chore(deps): update devdependency vite-plus to v0.1.16

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
vite-plus (source)	0.1.12 → 0.1.16

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Release Notes

voidzero-dev/vite-plus (vite-plus)

v0.1.16: vite-plus v0.1.16 — Security patches, Volta migration and Windows fixes

Compare Source

A broad release focused on security and ecosystem compatibility: 3 Vite dev server security fixes, Volta migration support, Bun object-form workspaces, JFrog registry support, and a wave of Windows and shell fixes.

Highlights

• Security: 3 Vite dev server vulnerabilities patched — Vite 8.0.5 fixes arbitrary file read via WebSocket (CVE-2026-39363, High — vite#22159), server.fs.deny bypass with query parameters (CVE-2026-39364, High — vite#22160), and path traversal in optimized deps .map handling (CVE-2026-39365, Moderate — vite#22161)
• Volta node version migration — vp migrate now migrates Volta-managed Node.js versions to .node-version (#​1201)
• vp env off disables Node.js management globally — Disables Node.js management for all vp commands, not just the current shell (#​1255)
• Bun object-form workspace support — Workspaces defined as objects in package.json are now properly detected (#​1250)
• Windows install reliability — Fixed PowerShell install errors and scoped CI env vars to child processes (#​1284, #​1292)

Features

• Support volta node version migration to .node-version (#​1201) — @​naokihaba
• Make vp env off disable Node.js management for all vp commands (#​1255) — @​fengmk2
• Add explanations to migration prompts (#​1270) — @​hakshu25
• vp run --cache now supports running without a task specifier and opens the interactive task selector (vite-task#313) — @​HaasStefan

Fixes & Enhancements

• Support JFrog registry metadata JSON format (#​1249) — @​fengmk2
• Support Bun object-form workspaces in package.json (#​1250) — @​fengmk2
• Resolve latest to absolute latest Node.js version (#​1253) — @​fengmk2
• Use bin.js entry point for TypeScript loader in justfile (#​1252) — @​jong-kyung
• Replace deprecated @tanstack/create-start with @tanstack/cli (#​1259) — @​jong-kyung
• Include additional supported config types from lint-staged (#​1263) — @​porada
• Add vitest to devDependencies for peer dep resolution (#​1261) — @​fengmk2
• Do not treat lint warnings as errors in exit code (#​1268) — @​fengmk2
• Resolve tsgolint on Windows with bun package manager (#​1269) — @​fengmk2
• Bypass package manager release age gates during vp upgrade (#​1272) — @​kazupon
• Wrap zsh completion in eval for dash compatibility (#​1280) — @​shaneturner
• Write merged LICENSE directly instead of LICENSE.md (#​1281) — @​fengmk2
• Update .yarnrc template to use node_modules (#​1297) — @​rChaoz
• Scope CI env var to child process in Windows install script (#​1292) — @​fengmk2
• Correctly resolve tsgolint in yarn monorepo packages (#​1310) — @​rChaoz
• Override rolldown panic hook with vite-plus branding (#​1287) — @​fengmk2
• Fix PowerShell install errors on Windows (#​1284) — @​fengmk2

Refactor

• Use .ts import extensions (#​1274) — @​fengmk2
• Migrate CLI build from tsc+rolldown to tsdown (#​1276) — @​fengmk2
  Replaces the split build strategy (tsc for local CLI code + rolldown for global modules) with a unified tsdown configuration. All third-party deps are now inlined at build time, eliminating the rolldown.config.ts and its manual external/path-rewriting plugins. Runtime dependencies dropped from 10 → 6:

  	Before (v0.1.15)	After (v0.1.16)
  dependencies	10	6
  Removed	cac, cross-spawn, jsonc-parser, picocolors	(inlined by tsdown)

Docs

• Document aliased package update steps (#​1266) — @​fengmk2
• Add custom Node.js mirror docs and rename VITE_NODE_DIST_MIRROR to VP_NODE_DIST_MIRROR (#​1254) — @​kazupon
• Add info about bun as pkg manager (#​1294) — @​TheAlexLichter
• Improve docs for core commands (#​1304) — @​connorshea
• Soften troubleshooting claims around vite config loading (#​1313) — @​FleetAdmiralJakob
• Remove redirect (#​1306) — @​connorshea

