chore(deps-dev): Bump vite from 7.3.3 to 8.0.10 in the npm group#27
Bumps the npm group with 1 update: [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite).

Updates `vite` from 7.3.3 to 8.0.10
- [Release notes](https://github.com/vitejs/vite/releases)
- [Changelog](https://github.com/vitejs/vite/blob/main/packages/vite/CHANGELOG.md)
- [Commits](https://github.com/vitejs/vite/commits/v8.0.10/packages/vite)

---
updated-dependencies:
- dependency-name: vite
  dependency-version: 8.0.10
  dependency-type: direct:development
  update-type: version-update:semver-major
  dependency-group: npm
...

Signed-off-by: dependabot[bot] <support@github.com>
| Experiment | Status | Actions |
|---|---|---|
| Uppercase (py) | ✅ Pass | View GitHub Action Run · View in Langfuse |
| Uppercase (ts) | ✅ Pass | View GitHub Action Run · View in Langfuse |
| Mixed dir (node) | ✅ Pass | View GitHub Action Run · View in Langfuse |
| Mixed dir (python) | ✅ Pass | View GitHub Action Run · View in Langfuse |
| Regression fixture | ❌ Regression | View GitHub Action Run · View in Langfuse |
Major version bump (vite 7→8); deferring per the repo's auto-merge policy which scopes auto-merge to patch updates only.
Extended reasoning...
Overview
This Dependabot PR bumps the dev-only dependency vite from 7.3.3 to 8.0.10 in package.json and pnpm-lock.yaml. Vite is only consumed indirectly through vitest (there is no vite.config.*; only vitest.config.ts using vitest/config). The lockfile churn includes the v8 switch from rollup to rolldown and the addition of lightningcss as a non-optional dep, plus updated peer-dep declarations.
Security risks
None directly introduced by the diff. Vite is a build/test-time dependency and does not ship in the action's runtime bundle (which is produced via @vercel/ncc). The risk surface is limited to local development and CI.
Level of scrutiny
Low-to-moderate. It is a major version bump, which carries a non-trivial chance of subtle test-infrastructure regressions (rolldown is still RC, lightningcss now pulled in unconditionally, peer-dep signature changed). CI exercises vitest so most breakage would be caught automatically, but a human glance is warranted before merging.
Other factors
The repository's own .github/workflows/dependabot-auto-merge.yml explicitly restricts auto-merge to version-update:semver-patch and notes that "minor/major updates still get human review." That stated policy is the deciding factor: I am deferring to honor it. The bug-hunting system found no issues.
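The policy cited in the review above (auto-merge only for `version-update:semver-patch`) can be evaluated from the `updated-dependencies` block that Dependabot writes into its commit message. The following is an added example, not the repository's workflow or Dependabot's own code; the function names, the allow-list constant and the sample message (constructed from the metadata values in this PR) are assumptions.

```javascript
// Added example, not the repository's workflow. Names are hypothetical.
const ALLOWED_UPDATE_TYPES = new Set(['version-update:semver-patch']);

// Read the "updated-dependencies:" block from a Dependabot commit message.
function parseUpdatedDependencies(message) {
  const lines = message.split(/\r?\n/);
  const start = lines.findIndex((l) => l.trim() === 'updated-dependencies:');
  if (start === -1) return [];
  const entries = [];
  for (const raw of lines.slice(start + 1)) {
    const line = raw.trim();
    if (line === '...') break; // YAML document end marker
    const isNew = line.startsWith('- ');
    const body = isNew ? line.slice(2) : line;
    const sep = body.indexOf(':'); // first colon only: values contain ':'
    if (sep === -1) continue;
    if (isNew) entries.push({});
    if (entries.length === 0) continue;
    entries[entries.length - 1][body.slice(0, sep).trim()] = body.slice(sep + 1).trim();
  }
  return entries;
}

// Fail closed: anything not provably a patch-only Dependabot update goes to a human.
// prAuthor is assumed to come from the platform (PR author login), not the commit text.
function autoMergeDecision(message, prAuthor) {
  if (prAuthor !== 'dependabot[bot]') return { allow: false, reason: 'not opened by Dependabot' };
  const deps = parseUpdatedDependencies(message);
  if (deps.length === 0) return { allow: false, reason: 'no updated-dependencies metadata' };
  const blocked = deps.filter((d) => !ALLOWED_UPDATE_TYPES.has(d['update-type']));
  if (blocked.length === 0) return { allow: true, reason: 'all updates are semver-patch' };
  const names = blocked.map((d) => `${d['dependency-name']} (${d['update-type']})`);
  return { allow: false, reason: `needs human review: ${names.join(', ')}` };
}

// Constructed sample using the metadata values from this PR's commit message.
const SAMPLE_MESSAGE = [
  'chore(deps-dev): Bump vite from 7.3.3 to 8.0.10 in the npm group', '',
  '---', 'updated-dependencies:',
  '- dependency-name: vite', '  dependency-version: 8.0.10',
  '  dependency-type: direct:development',
  '  update-type: version-update:semver-major', '  dependency-group: npm',
  '...', '', 'Signed-off-by: dependabot[bot] <support@github.com>',
].join('\n');

console.log(autoMergeDecision(SAMPLE_MESSAGE, 'dependabot[bot]'));
```

In a grouped update every entry must be on the allow-list, so a single major or minor bump in the group sends the whole PR to human review.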
wochinge left a comment
Reviewed the Vite 8 dev-dependency bump. CI is green, including lint/typecheck/unit tests, dist/schema checks, CodeQL, workflow linting, and the real Langfuse e2e job. Vite is only used in the test/dev toolchain via Vitest, so this is safe to merge.
Bumps the npm group with 1 update: vite.
Updates `vite` from 7.3.3 to 8.0.10

Release notes
Sourced from vite's releases.
... (truncated)
Changelog
Sourced from vite's changelog.
... (truncated)
Commits
- 32c2978 release: v8.0.10
- a4d06d9 feat: update rolldown to 1.0.0-rc.17 (#22299)
- a4d828f fix: `hmrClient.logger.debug` and `hmrClient.logger.error` looked different f...
- 83f0a78 fix(css): show filename in CSS minification warnings for `.css?inline` (#22292)
- b8a21cc fix: remove format sniffing module resolution from JS resolver (#22297)
- 40a0847 refactor: typecheck client directory (#22284)
- 5c7cec6 fix(optimizer): allow user transform.target to override default in optimizeDe...
- 9437518 refactor: enable some typecheck rules (#22278)
- ce729f5 release: v8.0.9
- 605bb97 docs: update build CLI defaults (#22261)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will remove the ignore condition of the specified dependency and ignore conditions