chore(deps): update dependency @vitejs/plugin-react to v6

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
@vitejs/plugin-react (source)	^5.0.1 → ^6.0.0

---

Release Notes

vitejs/vite-plugin-react (@​vitejs/plugin-react)

v6.0.2

Compare Source

Allow all options in reactCompilerPreset (#​1189)

This is a type only change. Only compilationMode and target options were available for reactCompilerPreset.

v6.0.1

Compare Source

Expand @rolldown/plugin-babel peer dep range (#​1146)

Expanded @rolldown/plugin-babel peer dep range to include ^0.2.0.

v6.0.0

Compare Source

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[cloudflare-workers-and-pages]

Deploying control-layer with    Cloudflare Pages

Latest commit:	24371f8
Status:	🚫  Build failed.

View logs

[doubleword-code]

Summary

This PR updates @vitejs/plugin-react from v5.0.1 to v6.0.0. However, this update introduces a critical compatibility issue: plugin-react v6 explicitly drops support for Vite 7, requiring Vite 8+ instead. Since the dashboard currently uses Vite 7.3.2, this dependency update will cause the build to fail or behave unpredictably.

Verdict: BLOCKED - This PR cannot be merged as-is. Either revert this update or pair it with a Vite 8 upgrade.

Research notes

I fetched the official release notes for plugin-react v6.0.0:

Key breaking changes in v6.0.0:

1. Drop Vite 7 and below support - "Vite 7 and below are no longer supported. If you are using Vite 7, please upgrade to Vite 8."

2. Remove Babel Related Features - Babel is no longer a dependency. Vite 8+ handles React Refresh Transform by Oxc natively. Users needing Babel must now use @rolldown/plugin-babel as a separate plugin.

3. New peer dependencies:

   peerDependencies:
     vite: ^8.0.0
     @rolldown/plugin-babel: ^0.1.7 || ^0.2.0 (optional)
     babel-plugin-react-compiler: ^1.0.0 (optional)
   

Current project state:

The dashboard's package.json (line 91) specifies:

"vite": "^7.3.2"

This is incompatible with @vitejs/plugin-react@6.0.0 which requires vite: ^8.0.0.

Suggested next steps

1. Option A (Recommended): Revert this dependency update until the team is ready to upgrade to Vite 8. Keep using @vitejs/plugin-react@^5.0.1 which supports Vite 7.

2. Option B: If upgrading to Vite 8 is desired, this PR should be combined with:

   • Update vite to ^8.0.0 (check for breaking changes in Vite 8)
   • Review if any custom Babel configuration exists (the release notes mention Babel features were removed)
   • Test the full build pipeline after upgrade

3. Run pnpm install and verify if pnpm throws a peer dependency warning/error (it should, since v6 requires Vite 8).

General findings

Removed overrides in pnpm-lock.yaml

The diff shows the following pnpm overrides were removed from the lockfile:

overrides:
  rollup: npm:@rollup/wasm-node
  lodash: ^4.18.0
  mdast-util-to-hast: ^13.2.1

These overrides still exist in package.json (lines 103-107), so they should be preserved in the lockfile. Their removal from the lockfile may indicate a regeneration issue or that pnpm is not respecting them anymore. Verify these security overrides are still being applied.

[doubleword-code]

Blocking: This version of @vitejs/plugin-react (v6.0.0) is incompatible with the current Vite version (v7.3.2).

Why it matters: According to the official v6.0.0 release notes:

Drop Vite 7 and below support

Vite 7 and below are no longer supported. If you are using Vite 7, please upgrade to Vite 8.

The peer dependency was changed to require vite: ^8.0.0. Using this with Vite 7.3.2 will cause peer dependency resolution failures or runtime issues.

Suggested fix: Either:

1. Revert to "@vitejs/plugin-react": "^5.0.1" (supports Vite 7), OR
2. Upgrade Vite to "^8.0.0" and test thoroughly for breaking changes

[doubleword-code]

Summary

This PR updates @vitejs/plugin-react from v5.0.1 to v6.0.0. However, this major version upgrade introduces a critical compatibility issue that blocks merging.

Verdict: Blocked - Requires either (a) upgrading Vite to v8+, or (b) keeping plugin-react at v5.x.

Research notes

I consulted the official vite-plugin-react release notes and CHANGELOG:

@vitejs/plugin-react v6.0.0 Breaking Changes:

1. Drop Vite 7 and below support - Vite 8+ is now required. From the release notes:

   Vite 7 and below are no longer supported. If you are using Vite 7, please upgrade to Vite 8.