Chore

• Upgrade upstream dependencies: oxc 0.123.0, rolldown 1.0.0-rc.13, vite 8.0.5, esbuild 0.28.0, TypeScript 6.0.2, sass 1.99.0, oxlint-tsgolint 0.20.0, rolldown-plugin-dts 0.23.2, @​vitejs/devtools 0.1.13, Vue 3.5.31 (#​1267, #​1279, #​1319) — @​Brooooooklyn
• Bump vite-task to 076cef4 (#​1320) — @​fengmk2
• Use matchDepNames for vite-task crates in renovate config (#​1217) — @​fengmk2
• Clarify Node.js version management prompt (#​1273) — @​fengmk2
• Update crate-ci/typos action to v1.45.0 (#​1262)

Published Packages

• @voidzero-dev/vite-plus-core@0.1.16
• @voidzero-dev/vite-plus-test@0.1.16
• vite-plus@0.1.16

Installation

macOS/Linux:

curl -fsSL https://vite.plus | bash

Windows:

irm https://vite.plus/ps1 | iex

Upgrade:

vp upgrade

New Contributors

Welcome to all new contributors! 🎉

@​porada, @​hakshu25, @​shaneturner, @​rChaoz, @​FleetAdmiralJakob

Full Changelog: voidzero-dev/vite-plus@v0.1.15...v0.1.16

v0.1.15: vite-plus v0.1.15 -- Task runner concurrency controls, vpr shorthand and bun support

Compare Source

A packed release with task runner concurrency controls, a new vpr shorthand, dynamic shell completions, bun package manager support, and 10x migration performance improvement.

Highlights

• Task runner concurrency controls -- New --concurrency-limit flag to limit concurrent tasks (defaults to 4) and --parallel flag to ignore task dependencies and run all tasks at once (vite-task#288, vite-task#309)
• vpr standalone shorthand -- Run tasks faster with vpr build instead of vp run build (#​1178)
• Dynamic shell completions -- vp run and vpr now offer tab-completion for available tasks across all major shells (#​1181)
• Bun package manager support -- vp create and install scripts now support bun as a first-class package manager (#​1005)
• 10x migration speedup -- rewriteAllImports uses cached rules, pre-filtering, and rayon parallelism for dramatically faster migrations (#​1172)

Breaking Changes

• vp run argument order -- Flags must now come before the task name: vp run -r build instead of vp run build -r, because arguments after the task name are now passed through to the task instead of consumed by vp (vite-task#286, vite-task#290) -- @​liangmiQwQ, @​branchseer
• VITE_PLUS_* env vars renamed to VP_* -- All environment variables now use the shorter VP_ prefix (#​1166) -- @​jong-kyung

Features

• Add vpr as standalone shorthand for vp run (#​1178) -- @​fengmk2
• Implement dynamic shell completion with vp run task support (#​1181) -- @​nekomoyi
• Add shell completion for vpr command (#​1227) -- @​nekomoyi
• Add bun as a package manager (#​1005) -- @​fengmk2
• Non-blocking upgrade check with rate-limited notice (#​1173) -- @​fengmk2
• Migrate .nvmrc to .node-version during vp migrate (#​1159) -- @​naokihaba
• Expose bundled tool versions via vite-plus/versions export (#​1162) -- @​kazupon
• Export JS API from oxfmt under vite-plus/fmt (#​1235) -- @​leaysgur
• Enable task cache by default in monorepo template (#​1230) -- @​fengmk2
• Task runner: --concurrency-limit flag to limit the number of tasks running at the same time (defaults to 4) (vite-task#288, vite-task#309) -- @​branchseer
• Task runner: --parallel flag to ignore task dependencies and run all tasks at once with unlimited concurrency (unless --concurrency-limit is also specified) (vite-task#309) -- @​branchseer
• Task runner: add VP_* to DEFAULT_UNTRACKED_ENV (vite-task#297) -- @​jong-kyung
• Upgrade upstream dependencies: Rolldown 1.0.0-rc.12, Vite 8.0.3, Vitest 4.1.2, tsdown 0.21.7, oxfmt 0.43.0, oxlint 1.58.0, @​oxc-project/runtime 0.122.0, TypeScript peer range ^6.0.0 (#​1147, #​1161, #​1191, #​1244) -- @​Brooooooklyn

