chore(deps): update dependency vite to v8 #1046

Open
renovate[bot] wants to merge 1 commit into main from renovate/vite-8.x

Conversation

Contributor

@renovate renovate Bot commented May 5, 2026

This PR contains the following updates:

Package | Change | Age | Confidence
vite (source) | ^7.3.2 → ^8.0.0 | age | confidence

Release Notes

vitejs/vite (vite)

v8.0.13

Features
Bug Fixes
Miscellaneous Chores

v8.0.12

Features
Bug Fixes
  • create-vite: pass react framework to TanStack CLI (#​22397) (18f0f90)
  • deps: update all non-major dependencies (#​22420) (2be6000)
  • module-runner: prevent partial-exports race on concurrent imports of in-flight invalidated re-export chains (#​22369) (f5a22e6)
  • refer to rolldownOptions instead of deprecated rollupOptions in messages (#​22400) (b675c7b)
  • worker: apply build.target to worker bundle (#​22404) (3c93fde)
  • worker: forward define to worker bundle transform (#​22408) (d4838a0)
Miscellaneous Chores

v8.0.11

Features
Bug Fixes
Documentation
Miscellaneous Chores
Code Refactoring
Tests

v8.0.10

Features
Bug Fixes
  • hmrClient.logger.debug and hmrClient.logger.error looked different from other HMR logs (#​22147) (a4d828f)
  • css: show filename in CSS minification warnings for .css?inline (#​22292) (83f0a78)
  • optimizer: allow user transform.target to override default in optimizeDeps (#​22273) (5c7cec6)
  • remove format sniffing module resolution from JS resolver (#​22297) (b8a21cc)
Code Refactoring

v8.0.9

Features
Bug Fixes
Documentation
Miscellaneous Chores

v8.0.8

Features
Bug Fixes

v8.0.7

Bug Fixes
  • use sync dns.getDefaultResultOrder instead of dns.promises (#​22185) (5c05b04)

v8.0.6

Features
Bug Fixes
Performance Improvements
  • early return in getLocalhostAddressIfDiffersFromDNS when DNS order is verbatim (#​22151) (56ec256)
Miscellaneous Chores

v8.0.5

Bug Fixes

v8.0.4

Features
Bug Fixes
Documentation
Miscellaneous Chores
Code Refactoring

v8.0.3

Features
Bug Fixes
  • html: cache unfiltered CSS list to prevent missing styles across entries (#​22017) (5464190)
  • module-runner: handle non-ascii characters in base64 sourcemaps (#​21985) (77c95bf)
  • module-runner: skip re-import if the runner is closed (#​22020) (ee2c2cd)
  • optimizer: scan is not resolving sub path import if used in a glob import (#​22018) (ddfe20d)
  • ssr: ssrTransform incorrectly rewrites meta identifier inside import.meta when a binding named meta exists (#​22019) (cff5f0c)
Miscellaneous Chores
Tests

v8.0.2

Features
Bug Fixes
Miscellaneous Chores

v8.0.1

Features
Bug Fixes
Miscellaneous Chores

v8.0.0

Features
Bug Fixes

v7.3.3

Please refer to CHANGELOG.md for details.


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.


cloudflare-workers-and-pages Bot commented May 5, 2026

Deploying control-layer with Cloudflare Pages

Latest commit: 7ec5177
Status: 🚫 Build failed.

@renovate renovate Bot force-pushed the renovate/vite-8.x branch 6 times, most recently from dbd0030 to d812575 on May 12, 2026 10:41
@renovate renovate Bot force-pushed the renovate/vite-8.x branch from d812575 to 8c635f2 on May 13, 2026 10:59

@doubleword-code doubleword-code Bot left a comment

Summary

This PR updates the Vite dependency from v7.3.2 to v8.0.0 in the dashboard package. Vite 8 represents a significant architectural shift, replacing esbuild and Rollup with Rolldown and Oxc for JavaScript transformation and bundling.

Verdict: Needs changes - There are compatibility concerns that need to be addressed before this upgrade can be safely merged.

Research notes

I consulted the official Vite 8 Migration Guide and Breaking Changes documentation. Key findings:

  1. Rolldown replaces Rollup: Vite 8 now uses Rolldown instead of Rollup for bundling. The build.rollupOptions config is deprecated (though still supported via backward compatibility layer).

  2. esbuild is now optional: Vite 8 no longer directly uses esbuild - it uses Oxc for JavaScript transforms and minification. If any plugins rely on transformWithEsbuild, esbuild must be installed as a devDependency.

  3. manualChunks deprecation: The object form of output.manualChunks is removed; the function form is deprecated in favor of Rolldown's codeSplitting option.

  4. CommonJS interop changes: Vite 8 implements consistent CommonJS interop that may break existing imports from CJS modules.

Suggested next steps

  1. Blocking: Address the pnpm override for rollup: npm:@rollup/wasm-node - this override is still in package.json but Vite 8 no longer uses Rollup directly. Either remove it if no longer needed, or verify which dependencies still require it.

  2. Blocking: Update vite.config.ts to migrate from build.rollupOptions.output.manualChunks to Rolldown's codeSplitting API, as the current configuration uses the deprecated object form.

  3. Non-blocking: Consider migrating from the deprecated build.rollupOptions to build.rolldownOptions to future-proof the configuration.

  4. Non-blocking: Test the build thoroughly, especially checking for any CommonJS module import issues due to the new consistent CJS interop behavior.

General findings

  • The lockfile shows the override section was removed (overrides: rollup: npm:@rollup/wasm-node...), but the source package.json still contains this override. This inconsistency should be resolved.
  • The rollup-plugin-visualizer plugin is still being used. According to the lockfile, it now accepts both rolldown and rollup as optional peer dependencies, so this should work.
  • Node.js engine requirement ^20.19.0 || >=22.12.0 in package.json aligns with Vite 8's requirements.
  • The @tailwindcss/vite and @vitejs/plugin-react plugins have been updated to versions compatible with Vite 8.

General findings (auto-demoted from inline due to pre-validation)

  • Blocking dashboard/package.json:104 — This pnpm override for rollup may no longer be necessary or correctly targeted in Vite 8.
    • (demoted: line 104 (side=RIGHT) is not part of any diff hunk in dashboard/package.json)
  • Blocking dashboard/vite.config.ts:94 — Using deprecated build.rollupOptions configuration. Vite 8 deprecated this in favor of build.rolldownOptions.
    • (demoted: path "dashboard/vite.config.ts" is not in the PR diff)

Comment thread dashboard/pnpm-lock.yaml
autoInstallPeers: true
excludeLinksFromLockfile: false

overrides:

Non-blocking: The pnpm overrides section was removed from the lockfile.

Why it matters: This indicates that pnpm regenerated the lockfile without applying the rollup: npm:@rollup/wasm-node override. This is expected behavior since Vite 8 no longer directly depends on Rollup. However, the mismatch between package.json (which still has the override) and the lockfile (which doesn't) should be reconciled.

Suggested fix: After addressing the Blocking comment on dashboard/package.json line 104, run pnpm install to regenerate a consistent lockfile.

@renovate renovate Bot force-pushed the renovate/vite-8.x branch from 8c635f2 to 4f9918e on May 13, 2026 14:55

@doubleword-code doubleword-code Bot left a comment

Summary

This PR updates Vite from v7.3.2 to v8.0.0 (resolved to 8.0.12) along with corresponding dependency updates in the lockfile. This is a major version upgrade that introduces Rolldown as the default bundler, replacing esbuild/Rollup.

Verdict: BLOCKED - This PR cannot be merged as-is because the vite.config.ts uses build.rollupOptions.output.manualChunks with the object form, which has been removed in Vite 8 and will cause build failures.

Research notes

I consulted the following authoritative sources:

  1. Vite 8 Announcement - Confirms Rolldown replaces Rollup/esbuild, install size increases ~15MB

  2. Vite 8 Migration Guide - Documents all breaking changes including:

    • build.rollupOptions.output.manualChunks object form is removed (function form deprecated)
    • build.rollupOptions renamed to build.rolldownOptions
    • New output.codeSplitting API replaces manualChunks
  3. Rolldown Manual Code Splitting docs - Shows the new codeSplitting.groups API with test patterns

  4. @vitejs/plugin-react v6 Release Notes - Babel removed, but v5 (currently pinned) still works with Vite 8

Suggested next steps

  1. Blocking: Migrate vite.config.ts from manualChunks to the new codeSplitting API (see inline comment)
  2. Non-blocking: Decide whether to keep or remove pnpm overrides in package.json - they're currently defined but the lockfile overrides section was removed
  3. Recommended: Consider upgrading @vitejs/plugin-react to v6 to benefit from smaller install size (Babel removed)
  4. Testing: Run full build pipeline (pnpm build) to verify production builds work correctly with Rolldown

General findings

pnpm overrides inconsistency

The package.json still contains:

"pnpm": {
  "overrides": {
    "rollup": "npm:@rollup/wasm-node",
    "lodash": "^4.18.0",
    "mdast-util-to-hast": "^13.2.1"
  }
}

But the lockfile's top-level overrides section was removed by this PR. The overrides may still apply via the pnpm key in package.json, but this should be verified. The original reason for these overrides should be reviewed to determine if they're still needed with Vite 8's new architecture.

Install size impact

Per Vite team documentation, Vite 8 adds ~15MB to install size:

  • ~10MB from lightningcss (now a normal dependency)
  • ~5MB from Rolldown binary

This is acceptable for production but worth noting for CI/CD environments.

General findings (auto-demoted from inline due to pre-validation)

  • Blocking dashboard/vite.config.ts:94 — build.rollupOptions is deprecated and the nested manualChunks object form is removed in Vite 8.
    • (demoted: path "dashboard/vite.config.ts" is not in the PR diff)
  • Non-blocking dashboard/package.json:103 — Review whether these pnpm overrides are still necessary with Vite 8.
    • (demoted: line 103 (side=RIGHT) is not part of any diff hunk in dashboard/package.json)

Comment thread dashboard/pnpm-lock.yaml
autoInstallPeers: true
excludeLinksFromLockfile: false

overrides:

Non-blocking: The pnpm overrides section was removed from the lockfile.

Why it matters: This change removes the previous overrides for rollup, lodash, and mdast-util-to-hast. Combined with the overrides still present in package.json, this creates an inconsistent state. The overrides in package.json should take precedence, but this should be verified by running pnpm install after merge to ensure the lockfile regenerates correctly.

Suggested fix: After merging, run pnpm install to regenerate the lockfile with consistent override handling. Verify the resulting lockfile has the expected overrides applied.

@renovate renovate Bot force-pushed the renovate/vite-8.x branch 2 times, most recently from 82dcb6c to fe30410 on May 13, 2026 16:59

@doubleword-code doubleword-code Bot left a comment

Summary

This PR updates the dashboard from Vite 7.3.2 to Vite 8.0.0, which is a major architectural change replacing the dual-bundler approach (esbuild + Rollup) with Rolldown as the unified Rust-based bundler. The lockfile shows extensive changes with new Rolldown-related dependencies and removal of the Rollup WASM override.

Verdict: Needs changes before merging - There's a breaking configuration change in vite.config.ts that must be addressed, plus a transitive dependency security issue to investigate.

Research notes

Fetched the official Vite 8 announcement and migration guide:

Key learnings:

  1. Vite 8 uses Rolldown instead of Rollup for production builds and Oxc instead of esbuild for transforms
  2. build.rollupOptions.output.manualChunks (object form) is not supported, function form is deprecated - should use build.rolldownOptions.output.codeSplitting instead
  3. build.rollupOptions is deprecated in favor of build.rolldownOptions
  4. Lightning CSS is now used for CSS minification by default
  5. Node.js requirement remains ^20.19.0 || >=22.12.0 (already satisfied by current engines field)

Also discovered via lockfile: @ungap/structured-clone@1.3.0 has a known security vulnerability (CWE-502: Deserialization of Untrusted Data) - should update to 1.3.1+

Suggested next steps

  1. Blocking: Migrate build.rollupOptions.output.manualChunks to Rolldown's codeSplitting API in vite.config.ts
  2. Non-blocking: Investigate the @ungap/structured-clone@1.3.0 security advisory and update if possible
  3. Non-blocking: Verify whether the removed pnpm overrides (lodash, mdast-util-to-hast) are still needed for security or if transitive deps now include the fixes
  4. Run full frontend test suite after making changes to ensure build output is functionally equivalent

General findings

Architecture Change Impact

This is not a routine minor version bump - it's the most significant architectural change since Vite 2. The migration from Rollup to Rolldown affects:

  • Build pipeline (different bundler semantics)
  • Plugin compatibility (though most Vite plugins work out-of-the-box per docs)
  • Code splitting strategy (manualChunks → codeSplitting)
  • CSS minification (now Lightning CSS by default, may affect bundle size)
  • JavaScript minification (now Oxc instead of esbuild)

The install size increases by ~15MB (~10MB from lightningcss becoming a normal dependency, ~5MB from Rolldown binary).

CommonJS Interop Change

Vite 8 implements consistent CommonJS interop that may affect imports of CJS modules. The default import behavior changed - teams should test any CJS dependency imports during QA.

General findings (auto-demoted from inline due to pre-validation)

  • Blocking dashboard/vite.config.ts:94 — This build.rollupOptions configuration uses deprecated Rollup-specific APIs that are incompatible with Vite 8's Rolldown-based architecture.
    • (demoted: path "dashboard/vite.config.ts" is not in the PR diff)
  • Non-blocking dashboard/pnpm-lock.yaml:1883 — This dependency version has a known security vulnerability.
    • (demoted: code self-check failed at dashboard/pnpm-lock.yaml:1883: diff has ``, model claimed '@ungap/structured-clone@1.3.0':)

Comment thread dashboard/pnpm-lock.yaml
autoInstallPeers: true
excludeLinksFromLockfile: false

overrides:

Non-blocking: The pnpm overrides section was removed, which includes security patches for lodash and mdast-util-to-hast.

Why it matters: The original overrides included:

  • rollup: npm:@rollup/wasm-node - No longer needed since Rolldown replaces Rollup ✓
  • lodash: ^4.18.0 - Security patch for prototype pollution vulnerabilities
  • mdast-util-to-hast: ^13.2.1 - Likely a security or bug fix

Removing the lodash and mdast-util-to-hast overrides assumes the new dependency tree includes patched versions. This should be verified.

Suggested fix:

  1. Check if the current transitive lodash version satisfies ^4.18.0 using pnpm why lodash
  2. If not, add back the security overrides:
"pnpm": {
  "overrides": {
    "lodash": "^4.18.0",
    "mdast-util-to-hast": "^13.2.1"
  }
}
  3. Alternatively, run a security audit (pnpm audit or npm audit) to identify any remaining vulnerabilities

@doubleword-code doubleword-code Bot left a comment

Summary

This PR updates Vite from v7.3.2 to v8.0.0, which is a major version upgrade that introduces Rolldown as the primary bundler instead of esbuild/Rollup. The dependency update itself is straightforward, but there are several configuration changes needed to fully align with Vite 8's new architecture.

Verdict: Needs changes before merging - the vite.config.ts requires updates to use the new Rolldown-based configuration options.

Research notes

Based on the Vite 8 announcement and Migration Guide:

  1. Vite 8 uses Rolldown (Rust-based) instead of esbuild + Rollup for bundling
  2. build.rollupOptions is deprecated in favor of build.rolldownOptions
  3. The object form of output.manualChunks is no longer supported - Rolldown uses codeSplitting instead
  4. @vitejs/plugin-react v6 is available with Oxc-based transforms (smaller install size, faster builds)
  5. Node.js 20.19+ or 22.12+ is required (already satisfied by existing engines field)
  6. CommonJS interop behavior has changed to be more consistent

Suggested next steps

  1. Blocking: Update vite.config.ts to use build.rolldownOptions instead of build.rollupOptions
  2. Blocking: Migrate the manualChunks configuration to Rolldown's codeSplitting API
  3. Non-blocking: Consider updating @vitejs/plugin-react to v6 for Oxc-based transforms
  4. Non-blocking: Review pnpm overrides - either remove from package.json if no longer needed, or investigate why they were dropped from lockfile
  5. Test the build thoroughly to ensure no CJS interop issues with dependencies

General findings

  • The lodash override (^4.18.0) is no longer needed as the lockfile now has 4.18.1
  • The mdast-util-to-hast override (^13.2.1) is satisfied as the lockfile has 13.2.1
  • The rollup WASM override removal is intentional since Vite 8 uses Rolldown
  • The rollup-plugin-visualizer plugin still works but now receives both rolldown and rollup parameters

General findings (auto-demoted from inline due to pre-validation)

  • Blocking dashboard/vite.config.ts:94 — The build.rollupOptions option is deprecated in Vite 8 and renamed to build.rolldownOptions.
    • (demoted: path "dashboard/vite.config.ts" is not in the PR diff)
  • Blocking dashboard/vite.config.ts:96 — The object form of output.manualChunks is no longer supported in Vite 8's Rolldown-based bundler.
    • (demoted: path "dashboard/vite.config.ts" is not in the PR diff)
  • Non-blocking dashboard/package.json:103 — The pnpm overrides are still present in package.json but were removed from pnpm-lock.yaml during regeneration.
    • (demoted: line 103 (side=RIGHT) is not part of any diff hunk in dashboard/package.json)

Comment thread dashboard/package.json
"typescript": "~5.9.2",
"typescript-eslint": "^8.46.2",
"vite": "^7.3.2",
"vite": "^8.0.0",
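
Review bot: the new "vite": "^8.0.0" range on the last line is a major-version jump, but the hunk changes nothing else in the manifest, so any config or override that assumed Vite 7 is left as it was. Before merging, confirm the build passes on the 8.x release the lockfile resolves to, and consider raising the floor of the range to that tested release instead of 8.0.0.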

Non-blocking: Consider updating @vitejs/plugin-react to v6 for optimal Vite 8 compatibility.

Why it matters: Vite 8 ships with @vitejs/plugin-react v6 which uses Oxc for React Refresh transform instead of Babel. This results in a smaller installation size and faster builds. However, v5 (current version) still works with Vite 8, so this is optional.

Suggested fix: Update the dependency:

"@vitejs/plugin-react": "^6.0.0"

If you need the React Compiler, v6 provides a reactCompilerPreset helper that works with @rolldown/plugin-babel.

@renovate renovate Bot force-pushed the renovate/vite-8.x branch from fe30410 to 0bc2e91 on May 14, 2026 10:24

@doubleword-code doubleword-code Bot left a comment

Summary

This PR updates the Vite dependency from v7.3.2 to v8.0.0, a major version upgrade that introduces significant architectural changes including the replacement of esbuild/Rollup with Rolldown/Oxc.

Verdict: Blocked - The existing vite.config.ts configuration uses build.rollupOptions.output.manualChunks which has been removed in Vite 8 and will cause build failures.

Research notes

  • Vite 8 Migration Guide - Documents all breaking changes
  • Key change: Vite 8 now uses Rolldown instead of Rollup for bundling
  • The manualChunks object form is completely removed; the function form is deprecated
  • Migration path: Use Rolldown's codeSplitting option instead

Suggested next steps

  1. Blocker (Required): Migrate build.rollupOptions.output.manualChunks in dashboard/vite.config.ts to use Rolldown's codeSplitting option
  2. Verify the build succeeds with Vite 8 after the migration
  3. Run frontend tests (just test ts) to ensure no regressions
  4. Consider testing the production build output to verify code splitting behavior is as expected

General findings

Breaking Configuration Change

The current vite.config.ts at lines 93-118 defines:

build: {
  rollupOptions: {
    output: {
      manualChunks: {
        "react-core": ["react", "react-dom"],
        // ... more chunks
      }
    }
  }
}

Per the Vite 8 migration guide:

The object form output.manualChunks option is not supported anymore. The function form output.manualChunks is deprecated. Rolldown has the more flexible codeSplitting option.

Additionally, build.rollupOptions is deprecated and renamed to build.rolldownOptions. This configuration needs to be migrated before merging.

General findings (auto-demoted from inline due to pre-validation)

  • Blocking dashboard/package.json:91 — The Vite 8 upgrade requires migrating the build.rollupOptions.output.manualChunks configuration in vite.config.ts to Rolldown's codeSplitting option.
    • (demoted: code self-check failed at dashboard/package.json:91: diff has "vite": "^8.0.0",, model claimed "vitest": "^3.2.4")

@renovate renovate Bot force-pushed the renovate/vite-8.x branch from 0bc2e91 to 8a69760 on May 14, 2026 10:27

@doubleword-code doubleword-code Bot left a comment

Summary

This PR upgrades Vite from v7.3.2 to v8.0.0, which is a major version bump that introduces significant architectural changes under the hood. The upgrade includes:

  1. Rolldown integration: Vite 8 now uses Rolldown (Rust-based bundler) instead of esbuild + Rollup for bundling
  2. Oxc for transformations: JavaScript transforms now use Oxc instead of esbuild
  3. Lightning CSS for CSS minification: Replaces esbuild for CSS minification
  4. Updated browser target defaults: Aligned with Baseline Widely Available feature sets as of 2026-01-01

The pnpm lockfile has been regenerated with the new dependency tree. However, there's an inconsistency between package.json and pnpm-lock.yaml regarding pnpm overrides that needs attention.

Verdict: Needs changes - the pnpm overrides inconsistency should be resolved before merging.

Research notes

  • Vite 8 Migration Guide: Documents the shift to Rolldown, Oxc, and Lightning CSS, along with breaking changes and deprecation notices
  • Rolldown Documentation: Rust-based bundler with Rollup-compatible API and esbuild feature parity
  • Vite 8 requires Node.js ^20.19.0 || >=22.12.0, which aligns with the current engines specification in package.json
  • The CI workflow uses Node 24, which is compatible

Suggested next steps

  1. Blocking: Resolve the pnpm overrides inconsistency - either remove the overrides from package.json if they're no longer needed with Vite 8, or regenerate the lockfile with the overrides properly applied
  2. Non-blocking: Test the build (pnpm run build) and dev server (pnpm run dev) to ensure Rolldown doesn't introduce any regressions with the current codebase
  3. Non-blocking: Verify that the rollup-plugin-visualizer plugin still works correctly with Rolldown (it appears to support both rolldown and rollup based on the lockfile)

General findings

pnpm Overrides Inconsistency

The package.json still contains pnpm overrides:

"pnpm": {
  "overrides": {
    "rollup": "npm:@rollup/wasm-node",
    "lodash": "^4.18.0",
    "mdast-util-to-hast": "^13.2.1"
  }
}

However, the pnpm-lock.yaml has the overrides: section completely removed. This means:

  1. rollup: npm:@rollup/wasm-node: The lockfile now uses native rollup@4.60.3 instead of the WASM version. This could cause issues on platforms where native Rollup binaries aren't available (though Vite 8 primarily uses Rolldown now, so this may be less critical).

  2. lodash: ^4.18.0 and mdast-util-to-hast: ^13.2.1: These security-related overrides appear to be satisfied through normal dependency resolution (lodash@4.18.1 and mdast-util-to-hast@13.2.1 are installed), but the explicit override protection is gone.

Recommendation: Either:

  • Remove the overrides from package.json if they're truly unnecessary with Vite 8's new architecture
  • Or run pnpm install to regenerate the lockfile with the overrides properly applied

Rolldown Compatibility

The rollup-plugin-visualizer in vite.config.ts now resolves to version 7.0.1 with support for both rolldown and rollup ((rolldown@1.0.0)(rollup@4.60.3)). This should work, but should be tested to ensure bundle visualization still functions correctly.

The @tailwindcss/vite and @vitejs/plugin-react plugins have been updated to their versions compatible with Vite 8.

General findings (auto-demoted from inline due to pre-validation)

  • Blocking dashboard/package.json:103 — pnpm overrides in package.json are not reflected in pnpm-lock.yaml.
    • (demoted: line 103 (side=RIGHT) is not part of any diff hunk in dashboard/package.json)

Comment thread dashboard/pnpm-lock.yaml
autoInstallPeers: true
excludeLinksFromLockfile: false

overrides:

Non-blocking: The overrides: section was removed from the lockfile.

Why it matters: This removal corresponds to the inconsistency noted in package.json. The overrides for rollup, lodash, and mdast-util-to-hast are no longer explicitly pinned in the lockfile.

As shown in the diff, lines 7-11 containing the overrides block were removed:

overrides:
  rollup: npm:@rollup/wasm-node
  lodash: ^4.18.0
  mdast-util-to-hast: ^13.2.1

This should be addressed in conjunction with the package.json overrides to ensure consistency.

Suggested fix: Coordinate with the package.json change - either restore the overrides by regenerating the lockfile, or remove them from package.json as well.
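
Added example (not part of this PR thread or the project's code): a dependency-free Node.js check for the mismatch the reviews above keep returning to, comparing pnpm.overrides in package.json with what pnpm-lock.yaml records and resolves. The embedded manifest and lockfile excerpt are constructed from values quoted in this thread, and the function names and status labels are hypothetical.

```javascript
// Added example; inputs are constructed from values quoted in this thread.
const PACKAGE_JSON = `{
  "pnpm": {
    "overrides": {
      "rollup": "npm:@rollup/wasm-node",
      "lodash": "^4.18.0",
      "mdast-util-to-hast": "^13.2.1"
    }
  }
}`;

// Constructed lockfile excerpt in the state the reviews describe: no top-level
// overrides section. Integrity values are placeholders.
const LOCKFILE = `settings:
  autoInstallPeers: true
  excludeLinksFromLockfile: false

packages:

  lodash@4.18.1:
    resolution: {integrity: sha512-PLACEHOLDER}

  mdast-util-to-hast@13.2.1:
    resolution: {integrity: sha512-PLACEHOLDER}

  rollup@4.60.3:
    resolution: {integrity: sha512-PLACEHOLDER}
`;

// Return [key, value] pairs for the two-space-indented entries of one
// top-level lockfile section (enough YAML for `overrides:` and `packages:`).
function sectionEntries(lockText, section) {
  const entries = [];
  let inside = false;
  for (const line of lockText.split(/\r?\n/)) {
    if (/^\S/.test(line)) { inside = line.trimEnd() === `${section}:`; continue; }
    const m = inside && /^ {2}(\S.*?):(?: (.*))?$/.exec(line);
    if (m) entries.push([m[1].replace(/^['"]|['"]$/g, ""), (m[2] ?? "").trim()]);
  }
  return entries;
}

// Map package name -> list of versions resolved in the `packages:` section.
function resolvedVersions(lockText) {
  const byName = new Map();
  for (const [id] of sectionEntries(lockText, "packages")) {
    const bare = id.split("(")[0];          // drop any peer-dependency suffix
    const at = bare.lastIndexOf("@");       // index 0 is a scope marker, not a version
    if (at <= 0) continue;
    const name = bare.slice(0, at);
    byName.set(name, [...(byName.get(name) ?? []), bare.slice(at + 1)]);
  }
  return byName;
}

// Caret match for plain x.y.z versions (pre-release tags are ignored).
function satisfiesCaret(version, range) {
  const v = version.split("-")[0].split(".").map(Number);
  const r = range.slice(1).split(".").map(Number);
  const first = r.findIndex((n) => n !== 0);
  const pinned = first === -1 ? 2 : first;  // left-most non-zero part may not change
  for (let i = 0; i < 3; i++) {
    if (i <= pinned) { if (v[i] !== r[i]) return false; }
    else if (v[i] !== r[i]) return v[i] > r[i];
  }
  return true;
}

// One finding per override declared in package.json:
//   ok                 recorded in the lockfile and honoured by the resolved tree
//   satisfied-unpinned resolved tree complies, but the lockfile no longer records it
//   violated           a resolved version falls outside the overriding range
//   alias-not-applied  an npm: alias is declared but the original package is resolved
//   unchecked          a spec form this sketch does not evaluate
function auditOverrides(packageJsonText, lockText) {
  const wanted = JSON.parse(packageJsonText).pnpm?.overrides ?? {};
  const recorded = Object.fromEntries(sectionEntries(lockText, "overrides"));
  const resolved = resolvedVersions(lockText);
  return Object.entries(wanted).map(([name, spec]) => {
    const versions = resolved.get(name) ?? [];
    const inLockfile = recorded[name] === spec;
    const settled = inLockfile ? "ok" : "satisfied-unpinned";
    let status = "unchecked";
    if (spec.startsWith("npm:")) {
      status = versions.length ? "alias-not-applied" : settled;
    } else if (spec.startsWith("^")) {
      status = versions.every((v) => satisfiesCaret(v, spec)) ? settled : "violated";
    }
    return { name, spec, inLockfile, versions, status };
  });
}

console.log(JSON.stringify(auditOverrides(PACKAGE_JSON, LOCKFILE), null, 2));
```

Run against the real dashboard/package.json and dashboard/pnpm-lock.yaml by passing their contents as the two strings; anything other than ok is worth resolving before the lockfile is trusted in CI.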

@renovate renovate Bot force-pushed the renovate/vite-8.x branch from 8a69760 to e87a321 on May 14, 2026 15:55

@doubleword-code doubleword-code Bot left a comment

Summary

This PR upgrades Vite from v7.3.2 to v8.0.0 (resolving to 8.0.12), which is a major version upgrade introducing significant architectural changes. Vite 8 replaces esbuild and Rollup with Rolldown and Oxc as the underlying build tools. While this brings performance improvements, there are breaking changes that require attention before this can be safely merged.

Verdict: Needs changes - The upgrade introduces a deprecated configuration option that should be addressed.

Research notes

I reviewed the Vite 8 Migration Guide which documents the following key changes:

  1. Rolldown replaces Rollup/esbuild: Vite 8 now uses Rolldown for bundling and dependency optimization, and Oxc for JavaScript transforms/minification instead of esbuild.

  2. manualChunks is deprecated: The migration guide explicitly states: "The object form output.manualChunks option is not supported anymore. The function form output.manualChunks is deprecated. Rolldown has the more flexible codeSplitting option."

  3. Node.js requirements: Vite 8 requires Node.js ^20.19.0 || >=22.12.0, which matches the current engines field in package.json.

  4. Security advisory: The lock file includes @ungap/structured-clone@1.3.0 which has a deprecation warning: "Potential CWE-502 - Update to 1.3.1 or higher".

Suggested next steps

  1. Blocking: Migrate build.rollupOptions.output.manualChunks in vite.config.ts to Rolldown's codeSplitting API (see lines 94-117)
  2. Non-blocking: Consider updating pnpm overrides if still needed for security patches (lodash, mdast-util-to-hast were removed)
  3. Non-blocking: Verify the build output works correctly with the new Rolldown-based bundler
  4. Nit: The @ungap/structured-clone transitive dependency should be updated if possible

General findings

Removed pnpm overrides

The previous pnpm overrides in package.json (lines 103-107) included:

  • rollup: npm:@rollup/wasm-node - This was likely added to use WASM version of Rollup. With Vite 8 using Rolldown, this override is no longer applicable.
  • lodash: ^4.18.0 - Security override for lodash vulnerability
  • mdast-util-to-hast: ^13.2.1 - Likely a compatibility fix

These overrides were removed in the lock file. If the lodash security fix is still needed, consider re-adding it to the pnpm.overrides section.

General findings (auto-demoted from inline due to pre-validation)

  • Blocking dashboard/vite.config.ts:94 — The build.rollupOptions configuration is deprecated in Vite 8 and should be migrated to build.rolldownOptions.
    • (demoted: path "dashboard/vite.config.ts" is not in the PR diff)
  • Non-blocking dashboard/package.json:103 — The pnpm overrides section previously contained security patches that were removed.
    • (demoted: line 103 (side=RIGHT) is not part of any diff hunk in dashboard/package.json)
  • Nit dashboard/pnpm-lock.yaml:1607 — This package version has a known deprecation warning.
    • (demoted: code self-check failed at dashboard/pnpm-lock.yaml:1607: diff has engines: {node: '>= 20'}, model claimed '@ungap/structured-clone@1.3.0':)

@renovate renovate Bot force-pushed the renovate/vite-8.x branch from e87a321 to 5818538 on May 15, 2026 15:00

@doubleword-code doubleword-code Bot left a comment

Summary

This PR updates Vite from v7.3.2 to v8.0.0, which is a major version upgrade that introduces significant architectural changes. Vite 8 replaces Rollup with Rolldown and esbuild with Oxc for building and transformation. While this is a dependency update generated by Renovate, it requires careful review due to breaking changes.

Verdict: Needs changes before merging - There are configuration issues that need to be addressed.

Research notes

I reviewed the following resources:

Key learnings:

  1. Vite 8 uses Rolldown instead of Rollup for bundling
  2. The object form of build.rollupOptions.output.manualChunks is removed (function form is deprecated)
  3. The rollup: npm:@rollup/wasm-node pnpm override is no longer appropriate and may conflict with internal resolution
  4. Node.js requirement: ^20.19.0 || >=22.12.0 (already satisfied in package.json)
  5. build.rollupOptions is renamed to build.rolldownOptions (deprecated but still works)

Suggested next steps

  1. Blocking: Remove or update the rollup pnpm override in package.json since Vite 8 no longer uses Rollup internally
  2. Blocking: Migrate manualChunks configuration from object form to Rolldown's codeSplitting option
  3. Non-blocking: Consider renaming rollupOptions to rolldownOptions in vite.config.ts (current name is deprecated)
  4. Run full frontend test suite (just test ts) to verify build and dev server work correctly
  5. Verify production build output and bundle sizes are as expected

General findings

Inconsistent lock file state

The pnpm-lock.yaml had its top-level overrides section removed in this PR, but dashboard/package.json (lines 102-107) still contains:

"pnpm": {
  "overrides": {
    "rollup": "npm:@rollup/wasm-node",
    "lodash": "^4.18.0",
    "mdast-util-to-hast": "^13.2.1"
  }
}

This creates an inconsistency. The rollup override was originally added to use the WASM version of Rollup in Vite 7, but Vite 8 has completely replaced Rollup with Rolldown. Keeping this override could cause unexpected behavior or conflicts with Vite's internal dependency resolution.

The lodash and mdast-util-to-hast overrides appear to be security patches that should be kept, but the rollup override should be removed.

General findings (auto-demoted from inline due to pre-validation)

  • Blocking dashboard/package.json:104 — This rollup override is incompatible with Vite 8.
    • (demoted: line 104 (side=RIGHT) is not part of any diff hunk in dashboard/package.json)
  • Blocking dashboard/vite.config.ts:96 — The object form of manualChunks is removed in Vite 8.
    • (demoted: path "dashboard/vite.config.ts" is not in the PR diff)
  • Non-blocking dashboard/vite.config.ts:94 — rollupOptions is deprecated in favor of rolldownOptions.
    • (demoted: path "dashboard/vite.config.ts" is not in the PR diff)
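
One way to catch the manifest/lockfile override drift described in the review above, as an added example that is not part of the original thread or the project's code. It reads only the flat top-level `overrides:` mapping of a lockfile; the function names and both sample lockfiles are constructed assumptions.

```javascript
// Added example: compare package.json pnpm.overrides with pnpm-lock.yaml.
// All sample inputs below are constructed for illustration.
const unquote = (s) => s.trim().replace(/^(['"])(.*)\1$/, '$2');

// Read only the flat top-level `overrides:` mapping of a lockfile string.
function lockfileOverrides(lockText) {
  const found = {};
  let inBlock = false;
  for (const line of lockText.split(/\r?\n/)) {
    if (/^overrides:\s*$/.test(line)) { inBlock = true; continue; }
    if (!inBlock || line.trim() === '') continue;
    if (!/^\s/.test(line)) break; // next top-level key ends the block
    const m = line.match(/^\s+(.+?):\s+(.+)$/);
    if (m) found[unquote(m[1])] = unquote(m[2]);
  }
  return found;
}

// Report overrides declared on one side only, or with differing specs.
function overrideDrift(pkgJsonText, lockText) {
  const manifest = (JSON.parse(pkgJsonText).pnpm || {}).overrides || {};
  const lock = lockfileOverrides(lockText);
  const drift = { missingInLock: [], missingInManifest: [], changed: [] };
  for (const [name, spec] of Object.entries(manifest)) {
    if (!Object.hasOwn(lock, name)) drift.missingInLock.push(name);
    else if (lock[name] !== spec) drift.changed.push(name);
  }
  for (const name of Object.keys(lock)) {
    if (!Object.hasOwn(manifest, name)) drift.missingInManifest.push(name);
  }
  return drift;
}

const SAMPLE_MANIFEST = JSON.stringify({
  pnpm: { overrides: {
    rollup: 'npm:@rollup/wasm-node',
    lodash: '^4.18.0',
    'mdast-util-to-hast': '^13.2.1',
  } },
});
// Constructed lockfile whose overrides block was dropped entirely.
const SAMPLE_LOCK_DROPPED = "lockfileVersion: '9.0'\n\nimporters:\n  .: {}\n";
// Constructed lockfile that kept two overrides, one with a different spec.
const SAMPLE_LOCK_PARTIAL = [
  "lockfileVersion: '9.0'", '', 'overrides:',
  '  lodash: ^4.17.21', "  mdast-util-to-hast: '^13.2.1'", '',
  'importers:', '  .: {}', '',
].join('\n');

console.log(overrideDrift(SAMPLE_MANIFEST, SAMPLE_LOCK_DROPPED));
console.log(overrideDrift(SAMPLE_MANIFEST, SAMPLE_LOCK_PARTIAL));
```

A non-empty result means an override, including a security pin, is declared on one side but not the other, which is the state worth failing a CI check on.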

@renovate renovate Bot force-pushed the renovate/vite-8.x branch from 5818538 to 7ec5177 Compare May 15, 2026 15:13

@doubleword-code doubleword-code Bot left a comment

Summary

This PR updates the Vite dependency from v7.3.2 to v8.0.0 in the dashboard package. Vite 8 is a major version update that introduces significant architectural changes including switching from esbuild/Rollup to Rolldown/Oxc for bundling and transformation.

Verdict: Needs changes - The upgrade removes important pnpm overrides and uses deprecated manualChunks configuration that will not work correctly in Vite 8.

Research notes

Based on the Vite 8 Migration Guide:

  1. Rolldown replaces Rollup: Vite 8 now uses Rolldown instead of Rollup for bundling. The build.rollupOptions is renamed to build.rolldownOptions (deprecated but still supported via compatibility layer).

  2. manualChunks deprecated: The object form of output.manualChunks is not supported anymore, and the function form is deprecated. Rolldown uses a more flexible codeSplitting option instead.

  3. pnpm overrides removed: The diff shows the overrides section was removed from package.json:

    "overrides": {
      "rollup": "npm:@rollup/wasm-node",
      "lodash": "^4.18.0",
      "mdast-util-to-hast": "^13.2.1"
    }

    These overrides were likely added for security or compatibility reasons and should be preserved if still needed.

  4. Node.js version requirement: Vite 8 requires Node.js ^20.19.0 || >=22.12.0, which is correctly specified in the updated package.json engines field.

  5. CSS minification now uses Lightning CSS: This is already being used in the project (lightningcss@1.32.0), so this should be compatible.

Suggested next steps

  1. Add back the pnpm overrides in dashboard/package.json if they are still needed for security patches or compatibility.

  2. Migrate manualChunks to Rolldown's codeSplitting in vite.config.ts. The current configuration at lines 94-117 uses the object form which is no longer supported.

  3. Test the build thoroughly - Run pnpm build and verify the bundle works correctly, especially checking that code splitting still functions as expected.

  4. Update rollup-plugin-visualizer usage - This plugin now supports both Rolldown and Rollup, but verify it produces correct output with the new bundler.

General findings

  • The lockfile changes show many new platform-specific optional dependencies for Rolldown bindings, which is expected.
  • The @rollup/wasm-node override was previously used - this may still be needed depending on your deployment environment.
  • Consider testing in all target environments (Docker, local development, production) before merging.

General findings (auto-demoted from inline due to pre-validation)

  • Blocking dashboard/package.json:102 — The entire pnpm.overrides section has been removed in this diff. These overrides were likely added for specific reasons:
    • (demoted: line 102 (side=LEFT) is not part of any diff hunk in dashboard/package.json)
  • Blocking dashboard/vite.config.ts:96 — The manualChunks object-form syntax is no longer supported in Vite 8. According to the Vite 8 Migration Guide:
    • (demoted: path "dashboard/vite.config.ts" is not in the PR diff)
  • Non-blocking dashboard/vite.config.ts:94 — The build.rollupOptions option is deprecated in favor of build.rolldownOptions in Vite 8. While there's a compatibility layer that converts the old format automatically, you should migrate to the new naming convention.
    • (demoted: path "dashboard/vite.config.ts" is not in the PR diff)