2. Remove Babel Related Features - Babel is no longer bundled. Users needing Babel plugins must install @rolldown/plugin-babel separately.

3. New peer dependency requirements:

   peerDependencies:
     vite: ^8.0.0
   

Current Project State:

The project currently uses Vite 7.3.2 ("vite": "^7.3.2" in package.json), which is explicitly unsupported by plugin-react v6.

Suggested next steps

1. Option A (Recommended): Upgrade Vite to v8+ alongside this plugin update. This requires:

   • Update "vite": "^8.0.0" in package.json
   • Test the dev server and build pipeline thoroughly
   • Verify all Vite plugins remain compatible with Vite 8

2. Option B: Keep @vitejs/plugin-react at v5.x (e.g., "^5.0.1") until the team is ready to upgrade Vite to v8.

3. Fix pnpm-lock.yaml: The lockfile shows the overrides section was removed from the top level. While overrides are still present in package.json, ensure pnpm properly respects them by regenerating the lockfile after resolving the Vite compatibility issue.

General findings

• The pnpm-lock.yaml diff shows removal of several @babel/* packages, which is expected since v6 removes Babel dependencies. However, if the project relies on any custom Babel plugins, they would need to be re-added via @rolldown/plugin-babel.
• The lockfile shows version: 6.0.1(vite@7.3.2...) indicating pnpm installed v6 alongside Vite 7.3.2, violating the peer dependency. This may work in some cases but is unsupported and could cause runtime issues.

[doubleword-code]

Summary

This PR updates @vitejs/plugin-react from v5.0.1 to v6.0.0. However, this update introduces a critical compatibility issue: @vitejs/plugin-react v6 requires Vite 8+, but this project currently uses Vite 7.3.2.

Verdict: Blocked - Cannot merge without either (a) upgrading Vite to v8, or (b) keeping @vitejs/plugin-react at v5.

Research notes

Fetched the official CHANGELOG and README from the vite-plugin-react repository:

• CHANGELOG highlights for v6.0.0 (source):

  • "Drop Vite 7 and below support" - Vite 7 and below are no longer supported. If you are using Vite 7, please upgrade to Vite 8.
  • "Remove Babel Related Features" - Babel is no longer a dependency; users needing Babel must install @rolldown/plugin-babel separately.
  • Peer dependency changed from vite: ^4.2.0 || ^5.0.0 || ^6.0.0 || ^7.0.0 || ^8.0.0 to vite: ^8.0.0

• Current project state:

  • dashboard/package.json line 91: "vite": "^7.3.2" ❌
  • This version constraint allows v7.x but NOT v8.x

Suggested next steps

1. Blocking: Decide on the migration path:

   • Option A (Recommended): Upgrade Vite to v8+ alongside this plugin update. This requires changing "vite": "^7.3.2" to "vite": "^8.0.0" (or latest) in package.json and verifying the build works.
   • Option B: Keep @vitejs/plugin-react at v5.x if Vite 8 upgrade is not ready. Change the specifier back to "^5.0.1".

2. Non-blocking: Review the pnpm-lock.yaml changes - the overrides section was removed from the lockfile but still exists in package.json. This appears to be a lockfile regeneration artifact, but verify the overrides are still being applied correctly after running pnpm install.

General findings

No other issues identified. The lockfile changes appear to be standard dependency tree updates from the plugin version change (removing Babel-related packages, adding platform-specific rollup binaries).

[doubleword-code]

Summary

This PR updates @vitejs/plugin-react from v5 to v6, but introduces a blocking compatibility issue: @vitejs/plugin-react v6 requires Vite 8+, while this project currently uses Vite 7.3.2. The PR should not be merged without also upgrading Vite.

Research notes

Fetched official release notes from vitejs/vite-plugin-react releases:

v6.0.0 breaking changes:

• Dropped Vite 7 support: "Vite 7 and below are no longer supported. If you are using Vite 7, please upgrade to Vite 8." (#1124)
• Removed Babel integration: Babel is no longer a dependency; custom Babel config via react({ babel: {...}}) is removed. Users must use @rolldown/plugin-babel separately if needed.
• New peer dependencies: vite: ^8.0.0, @rolldown/plugin-babel: ^0.1.7 || ^0.2.0 (optional), babel-plugin-react-compiler: ^1.0.0 (optional)

The pnpm lockfile shows the package resolves despite the peer mismatch:

'@vitejs/plugin-react@6.0.1(vite@7.3.2(...))'

