Skip to content

feat(deps): upgrade upstream dependencies#1910

Closed
voidzero-guard[bot] wants to merge 1 commit into
mainfrom
deps/upstream-update
Closed

feat(deps): upgrade upstream dependencies#1910
voidzero-guard[bot] wants to merge 1 commit into
mainfrom
deps/upstream-update

Conversation

@voidzero-guard

@voidzero-guard voidzero-guard Bot commented Jun 22, 2026

Copy link
Copy Markdown
Contributor

Summary

  • Automated upgrade of upstream dependencies.
  • Bumps rolldown to v1.1.2 and the oxc npm packages from 0.136.0 to 0.137.0.
  • Requires code adjustments: an oxc parser API rename in vite_static_config, dropping the native wasm fallback plugin in the Vite brand patch, and Cargo dependency cleanup alongside the oxc Rust crate bumps.
  • build-upstream failed; see Build status.

Dependency updates

Package From To
rolldown d7f919c v1.1.2 (e0d0b1b)
@oxc-project/runtime 0.136.0 0.137.0
@oxc-project/types 0.136.0 0.137.0
oxc-minify 0.136.0 0.137.0
oxc-parser 0.136.0 0.137.0
oxc-transform 0.136.0 0.137.0
Unchanged dependencies
  • vite: v8.0.16 (f94df87)
  • vitest: 4.1.9
  • @vitest/browser: 4.1.9
  • @vitest/browser-playwright: 4.1.9
  • @vitest/browser-preview: 4.1.9
  • @vitest/browser-webdriverio: 4.1.9
  • @vitest/expect: 4.1.9
  • @vitest/mocker: 4.1.9
  • @vitest/pretty-format: 4.1.9
  • @vitest/runner: 4.1.9
  • @vitest/snapshot: 4.1.9
  • @vitest/spy: 4.1.9
  • @vitest/utils: 4.1.9
  • tsdown: 0.22.3
  • @oxc-node/cli: 0.1.0
  • @oxc-node/core: 0.1.0
  • oxfmt: 0.55.0
  • oxlint: 1.70.0
  • oxlint-tsgolint: 0.23.0
  • @vitejs/devtools: 0.3.3

Code changes

  • crates/vite_static_config/src/lib.rs: rename oxc parser result field errors -> diagnostics to match the oxc 0.137 API.
  • packages/tools/src/brand-vite.ts: drop the native viteWasmFallbackPlugin (removed upstream in rolldown #9775); the JS wasmHelperPlugin still handles wasm imports.
  • Cargo.toml: bump oxc 0.135.0 -> 0.137.0, oxc_resolver 11.21.0 -> 11.21.3, oxc_sourcemap 7 -> 8.0.1; cargo shear cleanup removes unused deps (commondir, num-format, ropey, urlencoding, rolldown_plugin_vite_wasm_fallback) and adds idna_adapter, supports-color.
  • packages/cli/binding/index.cjs, packages/cli/binding/index.d.cts: regenerated NAPI bindings (adds BindingErrorStage export).
  • pnpm-workspace.yaml: catalog version bumps and minimumReleaseAgeExclude additions.

Build status

  • sync-remote-and-build: success
  • build-upstream: failure

@voidzero-guard
feat(deps): upgrade upstream dependencies
1f48500 
- rolldown: d7f919c -> v1.1.2 (e0d0b1b)
- @oxc-project/runtime: 0.136.0 -> 0.137.0
- @oxc-project/types: 0.136.0 -> 0.137.0
- oxc-minify: 0.136.0 -> 0.137.0
- oxc-parser: 0.136.0 -> 0.137.0
- oxc-transform: 0.136.0 -> 0.137.0

Code changes:
- crates/vite_static_config/src/lib.rs: rename oxc parser result field
  `errors` -> `diagnostics` to match the oxc 0.137 API.
- packages/tools/src/brand-vite.ts: drop the native viteWasmFallbackPlugin
  (removed upstream in rolldown #9775); the JS wasmHelperPlugin still covers
  wasm handling.
- Cargo.toml: bump oxc 0.135.0 -> 0.137.0, oxc_resolver 11.21.0 -> 11.21.3,
  oxc_sourcemap 7 -> 8.0.1; cargo shear cleanup removes unused deps
  (commondir, num-format, ropey, urlencoding,
  rolldown_plugin_vite_wasm_fallback) and adds idna_adapter, supports-color.
- packages/cli/binding/index.cjs, packages/cli/binding/index.d.cts:
  regenerated NAPI bindings (adds BindingErrorStage export).
- pnpm-workspace.yaml: catalog version bumps and minimumReleaseAgeExclude
  additions.
@netlify

netlify Bot commented Jun 22, 2026
edited
Loading

Copy link
Copy Markdown

Deploy Preview for viteplus-preview canceled.

