chore(deps): bump vite-plus to v0.1.24#7
Conversation
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request updates several dependencies in package.json to use preview releases from pkg.pr.new and adjusts workspace configurations in pnpm-workspace.yaml to allow these exotic dependencies. The review feedback recommends keeping the global minimumReleaseAge at 4320 (3 days) instead of lowering it to 60 (1 hour) to maintain security protections for other dependencies, especially since the specific packages have already been added to the exclusion list.
| blockExoticSubdeps: true | ||
| minimumReleaseAge: 4320 | ||
| blockExoticSubdeps: false | ||
| minimumReleaseAge: 60 |
There was a problem hiding this comment.
Lowering the global minimumReleaseAge from 4320 (3 days) to 60 (1 hour) reduces the security protection against dependency hijacking/malicious releases for all other dependencies in the monorepo. Since you have already added the relevant packages to minimumReleaseAgeExclude, you can safely keep the global minimumReleaseAge at 4320 to maintain the 3-day safety buffer for the rest of your dependencies.
minimumReleaseAge: 4320
fengmk2
changed the title
1 participant
Summary
Bump
vite-plusand related packages to the pkg.pr.new prerelease build for v0.1.24.Updated where applicable:
vite-plus-> pkg.pr.newvite/vitestaliases and overrides ->@voidzero-dev/vite-plus-core/@voidzero-dev/vite-plus-test@voidzero-dev/vite-plus-*direct deps,overrides/resolutions/pnpm.overrides/ catalogsminimum-release-agewith vite-plus stack excluded (pnpm / npm / bun / yarn as applicable)pnpm.*package.json fields intopnpm-workspace.yamlwhere presentTest plan