Fixes & Enhancements

• Speed up rewriteAllImports ~10x with cached rules, pre-filter, and rayon (#​1172) -- @​fengmk2
• Adapt vp run argument order for flags-before-task breaking change (#​1170) -- @​fengmk2
• Show helpful error for unknown vite: templates (#​1130) -- @​naokihaba
• Upgrade reqwest from 0.12 to 0.13 and rename rustls-tls feature (#​1068) -- @​Giorno-Giovana
• Suggest vp run for all templates (#​1127) -- @​jong-kyung
• Remove misleading PATH position check in vp env doctor (#​1140) -- @​jong-kyung
• Fix fish shell wrapper for vp env use (#​1141) -- @​nekomoyi
• Exclude node_modules/.vite-temp from cache input tracking (#​1096) -- @​fengmk2
• Correctly inform about prettierignore (#​1160) -- @​TheAlexLichter
• Allow registry commands to work outside a project (#​1151) -- @​fengmk2
• Auto-set git core.hooksPath without prompting (#​1157) -- @​fengmk2
• Inject default fmt: {} config and rebrand oxfmt messages (#​1163) -- @​fengmk2
• Auto-remove esModuleInterop: false from tsconfig.json (#​1148) -- @​fengmk2
• Auto-remove allowSyntheticDefaultImports: false from tsconfig.json (#​1153) -- @​fengmk2
• Get vite_plus_home from node wrapper's path (#​1185) -- @​liangmiQwQ
• Support JSONC format in oxlintrc/oxfmtrc migration (#​1195) -- @​connorshea
• Rewrite vitest self-references in globals.d.ts for type-aware linting (#​1177) -- @​fengmk2
• Remove setting oxlint configPath option in Zed editor config (#​1205) -- @​camc314
• Stop intercepting vite as vp and synthesize vpr in task scripts (#​1186) -- @​fengmk2
• Add package-scoped negative globs to prevent cache miss in monorepos (#​1198) -- @​fengmk2
• Add peerDependencyRules for standalone pnpm projects (#​1222) -- @​fengmk2
• Remove defineConfig export from oxlint (#​1234) -- @​leaysgur
• Preserve browser provider peer deps and fix version warning (#​1236) -- @​fengmk2
• Pin @oxlint/migrate to bundled oxlint version (#​1243) -- @​fengmk2
• Task runner: Ctrl-C now prevents future tasks from being scheduled and prevents caching of in-flight task results (vite-task#309) -- @​branchseer
• Task runner: restore terminal state on Ctrl+C during interactive task selection (vite-task#306) -- @​kazupon

Refactoring

• Simplify vp --version by using generated versions module (#​1164) -- @​kazupon
• Remove PM fallback from vp run, always delegate to vite-plus (#​1179) -- @​fengmk2
• Move pnpm config into pnpm-workspace.yaml (#​1237) -- @​fengmk2