Name Link
🔨 Latest commit 1f48500
🔍 Latest deploy log https://app.netlify.com/projects/viteplus-preview/deploys/6a38debe70e56400088a2349

@socket-security

socket-security Bot commented Jun 22, 2026

Copy link
Copy Markdown

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security		 Vulnerability Quality Maintenance License
Updatedcargo/​tokio@​1.50.0 ⏵ 1.52.358 -110093100100
Updatedcargo/​nix@​0.31.2 ⏵ 0.31.3801009310070
Addednpm/​@​babel/​preset-typescript@​7.29.71001007397100
Addednpm/​@​oxc-project/​runtime@​0.137.01001007596100
Updatedcargo/​reqwest@​0.13.2 ⏵ 0.13.480 +210093100100
Updatedcargo/​rustls@​0.23.37 ⏵ 0.23.408210093100100
Updatedcargo/​napi@​3.9.0 ⏵ 3.9.38210093100100
Updatedcargo/​serde_json@​1.0.149 ⏵ 1.0.1508210093100100
Addednpm/​oxc-parser@​0.137.09010010096100
Updatedcargo/​chrono@​0.4.44 ⏵ 0.4.459910093100100
Updatedcargo/​clap@​4.6.0 ⏵ 4.6.19910093100100
Updatedcargo/​clap_complete@​4.6.0 ⏵ 4.6.597 +110093100100
Updatedcargo/​ignore@​0.4.25 ⏵ 0.4.269910093100100
Updatedcargo/​indexmap@​2.13.0 ⏵ 2.14.010010093100100
Updatedcargo/​oxc_allocator@​0.135.0 ⏵ 0.137.010010093100100
Updatedcargo/​oxc_ast@​0.135.0 ⏵ 0.137.010010093100100
Updatedcargo/​oxc_parser@​0.135.0 ⏵ 0.137.010010093100100
Updatedcargo/​oxc_resolver@​11.21.0 ⏵ 11.21.39710093100100
Updatedcargo/​oxc_span@​0.135.0 ⏵ 0.137.010010093100100
Updatedcargo/​rayon@​1.11.0 ⏵ 1.12.09910093100100
Updatedcargo/​regex@​1.12.3 ⏵ 1.12.410010093100100
Updatedcargo/​rustc-hash@​2.1.1 ⏵ 2.1.210010093100100
Updatedcargo/​semver@​1.0.27 ⏵ 1.0.2810010093100100
Updatedcargo/​serial_test@​3.4.0 ⏵ 3.5.010010093100100
Updatedcargo/​tar@​0.4.45 ⏵ 0.4.46100100 +293100100
Updatedcargo/​test-log@​0.2.19 ⏵ 0.2.2110010093100100
Updatedcargo/​which@​8.0.2 ⏵ 8.0.49910093100100
Addednpm/​oxc-transform@​0.137.0941009696100

View full report

@socket-security

socket-security Bot commented Jun 22, 2026

Copy link
Copy Markdown

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action Severity Alert  (click "▶" to expand/collapse)
Warn High
Obfuscated code: cargo openssl is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: ?cargo/reqwest@0.13.4cargo/openssl@0.10.81

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore cargo/openssl@0.10.81. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: cargo tokio is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: bench/Cargo.tomlcargo/tokio@1.52.3

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore cargo/tokio@1.52.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: cargo zerocopy is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: ?cargo/brush-parser@0.4.0cargo/criterion@0.7.0cargo/brush-parser@0.3.0cargo/zerocopy@0.8.52

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore cargo/zerocopy@0.8.52. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

fengmk2
fengmk2 reviewed Jun 22, 2026
View reviewed changes
Comment thread packages/tools/src/brand-vite.ts
* 3. build.ts: Remove startup build banner and change error prefix
* 4. logger.ts: Change default prefix from '[vite]' to '[vite+]'
* 5. plugins/reporter.ts: Suppress redundant "vite v<version>" native reporter line
* 6. plugins/index.ts: Drop the native viteWasmFallbackPlugin (removed upstream in

@fengmk2 fengmk2 Jun 22, 2026

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Wait to update together after vite@8.1.0 is released

@voidzero-guard voidzero-guard Bot closed this Jun 23, 2026
@voidzero-guard voidzero-guard Bot deleted the deps/upstream-update branch June 23, 2026 01:59
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@fengmk2 fengmk2 fengmk2 left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@fengmk2