency updates
rolldownac5c710v1.0.1 (2777945)vite66f3194v8.0.13 (a46f11a)vitest4.1.54.1.6oxfmt0.48.00.49.0oxlint1.63.01.64.0oxc(Rust)0.128.00.130.0@oxc-project/runtime0.129.00.130.0@oxc-project/types0.129.00.130.0oxc-minify0.129.00.130.0oxc-parser0.129.00.130.0oxc-transform0.129.00.130.0@vitejs/devtools0.1.210.1.23Unchanged dependencies
tsdown:0.22.0@oxc-node/cli:0.1.0@oxc-node/core:0.1.0oxlint-tsgolint:0.22.1Code changes
packages/core/build.ts: update the rolldown pluginutils source path to the new nestedpackages/rolldown/node_modules/@rolldown/pluginutilslocation.packages/tools/src/sync-remote-deps.ts: handle.mjs/.d.mtsexports intransformPluginutilsExport, and look uppluginutils/package.jsonunder the new nested path.packages/core/package.json: switch./rolldown/pluginutilsand./rolldown/pluginutils/filterexports to.mjs/.d.mts; bump@vitejs/devtoolsto^0.1.23and bundledvite/rolldownversions.pnpm-workspace.yaml: add@rolldown/pluginutils: ^1.0.0to the catalog and remove the workspace override for it; bumprolldown-plugin-dtsto^0.25.0,valibotto1.4.0,vitepress-plugin-graphvizto^0.1.0; update thevitest-devoverride tonpm:vitest@^4.1.6.Cargo.toml: bump theoxcfamily of crates to0.130.0; pinmimalloc-safe = "=0.1.58".rust-toolchain.toml: bump nightly channel tonightly-2026-03-15.packages/cli/snap-tests-global/command-staged-broken-config/snap.txt: refresh snapshot for the new oxc parser error formatting.packages/tools/.upstream-versions.json,Cargo.lock,pnpm-lock.yaml: regenerated to match the new versions.Build status
sync-remote-and-build: failurebuild-upstream: failure