But the declared peer dependency is vite: ^8.0.0.

Suggested next steps

1. Decide on Vite version: Either upgrade Vite to ^8.0.0 to match the plugin requirement, or keep @vitejs/plugin-react at ^5.x
2. If upgrading to Vite 8: Check Vite 8 migration guide for breaking changes that may affect the dashboard build
3. If staying on Vite 7: Update the Renovate config to constrain @vitejs/plugin-react to major version 5

General findings

No other issues found. The pnpm-lock.yaml changes are consistent with the version bump (removing old Babel packages, adding new rolldown dependencies, updating native binary packages for rollup).

Note: The pnpm overrides section was removed from the lockfile (rollup: npm:@rollup/wasm-node, lodash, mdast-util-to-hast). This appears to be an unintended side effect - the overrides are still present in package.json but were stripped from the lockfile structure.

[doubleword-code]

Blocking: This version requires Vite 8+, but the project uses Vite 7.3.2 (line 91).

Why it matters: According to the official v6.0.0 release notes, Vite 7 and below are no longer supported. The peer dependency is vite: ^8.0.0. Using this with Vite 7 may cause runtime errors or missing functionality since v6 removed Babel-based transforms that Vite 7 relied on.

Suggested fix: Either:

1. Downgrade to "@vitejs/plugin-react": "^5.2.0" (latest v5) to stay compatible with Vite 7
2. Or upgrade Vite: "vite": "^8.0.0" (and test thoroughly for Vite 8 breaking changes)

[doubleword-code]

Summary

This PR updates @vitejs/plugin-react from v5 to v6 and regenerates the pnpm lockfile. However, there is a critical compatibility issue that blocks this PR from being merged:

Verdict: BLOCKED - Requires Vite 8 upgrade before this can be merged.

Research notes

I fetched the official release notes for @vitejs/plugin-react v6.0.0 from GitHub Releases:

Drop Vite 7 and below support (#1124)

Vite 7 and below are no longer supported. If you are using Vite 7, please upgrade to Vite 8.

The current project uses Vite ^7.3.2 (specified in dashboard/package.json line 91), which is incompatible with @vitejs/plugin-react@6.x.

Additionally, the pnpm lockfile has lost its overrides section that was present in the original lockfile. The package.json still specifies these overrides:

"pnpm": {
  "overrides": {
    "rollup": "npm:@rollup/wasm-node",
    "lodash": "^4.18.0",
    "mdast-util-to-hast": "^13.2.1"
  }
}

But the regenerated pnpm-lock.yaml no longer includes them, which means:

• Security override for lodash (patching known vulnerabilities) is not being enforced
• The WASM version of Rollup is no longer being used
• The mdast-util-to-hast fix is not being applied

Suggested next steps

1. Blocking: Either:

   • Upgrade Vite to v8+ (pnpm add -D vite@^8.0.0), OR
   • Pin @vitejs/plugin-react to ^5.2.0 (the latest v5 version that supports Vite 7)

2. Non-blocking: Regenerate the lockfile properly to preserve the pnpm overrides, or explicitly remove them from package.json if they're no longer needed (with justification).

General findings

Major breaking change in plugin-react v6

The v6 release removes Babel-related features. From the release notes:

Vite 8+ can handle React Refresh Transform by Oxc and doesn't need Babel for it. To reduce the installation size of this plugin, babel is no longer a dependency of this plugin and the related features are removed.

If this project was using any custom Babel configuration via the plugin's babel option, that configuration will stop working. The migration path requires installing @rolldown/plugin-babel separately. Current usage in vite.config.ts is just react() with no options, so this shouldn't impact this project directly.

Dependency tree changes

The lockfile diff shows significant changes to the Babel-related packages - many are being removed as expected since v6 no longer depends on Babel. This reduces bundle size but requires Vite 8.

General findings (auto-demoted from inline due to pre-validation)

• Non-blocking dashboard/pnpm-lock.yaml:1 — Missing pnpm overrides section.
  • (demoted: line 1 (side=RIGHT) is not part of any diff hunk in dashboard/pnpm-lock.yaml)

[doubleword-code]

Blocking: Incompatible Vite version.

Why it matters: @vitejs/plugin-react@6.x explicitly drops support for Vite 7 and below (requires Vite 8+ per release notes). This project uses Vite ^7.3.2 (line 91), which will cause the plugin to fail at runtime or during build.

From the official release notes:

Drop Vite 7 and below support

Vite 7 and below are no longer supported. If you are using Vite 7, please upgrade to Vite 8.

