chore(deps-dev): bump vite-plus from 0.1.19 to 0.1.24 in the npm_and_yarn group across 1 directory

[dependabot]

Bumps the npm_and_yarn group with 1 update in the / directory: vite-plus.

Updates vite-plus from 0.1.19 to 0.1.24

Release notes

Sourced from vite-plus's releases.

vite-plus v0.1.24

A new vp pm stage publishing workflow, hardened installs and upgrades, a Node-version mismatch reinstall prompt, and the bundled vite/vitest/tsdown stack moves forward.

Features

• vp pm stage: a new vp pm subcommand exposing npm's staged-publishing workflow (upload a build to a staging area without 2FA, then approve or reject it from a trusted device); it maps to pnpm stage / npm stage / yarn npm ... --staged per package manager, with an npm fallback for yarn Classic and bun (#1715), by @​fengmk2
• vp: prompt to reinstall when up-to-date global packages were built against a different Node.js than the active one (defaults to no); adds --reinstall-node-mismatch and --ignore-node-mismatch, and skips the prompt in CI (#1666), by @​liangmiQwQ
• vp format: add format as a visible alias of vp fmt, so the common slip vp format resolves correctly and vp format --init / --migrate apply the same vite.config.ts wiring as vp fmt (#1727), by @​semimikoh

Fixes & Enhancements

• vp install / Node runtime download: HTTP retries now wrap the whole body stream, hash verification, and archive extraction (not just the request headers), so truncated or corrupt downloads of package managers and Node are re-fetched instead of failing on the first attempt (#1719), by @​fengmk2
• vp upgrade --force on Windows: install into a fresh directory before repointing current, so the forced reinstall no longer fails trying to overwrite the running vp.exe (#1714), by @​fengmk2
• vp install -g: install global packages directly into their final prefix instead of a temp dir that gets moved, so packages whose postinstall scripts bake in absolute or relative temp paths still resolve their bins; a failed package in a multi-package install no longer removes the shims of the ones that already succeeded (#1698), by @​liangmiQwQ
• vp why: remove the -g / --global flag, which delegated to the package manager's global mode and ignored Vite+-managed global packages; vp why stays project-scoped while vp outdated -g keeps using the managed global flow (#1720), by @​liangmiQwQ
• Windows installer: remove the existing current link via PowerShell (detecting junctions, symlinks, and stale directories) instead of cmd /c rmdir, which could fail with "The directory is not empty" (#1726), by @​TheAlexLichter
• vp create: skip editor-config detection and package-local editor settings by default when creating a project inside an existing monorepo; --editor <name> stays an explicit opt-in and --no-editor an opt-out (#1729), by @​jong-kyung
• vp create vite:monorepo (pnpm): keep the aliased vite/vitest in the website app's package.json so the workspace overrides.vite: catalog: has a direct consumer and vp why vite resolves to @voidzero-dev/vite-plus-core; npm/yarn/bun still drop the dead-weight keys (#1728), by @​fengmk2
• vp pack: rewrite direct createRequire(...)("picomatch") calls in bundled tsdown output to the local bundled CJS entry, so packing no longer depends on an undeclared runtime picomatch under pnpm hoist: false (#1732), by @​fengmk2
• vp migrate: resolve a catalog: husky pin from the workspace catalog (pnpm-workspace.yaml, .yarnrc.yml, or package.json catalogs) during the git-hooks preflight, so a compatible catalog-pinned husky no longer triggers a false "could not determine husky version" warning and skips hook setup (#1710), by @​fengmk2

Docs

• Add a Copy Prompt button to the docs site that copies an AI-friendly getting-started prompt (intro, llms-full.txt pointer, install commands, and core vp commands) for handing straight to a coding agent (#1706), by @​fengmk2
• Update troubleshooting.md: vite.config.ts related issues are resolved by updating oxlint and oxfmt (#1708), by @​leaysgur
• Clarify the product and repository documentation locations and the new Run guide/config paths in AGENTS.md (#1707), by @​leaysgur