Chore

• Pin node version to avoid flaky tests (#​1135) -- @​fengmk2
• Bump vite-task rev and adapt spawn API (#​1155) -- @​jong-kyung
• Add snap test sharding with --shard=X/Y support (#​1189) -- @​fengmk2
• Use --no-frozen-lockfile in install E2E test (#​1199) -- @​fengmk2
• Retry failed snap test cases instead of skipping flaky tests (#​1209) -- @​fengmk2
• Update GitHub Actions to latest versions (#​1212) -- @​fengmk2
• Add #[serial] to env-var tests to prevent concurrent access races (#​1223) -- @​fengmk2
• Enforce .js file extensions in imports via nodenext module resolution (#​1232) -- @​fengmk2
• Bump vite-task to 1ef4e2f (#​1240) -- @​branchseer
• Disable upgrade deps in fork (#​1242) -- @​hyoban
• Task runner: port packages/tools bins to single Rust binary (vtt) (vite-task#291) -- @​branchseer
• Task runner: add ctrl-c tests for labeled mode and cached tasks (vite-task#307) -- @​branchseer
• Task runner: add ctrl-c propagation test for SIGINT handling (vite-task#303) -- @​branchseer
• Task runner: make snapshot tests self-contained (vite-task#302) -- @​branchseer
• Task runner: fix flaky ctrl-c e2e test on macOS Rosetta CI (vite-task#308) -- @​branchseer

Published Packages

• @voidzero-dev/vite-plus-core@0.1.15
• @voidzero-dev/vite-plus-test@0.1.15
• vite-plus@0.1.15

Installation

macOS/Linux:

curl -fsSL https://vite.plus | bash

Windows:

irm https://vite.plus/ps1 | iex

Upgrade:

vp upgrade

New Contributors

Welcome to all new contributors! 🎉

@​Giorno-Giovana, @​connorshea

Full Changelog: voidzero-dev/vite-plus@v0.1.14...v0.1.15

v0.1.14: vite-plus v0.1.14 — Shell Completions, Log Modes, Linux musl, and Devcontainer Support

Compare Source

A feature-packed release bringing shell completion support, new task log output modes, Linux musl target builds, improved project creation UX, and numerous testing and compatibility fixes.

Highlights

• Shell completion support — Tab completions for bash, zsh, fish, and PowerShell (#​974)
• Task log output modes — New --log=interleaved|labeled|grouped modes for controlling task output display (vite-task#266)
• Smart cache skipping — Tasks that modify their own inputs are now automatically excluded from caching (vite-task#248)
• Linux musl target support — Native builds for Alpine Linux and musl-based distros (#​995)
• Create project in current directory — vp create . now works to scaffold a project in the current directory (#​1097)
• Non-interactive installation — Devcontainers and CI environments can now install vite-plus without interactive prompts (#​1092)

Features

• Add shell completion support for bash, zsh, fish, and PowerShell (#​974) — @​nekomoyi
• Add --log=interleaved|labeled|grouped modes for task output (vite-task#266) @​branchseer
• Skip caching tasks that modify their inputs (vite-task#248) @​branchseer
• Add Linux musl target support (#​995) — @​fengmk2
• Support creating project in current directory (#​1097) — @​jong-kyung
• Upgrade Vite 8.0.1→8.0.2, Rolldown rc.10→rc.11, Vitest 4.1.0→4.1.1 (#​1121) — @​Brooooooklyn
• Upgrade @​vitejs/devtools 0.1.8→0.1.11, oxfmt 0.41.0→0.42.0, oxlint 1.56.0→1.57.0 (#​1126) — @​Brooooooklyn

Fixes & Enhancements

• Show binary location when shell config is not writable (#​1060) — @​fengmk2
• Add troubleshooting tips for npm template not found error (#​1055) — @​naokihaba
• Warn when object-form manualChunks is detected (#​1046) — @​kazupon
• Use OxfmtConfig instead of FormatOptions for fmt types (#​1075) — @​camc314
• Include skill docs in release artifacts (#​1087) — @​kazupon
• Invalidate resolve cache after version configuration changes (#​1089) — @​kazupon
• Traverse parent directories to find vite.config.ts in vp pack (#​1072) — @​kazupon
• Support non-interactive installation for devcontainers (#​1092) — @​fengmk2
• Correct Vue.js language key in Zed settings (#​1109) — @​CoutinhoTTS
• Exclude @​vitest/browser/context from vendor-aliases to fix missing server export (#​1110) — @​kazupon
• Handle spurious key events in Windows command picker (#​1100) — @​nekomoyi
• Revert bundler module resolution in monorepo template (#​1111) — @​fengmk2
• Auto-inline packages that use expect.extend() to fix module instance splitting (#​1113) — @​kazupon
• Add .claude/worktrees/ to monorepo template gitignore (#​1125) — @​jong-kyung
• Warn on uncoercible husky version instead of false positive (#​1124) — @​jong-kyung
• Fix cargo deny workflow (#​1048) — @​fengmk2
• Align default untracked env patterns with Turborepo (vite-task#262)
• Fix flaky SIGSEGV on musl (vite-task#278)
• Use neutral symbols for cache hit/miss indicators (vite-task#268)