Suggested fix: Either:

1. Upgrade Vite: pnpm add -D vite@^8.0.0 (and verify all plugins are Vite 8 compatible)
2. Or pin this to v5: "@vitejs/plugin-react": "^5.2.0"

[doubleword-code]

Summary

This PR updates @vitejs/plugin-react from v5 to v6. However, there's a critical compatibility issue: @vitejs/plugin-react v6.x requires Vite 8+, but this project is still using Vite 7.3.2. Additionally, the PR removes important pnpm overrides that were in place for security reasons.

Verdict: Blocked - Requires either upgrading Vite to v8 or keeping @vitejs/plugin-react at v5 until Vite is upgraded.

Research notes

I consulted the official @vitejs/plugin-react v6.0.0 release notes, which clearly states:

Drop Vite 7 and below support (#1124)

Vite 7 and below are no longer supported. If you are using Vite 7, please upgrade to Vite 8.

The v6 release also removes Babel-related features, relying on Oxc for React Refresh Transform in Vite 8+. While this project doesn't use custom Babel plugins (good), the Vite version requirement is the blocking factor.

From the CHANGELOG:

• v6.0.0 dropped Vite 7 support
• v5.2.0 added Vite 8 support while maintaining Vite 7 compatibility

Suggested next steps

1. Option A (Recommended): Upgrade Vite to v8 alongside this change:

   • Update "vite": "^8.0.0" in package.json
   • Test thoroughly for any breaking changes from Vite 7 → 8

2. Option B: Keep @vitejs/plugin-react at v5.x until ready to upgrade Vite:

   • Change specifier to "^5.0.1" (or "^5.2.0" for latest v5)

3. Restore pnpm overrides: Re-add the removed overrides section to maintain security patches for lodash and mdast-util-to-hast

General findings

Removed pnpm overrides (security concern)

The PR removes the following pnpm overrides from package.json:

"overrides": {
  "rollup": "npm:@rollup/wasm-node",
  "lodash": "^4.18.0",
  "mdast-util-to-hast": "^13.2.1"
}

While the current lockfile resolves to safe versions (lodash@4.18.1, mdast-util-to-hast@13.2.1), removing these explicit overrides means future installations could pull in vulnerable versions. The lodash override was likely addressing CVE-2021-23337 (prototype pollution in <4.17.21), and mdast-util-to-hast had its own security fixes in v13.2.1.

Rollup implementation change

The rollup: npm:@rollup/wasm-node override ensured consistent behavior across platforms by using the WASM build. Removing it switches to native Rollup, which may behave differently on various architectures. This isn't necessarily wrong, but should be intentional.

[doubleword-code]

Summary

This PR upgrades @vitejs/plugin-react from v5.0.1 to v6.0.0 as part of Renovate's automated dependency updates. However, this upgrade introduces a breaking compatibility issue that blocks merging.

Verdict: ❌ BLOCKED - Requires Vite 8+ upgrade first

Research notes

I fetched the official CHANGELOG for @vitejs/plugin-react v6.0.0 and found:

Breaking Changes in v6.0.0:

1. Drop Vite 7 and below support (#1124): Vite 8+ is now required. The peerDependencies changed from vite: ^4.2.0 || ^5.0.0 || ^6.0.0 || ^7.0.0 to vite: ^8.0.0.

2. Remove Babel Related Features (#1123): Babel is no longer a dependency. JSX transforms are handled by Oxc. If custom Babel plugins are needed, users must install @rolldown/plugin-babel separately.

3. New optional peer dependencies:

   • @rolldown/plugin-babel: ^0.1.7 || ^0.2.0 (optional)
   • babel-plugin-react-compiler: ^1.0.0 (optional)

Current Project State:

• Vite version: ^7.3.2 (package.json line 91)
• Plugin configuration: react() with no custom Babel options (vite.config.ts)
• Good news: The project doesn't use any custom Babel configuration, so the Babel removal wouldn't affect functionality IF Vite were upgraded.

Suggested next steps

1. BLOCKING: Upgrade Vite from ^7.3.2 to ^8.0.0 (or latest v8) in dashboard/package.json
2. Run pnpm install to update the lockfile with compatible versions
3. Test the dev server and build to ensure Vite 8 compatibility
4. Once Vite 8 is confirmed working, this plugin upgrade can proceed

General findings

pnpm overrides removal concerns

The diff shows removal of the pnpm.overrides section that previously pinned:

• rollup: npm:@rollup/wasm-node
• lodash: ^4.18.0 (security fix for prototype pollution)
• mdast-util-to-hast: ^13.2.1

The lodash override was likely added to address CVE-2021-23337 or similar prototype pollution vulnerabilities. Removing this override could reintroduce security vulnerabilities if transitive dependencies pull in vulnerable lodash versions. Consider keeping these overrides or verifying that all dependencies now resolve to safe versions.