Chore

• vp install: reduce retained vp versions from 5 to 3 across the installer, vp upgrade, and the shell/PowerShell bootstrap scripts (active and previous versions stay protected for rollback); document the 3-version retention and vp upgrade --rollback (#1716), by @​fengmk2
• Exclude the snap-tests directory from Vitest config discovery so the VS Code Vitest extension stops generating a stray .vitest-plugin-loaded file (#1723), by @​liangmiQwQ
• Refresh trusted stack stats on the docs homepage (#1734), by @​voidzero-guard[bot]
• Update @​wan9chi's GitHub handle (formerly branchseer) (#1705), by @​wan9chi
• Update GitHub Actions (#1724, #1730), by @​renovate[bot]
• Upgrade upstream dependencies: vite 8.0.14 → 8.0.16, vitest 4.1.7 → 4.1.8, tsdown 0.22.0 → 0.22.1, @vitejs/devtools 0.2.0 → 0.3.1 (#1713, #1735, #1737), by @​voidzero-guard[bot]

Bundled Versions

Tool	Version	Source
vite	8.0.16	f94df87
rolldown	1.0.3	a287faa
tsdown	0.22.1	npm
vitest	4.1.8	npm
oxlint	1.67.0	npm
oxlint-tsgolint	0.23.0	npm
oxfmt	0.52.0	npm

New Contributors

... (truncated)

Commits

• a1a2bbd release: v0.1.24 (#1738)
• 2af030a feat(deps): upgrade upstream dependencies (#1735)
• 183f8e7 fix(migrate): resolve husky version from catalog during hooks check (#1710)
• 7ec9124 feat(pm): add vp pm stage command (#1715)
• ce4509e fix(pack): bundle direct tsdown picomatch require (#1732)
• adf79db fix(create): keep aliased vite in pnpm monorepo website so override stays eff...
• ca2e417 feat(cli): add format alias for vp fmt (#1727)
• 6a5246a chore(install): reduce retained vp versions from 5 to 3 (#1716)
• 7501b30 fix(create): skip monorepo editor configs by default (#1729)
• e3315d0 fix(cli): remove windows current link without rmdir (#1726)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[cloudflare-workers-and-pages]

Deploying with    Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status	Name	Latest Commit	Preview URL	Updated (UTC)
✅ Deployment successful! View logs	fireargs	e6e8070	Commit Preview URL Branch Preview URL	Jun 15 2026, 05:59 PM

[claude]

Claude finished @dependabot[bot]'s task in 1m 12s —— View job

---

PR Review: vite-plus 0.1.19 → 0.1.24

• Gather context
• Review package.json changes
• Review pnpm-lock.yaml changes
• Security analysis (OWASP Top 10)
• Post findings

---

Summary

This is a straightforward dev-only dependency bump. vite-plus is not shipped in the published package ("files": ["build"] in package.json), so consumers of fireargs are not affected.

Changed packages (transitive)

Package	From	To
vite-plus / @voidzero-dev/vite-plus-*	0.1.19	0.1.24
@oxlint/binding-*	1.60.0	1.67.0
@oxlint-tsgolint/*	0.21.1	0.23.0
@oxfmt/binding-*	0.45.0	0.52.0
@oxc-project/runtime	0.126.0	0.133.0
@oxc-project/types	0.126.0	0.133.0
@oxlint/plugins	(new)	1.61.0

All updates are platform-specific native bindings for the bundled oxlint/oxfmt toolchain inside vite-plus, plus the vite-plus core and test packages.

Code Quality

NONE — Changes are limited to package.json (version bump) and pnpm-lock.yaml (hash updates). No application code is modified. The lockfile uses pnpm's integrity hash model, so each changed entry has a new sha512 hash tied to the published tarball.

One new package enters the lockfile: @oxlint/plugins@1.61.0. This is pulled in by the updated oxlint bundled inside vite-plus and has no runtime impact on this project.

Breaking changes risk

From the release notes, vp why --global was removed in 0.1.24. The project's package.json scripts use vp fmt, vp lint, and vp test — none are affected.

OWASP / Security

Severity: NONE

• All changed packages are dev-only tools (linter, formatter, test runner) — not included in the published artifact.
• No runtime code paths, user input handling, or network behavior is changed.
• No hardcoded secrets, credentials, or sensitive data in the lockfile changes.
• Dependency compatibility score badge from Dependabot indicates no regressions.

Verdict

Safe to merge.