Docs

• Fix invalid links (#​1061) — @​bhbs
• Add CI integration section to scaffolded AGENTS.md (#​1088) — @​fengmk2

Chore

• Migrate runner to namespace (#​1066) — @​Brooooooklyn
• Suppress Node.js warnings in snap tests for stable output (#​1070) — @​kazupon
• Bump vite-task to 69cc6eb (#​1091) — @​branchseer
• Add cloudflare/vinext to ecosystem-ci (#​1050) — @​fengmk2
• Add reactive-resume ecosystem-ci test case (#​1052) — @​fengmk2
• Add yaak ecosystem-ci test case (#​1053) — @​fengmk2
• Add npmx.dev ecosystem-ci test case (#​1054) — @​fengmk2
• Skip flaky command-staged-with-config snap test on macOS (#​1080) — @​fengmk2

Published Packages

• @voidzero-dev/vite-plus-core@0.1.14
• @voidzero-dev/vite-plus-test@0.1.14
• vite-plus@0.1.14

Installation

macOS/Linux:

curl -fsSL https://vite.plus | bash

Windows:

irm https://vite.plus/ps1 | iex

Upgrade:

vp upgrade

New Contributors

Welcome to all new contributors! 🎉

@​bhbs, @​naokihaba, @​camc314, @​CoutinhoTTS

Full Changelog: voidzero-dev/vite-plus@v0.1.13...v0.1.14

v0.1.13: vite-plus v0.1.13 — Windows Improvements, Svelte Support & DTS Fixes

Compare Source

This release brings significant Windows platform improvements, Svelte template support, and resolves over 130 DTS warnings.

Highlights

• Svelte Support — vp create now supports Svelte templates via the sv CLI (#​982)
• Windows Trampoline — Replaced .cmd wrappers with a trampoline exe for more reliable Node.js version switching on Windows (#​981)
• DTS Warnings Resolved — Fixed ~137 DTS warnings in vp pack when importing UserConfig (#​993)
• Terminal Color Detection — Adopted DA1 sandwich technique for robust OSC color query detection (#​986)

Features

• Add svelte template support via sv CLI (#​982) — @​mudiageo
• Use trampoline exe instead of .cmd wrappers on Windows (#​981) — @​fengmk2
• Add Kiro agent instructions (#​1033) — @​ErikCH
• Upgrade oxlint 1.55→1.56, oxfmt 0.40→0.41, tsdown 0.21.3→0.21.4, @​vitejs/devtools 0.1.0→0.1.2 (#​980) — @​Brooooooklyn
• Upgrade Vite 8.0.0→8.0.1, Rolldown rc.9→rc.10, oxc_resolver→11.19.1 (#​1043) — @​Brooooooklyn
• Upgrade oxlint-tsgolint 0.17.0→0.17.1 (#​1058) — @​Brooooooklyn