General findings (auto-demoted from inline due to pre-validation)

• Non-blocking dashboard/package.json:102 — Removal of pnpm overrides section - verify security implications.
  • (demoted: line 102 (side=LEFT) is not part of any diff hunk in dashboard/package.json)

[doubleword-code]

Blocking: This version requires Vite 8+ but the project uses Vite ^7.3.2 (line 91).

Why it matters: According to the v6.0.0 release notes, this version dropped support for Vite 7 and below. The peerDependencies now specify vite: ^8.0.0. Installing this with Vite 7 will cause peer dependency warnings and potential runtime incompatibilities since the plugin expects Vite 8+ APIs.

Suggested fix: First upgrade Vite to v8+:

"vite": "^8.0.0",

Then verify the dev server and production build work correctly before merging this plugin upgrade.

[doubleword-code]

Summary

This PR updates @vitejs/plugin-react from ^5.0.1 to ^6.0.0 in the dashboard. While this is a routine dependency update, there is a critical compatibility issue that blocks merging.

Verdict: 🛑 BLOCKED - Requires Vite version upgrade alongside this change.

Research notes

I fetched the CHANGELOG.md for @vitejs/plugin-react and found the following breaking changes in v6.0.0:

1. Drop Vite 7 and below support (#1124): "Vite 7 and below are no longer supported. If you are using Vite 7, please upgrade to Vite 8."

2. Remove Babel Related Features (#1123): Babel is no longer a dependency. The plugin now uses Oxc for React refresh transform. Users who need custom Babel plugins must use @rolldown/plugin-babel alongside this plugin.

3. Node.js requirement: Node 20.19+ or 22.12+ (already satisfied by this project's engines field)

The current project uses vite@^7.3.2 (see dashboard/package.json line 91), which is incompatible with @vitejs/plugin-react@6.x.

Suggested next steps

1. Upgrade Vite to v8 alongside this plugin update. Check the Vite 8 migration guide for breaking changes.

2. Verify the pnpm overrides behavior: The overrides section was removed from pnpm-lock.yaml but remains in package.json. After upgrading Vite, run pnpm install to regenerate the lockfile and ensure the rollup/lodash/mdast-util-to-hast overrides are properly applied.

3. Test the build: Since v6 removes Babel, verify that any custom JSX transforms or Babel plugins (if used) are migrated to use @rolldown/plugin-babel as shown in the changelog examples.

4. Run frontend tests: After upgrading both Vite and the plugin, run just test ts to ensure no regressions.

General findings

Bundle size improvement (Positive)

The diff shows significant reduction in Babel-related packages in the lockfile (@babel/core, @babel/parser, @babel/traverse, etc. are removed). This is a beneficial side effect of v6's shift to Oxc-based transforms.

Peer dependency change

The plugin now lists @rolldown/plugin-babel and babel-plugin-react-compiler as optional peer dependencies instead of bundling Babel directly. This is fine since the project doesn't appear to use custom Babel plugins.

Rollup resolution change

The lockfile now resolves rollup-plugin-visualizer@7.0.1 with explicit (rollup@4.60.3) peer dependency. The @rollup/wasm-node override in package.json should still apply, but this should be verified after running pnpm install with the updated versions.

General findings (auto-demoted from inline due to pre-validation)

• Non-blocking dashboard/pnpm-lock.yaml:4 — The overrides section was removed from the lockfile but remains in package.json
  • (demoted: code self-check failed at dashboard/pnpm-lock.yaml:4: diff has autoInstallPeers: true, model claimed overrides:)

[doubleword-code]

Blocking: Incompatible Vite version - @vitejs/plugin-react@6.x requires Vite 8+

Why it matters: According to the official changelog, version 6.0.0 explicitly dropped support for Vite 7 and below. The project currently uses vite@^7.3.2 (line 91 of this file). Installing this version will result in an unsatisfied peer dependency warning and potential runtime failures.

Suggested fix: Upgrade Vite to v8 alongside this plugin update:

"vite": "^8.0.0",

Or pin the plugin to v5 if Vite upgrade needs to be deferred:

"@vitejs/plugin-react": "^5.0.1",