Fixes & Enhancements

• Normalize target directory to forward slashes on Windows in vp create (#​971) — @​fengmk2
• Use vp fmt instead of bin in create (#​972) — @​Salnika
• Split IDE and shell profile checks in vp env doctor (#​961) — @​jong-kyung
• Resolve vendor-aliases paths from package root, not distRoot (#​985) — @​Brooooooklyn
• Unset session override when vp env use called without arguments (#​960) — @​JasonOA888
• Add Windows support and extract clean-dist in justfile (#​953) — @​nekomoyi
• Adopt DA1 sandwich technique for robust OSC color query detection (#​986) — @​Brooooooklyn
• Copy esm-shims.js to dist during tsdown bundling (#​1013) — @​kazupon
• Auto-install hooks and staged config in prepare script (#​1028) — @​fengmk2
• Update resolution logic for vp create to match npm-init (#​1041) — @​rrdelaney
• Resolve ~137 DTS warnings in vp pack when importing UserConfig (#​993) — @​kazupon
• Use jsonc-parser for vscode settings (#​1003) — @​liangmiQwQ
• Export all values from vite-plus/pack subpath (#​1044) — @​kazupon
• Handle permission errors when configuring shell PATH (#​1040) — @​kazupon
• Remove --tag alpha from vp upgrade in CI (#​1009) — @​fengmk2
• Upgrade cac to v7 to fix sync-remote major version conflict (#​1049) — @​fengmk2
• Show node version fallback in vp --version (#​1032) — @​TheAlexLichter

Docs

• Clarify built-in command vs custom script precedence in AGENTS.md (#​1010) — @​creativerezz

Chore

• Auto-update agent instructions, never create new files (#​1027) — @​fengmk2
• Update oxc to v0.120.0 (#​969) — @​renovate[bot]
• Fix editor list (#​1006) — @​cpojer
• Rename rolldown-vite directory to vite (#​1024) — @​Boshen
• Add graphite optimizer to CI (#​983) — @​Brooooooklyn
• Add Claude issue triage workflow for bug reports (#​1011) — @​Boshen
• Skip flaky snap tests on macOS and win32 (#​1022) — @​fengmk2
• Ignore command-staged-with-config flaky test output (#​1047) — @​fengmk2

Published Packages

• @voidzero-dev/vite-plus-core@0.1.13
• @voidzero-dev/vite-plus-test@0.1.13
• vite-plus@0.1.13

Installation

macOS/Linux:

curl -fsSL https://vite.plus | bash

Windows:

irm https://vite.plus/ps1 | iex

Upgrade:

vp upgrade

New Contributors

Welcome to all new contributors! 🎉

@​jong-kyung, @​JasonOA888, @​mudiageo, @​creativerezz, @​rrdelaney, @​liangmiQwQ, @​ErikCH, @​TheAlexLichter

Full Changelog: voidzero-dev/vite-plus@v0.1.12...v0.1.13

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • "on Monday"
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[cloudflare-workers-and-pages]

Deploying unsight with    Cloudflare Pages

Latest commit:	e964a75
Status:	🚫  Build failed.

View logs

[renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: pnpm-lock.yaml

Scope: all 3 workspace projects
Progress: resolved 1, reused 0, downloaded 0, added 0
packages/web                             |  WARN  deprecated unplugin-vue-router@0.19.2
Progress: resolved 36, reused 0, downloaded 0, added 0
Progress: resolved 45, reused 0, downloaded 0, added 0
Progress: resolved 46, reused 0, downloaded 0, added 0
Progress: resolved 284, reused 0, downloaded 0, added 0
Progress: resolved 479, reused 0, downloaded 0, added 0
Progress: resolved 663, reused 0, downloaded 0, added 0
Progress: resolved 803, reused 0, downloaded 0, added 0
Progress: resolved 989, reused 0, downloaded 0, added 0
Progress: resolved 1073, reused 0, downloaded 0, added 0
Progress: resolved 1271, reused 0, downloaded 0, added 0
/tmp/renovate/repos/github/danielroe/unsight.dev/packages/web:
 ERR_PNPM_TRUST_DOWNGRADE  High-risk trust downgrade for "semver@6.3.1" (possible package takeover)

This error happened while installing the dependencies of nuxt@4.4.2
 at @nuxt/vite-builder@4.4.2
 at @vitejs/plugin-vue-jsx@5.1.5
 at @babel/core@7.29.0

Trust checks are based solely on publish date, not semver. A package cannot be installed if any earlier-published version had stronger trust evidence. Earlier versions had provenance attestation, but this version has no trust evidence. A trust downgrade may indicate a supply chain incident.

[socket-security]

No dependency changes detected. Learn more about Socket for GitHub.

👍 No dependency changes detected in pull request