
chore(deps): update dependency @vitejs/plugin-react to v6 #870

Open
renovate[bot] wants to merge 1 commit into main from renovate/vitejs-plugin-react-6.x


@renovate renovate Bot commented Mar 12, 2026

This PR contains the following updates:

Package | Change | Age | Confidence
@vitejs/plugin-react (source) | ^5.0.1 → ^6.0.0 | age | confidence

Release Notes

vitejs/vite-plugin-react (@vitejs/plugin-react)

v6.0.2

Compare Source

Allow all options in reactCompilerPreset (#1189)

This is a type only change. Only compilationMode and target options were available for reactCompilerPreset.

v6.0.1

Compare Source

Expand @rolldown/plugin-babel peer dep range (#1146)

Expanded @rolldown/plugin-babel peer dep range to include ^0.2.0.

v6.0.0

Compare Source


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.


cloudflare-workers-and-pages Bot commented Mar 12, 2026

Deploying control-layer with Cloudflare Pages

Latest commit: 6fc43ae
Status: 🚫 Build failed.

View logs

@renovate renovate Bot force-pushed the renovate/vitejs-plugin-react-6.x branch from 23c760c to c3a55e2 Compare March 13, 2026 10:47
@renovate renovate Bot force-pushed the renovate/vitejs-plugin-react-6.x branch 12 times, most recently from 3ecae12 to f9afee2 Compare April 2, 2026 10:24
@renovate renovate Bot force-pushed the renovate/vitejs-plugin-react-6.x branch 16 times, most recently from f32aec6 to 2e26c58 Compare April 10, 2026 10:58

@doubleword-code doubleword-code Bot left a comment

Summary

This PR updates @vitejs/plugin-react from ^5.0.1 to ^6.0.0. However, this is a breaking change that introduces a version incompatibility: @vitejs/plugin-react v6.0.0 explicitly drops support for Vite 7 and below and requires Vite 8+, while this project currently uses Vite ^7.3.2.

Verdict: Blocked - This PR cannot be merged as-is because it creates an incompatible dependency chain.

Research Notes

From the official v6.0.0 release notes:

Drop Vite 7 and below support (#1124)

Vite 7 and below are no longer supported. If you are using Vite 7, please upgrade to Vite 8.

The peer dependencies for @vitejs/plugin-react@6.0.2 (latest v6) now require:

  • vite: ^8.0.0 (previously ^4.2.0 || ^5.0.0 || ^6.0.0 || ^7.0.0 || ^8.0.0 in v5)

Additionally, v6 removes Babel-related features since Vite 8+ handles React Refresh Transform via Oxc natively. Users who need Babel must now install @rolldown/plugin-babel as a separate dependency.

Suggested Next Steps

  1. Option A (Recommended): Update both Vite and the plugin together in a single PR:

    • Upgrade vite from ^7.3.2 to ^8.0.0 (check Vite 8 migration guide for breaking changes)
    • Then upgrade @vitejs/plugin-react to ^6.0.0
    • Test thoroughly since Vite major versions may have breaking changes
  2. Option B: Keep @vitejs/plugin-react at v5.x if Vite 7 must be maintained

General Findings

pnpm Overrides Removed

The diff shows that the following pnpm overrides were removed from package.json:

"overrides": {
  "rollup": "npm:@rollup/wasm-node",
  "lodash": "^4.18.0",
  "mdast-util-to-hast": "^13.2.1"
}

These overrides appear in the old lockfile but not in the updated one. If these overrides were added intentionally to address security vulnerabilities or compatibility issues, they should be preserved. Please verify:

  • Was the rollup WASM override needed for a specific platform compatibility?
  • Was the lodash override for security patching?
  • Was the mdast-util-to-hast override for markdown processing compatibility?

If any of these are still needed, they should be re-added to the pnpm config section.

@doubleword-code doubleword-code Bot left a comment

Summary

This PR updates @vitejs/plugin-react from v5 to v6, which is a major version upgrade with breaking changes. However, this upgrade introduces a critical peer dependency mismatch that will prevent the project from building successfully.

Verdict: Blocked - Requires Vite 8 upgrade before this dependency update can be applied.

Research notes

I fetched the official CHANGELOG for @vitejs/plugin-react and found:

  1. v6.0.0 breaking change: "Drop Vite 7 and below support" - Vite 8+ is now required
  2. Peer dependencies changed: v6 requires vite: ^8.0.0, but this project uses vite: ^7.3.2
  3. Babel removed: v6 removes Babel-related features; projects using custom Babel plugins must now use @rolldown/plugin-babel alongside this plugin

The current project configuration:

  • vite: ^7.3.2 (in package.json line 91)
  • @vitejs/plugin-react: ^6.0.0 (after this PR)

This creates an unsatisfiable peer dependency situation.

Suggested next steps

  1. First, upgrade Vite from v7 to v8 (update package.json to "vite": "^8.0.0" or later)
  2. Then, re-run pnpm install to regenerate the lockfile with compatible versions
  3. Verify the build works after the Vite upgrade before merging this PR
  4. Check if any custom Babel plugins are in use (they would need @rolldown/plugin-babel added)

General findings

pnpm overrides discrepancy: The pnpm-lock.yaml shows the overrides section was removed (previously had rollup, lodash, mdast-util-to-hast overrides), but these overrides still exist in package.json. This suggests the lockfile may not have been properly regenerated with pnpm install after the dependency change. The overrides should either be consistently present in both files or intentionally removed with explanation.

Comment thread dashboard/package.json
"@types/react": "^19.2.2",
"@types/react-dom": "^19.1.7",
"@vitejs/plugin-react": "^5.0.1",
"@vitejs/plugin-react": "^6.0.0",
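
Review bot: A major-version bump on the "@vitejs/plugin-react" line lands alone in this hunk, with no matching change to the packages it peers with. The v6.0.0 release notes quoted on this page drop Vite 7 and below, so either move the "vite" range to ^8.0.0 in the same commit or hold this line at ^5.x. Consider enabling pnpm's strict-peer-dependencies setting so an unmet peer fails the install instead of surfacing later as a broken build.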

Blocking: This major version upgrade introduces a peer dependency conflict.

Why it matters: @vitejs/plugin-react@6.x requires vite: ^8.0.0 as a peer dependency, but this project currently has vite: ^7.3.2 (line 91). According to the official CHANGELOG, v6.0.0 explicitly dropped support for Vite 7 and below:

"Vite 7 and below are no longer supported. If you are using Vite 7, please upgrade to Vite 8."

Attempting to build with this configuration will result in peer dependency warnings/errors and potential runtime failures.

Suggested fix: Either:

  1. Upgrade Vite to v8 first: change line 91 to "vite": "^8.0.0" (or latest v8.x), then run pnpm install to regenerate the lockfile
  2. Or pin this dependency to v5.x if Vite 8 upgrade is not yet feasible: "@vitejs/plugin-react": "^5.0.1"

Comment thread dashboard/pnpm-lock.yaml
autoInstallPeers: true
excludeLinksFromLockfile: false

overrides:
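
Review bot: Removing the overrides: key that follows excludeLinksFromLockfile drops pinned resolutions from the lockfile, and the PR description gives no reason for it. Confirm whether package.json still declares pnpm.overrides; if it does, regenerate the lockfile with pnpm install and check that the block is back before merging.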

Non-blocking: The pnpm overrides section was removed from the lockfile but still exists in package.json.

Why it matters: The original lockfile had these overrides:

overrides:
  rollup: npm:@rollup/wasm-node
  lodash: ^4.18.0
  mdast-util-to-hast: ^13.2.1

These same overrides are still present in package.json (lines 103-107). The removal from the lockfile suggests pnpm install may not have been run after the dependency update, or there's a version resolution issue.

Suggested fix: After resolving the Vite version mismatch, run pnpm install to regenerate pnpm-lock.yaml with consistent overrides. Verify the overrides section appears correctly in the regenerated lockfile.

@doubleword-code doubleword-code Bot left a comment

Summary

This PR updates @vitejs/plugin-react from v5.0.1 to v6.0.0 in the dashboard. While this appears to be a routine dependency update, there are critical compatibility issues that must be addressed before this can be merged:

  1. Peer dependency mismatch: @vitejs/plugin-react@6.x requires vite:^8.0.0, but the project currently uses vite:^7.3.2
  2. Removed pnpm overrides: The update removes three important pnpm overrides that were added for security and platform compatibility reasons

Verdict: Blocked until these issues are resolved.

Research notes

  • @vitejs/plugin-react v6.0.0 changelog: Version 6.0.0 explicitly dropped support for Vite 7 and below ("Vite 7 and below are no longer supported. If you are using Vite 7, please upgrade to Vite 8.")
  • Peer dependencies for @vitejs/plugin-react@6.0.2: vite: ^8.0.0, with optional @rolldown/plugin-babel: ^0.1.7 || ^0.2.0 and babel-plugin-react-compiler: ^1.0.0
  • The removed pnpm overrides were introduced in commit fa79316 to address Dependabot vulnerabilities (#1045)

Suggested next steps

  1. Upgrade Vite to v8 if you want to use @vitejs/plugin-react@6.x, OR downgrade to @vitejs/plugin-react@5.x to maintain compatibility with Vite 7
  2. Evaluate the removed pnpm overrides:
    • rollup: npm:@rollup/wasm-node - May have been added for cross-platform compatibility; verify native rollup works on all target platforms
    • lodash: ^4.18.0 - Security override; check if the vulnerability was fixed upstream
    • mdast-util-to-hast: ^13.2.1 - Likely a security or compatibility fix; verify if still needed
  3. Run full test suite (just test ts) after making the above changes

General findings

Breaking changes in @vitejs/plugin-react v6

The v6 release includes significant architectural changes:

  1. Babel removed as direct dependency: Vite 8+ handles React Refresh Transform via Oxc, so Babel is no longer bundled. If custom Babel plugins are needed in the future, they must use @rolldown/plugin-babel separately.
  2. Node.js version requirement: Requires Node ^20.19.0 || >=22.12.0 - verify this matches your deployment targets.
  3. React Compiler setup changed: If you plan to use React Compiler in the future, the setup now requires @rolldown/plugin-babel with reactCompilerPreset instead of inline Babel configuration.

The current vite.config.ts uses react() without custom options, so these breaking changes don't immediately impact the existing setup once the Vite version is aligned.

@doubleword-code doubleword-code Bot left a comment

Summary

This PR updates @vitejs/plugin-react from v5 to v6, which is a major version upgrade that removes Babel-related features and drops support for Vite 7 and below. However, the PR has critical compatibility issues that need to be addressed before it can be merged.

Verdict: Blocked - Requires Vite 8 upgrade and fix for missing pnpm overrides.

Research notes

I consulted the official CHANGELOG for @vitejs/plugin-react:

  • v6.0.0 breaking changes: "Drop Vite 7 and below support" - Vite 7 and below are no longer supported. If using Vite 7, must upgrade to Vite 8.
  • v6.0.0 peer dependencies changed: Now requires vite: ^8.0.0 (previously supported ^4.2.0 || ^5.0.0 || ^6.0.0 || ^7.0.0 || ^8.0.0)
  • Babel removed: v6 removes Babel as a dependency. If custom Babel plugins are needed, must use @rolldown/plugin-babel alongside this plugin.

The current project uses vite@^7.3.2 (from dashboard/package.json line 91), which is incompatible with @vitejs/plugin-react@6.x.

Suggested next steps

  1. Blocking: Upgrade vite to ^8.0.0 in dashboard/package.json to satisfy the peer dependency requirement of @vitejs/plugin-react@6.x
  2. Blocking: Ensure pnpm overrides (rollup, lodash, mdast-util-to-hast) from package.json are properly reflected in pnpm-lock.yaml - regenerate lockfile with pnpm install
  3. Non-blocking: Address the @ungap/structured-clone@1.3.0 deprecation warning (CWE-502 vulnerability) by updating to 1.3.1+

General findings

Missing pnpm overrides in lockfile

The original pnpm-lock.yaml had an overrides section at the top:

overrides:
  rollup: npm:@rollup/wasm-node
  lodash: ^4.18.0
  mdast-util-to-hast: ^13.2.1

These overrides are still present in package.json (lines 103-107) under the pnpm.overrides key, but they're missing from the updated lockfile. This means:

  • The security override for lodash (likely addressing a prototype pollution CVE) may not be enforced
  • The mdast-util-to-hast compatibility fix may not apply
  • The WASM-based Rollup override is lost

Regenerate the lockfile with pnpm install to ensure overrides are properly applied.

Deprecated dependency warning

The new lockfile includes @ungap/structured-clone@1.3.0 with a deprecation notice: "Potential CWE-502 - Update to 1.3.1 or higher". CWE-502 refers to deserialization of untrusted data vulnerabilities. This should be investigated and updated if possible.

Comment thread dashboard/package.json
"@types/react": "^19.2.2",
"@types/react-dom": "^19.1.7",
"@vitejs/plugin-react": "^5.0.1",
"@vitejs/plugin-react": "^6.0.0",

Blocking: Peer dependency incompatibility with Vite version.

Why it matters: According to the official CHANGELOG, @vitejs/plugin-react@6.0.0 dropped support for Vite 7 and below: "Vite 7 and below are no longer supported. If you are using Vite 7, please upgrade to Vite 8." The peer dependency changed from vite: ^4.2.0 || ^5.0.0 || ^6.0.0 || ^7.0.0 || ^8.0.0 (v5.x) to vite: ^8.0.0 (v6.x). This project currently uses vite@^7.3.2 (line 91), which violates the peer dependency and will cause build/runtime failures.

Suggested fix: Upgrade Vite to v8: change line 91 from "vite": "^7.3.2" to "vite": "^8.0.0", then run pnpm install to regenerate the lockfile with compatible versions.

Comment thread dashboard/pnpm-lock.yaml
autoInstallPeers: true
excludeLinksFromLockfile: false

overrides:

Blocking: Missing pnpm overrides section in regenerated lockfile.

Why it matters: The original lockfile had an overrides section that enforced:

  • rollup: npm:@rollup/wasm-node (WASM-based Rollup)
  • lodash: ^4.18.0 (security override, likely for CVE-2021-23337 prototype pollution)
  • mdast-util-to-hast: ^13.2.1 (compatibility fix)

These overrides are still defined in package.json (lines 103-107) under pnpm.overrides, but they're missing from the updated lockfile. This means the lockfile doesn't reflect the intended security constraints, potentially reintroducing vulnerabilities.

Suggested fix: Run pnpm install in the dashboard/ directory to regenerate pnpm-lock.yaml with the overrides properly included. Verify the overrides: section appears at the top of the regenerated lockfile.

@doubleword-code doubleword-code Bot left a comment

Summary

This PR updates @vitejs/plugin-react from ^5.0.1 to ^6.0.0 (specifically v6.0.2 per the lockfile). However, this upgrade introduces a breaking compatibility issue: @vitejs/plugin-react v6.0.0 explicitly drops support for Vite 7 and below, requiring Vite 8+, while this project is still using Vite ^7.3.2.

Verdict: Blocked — This PR cannot be merged as-is because it creates an incompatible peer dependency situation. Either Vite must also be upgraded to v8+, or the plugin version specifier should remain at v5.x.

Research notes

I fetched the official changelog and release notes for @vitejs/plugin-react:

  • v6.0.0 Release Notes (March 12, 2026): The major change is "Remove Babel Related Features" and "Drop Vite 7 and below support". The release explicitly states:

    Vite 7 and below are no longer supported. If you are using Vite 7, please upgrade to Vite 8.

  • CHANGELOG.md confirms:

    • v6.0.0 requires Vite 8+ (peerDependencies now specify vite: ^8.0.0)
    • Babel is no longer bundled; users needing Babel must install @rolldown/plugin-babel separately
    • The new peer dependencies include optional @rolldown/plugin-babel and babel-plugin-react-compiler
  • Current project state: dashboard/package.json shows "vite": "^7.3.2", which is incompatible with @vitejs/plugin-react v6.

Suggested next steps

  1. Blocking: Decide on one of two paths:

    • Option A (Recommended): Also upgrade Vite to v8+ in the same PR. This requires updating "vite": "^8.0.0" (or latest) in package.json and verifying that the rest of the build tooling (plugins, Vitest, etc.) is compatible with Vite 8.
    • Option B: Keep @vitejs/plugin-react at v5.x by changing the specifier back to "^5.0.1" if Vite 8 upgrade is not desired at this time.
  2. If upgrading to Vite 8: Test the full development and build pipeline (pnpm run dev, pnpm run build, pnpm test) to ensure no regressions from the Vite major version upgrade.

  3. If staying on Vite 7: Consider configuring Renovate to exclude this package from major version updates, or pin it to ~5.x to avoid accidental upgrades.

General findings

Important note on pnpm overrides: The current package.json includes pnpm overrides:

"pnpm": {
  "overrides": {
    "rollup": "npm:@rollup/wasm-node",
    "lodash": "^4.18.0",
    "mdast-util-to-hast": "^13.2.1"
  }
}

These overrides were present in the old lockfile but were removed from the top-level in the new lockfile. The overrides themselves remain in package.json, so functionality should be preserved, but this is worth verifying during testing.

The lockfile changes show significant restructuring due to the removal of Babel-related dependencies (@babel/core, @babel/parser, @babel/types, etc.) and the addition of platform-specific Rollup binaries. This is expected behavior for the v6 upgrade.

Comment thread dashboard/package.json
"@types/react": "^19.2.2",
"@types/react-dom": "^19.1.7",
"@vitejs/plugin-react": "^5.0.1",
"@vitejs/plugin-react": "^6.0.0",

Blocking: Incompatible peer dependency — @vitejs/plugin-react v6 requires Vite 8+, but project uses Vite ^7.3.2.

Why it matters: According to the official v6.0.0 release notes, this major version explicitly "Drop[s] Vite 7 and below support". The peerDependencies now specify vite: ^8.0.0. Using this plugin version with Vite 7 will result in peer dependency warnings and potential runtime/build failures.

From the changelog:

Vite 7 and below are no longer supported. If you are using Vite 7, please upgrade to Vite 8.

Suggested fix: Either:

  1. Also upgrade Vite: Change line 91 to "vite": "^8.0.0" (or latest v8 version), then test thoroughly
  2. Or pin this plugin to v5.x: Change to "@vitejs/plugin-react": "^5.0.1" if Vite 8 upgrade is not intended

@doubleword-code doubleword-code Bot left a comment

Summary

This PR upgrades @vitejs/plugin-react from ^5.0.1 to ^6.0.0. However, this upgrade introduces a critical compatibility issue: @vitejs/plugin-react v6.0.0 explicitly dropped support for Vite 7 and below (requiring Vite 8+), but the project is still on Vite ^7.3.2. This will cause the build to fail or behave unexpectedly.

Additionally, the pnpm-lock.yaml changes show the overrides section was removed, and the rollup override (npm:@rollup/wasm-node) no longer appears to be applied - the lockfile now resolves to standard rollup@4.60.3 instead.

Verdict: Blocked - requires Vite 8 upgrade alongside this plugin update.

Research notes

  • @vitejs/plugin-react v6.0.0 changelog: States "Drop Vite 7 and below support (#1124)" and "Vite 7 and below are no longer supported. If you are using Vite 7, please upgrade to Vite 8."
  • v6.0.0 also removed Babel-related features - Babel is no longer a dependency of this plugin. Projects using custom Babel plugins need to use @rolldown/plugin-babel alongside this plugin.
  • The peerDependencies for v6.0.2 specify vite: ^8.0.0

Suggested next steps

  1. Blocking: Upgrade Vite from ^7.3.2 to ^8.0.0 (or later) alongside this plugin upgrade, or pin @vitejs/plugin-react to ^5.2.0 if Vite 7 must be retained.
  2. Investigation: Verify that pnpm overrides are being applied correctly. The lockfile no longer contains the overrides section, and rollup appears to be resolving to the standard package instead of @rollup/wasm-node. Run pnpm install to regenerate the lockfile with proper overrides.

General findings

  • The removal of the overrides section from pnpm-lock.yaml is concerning. While overrides in package.json should propagate to the lockfile, the diff shows rollup resolving to rollup@4.60.3 instead of @rollup/wasm-node@4.60.3. This could indicate the overrides weren't properly applied during lockfile generation.
  • If the project relies on the @rollup/wasm-node override for WASM-based Rollup functionality, this change could break builds on certain platforms.

Comment thread dashboard/package.json
"@types/react": "^19.2.2",
"@types/react-dom": "^19.1.7",
"@vitejs/plugin-react": "^5.0.1",
"@vitejs/plugin-react": "^6.0.0",

Blocking: This version requires Vite 8+, but the project uses Vite ^7.3.2.

Why it matters: According to the @vitejs/plugin-react v6.0.0 changelog, this version explicitly "Drop[s] Vite 7 and below support" and requires vite: ^8.0.0 as a peer dependency. Using this plugin version with Vite 7 will likely cause build failures or runtime errors.

Suggested fix: Either:

  1. Upgrade Vite to ^8.0.0 alongside this plugin upgrade, OR
  2. Pin this plugin to "^5.2.0" (the latest v5.x) if staying on Vite 7 is intentional

Comment thread dashboard/pnpm-lock.yaml
autoInstallPeers: true
excludeLinksFromLockfile: false

overrides:

Non-blocking: The pnpm overrides section was removed from the lockfile, but overrides are still defined in package.json.

Why it matters: The package.json specifies these overrides:

"pnpm": {
  "overrides": {
    "rollup": "npm:@rollup/wasm-node",
    "lodash": "^4.18.0",
    "mdast-util-to-hast": "^13.2.1"
  }
}

However, the lockfile no longer has an overrides section, and examining the resolved dependencies shows rollup@4.60.3 instead of @rollup/wasm-node@4.60.3. This suggests the overrides may not have been properly applied during lockfile generation.

Suggested fix: Run pnpm install in the dashboard directory to regenerate the lockfile with the correct overrides applied. Verify that @rollup/wasm-node is being used if that override is required for your build environment.

@doubleword-code doubleword-code Bot left a comment

Summary

This PR updates @vitejs/plugin-react from ^5.0.1 to ^6.0.0. However, this major version upgrade introduces breaking changes that make it incompatible with the current project configuration:

  1. Peer dependency mismatch: v6 requires vite ^8.0.0, but the project uses vite ^7.3.2
  2. Missing overrides in lockfile: The pnpm overrides (including rollup: npm:@rollup/wasm-node) were removed from the lockfile but are still present in package.json
  3. Architecture change: v6 switched from Babel-based transforms to Rolldown-specific APIs, marking Rollup as "incompatible"

Verdict: Blocked - This update cannot be applied without also upgrading Vite to v8 and potentially addressing the Rolldown migration.

Research notes

Fetched the official package.json for @vitejs/plugin-react@6.0.2 from the vite-plugin-react repository. Key findings:

  • Peer dependencies changed:

    • Old (v5): vite: ^4.2.0 || ^5.0.0 || ^6.0.0 || ^7.0.0 || ^8.0.0
    • New (v6): vite: ^8.0.0 only
    • New optional peers: @rolldown/plugin-babel, babel-plugin-react-compiler
  • Compatible packages section explicitly states:

    "compatiblePackages": {
      "rolldown": {"type": "compatible", ...},
      "rollup": {"type": "incompatible", "reason": "Uses Rolldown-specific APIs or Vite-specific APIs"}
    }

This confirms v6 is designed for the Rolldown-based Vite 8 ecosystem, not the current Rollup-based Vite 7 setup.

Suggested next steps

  1. Do not merge this PR as-is - it will break the build
  2. If upgrading to Vite 8 is desired, create a separate PR that:
    • Updates vite to ^8.0.0
    • Updates @vitejs/plugin-react to ^6.0.0
    • Tests the full build pipeline
    • Addresses any Rolldown compatibility issues
  3. Alternatively, constrain the Renovate config to only allow @vitejs/plugin-react updates within the v5.x range until Vite 8 migration is planned
  4. Investigate why the pnpm overrides were dropped from the lockfile - this should be preserved regardless of the plugin version

General findings

Lockfile inconsistency

The overrides section present in dashboard/package.json (lines 103-107):

"overrides": {
  "rollup": "npm:@rollup/wasm-node",
  "lodash": "^4.18.0",
  "mdast-util-to-hast": "^13.2.1"
}

Was removed from dashboard/pnpm-lock.yaml in this PR. This is likely an artifact of how pnpm regenerated the lockfile, but it means the WASM-based Rollup override is no longer being enforced. This should be investigated - running pnpm install should restore these overrides in the lockfile if they're properly configured.
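
An added example, not part of this PR thread or the project's code: the reviews above flag two symptoms, pnpm.overrides declared in package.json but absent from pnpm-lock.yaml, and rollup resolving under its own name instead of @rollup/wasm-node. The check below reports both. The package.json and lockfile texts are constructed samples whose layout is assumed from the snippets quoted on this page, and every function name is hypothetical.

```javascript
// Added example. Inputs are constructed samples modelled on the snippets
// quoted in this thread; function names are hypothetical.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  devDependencies: { "@vitejs/plugin-react": "^6.0.0", vite: "^7.3.2" },
  pnpm: {
    overrides: {
      rollup: "npm:@rollup/wasm-node",
      lodash: "^4.18.0",
      "mdast-util-to-hast": "^13.2.1",
    },
  },
});

const LOCK_HEADER = [
  "lockfileVersion: '9.0'", "",
  "settings:", "  autoInstallPeers: true", "  excludeLinksFromLockfile: false", "",
];
// Lockfile as it looked with the overrides block present (constructed).
const SAMPLE_LOCK_BEFORE = [...LOCK_HEADER,
  "overrides:", "  rollup: npm:@rollup/wasm-node", "  lodash: ^4.18.0",
  "  mdast-util-to-hast: ^13.2.1", "",
  "packages:", "", "  '@rollup/wasm-node@4.60.3':",
  "    resolution: {integrity: sha512-CONSTRUCTED}",
].join("\n");
// Lockfile after the update: no overrides block, plain rollup entry (constructed).
const SAMPLE_LOCK_AFTER = [...LOCK_HEADER,
  "packages:", "", "  rollup@4.60.3:",
  "    resolution: {integrity: sha512-CONSTRUCTED}",
].join("\n");

const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);
const unquote = (s) => s.trim().replace(/^(['"])(.*)\1$/, "$2");

// Return the indented lines that belong to one top-level YAML key.
function topLevelBlock(yamlText, key) {
  const lines = yamlText.split(/\r?\n/);
  const start = lines.findIndex((l) => l.trimEnd() === `${key}:`);
  if (start === -1) return [];
  const block = [];
  for (const line of lines.slice(start + 1)) {
    if (line.trim() === "") continue;
    if (!/^\s/.test(line)) break; // the next top-level key ends the block
    block.push(line);
  }
  return block;
}

// Parse the lockfile's top-level "overrides:" map of selector -> spec.
function lockfileOverrides(lockText) {
  const out = Object.create(null);
  for (const line of topLevelBlock(lockText, "overrides")) {
    // Split at the first ": " so "npm:@rollup/wasm-node" keeps its own colon.
    const m = /^ {2}(\S.*?): (.*)$/.exec(line);
    if (m) out[unquote(m[1])] = unquote(m[2]);
  }
  return out;
}

// Collect package names from the depth-1 keys under "packages:".
function lockedPackageNames(lockText) {
  const names = new Set();
  for (const line of topLevelBlock(lockText, "packages")) {
    const m = /^ {2}(\S.*):$/.exec(line);
    if (!m) continue;
    const key = unquote(m[1]).replace(/^\//, "");
    const at = key.indexOf("@", 1); // skip the "@" that starts a scope
    names.add(at === -1 ? key : key.slice(0, at));
  }
  return names;
}

// Compare declared overrides with what the lockfile actually records.
function overrideDrift(packageJsonText, lockText) {
  const declared = (JSON.parse(packageJsonText).pnpm || {}).overrides || {};
  const locked = lockfileOverrides(lockText);
  const names = lockedPackageNames(lockText);
  const findings = [];
  for (const [selector, spec] of Object.entries(declared)) {
    if (!has(locked, selector)) {
      findings.push({ selector, issue: "missing-from-lockfile", declared: spec });
    } else if (locked[selector] !== spec) {
      findings.push({ selector, issue: "value-mismatch", declared: spec, locked: locked[selector] });
    }
    // With an alias override in force, no entry should remain under the old name.
    if (String(spec).startsWith("npm:") && names.has(selector)) {
      findings.push({ selector, issue: "alias-not-applied", declared: spec });
    }
  }
  for (const selector of Object.keys(locked)) {
    if (!has(declared, selector)) {
      findings.push({ selector, issue: "only-in-lockfile", locked: locked[selector] });
    }
  }
  return findings;
}

console.log(overrideDrift(SAMPLE_PACKAGE_JSON, SAMPLE_LOCK_AFTER));
```

Run as a CI step against the real files, a non-empty result is a reason to fail the job before a dependency bot's lockfile change is merged.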

@doubleword-code doubleword-code Bot left a comment

Summary

This PR updates @vitejs/plugin-react from v5.0.1 to v6.0.0 (resolving to v6.0.2). However, this update introduces a blocking compatibility issue: @vitejs/plugin-react v6.x requires Vite 8.0.0+, but this project is currently using Vite 7.3.2.

Verdict: Blocked - This PR cannot be merged as-is because it violates peer dependency requirements.

Research notes

  • Fetched the official CHANGELOG for @vitejs/plugin-react:

    • v6.0.0 (2026-03-12) explicitly dropped support for Vite 7 and below: "Vite 7 and below are no longer supported. If you are using Vite 7, please upgrade to Vite 8."
    • v6 also removed Babel-related features; users needing Babel must now install @rolldown/plugin-babel separately
  • Fetched npm registry metadata:

    • peerDependencies: { "vite": "^8.0.0" }
    • Current project uses "vite": "^7.3.2" in dashboard/package.json:91

Suggested next steps

  1. Option A (Recommended): Upgrade Vite to v8.x alongside this plugin update. This requires:

    • Updating "vite": "^8.0.0" (or latest v8) in package.json
    • Verifying no breaking changes affect the build/dev server configuration
    • Running full test suite to ensure compatibility
  2. Option B: Keep @vitejs/plugin-react at v5.x until the team is ready to upgrade Vite to v8

General findings

  • The pnpm overrides section was removed from pnpm-lock.yaml (rollup: npm:@rollup/wasm-node, lodash, mdast-util-to-hast). Verify these security/version overrides are no longer needed or if they should be preserved in package.json.

  • The project does not use any Babel configuration with the react plugin (both vite.config.ts and vitest.config.ts use react() with no options), so the removal of Babel features in v6 does not directly impact current usage.

  • Note that @ungap/structured-clone@1.3.0 in the lockfile has a deprecation warning: "Potential CWE-502 - Update to 1.3.1 or higher". This is unrelated to this PR but worth noting.

General findings (auto-demoted from inline due to pre-validation)

  • Non-blocking dashboard/package.json:103 — The pnpm overrides section was removed in this PR (previously contained rollup: npm:@rollup/wasm-node, lodash: ^4.18.0, mdast-util-to-hast: ^13.2.1).
    • (demoted: line 103 (side=LEFT) is not part of any diff hunk in dashboard/package.json)

Comment thread dashboard/package.json
"@types/react": "^19.2.2",
"@types/react-dom": "^19.1.7",
"@vitejs/plugin-react": "^5.0.1",
"@vitejs/plugin-react": "^6.0.0",

Blocking: This version requires Vite 8.0.0+ as a peer dependency, but the project uses Vite 7.3.2 (line 91).

Why it matters: According to the official CHANGELOG, v6.0.0 explicitly dropped support for Vite 7: "Vite 7 and below are no longer supported. If you are using Vite 7, please upgrade to Vite 8." The npm registry confirms peerDependencies: { "vite": "^8.0.0" }. Installing incompatible peer dependencies can cause runtime errors, build failures, or subtle bugs.

Suggested fix: Either:

  1. Upgrade Vite to v8.x: Change line 91 to "vite": "^8.0.0" (verify compatibility first)
  2. Or keep this plugin at v5.x: "@vitejs/plugin-react": "^5.0.1" until ready to upgrade Vite

@doubleword-code doubleword-code Bot left a comment

Summary

This PR updates @vitejs/plugin-react from v5.0.1 to v6.0.0. While this appears to be a routine dependency update, there are critical compatibility issues that block merging:

  1. Vite version mismatch: Plugin React v6 requires Vite 8+, but the project uses Vite 7.3.2
  2. Missing pnpm overrides: Security overrides defined in package.json are not reflected in the lockfile

Verdict: 🔴 Blocked - Requires Vite upgrade or pinning to plugin-react v5.x

Research notes

  • Fetched @vitejs/plugin-react CHANGELOG:

    • v6.0.0 (2026-03-12): "Drop Vite 7 and below support" - peer dependency now requires vite: ^8.0.0
    • v6.0.0: Removes Babel-related features entirely; plugin now uses Oxc for React refresh transform
    • Node.js requirement: ^20.19.0 || >=22.12.0 (matches current package.json)
  • The old lockfile had an overrides section at the root level that's now missing. This indicates pnpm did not properly process the overrides from package.json during install.

Suggested next steps

  1. Option A (Recommended): Upgrade Vite to v8+ alongside this plugin update. Test thoroughly as this is a major version bump.

  2. Option B: Pin @vitejs/plugin-react to ^5.2.0 if Vite 8 upgrade isn't ready.

  3. Critical: Regenerate pnpm-lock.yaml with proper override resolution. Run pnpm install to ensure the rollup, lodash, and mdast-util-to-hast overrides are correctly applied in the lockfile.

  4. Verify the build works after resolving the above issues.

General findings

Missing pnpm overrides in lockfile (Security concern)

The dashboard/package.json defines these overrides:

"pnpm": {
  "overrides": {
    "rollup": "npm:@rollup/wasm-node",
    "lodash": "^4.18.0",
    "mdast-util-to-hast": "^13.2.1"
  }
}

However, the updated pnpm-lock.yaml removed the overrides section entirely, and the lockfile now resolves to:

  • rollup@4.60.3 (native version) instead of npm:@rollup/wasm-node
  • No evidence of lodash/mdast-util-to-hast version constraints being enforced

This could expose the project to known vulnerabilities that the overrides were meant to patch. The lodash override specifically targets a security vulnerability (<4.18.0 has prototype pollution issues).

Action: Re-run pnpm install and verify the overrides appear in the lockfile before merging any dependency updates.

Deprecated dependencies noted in lockfile

  • recharts@2.15.4: Marked as deprecated - "1.x and 2.x branches are no longer active"
  • @ungap/structured-clone@1.3.0: Has deprecation warning about "Potential CWE-502" - should update to 1.3.1+

These are informational only and don't block this PR, but should be addressed in a follow-up dependency audit.

Comment thread dashboard/package.json
"@types/react": "^19.2.2",
"@types/react-dom": "^19.1.7",
"@vitejs/plugin-react": "^5.0.1",
"@vitejs/plugin-react": "^6.0.0",
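Review bot: the `@vitejs/plugin-react` specifier crosses a major version (`^5.0.1` to `^6.0.0`) and it is the only line that changes here, so any peer range the new major declares is left unmet by this diff. Check the plugin's `vite` peer range against the `vite` specifier in the same file, and either bump both in one change or keep the `^5` range.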

Blocking: Peer dependency mismatch with Vite.

Why it matters: According to the official @vitejs/plugin-react v6.0.0 release notes, this version drops support for Vite 7 and below. The peer dependency now requires vite: ^8.0.0. However, this project uses "vite": "^7.3.2" (line 91). This will cause runtime errors or unexpected behavior since the plugin expects Vite 8 APIs.

Suggested fix: Either:

  1. Upgrade Vite: Change line 91 to "vite": "^8.0.0" (or latest v8) and test thoroughly
  2. Or pin this plugin: Keep "@vitejs/plugin-react": "^5.2.0" until ready for Vite 8 migration

Comment thread dashboard/pnpm-lock.yaml
lodash: ^4.18.0
mdast-util-to-hast: ^13.2.1

importers:
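Review bot: the `lodash: ^4.18.0` and `mdast-util-to-hast: ^13.2.1` lines directly above `importers:` are pins in the lockfile header, and a plugin version bump has no reason to touch them. If these lines are on the removed side, confirm that `pnpm.overrides` in dashboard/package.json is unchanged, regenerate the lockfile so the block is written back, and compare the resolved lodash and mdast-util-to-hast versions against those ranges.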

Blocking: Missing overrides section in lockfile - security patches not applied.

Why it matters: The previous lockfile had an overrides section that enforced:

  • rollup: npm:@rollup/wasm-node (WASM version for cross-platform consistency)
  • lodash: ^4.18.0 (security patch for prototype pollution)
  • mdast-util-to-hast: ^13.2.1 (security/stability fix)

This section is now absent, meaning pnpm is not enforcing these overrides. The lockfile now resolves to rollup@4.60.3 (native) instead of the WASM version, and there's no guarantee the lodash/mdast-util-to-hast versions meet the security requirements.

Suggested fix: Re-run pnpm install in the dashboard/ directory to regenerate the lockfile with proper override resolution. Verify the overrides: section appears at the top of pnpm-lock.yaml before merging.
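The verification the reviews in this thread ask for (every `pnpm.overrides` entry present in `pnpm-lock.yaml`, and the rollup alias actually applied) can be scripted as a merge gate. This is an added example, not code from the PR or the project: the package.json and lockfile text are constructed from the snippets quoted in the thread, the function names are hypothetical, and the `snapshots:` layout is an assumption about lockfile v9.

```javascript
// Constructed sample package.json, using the overrides quoted in this thread.
const PACKAGE_JSON = JSON.stringify({
  devDependencies: { "@vitejs/plugin-react": "^6.0.0", vite: "^7.3.2" },
  pnpm: {
    overrides: {
      rollup: "npm:@rollup/wasm-node",
      lodash: "^4.18.0",
      "mdast-util-to-hast": "^13.2.1",
    },
  },
});

// Constructed lockfile text. honoursOverrides=false models the regenerated
// lockfile described above: no overrides block, native rollup resolved.
function sampleLock(honoursOverrides) {
  const overrides = [
    "overrides:",
    "  rollup: npm:@rollup/wasm-node",
    "  lodash: ^4.18.0",
    "  mdast-util-to-hast: ^13.2.1",
    "",
  ];
  return [
    "lockfileVersion: '9.0'",
    "",
    "settings:",
    "  autoInstallPeers: true",
    "  excludeLinksFromLockfile: false",
    "",
    ...(honoursOverrides ? overrides : []),
    "importers:",
    "",
    "snapshots:", // assumed lockfile v9 section holding resolved dependencies
    "",
    "  vite@7.3.2:",
    "    dependencies:",
    "      rollup: " + (honoursOverrides ? "'@rollup/wasm-node@4.60.3'" : "4.60.3"),
    "",
  ].join("\n");
}

const unquote = (s) => s.trim().replace(/^(['"])(.*)\1$/, "$2");

// Indented, non-blank lines that belong to one top-level YAML key.
function topLevelBlock(lockText, key) {
  const lines = [];
  let inside = false;
  for (const line of lockText.split(/\r?\n/)) {
    if (/^\S/.test(line)) inside = line.trimEnd() === key + ":";
    else if (inside && line.trim() !== "") lines.push(line);
  }
  return lines;
}

// "  name: value" -> [name, value]; lines without an inline value -> null.
function keyValue(line) {
  const m = line.match(/^\s+(.+?):\s+(\S.*)$/);
  return m ? [unquote(m[1]), unquote(m[2])] : null;
}

function wantedOverrides(packageJsonText) {
  const pkg = JSON.parse(packageJsonText);
  return (pkg.pnpm && pkg.pnpm.overrides) || {};
}

// Compare package.json pnpm.overrides with the lockfile's overrides block.
function overrideDrift(packageJsonText, lockText) {
  const wanted = wantedOverrides(packageJsonText);
  const locked = new Map(
    topLevelBlock(lockText, "overrides").map(keyValue).filter(Boolean)
  );
  const drift = [];
  for (const [name, spec] of Object.entries(wanted)) {
    if (!locked.has(name)) {
      drift.push({ name, problem: "missing-from-lockfile", wanted: spec });
    } else if (locked.get(name) !== spec) {
      drift.push({ name, problem: "differs", wanted: spec, locked: locked.get(name) });
    }
  }
  for (const [name, spec] of locked) {
    if (!Object.hasOwn(wanted, name)) {
      drift.push({ name, problem: "only-in-lockfile", locked: spec });
    }
  }
  return drift;
}

// For alias overrides ("npm:<target>"), report snapshot dependency lines where
// the original name still resolves to something other than <target>@<version>.
function unappliedAliases(packageJsonText, lockText) {
  const hits = [];
  const resolvedDeps = topLevelBlock(lockText, "snapshots").map(keyValue).filter(Boolean);
  for (const [name, spec] of Object.entries(wantedOverrides(packageJsonText))) {
    if (!spec.startsWith("npm:")) continue;
    const rest = spec.slice(4);
    const at = rest.lastIndexOf("@"); // index 0 is a scope marker, not a range
    const target = at > 0 ? rest.slice(0, at) : rest;
    for (const [dep, resolved] of resolvedDeps) {
      if (dep === name && !resolved.startsWith(target + "@")) {
        hits.push({ name, target, resolved });
      }
    }
  }
  return hits;
}
```

In CI, read the two real files with `fs.readFileSync` and fail the job when either function returns a non-empty array.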

@doubleword-code doubleword-code Bot left a comment

Summary

This PR upgrades @vitejs/plugin-react from v5.x to v6.x. While dependency upgrades are generally beneficial, this particular major version upgrade introduces breaking changes that are incompatible with the current project configuration.

Verdict: Blocked - This PR cannot be merged as-is due to Vite version incompatibility and missing security overrides.

Research Notes

I consulted the official @vitejs/plugin-react CHANGELOG which documents the following breaking changes in v6.0.0:

  1. Dropped Vite 7 support: "Vite 7 and below are no longer supported. If you are using Vite 7, please upgrade to Vite 8."
  2. Babel removal: Babel is no longer included as a dependency. The plugin now uses Oxc for React refresh transforms.
  3. New peer dependencies: Requires vite: ^8.0.0 (changed from supporting v4.x-v7.x)
  4. Node.js requirement: Requires Node 20.19+ or 22.12+ (this is satisfied by current engines field)

Critical Issues

1. Vite Version Incompatibility (Blocking)

The current dashboard/package.json specifies "vite": "^7.3.2" (line 91), but @vitejs/plugin-react@6.x explicitly requires Vite 8+. According to the changelog:

Drop Vite 7 and below support (#1124)

Vite 7 and below are no longer supported. If you are using Vite 7, please upgrade to Vite 8.

This mismatch will cause runtime errors or broken HMR functionality because the plugin relies on Vite 8's native Oxc-based JSX handling.

2. Missing Security Overrides (Blocking)

The pnpm-lock.yaml diff shows that the following security-critical overrides were removed:

overrides:
  rollup: npm:@rollup/wasm-node
  lodash: ^4.18.0        # REMOVED - Prototype pollution fix
  mdast-util-to-hast: ^13.2.1  # REMOVED - Security fix

These overrides exist in package.json under pnpm.overrides (lines 103-107) but are no longer reflected in the lockfile structure. The lodash override specifically addresses CVE-2021-23337 (prototype pollution), and removing it could reintroduce vulnerabilities.

3. Peer Dependency Warnings

The new plugin declares these peer dependencies:

  • vite: ^8.0.0 (current: ^7.3.2 ❌)
  • Optional: @rolldown/plugin-babel: ^0.1.7 || ^0.2.0 (if custom Babel transforms needed)
  • Optional: babel-plugin-react-compiler: ^1.0.0 (if React Compiler used)

Since the project uses react() without any custom Babel configuration in vite.config.ts, the optional peer deps are not required. However, the Vite version mismatch is a hard blocker.

Suggested Next Steps

  1. Upgrade Vite to v8.x first (or concurrently) to satisfy the peer dependency requirement
  2. Verify the security overrides are properly preserved in pnpm-lock.yaml - they should still be in package.json but may need explicit reinstallation
  3. Test thoroughly after upgrade:
    • HMR (Hot Module Replacement) functionality
    • Build output (pnpm run build)
    • Test suite (pnpm test)
  4. Consider upgrading both dependencies in a single PR or creating a follow-up PR immediately after merging this one

General Findings

  • The current project uses react() with default configuration in vite.config.ts, which means the Babel removal in v6 should not affect functionality once Vite 8 is upgraded
  • No custom .babelrc or babel.config.js files exist in the dashboard directory, confirming no custom Babel transforms are in use
  • The Node.js engine requirement (^20.19.0 || >=22.12.0) is correctly specified and compatible with v6

General findings (auto-demoted from inline due to pre-validation)

  • Blocking dashboard/pnpm-lock.yaml:4 — Security-critical pnpm overrides have been removed from the lockfile.
    • (demoted: code self-check failed at dashboard/pnpm-lock.yaml:4: diff has autoInstallPeers: true, model claimed overrides:)

Comment thread dashboard/package.json
"@types/react": "^19.2.2",
"@types/react-dom": "^19.1.7",
"@vitejs/plugin-react": "^5.0.1",
"@vitejs/plugin-react": "^6.0.0",

Blocking: This upgrade to @vitejs/plugin-react@6.x is incompatible with the current Vite version.

Why it matters: According to the official changelog, v6.0.0 dropped support for Vite 7 and below, requiring vite: ^8.0.0. The current project uses "vite": "^7.3.2" (line 91). The changelog explicitly states:

"Vite 7 and below are no longer supported. If you are using Vite 7, please upgrade to Vite 8."

This version mismatch will cause the plugin to fail because v6 relies on Vite 8's native Oxc-based JSX handling, which doesn't exist in Vite 7.

Suggested fix: Either:

  1. Upgrade vite to ^8.0.0 in the same PR (recommended)
  2. Keep @vitejs/plugin-react at ^5.0.1 until ready to upgrade Vite

If upgrading Vite, also check the Vite 8 migration guide for any breaking changes that might affect the build configuration.

@doubleword-code doubleword-code Bot left a comment

Summary

This PR updates @vitejs/plugin-react from ^5.0.1 to ^6.0.0 (resolves to 6.0.2). However, this upgrade introduces critical compatibility issues that will break the build:

  1. Vite version mismatch: @vitejs/plugin-react@6.x requires vite@^8.0.0, but the project uses vite@7.3.2
  2. Lost pnpm overrides: The lockfile no longer includes the overrides section that was in package.json, causing the rollup: npm:@rollup/wasm-node override to be lost

Verdict: This PR cannot be approved as-is. It requires either downgrading to @vitejs/plugin-react@5.x or upgrading Vite to v8 alongside this change.

Research notes

From the @vitejs/plugin-react CHANGELOG:

Drop Vite 7 and below support (#1124)

Vite 7 and below are no longer supported. If you are using Vite 7, please upgrade to Vite 8.

The peer dependencies in the lockfile confirm:

'@vitejs/plugin-react@6.0.2':
  peerDependencies:
    vite: ^8.0.0

Current project uses vite@7.3.2 per the lockfile.

Additionally, the original lockfile had:

overrides:
  rollup: npm:@rollup/wasm-node
  lodash: ^4.18.0
  mdast-util-to-hast: ^13.2.1

But the new lockfile has no overrides section, even though package.json still specifies them. This indicates the lockfile was regenerated without respecting the overrides configuration.

Suggested next steps

  1. Blocking: Either:

    • Option A: Upgrade Vite to ^8.0.0 alongside this plugin update (recommended if Vite 8 is stable for your use case)
    • Option B: Pin @vitejs/plugin-react to ^5.0.1 to maintain compatibility with Vite 7
  2. Blocking: Regenerate the lockfile with pnpm to ensure the overrides from package.json are properly reflected. The current lockfile is missing:

    • rollup: npm:@rollup/wasm-node
    • lodash: ^4.18.0
    • mdast-util-to-hast: ^13.2.1
  3. Run pnpm install in the dashboard/ directory to regenerate the lockfile correctly, then verify the overrides section appears in pnpm-lock.yaml.

General findings

  • The changelog shows v6 removed Babel as a dependency and now uses Oxc for React Refresh transform. This is a significant architectural change that may affect projects using custom Babel plugins.
  • There's a deprecation warning for @ungap/structured-clone@1.3.0 about "Potential CWE-502" suggesting an update to 1.3.1+ is needed.
  • Recharts has a deprecation notice recommending migration to v3.

@doubleword-code doubleword-code Bot left a comment

Summary

This PR updates @vitejs/plugin-react from v5.0.1 to v6.0.0 in the dashboard frontend. However, this upgrade introduces a breaking compatibility issue that will prevent the application from building or running correctly.

Verdict: Blocked - This PR cannot be merged as-is due to a peer dependency version mismatch.

Research notes

I fetched the official changelog for @vitejs/plugin-react. The key breaking changes in v6.0.0 are:

  1. Drop Vite 7 and below support (#1124): "Vite 7 and below are no longer supported. If you are using Vite 7, please upgrade to Vite 8."
  2. Remove Babel Related Features (#1123): Babel is no longer a dependency. Users who need custom Babel plugins must now install @rolldown/plugin-babel separately.
  3. New peer dependencies: The plugin now requires vite: ^8.0.0 (previously supported v4.2.0 through v7.x).

The current dashboard/package.json specifies:

  • "vite": "^7.3.2" (line 91)
  • "@vitejs/plugin-react": "^6.0.0" (line 78, after update)

Additionally, the pnpm-lock.yaml shows the overrides section was removed, which previously pinned security-sensitive packages (lodash, mdast-util-to-hast).

Suggested next steps

  1. Option A (Recommended): Upgrade Vite to v8.x alongside this change. This requires:

    • Update "vite": "^8.0.0" (or latest v8) in dashboard/package.json
    • Verify all Vite plugins are compatible with Vite 8
    • Test the build and dev server thoroughly
  2. Option B: Keep @vitejs/plugin-react at v5.x if Vite 8 upgrade is not desired yet. Change the specifier to "^5.2.0" instead.

  3. Restore pnpm overrides: The overrides section in dashboard/package.json should be preserved to maintain security patches for known vulnerabilities in lodash and mdast-util-to-hast.

General findings

Blocking Issues

1. Vite version incompatibility

The upgraded @vitejs/plugin-react@6.0.0 explicitly requires Vite 8+ as a peer dependency, but the project uses Vite 7.3.2. This will cause:

  • npm/pnpm peer dependency warnings or errors
  • Potential runtime failures since the plugin uses Vite 8-specific APIs
  • Build failures in CI/CD pipelines

Non-blocking Issues

2. Missing pnpm overrides in lockfile

The original dashboard/package.json has pnpm overrides for security reasons:

"pnpm": {
  "overrides": {
    "rollup": "npm:@rollup/wasm-node",
    "lodash": "^4.18.0",
    "mdast-util-to-hast": "^13.2.1"
  }
}

These overrides ensure:

  • lodash uses a patched version (CVE fixes)
  • mdast-util-to-hast uses a secure version
  • rollup uses the WASM variant

The lockfile diff shows these overrides were removed. While the package.json still contains them, the lockfile regeneration may have dropped them. This should be verified by re-running pnpm install to ensure the overrides are properly applied.

Positive observations

  • The project does not use any custom Babel configuration, so the removal of Babel features in v6 does not directly impact existing code
  • No React Compiler usage detected, so the new reactCompilerPreset export is not needed
  • The upgrade reduces bundle size by removing Babel dependencies (~40 package entries removed from lockfile)

General findings (auto-demoted from inline due to pre-validation)

  • Non-blocking dashboard/package.json:103 — Verify pnpm overrides are preserved.
    • (demoted: line 103 (side=RIGHT) is not part of any diff hunk in dashboard/package.json)

Comment thread dashboard/package.json
"@types/react": "^19.2.2",
"@types/react-dom": "^19.1.7",
"@vitejs/plugin-react": "^5.0.1",
"@vitejs/plugin-react": "^6.0.0",

Blocking: Peer dependency version mismatch.

Why it matters: @vitejs/plugin-react@6.0.0 requires Vite 8+ as a peer dependency (per official changelog), but this project uses Vite 7.3.2 (line 91). This will cause peer dependency warnings/errors and potential runtime failures.

Suggested fix: Either:

  1. Upgrade Vite: Change line 91 to "vite": "^8.0.0" (verify all plugins are compatible first)
  2. Or keep plugin-react at v5: Change this line to "@vitejs/plugin-react": "^5.2.0"

@doubleword-code doubleword-code Bot left a comment

Summary

This PR upgrades @vitejs/plugin-react from v5.0.1 to v6.0.0, which is a major version bump. According to the release notes, v6.0.0 removes Babel-related features and drops support for Vite 7 and below (requires Vite 8+). However, this project currently uses Vite 7.3.2, which creates a compatibility issue.

Verdict: Blocked - This PR requires changes before it can be merged due to:

  1. Vite version incompatibility (plugin-react v6 requires Vite 8+, but project uses Vite 7.3.2)
  2. pnpm overrides not being honored in the regenerated lockfile (@rollup/wasm-node → rollup)

Research Notes

  • @vitejs/plugin-react v6.0.0 release notes: "Drop Vite 7 and below support. Vite 7 and below are no longer supported. If you are using Vite 7, please upgrade to Vite 8."
  • @vitejs/plugin-react v6.0.0 peer dependencies: Now requires vite: ^8.0.0 (changed from ^4.2.0 || ^5.0.0 || ^6.0.0 || ^7.0.0 || ^8.0.0 in v5.x)
  • pnpm documentation: Since pnpm v11, settings in the pnpm field of package.json should be moved to pnpm-workspace.yaml, but this project uses lockfile v9.0 (pnpm v9.x) where package.json overrides should still work

Suggested Next Steps

  1. Upgrade Vite to v8 - Before merging this PR, Vite must be upgraded from v7.3.2 to v8.x to satisfy the new peer dependency requirements of @vitejs/plugin-react v6
  2. Fix pnpm overrides - The overrides section in the lockfile was removed during regeneration. Either:
    • Re-run pnpm install with the correct pnpm version to ensure overrides are respected
    • Or migrate the overrides to pnpm-workspace.yaml if upgrading to pnpm v11+
  3. Verify React Compiler setup - If the project plans to use React Compiler, note that v6 requires installing @rolldown/plugin-babel separately as a peer dependency

General Findings

Critical Issues

  1. Vite version incompatibility: The current vite.config.ts uses Vite 7.3.2, but @vitejs/plugin-react v6 explicitly dropped support for Vite 7. This will cause runtime errors or unexpected behavior.

  2. pnpm overrides broken: The package.json specifies "rollup": "npm:@rollup/wasm-node" in the pnpm overrides, but the regenerated lockfile now uses regular rollup@4.60.3 instead of @rollup/wasm-node@4.60.3. This breaks cross-platform consistency that the WASM build provides.

Non-blocking Observations

  1. Deprecated recharts warning: The lockfile shows a deprecation warning for recharts v2.15.4: "1.x and 2.x branches are no longer active. Bump to Recharts v3". This is pre-existing and not caused by this PR.

  2. Security advisory in lockfile: The @ungap/structured-clone@1.3.0 package has a deprecation notice: "Potential CWE-502 - Update to 1.3.1 or higher". This is also pre-existing.

Comment thread dashboard/package.json
"@types/react": "^19.2.2",
"@types/react-dom": "^19.1.7",
"@vitejs/plugin-react": "^5.0.1",
"@vitejs/plugin-react": "^6.0.0",

Blocking: This upgrade introduces a peer dependency incompatibility.

Why it matters: According to the v6.0.0 release notes, @vitejs/plugin-react v6 dropped support for Vite 7 and below, requiring Vite 8+. The current project uses Vite 7.3.2 (line 91 of this file), which is incompatible. The plugin's peerDependencies changed from vite: ^4.2.0 || ^5.0.0 || ^6.0.0 || ^7.0.0 || ^8.0.0 in v5.x to vite: ^8.0.0 in v6.x.

Suggested fix: Upgrade Vite to v8.x first ("vite": "^8.0.0"), then upgrade @vitejs/plugin-react. Alternatively, pin @vitejs/plugin-react to v5.x if Vite 7 must be retained.

Comment thread dashboard/pnpm-lock.yaml
lodash: ^4.18.0
mdast-util-to-hast: ^13.2.1

importers:

Blocking: The pnpm overrides section was removed from the lockfile, breaking the rollup override.

Why it matters: The base branch had an overrides section at the top of the lockfile that enforced "rollup": "npm:@rollup/wasm-node". This override ensured cross-platform consistency by using the WebAssembly build of Rollup instead of platform-specific native binaries. After regenerating the lockfile for this PR, the overrides section is gone, and vite now depends on regular rollup@4.60.3 instead of @rollup/wasm-node@4.60.3.

Evidence:

  • Base branch: rollup: '@rollup/wasm-node@4.60.3'
  • This PR: rollup: 4.60.3

The package.json still has the overrides in the pnpm field, but they're not being honored in the generated lockfile.

Suggested fix: Re-run pnpm install ensuring the pnpm version respects package.json overrides, or migrate the overrides to a pnpm-workspace.yaml file if using pnpm v11+.

@doubleword-code doubleword-code Bot left a comment

Summary

This PR updates @vitejs/plugin-react from v5.0.1 to v6.0.0 (resolving to v6.0.2). However, this update introduces a critical version incompatibility that will break the build.

Verdict: Blocked - This PR cannot be merged as-is due to peer dependency mismatch with Vite.

Research notes

I fetched the official CHANGELOG for @vitejs/plugin-react. Key findings:

v6.0.0 Breaking Changes (2026-03-12)

  1. Drop Vite 7 and below support: From the changelog:

    "Vite 7 and below are no longer supported. If you are using Vite 7, please upgrade to Vite 8."

    The peer dependency changed from vite: ^4.2.0 || ^5.0.0 || ^6.0.0 || ^7.0.0 || ^8.0.0 (v5) to vite: ^8.0.0 (v6).

  2. Babel removed: v6 removes all Babel-related features. Vite 8+ handles React Refresh Transform via Oxc instead. Projects using custom Babel plugins must now use @rolldown/plugin-babel alongside this plugin.

  3. New peer dependencies: The plugin now optionally accepts @rolldown/plugin-babel and babel-plugin-react-compiler as peer dependencies.

Current Project State

The project currently uses Vite 7.3.2 (dashboard/package.json line 91), which is incompatible with @vitejs/plugin-react v6.

Additional Issue: pnpm Overrides Removed

The pnpm-lock.yaml diff shows the removal of the overrides section at the root level:

overrides:
  rollup: npm:@rollup/wasm-node
  lodash: ^4.18.0
  mdast-util-to-hast: ^13.2.1

These overrides exist in dashboard/package.json (lines 103-107) but appear to be lost in the lockfile regeneration. The rollup: npm:@rollup/wasm-node override is particularly important as it forces the WASM build of Rollup.

Suggested next steps

  1. Option A (Recommended): Revert this update and keep @vitejs/plugin-react at v5.x until the project is ready to upgrade to Vite 8.

  2. Option B: If upgrading to Vite 8 is desired, create a separate PR that:

    • Updates Vite from ^7.3.2 to ^8.0.0 (or latest v8)
    • Updates @vitejs/plugin-react to v6.x
    • Reviews any breaking changes from Vite 7→8 migration
    • Tests thoroughly since this affects the entire build pipeline
  3. Verify pnpm overrides: Ensure the pnpm-lock.yaml properly reflects the overrides from package.json. Run pnpm install to regenerate the lockfile if needed.

General findings

No inline comments since the core issue is the version mismatch itself rather than specific lines. The change is straightforward (just a version bump), but the implications are significant.

Comment thread dashboard/package.json
"@types/react": "^19.2.2",
"@types/react-dom": "^19.1.7",
"@vitejs/plugin-react": "^5.0.1",
"@vitejs/plugin-react": "^6.0.0",

Blocking: Version incompatibility with Vite.

Why it matters: @vitejs/plugin-react v6 dropped support for Vite 7 and below, requiring vite: ^8.0.0 as a peer dependency. The project currently uses Vite 7.3.2 (line 91). According to the official changelog:

"Drop Vite 7 and below support. Vite 7 and below are no longer supported. If you are using Vite 7, please upgrade to Vite 8."

This will cause peer dependency warnings at best, and potential runtime/build failures at worst since v6 removed Babel-based transforms that v5 used, relying instead on Vite 8's native Oxc-based handling.

Suggested fix: Either:

  1. Keep @vitejs/plugin-react at ^5.0.1 until ready to upgrade Vite to v8, OR
  2. Update both Vite (^8.0.0) and this plugin together in a coordinated upgrade PR

@doubleword-code doubleword-code Bot left a comment

Summary

This PR is a Renovate-generated dependency update that upgrades @vitejs/plugin-react from v5.0.1 to v6.0.0. However, this upgrade introduces critical compatibility issues that block merging:

  1. Peer dependency violation: @vitejs/plugin-react@6.x explicitly requires Vite 8+, but this project uses Vite 7.3.2
  2. Removed pnpm overrides: The PR removes important security and compatibility overrides that were intentionally configured

Verdict: BLOCKED - This PR cannot be merged as-is. It requires either (a) also upgrading Vite to v8+, or (b) staying on @vitejs/plugin-react@5.x.

Research notes

  • @vitejs/plugin-react@6.0.0 release notes: Explicitly states "Drop Vite 7 and below support" and "Vite 7 and below are no longer supported. If you are using Vite 7, please upgrade to Vite 8."
  • CHANGELOG.md: Confirms v6 removed Babel-related features and now requires Vite 8+ for Oxc-based React refresh transform
  • The removed pnpm overrides included lodash: ^4.18.0 which addresses CVE-2021-23337 prototype pollution vulnerability

Suggested next steps

  1. Decide on upgrade path: Either:

    • Upgrade Vite to v8+ alongside this plugin (requires testing full compatibility)
    • Keep @vitejs/plugin-react at ^5.x until ready for Vite 8 migration
  2. Restore pnpm overrides: The overrides section in pnpm-lock.yaml should be preserved in package.json under pnpm.overrides to maintain:

    • rollup: npm:@rollup/wasm-node (compatibility override)
    • lodash: ^4.18.0 (security fix)
    • mdast-util-to-hast: ^13.2.1 (bug fix/compatibility)
  3. If proceeding with v6: Test thoroughly since v6 removes built-in Babel support - any custom Babel plugins would need to use @rolldown/plugin-babel separately

General findings

Missing peer dependency validation

The PR updates a major version without addressing peer dependency requirements. Package managers like pnpm will warn but still install incompatible versions, which can cause subtle runtime issues.

@doubleword-code doubleword-code Bot left a comment

Summary

This PR updates @vitejs/plugin-react from ^5.0.1 to ^6.0.0. However, this update introduces a critical peer dependency mismatch that will cause compatibility issues.

Verdict: Blocked - Requires Vite 8 upgrade or pinning to v5.x.

Research Notes

I fetched the official @vitejs/plugin-react v6.0.0 release notes, which clearly state:

Drop Vite 7 and below support - Vite 7 and below are no longer supported. If you are using Vite 7, please upgrade to Vite 8.

The current project uses vite@^7.3.2 (see dashboard/package.json:91), which is incompatible with @vitejs/plugin-react@6.x.

Additionally, the v6 release removes Babel as an internal dependency. Users needing Babel must now install @rolldown/plugin-babel separately.

Suggested Next Steps

  1. Option A (Recommended): Upgrade Vite to v8.x alongside this plugin update. This requires checking Vite 8 migration guides for breaking changes.

  2. Option B: Pin @vitejs/plugin-react to ^5.2.0 (the last v5 version) if Vite 8 upgrade is not ready.

  3. Restore pnpm overrides: The removed overrides (rollup, lodash, mdast-util-to-hast) should be preserved in package.json under pnpm.overrides to maintain security patches.

General Findings

Missing pnpm Overrides

The pnpm-lock.yaml previously contained these important overrides at the top level:

overrides:
  rollup: npm:@rollup/wasm-node
  lodash: ^4.18.0
  mdast-util-to-hast: ^13.2.1

These are now absent from the lockfile. The rollup override ensures the WASM build is used, while lodash and mdast-util-to-hast overrides address security vulnerabilities. These should be explicitly defined in dashboard/package.json under the pnpm.overrides key (which currently exists but has different content).

React Compiler Peer Dependencies

The new version lists optional peer dependencies for React Compiler support:

  • @rolldown/plugin-babel: ^0.1.7 || ^0.2.0
  • babel-plugin-react-compiler: ^1.0.0

If the project ever plans to use React Compiler, these would need to be installed. For standard usage without compiler optimizations, these remain optional.

Comment thread dashboard/package.json
"@types/react": "^19.2.2",
"@types/react-dom": "^19.1.7",
"@vitejs/plugin-react": "^5.0.1",
"@vitejs/plugin-react": "^6.0.0",

Blocking: This version requires Vite 8+ as a peer dependency, but the project uses vite@^7.3.2 (line 91).

Why it matters: According to the v6.0.0 release notes: "Vite 7 and below are no longer supported. If you are using Vite 7, please upgrade to Vite 8." The plugin's peerDependencies specify vite: ^8.0.0, which means this combination is unsupported and may cause runtime errors or missing functionality.

Suggested fix: Either:

  1. Upgrade Vite: Change line 91 to "vite": "^8.0.0" (check Vite 8 migration guide first)
  2. Or pin this plugin: Change to "@vitejs/plugin-react": "^5.2.0" (last v5 compatible version)

Comment thread dashboard/pnpm-lock.yaml
autoInstallPeers: true
excludeLinksFromLockfile: false

overrides:

Non-blocking: The overrides section was removed from the lockfile, but the corresponding overrides should be preserved.

Why it matters: The removed overrides served important purposes:

  • rollup: npm:@rollup/wasm-node - Ensures WASM-based Rollup for cross-platform consistency
  • lodash: ^4.18.0 - Security patch for prototype pollution vulnerability
  • mdast-util-to-hast: ^13.2.1 - Compatibility fix

These overrides have been moved/removed, potentially exposing the project to known vulnerabilities or platform-specific issues.

Suggested fix: Add these overrides explicitly to dashboard/package.json under the existing pnpm.overrides section:

"pnpm": {
  "overrides": {
    "rollup": "npm:@rollup/wasm-node",
    "lodash": "^4.18.0",
    "mdast-util-to-hast": "^13.2.1"
  }
}

@doubleword-code doubleword-code Bot left a comment

Summary

This PR upgrades @vitejs/plugin-react from v5.0.1 to v6.0.0. However, this upgrade introduces a critical peer dependency incompatibility: plugin-react v6.0.0 requires Vite 8+, but the project currently uses Vite 7.3.2.

Verdict: Blocked - This PR cannot be merged as-is. You must either:

  1. Upgrade Vite to v8+ alongside this change, OR
  2. Pin @vitejs/plugin-react to v5.x (e.g., ^5.0.1)

Research notes

Fetched the official changelog for @vitejs/plugin-react:

  • v6.0.0 breaking changes (CHANGELOG.md):

    • "Drop Vite 7 and below support (#1124)" - Vite 7 and below are no longer supported
    • "Remove Babel Related Features (#1123)" - Babel is no longer a dependency; JSX transforms now use Oxc
    • Peer dependencies changed to: vite: ^8.0.0 (was vite: ^4.2.0 || ^5.0.0 || ^6.0.0 || ^7.0.0)
    • New optional peer deps: @rolldown/plugin-babel, babel-plugin-react-compiler
  • Current project state:

    • dashboard/package.json:91: "vite": "^7.3.2"
    • dashboard/package.json:103-107: Has pnpm overrides for rollup: npm:@rollup/wasm-node which are removed in the updated lock file (see below)

Suggested next steps

  1. Blocking: Decide on Vite version strategy:

    • If staying on Vite 7: Change package.json specifier back to "@vitejs/plugin-react": "^5.0.1"
    • If upgrading to Vite 8: Update "vite": "^8.0.0" (and test thoroughly for breaking changes)
  2. Non-blocking: Review the removed pnpm overrides in pnpm-lock.yaml. The diff shows these overrides were removed:

    overrides:
      rollup: npm:@rollup/wasm-node
      lodash: ^4.18.0
      mdast-util-to-hast: ^13.2.1

    These same overrides still exist in package.json under pnpm.overrides, so this appears to be a lockfile normalization. Verify the build still works correctly without the overrides section at the root level of the lockfile.

  3. Test: Run pnpm run dev and pnpm run build to confirm the frontend works with the new plugin version (once Vite compatibility is resolved).

General findings

Lockfile structure change

The pnpm-lock.yaml shows the overrides section was removed from the top level (lines 7-12 in the old file). However, these overrides are still present in dashboard/package.json under the pnpm.overrides field (lines 103-107). This is expected behavior - pnpm stores overrides in the lockfile under importers when defined in package.json. Just verify the overrides are still being applied correctly by checking the resolved versions in the lockfile.

Comment thread dashboard/package.json
"@types/react": "^19.2.2",
"@types/react-dom": "^19.1.7",
"@vitejs/plugin-react": "^5.0.1",
"@vitejs/plugin-react": "^6.0.0",

Blocking: Peer dependency incompatibility - @vitejs/plugin-react@6.0.0 requires Vite 8+, but this project uses Vite 7.3.2.

Why it matters: According to the official changelog, v6.0.0 explicitly dropped support for Vite 7 and below: "Drop Vite 7 and below support (#1124)". The peerDependencies now specify vite: ^8.0.0. Using this plugin with Vite 7 will cause runtime errors or unexpected behavior since the plugin expects Vite 8 APIs.

Additionally, v6.0.0 removed Babel-related features and now uses Oxc for React refresh transforms. If your build relies on custom Babel plugins configured through this plugin, those configurations will stop working.

Suggested fix: Either:

  1. Upgrade Vite: Change line 91 to "vite": "^8.0.0" (test thoroughly for Vite 8 breaking changes)
  2. Stay on plugin-react v5: Keep "@vitejs/plugin-react": "^5.0.1"

Comment thread dashboard/pnpm-lock.yaml
autoInstallPeers: true
excludeLinksFromLockfile: false

overrides:
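
Review bot: `overrides:` at the end of this excerpt is resolution state, not formatting, because it records which overrides pnpm applied when it picked versions. Any change to that block in a PR whose stated purpose is a single dependency bump should be explained in the PR description, and the resolved versions of the overridden packages should be diffed against the base branch before merge.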

Non-blocking: The top-level overrides section was removed from the lockfile, but these overrides still exist in package.json under pnpm.overrides (lines 103-107).

Why it matters: This appears to be a lockfile format normalization where pnpm moved the overrides into the importers section rather than having a separate top-level overrides block. The overrides for rollup: npm:@rollup/wasm-node, lodash: ^4.18.0, and mdast-util-to-hast: ^13.2.1 should still be applied since they're defined in package.json.

Suggested fix: No action required if the overrides in package.json are sufficient. Just verify after merging that:

  1. pnpm install completes without warnings
  2. The rollup WASM node override is still active (check resolved rollup version in lockfile)
  3. Security overrides for lodash and mdast-util-to-hast are still applied
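
The two checks discussed in this review (installed Vite versus the plugin's peer range, and overrides declared in package.json versus those recorded in the lockfile), as an added example that is not part of the PR, the bot's comment, or pnpm. The function names are hypothetical, the lockfile text is constructed, and it assumes a lockfile that keeps overrides in a top-level `overrides:` block, as the removed lines quoted in the thread show; only `^x.y.z` ranges joined by `||` are understood.

```javascript
// Added example: not code from the PR, the bot, or pnpm. All sample data is constructed.
// Parses the indentation-based YAML subset of the pnpm-lock.yaml sections read
// here: nested "key: value" maps only, no lists or multi-line scalars.
function parseLockSubset(text) {
  const unquote = (s) => s.replace(/^['"]|['"]$/g, '');
  const root = {};
  const stack = [{ indent: -1, node: root }];
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (!line || line.startsWith('#')) continue;
    const indent = raw.length - raw.trimStart().length;
    const cut = line.indexOf(': ');
    const key = unquote(cut === -1 ? line.replace(/:$/, '') : line.slice(0, cut));
    while (stack[stack.length - 1].indent >= indent) stack.pop();
    const parent = stack[stack.length - 1].node;
    if (cut === -1) {
      parent[key] = {};
      stack.push({ indent, node: parent[key] });
    } else {
      parent[key] = unquote(line.slice(cut + 2));
    }
  }
  return root;
}

// Caret ranges joined by "||" only; prerelease tags are dropped, not ordered.
function satisfiesCaret(version, range) {
  const parse = (v) => v.split('-')[0].split('.').map(Number);
  const cmp = (a, b) => a[0] - b[0] || a[1] - b[1] || a[2] - b[2];
  const v = parse(version);
  return range.split('||').some((part) => {
    const r = part.trim();
    if (!r.startsWith('^')) return cmp(v, parse(r)) === 0;
    const lo = parse(r.slice(1));
    // A caret range stops before the next bump of its leftmost non-zero part.
    const i = lo.findIndex((n) => n !== 0);
    const pivot = i === -1 ? 2 : i;
    const hi = lo.map((n, k) => (k < pivot ? n : k === pivot ? n + 1 : 0));
    return cmp(v, lo) >= 0 && cmp(v, hi) < 0;
  });
}

// For every importer, compare each direct dependency's peer ranges with the
// version of that peer the same importer actually resolved.
function unmetPeers(lock) {
  const findings = [];
  for (const [importer, sections] of Object.entries(lock.importers ?? {})) {
    const deps = { ...sections.dependencies, ...sections.devDependencies };
    const installed = {};
    for (const [name, d] of Object.entries(deps)) installed[name] = d.version.split('(')[0];
    for (const [name, version] of Object.entries(installed)) {
      const peers = lock.packages?.[`${name}@${version}`]?.peerDependencies ?? {};
      for (const [peer, range] of Object.entries(peers)) {
        if (installed[peer] && !satisfiesCaret(installed[peer], range)) {
          findings.push(`${importer}: ${name}@${version} wants ${peer} ${range}, got ${installed[peer]}`);
        }
      }
    }
  }
  return findings;
}

// Overrides declared in package.json that the lockfile does not record verbatim.
function overrideDrift(pkg, lock) {
  const declared = pkg.pnpm?.overrides ?? {};
  const recorded = lock.overrides ?? {};
  return Object.keys(declared).filter((name) => recorded[name] !== declared[name]);
}

// Constructed package.json fragment using the override values quoted in the thread.
const PKG = {
  pnpm: { overrides: { rollup: 'npm:@rollup/wasm-node', lodash: '^4.18.0', 'mdast-util-to-hast': '^13.2.1' } },
};
const OVERRIDES_BLOCK =
  'overrides:\n  rollup: npm:@rollup/wasm-node\n  lodash: ^4.18.0\n  mdast-util-to-hast: ^13.2.1';

// Constructed lockfile text; the layout is an assumption modelled on lockfile v9.
function sampleLock(overridesBlock, pluginVersion, peerRange) {
  return `settings:
  autoInstallPeers: true
  excludeLinksFromLockfile: false
${overridesBlock}
importers:
  .:
    devDependencies:
      '@vitejs/plugin-react':
        version: ${pluginVersion}(vite@7.3.2)
      vite:
        version: 7.3.2
packages:
  '@vitejs/plugin-react@${pluginVersion}':
    peerDependencies:
      vite: ${peerRange}
`;
}

function review(pkg, lockText) {
  const lock = parseLockSubset(lockText);
  return { unmetPeers: unmetPeers(lock), overrideDrift: overrideDrift(pkg, lock) };
}

console.log(review(PKG, sampleLock('', '6.0.2', '^8.0.0')));
```

Run as a CI step, a non-empty result in either list is the signal to stop the merge and read the lockfile diff by hand.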

@doubleword-code doubleword-code Bot left a comment

Summary

This PR upgrades @vitejs/plugin-react from v5.x to v6.x. However, this upgrade is incompatible with the current Vite version and cannot be merged as-is.

Verdict: 🔴 Blocked - Requires Vite upgrade to v8+ before this can be safely merged.

Research notes

I consulted the official @vitejs/plugin-react CHANGELOG which documents the following breaking changes in v6.0.0:

  1. Babel-related features removed: "Vite 8+ can handle React Refresh Transform by Oxc and doesn't need Babel for it... babel is no longer a dependency of this plugin and the related features are removed."

  2. Dropped Vite 7 support: "Vite 7 and below are no longer supported. If you are using Vite 7, please upgrade to Vite 8."

  3. New peer dependencies: The plugin now requires vite: ^8.0.0 (previously supported v4-v7).

The current project configuration shows:

  • vite: ^7.3.2 (in dashboard/package.json line 91)
  • @vitejs/plugin-react: ^6.0.0 (after this PR)

This creates a peer dependency mismatch that will cause issues at runtime or during build.

Suggested next steps

  1. Option A (Recommended): Upgrade Vite to v8+ first, then merge this PR. This would involve:

    • Update vite in package.json to ^8.0.0 (or latest v8)
    • Run tests to ensure Vite 8 compatibility with the rest of the build pipeline
    • Then merge this plugin upgrade
  2. Option B: Downgrade this PR to use @vitejs/plugin-react@^5.1.0 instead, which is compatible with Vite 7.

  3. Verify overrides: The diff shows pnpm-lock.yaml no longer includes the overrides section that was present before (rollup: npm:@rollup/wasm-node, lodash: ^4.18.0, mdast-util-to-hast: ^13.2.1). These overrides still exist in package.json (lines 103-107), so this appears to be a lockfile formatting change rather than a functional issue. However, verify the overrides are still being applied correctly after running pnpm install.

General findings

Good news: The project does not use any custom Babel configuration (no .babelrc, babel.config.js, or babel plugins in vite config), so the removal of Babel-related features in v6 won't impact the existing setup. The simple react() plugin usage in vite.config.ts will continue to work once the Vite version is upgraded.

Note on recharts deprecation: The lockfile shows a deprecation warning for recharts@2.15.4: "1.x and 2.x branches are no longer active. Bump to Recharts v3 to receive latest features and bugfixes." This is unrelated to this PR but worth noting for future maintenance.

Comment thread dashboard/package.json
"@types/react": "^19.2.2",
"@types/react-dom": "^19.1.7",
"@vitejs/plugin-react": "^5.0.1",
"@vitejs/plugin-react": "^6.0.0",

Blocking: This version requires Vite ^8.0.0 as a peer dependency, but the project currently uses Vite ^7.3.2 (line 91).

Why it matters: According to the official CHANGELOG:

"Drop Vite 7 and below support (#1124)... Vite 7 and below are no longer supported. If you are using Vite 7, please upgrade to Vite 8."

Installing this version alongside Vite 7 will result in a peer dependency mismatch and potential runtime/build failures.

Suggested fix: Either:

  1. Upgrade Vite to ^8.0.0 (or latest) in the same PR, or
  2. Change this to "@vitejs/plugin-react": "^5.1.0" to maintain compatibility with Vite 7

@doubleword-code doubleword-code Bot left a comment

Summary

This PR upgrades @vitejs/plugin-react from v5.0.1 to v6.0.0 (resolving to v6.0.2). This is a major version upgrade that introduces breaking changes.

Verdict: BLOCKED - This upgrade cannot be applied as-is due to a critical version incompatibility.

Research Notes

I consulted the official @vitejs/plugin-react v6.0.0 release notes and CHANGELOG.md:

Key Breaking Changes in v6.0.0:

  1. Drop Vite 7 and below support (#1124): Vite 8+ is now required. If using Vite 7, you must upgrade to Vite 8 first.

  2. Remove Babel Related Features (#1123): Babel is no longer a dependency. Custom Babel plugins must now use @rolldown/plugin-babel as a separate plugin.

  3. Node.js version requirement: Node 20.19+ or 22.12+ required (this project's engines field already satisfies this).

Current Project State:

  • Vite version: ^7.3.2 (from dashboard/package.json line 91)
  • Plugin usage: react() with no custom Babel configuration (from vite.config.ts)

Suggested Next Steps

  1. BLOCKING: Upgrade Vite from v7.3.2 to v8.x before upgrading @vitejs/plugin-react to v6. Check the Vite 8 migration guide for breaking changes.

  2. Verify the build works after both upgrades, since removing Babel from the plugin could affect edge cases even if not explicitly configured.

  3. Consider pinning the exact version (6.0.2) instead of using a range (^6.0.0) for more predictable builds, especially for a library with active development.

General Findings

Overrides Section Discrepancy

The pnpm-lock.yaml diff shows the overrides section being removed from the lock file:

-overrides:
-  rollup: npm:@rollup/wasm-node
-  lodash: ^4.18.0
-  mdast-util-to-hast: ^13.2.1

However, these overrides are still present in package.json (lines 103-107). This appears to be a pnpm lockfile format change rather than an intentional removal. The overrides should still apply during installation, but verify that:

  • The rollup: npm:@rollup/wasm-node override is still respected (important for WASM-based Rollup)
  • Security overrides for lodash and mdast-util-to-hast remain effective

Rollup Package Changes

The lock file now includes explicit platform-specific Rollup packages (@rollup/rollup-linux-x64-gnu, etc.) instead of the WASM wrapper. This is likely because the override was dropped. This could cause issues on platforms without prebuilt binaries.

@doubleword-code doubleword-code Bot left a comment

Summary

This PR updates @vitejs/plugin-react from v5.0.1 to v6.0.0. However, this update introduces breaking compatibility issues that must be addressed before merging.

Verdict: ❌ Blocked - Requires fixing critical peer dependency incompatibility and investigating unintended lockfile changes.

Research notes

I consulted the official @vitejs/plugin-react CHANGELOG and release notes for v6.0.0:

Key breaking changes in v6.0.0 (2026-03-12):

  1. Drop Vite 7 and below support (#1124)

    "Vite 7 and below are no longer supported. If you are using Vite 7, please upgrade to Vite 8."

  2. Remove Babel Related Features (#1123)

    "Babel is no longer a dependency of this plugin and the related features are removed."

The current project uses Vite 7.3.2 (dashboard/package.json line 91), which is incompatible with @vitejs/plugin-react@6.x.

Suggested next steps

  1. Option A (Recommended): Pin @vitejs/plugin-react to ^5.2.0 (latest v5) to maintain compatibility with Vite 7
  2. Option B: Upgrade Vite to ^8.0.0 alongside this update (requires testing for Vite 8 breaking changes)
  3. Investigate why pnpm overrides were removed from the lockfile - this appears unintentional and may indicate a pnpm version issue or incorrect regeneration

General findings

pnpm overrides removed from lockfile

The overrides section present in the original pnpm-lock.yaml was removed:

overrides:
  rollup: npm:@rollup/wasm-node
  lodash: ^4.18.0
  mdast-util-to-hast: ^13.2.1

These overrides remain in package.json but were not reflected in the regenerated lockfile. This is concerning because:

  • The lodash override (^4.18.0) addresses a known security vulnerability
  • The rollup override switches to the WASM build for specific compatibility reasons

This suggests the lockfile may have been regenerated with a different pnpm version or the overrides are being ignored. Please verify pnpm install was run correctly and that overrides are being respected.


Note: The README documentation I fetched shows that v6 changes the peer dependencies to require vite: ^8.0.0, confirming the incompatibility.

Comment thread dashboard/package.json
"@types/react": "^19.2.2",
"@types/react-dom": "^19.1.7",
"@vitejs/plugin-react": "^5.0.1",
"@vitejs/plugin-react": "^6.0.0",

Blocking: This version requires Vite 8+, but the project uses Vite 7.3.2.

Why it matters: According to the @vitejs/plugin-react v6.0.0 release notes, this version drops support for Vite 7 and below: "Vite 7 and below are no longer supported. If you are using Vite 7, please upgrade to Vite 8." The peerDependencies in the npm package metadata also specify vite: ^8.0.0.

Using an incompatible version will result in peer dependency warnings and potential runtime failures since v6 removed Babel-related features that v5 used internally for React Fast Refresh with Vite 7.

Suggested fix: Either:

  1. Pin to "^5.2.0" to stay compatible with Vite 7, OR
  2. Also upgrade Vite: change line 91 to "vite": "^8.0.0" (requires full regression testing)

Comment thread dashboard/pnpm-lock.yaml
autoInstallPeers: true
excludeLinksFromLockfile: false

overrides:

Blocking: The pnpm overrides section was removed from the lockfile.

Why it matters: The original lockfile had three important overrides:

  • rollup: npm:@rollup/wasm-node - Forces use of WASM build of Rollup
  • lodash: ^4.18.0 - Security override addressing CVE-2021-23337 and other lodash vulnerabilities
  • mdast-util-to-hast: ^13.2.1 - Compatibility fix

These overrides are still present in package.json under the pnpm.overrides field, but they were not respected when regenerating the lockfile. This indicates either:

  1. A pnpm version mismatch during pnpm install
  2. The lockfile was manually edited
  3. An issue with how pnpm is processing overrides

Suggested fix: Re-run pnpm install in the dashboard/ directory with the correct pnpm version to regenerate the lockfile with overrides properly applied. Verify the overrides section appears in the regenerated lockfile.

@doubleword-code doubleword-code Bot left a comment

Summary

This PR updates @vitejs/plugin-react from v5.0.1 to v6.0.0 in the dashboard. However, there are critical compatibility issues that block this upgrade:

  1. Vite 8 Required: @vitejs/plugin-react@6.x explicitly drops support for Vite 7 (per CHANGELOG), requiring vite: ^8.0.0, but this project uses vite: ^7.3.2.

  2. Missing Rollup Override: The pnpm lockfile no longer includes the rollup: npm:@rollup/wasm-node override that's defined in package.json, potentially causing platform-specific issues.

Verdict: Blocked - Requires Vite upgrade or pinning to plugin-react 5.x.

Research notes

  • Fetched @vitejs/plugin-react CHANGELOG

    • v6.0.0 (2026-03-12): "Drop Vite 7 and below support" - "Vite 7 and below are no longer supported. If you are using Vite 7, please upgrade to Vite 8."
    • v6.0.0: "Remove Babel Related Features" - Vite 8+ handles React Refresh Transform via Oxc. Babel plugins must now use @rolldown/plugin-babel if needed.
    • Peer dependencies changed to require vite: ^8.0.0
  • Current project state:

    • dashboard/package.json line 91: "vite": "^7.3.2"
    • dashboard/package.json lines 103-107: pnpm overrides for rollup, lodash, mdast-util-to-hast
    • New pnpm-lock.yaml: Missing top-level overrides section, no @rollup/wasm-node present

Suggested next steps

  1. Option A (Recommended): Pin @vitejs/plugin-react to ^5.0.1 until ready to upgrade Vite to v8

  2. Option B: Upgrade Vite to v8 alongside this change:

    • Update "vite": "^8.0.0" in package.json
    • Run pnpm install to regenerate lockfile with proper overrides
    • Test thoroughly for any breaking changes from Vite 8
  3. Fix lockfile: After resolving the Vite version issue, run pnpm install to ensure the pnpm overrides are properly reflected in the lockfile

General findings

Removed Babel dependencies

The upgrade removes Babel from the plugin's transitive dependencies (@babel/core, @babel/parser, etc. are no longer listed). This is expected per the CHANGELOG - v6 uses Oxc for React refresh transforms. If the project uses any custom Babel plugins via the babel option in the react plugin config, those will need to be migrated to use @rolldown/plugin-babel instead.

recharts deprecation notice

The lockfile shows a deprecation warning for recharts 2.15.4: "1.x and 2.x branches are no longer active. Bump to Recharts v3 to receive latest features and bugfixes." This is unrelated to this PR but worth noting for future maintenance.

Comment thread dashboard/package.json
"@types/react": "^19.2.2",
"@types/react-dom": "^19.1.7",
"@vitejs/plugin-react": "^5.0.1",
"@vitejs/plugin-react": "^6.0.0",

Blocking: This version requires Vite 8+, but the project uses Vite 7.3.2.

Why it matters: According to the @vitejs/plugin-react CHANGELOG, version 6.0.0 explicitly dropped support for Vite 7 and below: "Vite 7 and below are no longer supported. If you are using Vite 7, please upgrade to Vite 8." The peerDependencies in the lockfile confirm this requires vite: ^8.0.0.

Using an incompatible version will cause peer dependency warnings and may result in runtime errors or missing functionality.

Suggested fix: Either:

  1. Keep @vitejs/plugin-react at ^5.0.1 until ready to upgrade Vite, OR
  2. Upgrade Vite: change line 91 to "vite": "^8.0.0" and test thoroughly

Comment thread dashboard/pnpm-lock.yaml
@@ -4,11 +4,6 @@ settings:
autoInstallPeers: true

Blocking: The pnpm overrides section is missing from the lockfile.

Why it matters: The diff shows the overrides section was removed from the top level of the lockfile:

-overrides:
-  rollup: npm:@rollup/wasm-node
-  lodash: ^4.18.0
-  mdast-util-to-hast: ^13.2.1

However, package.json still defines these overrides (lines 103-107). The new lockfile does not include @rollup/wasm-node anywhere, meaning the WASM-based Rollup override is not being applied. This could cause issues on platforms where the native Rollup binaries don't work correctly.

Suggested fix: Run pnpm install in the dashboard/ directory to regenerate the lockfile with the overrides properly applied. Verify the lockfile includes the @rollup/wasm-node package after regeneration.

@doubleword-code doubleword-code Bot left a comment

Summary

This PR updates @vitejs/plugin-react from v5.0.1 to v6.0.0. However, there are critical compatibility issues that block merging:

  1. Vite version incompatibility: Plugin React v6 dropped support for Vite 7 (requires Vite 8+), but this project uses Vite 7.3.2
  2. Missing pnpm overrides: Security-related overrides for rollup, lodash, and mdast-util-to-hast were removed from the lockfile

Verdict: Blocked - requires Vite upgrade or pinning to plugin-react v5.x

Research notes

Fetched the official changelog from vite-plugin-react CHANGELOG:

v6.0.0 breaking changes (2026-03-12):

  • Drop Vite 7 and below support: "Vite 7 and below are no longer supported. If you are using Vite 7, please upgrade to Vite 8."
  • Remove Babel-related features: Babel is no longer bundled; the plugin now uses Oxc for React refresh transform
  • New peer dependencies: @rolldown/plugin-babel (optional), babel-plugin-react-compiler (optional)
  • Requires Node 20.19+ or 22.12+

The current project configuration:

  • vite: ^7.3.2 (in package.json)
  • No @rolldown/plugin-babel or babel-plugin-react-compiler installed

Suggested next steps

  1. Option A (Recommended): Upgrade Vite to v8+ alongside this plugin update

    • Update "vite": "^8.0.0" in package.json
    • Test thoroughly as Vite major versions may have breaking changes
  2. Option B: Pin @vitejs/plugin-react to ^5.1.4 (latest v5.x) if Vite 8 upgrade isn't ready

  3. Restore pnpm overrides: Add back the security overrides that were removed:

    "pnpm": {
      "overrides": {
        "rollup": "npm:@rollup/wasm-node",
        "lodash": "^4.18.0",
        "mdast-util-to-hast": "^13.2.1"
      }
    }

General findings

  • The pnpm lockfile shows @vitejs/plugin-react@6.0.2(vite@7.3.2(...)) - pnpm resolved it despite the peer dependency mismatch, but this could cause runtime issues or unexpected behavior
  • The removal of rollup: npm:@rollup/wasm-node override means the standard rollup package will be used instead of the WASM variant (may have been intentional, but should be verified)
  • The lodash and mdast-util-to-hast security overrides removal could reintroduce known vulnerabilities

@doubleword-code doubleword-code Bot left a comment

Summary

This PR updates @vitejs/plugin-react from v5.0.1 to v6.0.0. However, this update introduces a critical compatibility issue: @vitejs/plugin-react v6 explicitly drops support for Vite 7 and below, requiring Vite 8+ (see CHANGELOG). The current project uses Vite 7.3.2 ("vite": "^7.3.2" in package.json), which is incompatible with the v6 plugin.

Verdict: 🚫 Blocked - Cannot merge without also upgrading Vite to v8+, or should downgrade the plugin spec to stay on v5.x.

Research notes

  • Fetched @vitejs/plugin-react CHANGELOG - Version 6.0.0 (2026-03-12) states: "Drop Vite 7 and below support - Vite 7 and below are no longer supported. If you are using Vite 7, please upgrade to Vite 8."
  • Fetched @vitejs/plugin-react README - Peer dependencies now require vite: ^8.0.0
  • The diff shows peer dependency change in the lockfile from supporting ^4.2.0 || ^5.0.0 || ^6.0.0 || ^7.0.0 || ^8.0.0 to just ^8.0.0
  • Version 6.0.0 also removed Babel-related features; if custom Babel plugins are used, they must migrate to @rolldown/plugin-babel

Suggested next steps

  1. Option A (Recommended): Also upgrade Vite to v8+ in the same PR:

    • Update "vite": "^8.0.0" (or latest v8 version) in dashboard/package.json
    • Test thoroughly as Vite 8 may have additional breaking changes
  2. Option B: Keep the plugin on v5.x if Vite 8 upgrade is not desired yet:

    • Change spec back to "@vitejs/plugin-react": "^5.0.1" (or ^5.2.0 for latest v5)

General findings

None beyond the blocking compatibility issue above. The lockfile changes appear to be standard pnpm resolution updates reflecting the new plugin version and its different dependency tree (removal of Babel dependencies, native Rollup platform-specific binaries).

Comment thread dashboard/package.json
"@types/react": "^19.2.2",
"@types/react-dom": "^19.1.7",
"@vitejs/plugin-react": "^5.0.1",
"@vitejs/plugin-react": "^6.0.0",

Blocking: Incompatible peer dependency - @vitejs/plugin-react v6 requires Vite 8+, but project uses Vite 7.3.2.

Why it matters: According to the official CHANGELOG, version 6.0.0 explicitly dropped support for Vite 7 and below: "Vite 7 and below are no longer supported. If you are using Vite 7, please upgrade to Vite 8." The peer dependencies changed from vite: ^4.2.0 || ^5.0.0 || ^6.0.0 || ^7.0.0 || ^8.0.0 (v5.x) to vite: ^8.0.0 (v6.x). This will cause runtime errors or build failures.

Suggested fix: Either:

  1. Upgrade Vite: Change line 91 to "vite": "^8.0.0" (test thoroughly for Vite 8 breaking changes)
  2. Or keep plugin on v5: Change this line to "@vitejs/plugin-react": "^5.2.0" (latest v5)

@doubleword-code doubleword-code Bot left a comment

Summary

This PR updates @vitejs/plugin-react from v5.0.1 to v6.0.0. However, there is a critical compatibility issue that blocks merging:

Verdict: Blocked - Requires Vite upgrade alongside this change.

Research notes

I reviewed the @vitejs/plugin-react CHANGELOG and found these breaking changes in v6.0.0:

  1. Drop Vite 7 and below support: Vite 8+ is now required. The changelog explicitly states: "If you are using Vite 7, please upgrade to Vite 8."
  2. Babel removed: Babel is no longer bundled; users needing Babel transforms must install @rolldown/plugin-babel separately
  3. Node.js requirement: Requires Node 20.19+ or 22.12+

The current project uses Vite ^7.3.2 (package.json line 91), which is incompatible with plugin-react v6.

Additionally, the pnpm-lock.yaml previously had an overrides: section that was removed in this PR. While the overrides are still defined in package.json, the lockfile no longer includes the rollup: npm:@rollup/wasm-node override - regular rollup@4.61.0 is now installed instead of the WASM variant.

Suggested next steps

  1. Upgrade Vite to v8+ before or alongside this change (check Vite 8 compatibility with other plugins first)
  2. Re-run pnpm install after upgrading Vite to ensure overrides are properly applied to the lockfile
  3. Test the build to verify React Fast Refresh still works correctly
  4. If any custom Babel plugins are being used, install @rolldown/plugin-babel as a separate dependency

General findings

Missing rollup WASM override in lockfile

The pnpm.lock file no longer contains the overrides: section at the document level. The overrides are still present in package.json under pnpm.overrides, but the lockfile shows rollup@4.61.0 instead of @rollup/wasm-node. This override was likely added intentionally for a reason (possibly ARM compatibility or build consistency). After running pnpm install, the lockfile should reflect these overrides.

General findings (auto-demoted from inline due to pre-validation)

  • Non-blocking dashboard/pnpm-lock.yaml:1 — Overrides section removed from lockfile.
    • (demoted: line 1 (side=RIGHT) is not part of any diff hunk in dashboard/pnpm-lock.yaml)

Comment thread dashboard/package.json
"@types/react": "^19.2.2",
"@types/react-dom": "^19.1.7",
"@vitejs/plugin-react": "^5.0.1",
"@vitejs/plugin-react": "^6.0.0",

Blocking: Incompatible Vite version.

Why it matters: @vitejs/plugin-react v6.0.0 requires Vite 8+ as a peer dependency, but this project uses Vite ^7.3.2 (line 91). According to the official changelog:

Drop Vite 7 and below support

Vite 7 and below are no longer supported. If you are using Vite 7, please upgrade to Vite 8.

Using incompatible versions will cause runtime errors or unexpected behavior.

Suggested fix: Either:

  1. Upgrade Vite to ^8.0.0 alongside this change: "vite": "^8.0.0"
  2. Or pin @vitejs/plugin-react to ^5.0.1 if Vite 8 upgrade needs to be deferred

@doubleword-code doubleword-code Bot left a comment

Summary

This PR updates @vitejs/plugin-react from v5.0.1 to v6.0.0, which is a major version upgrade with breaking changes. However, there is a critical compatibility issue: @vitejs/plugin-react@6.x requires Vite 8+, but this project currently uses vite@^7.3.2.

Verdict: 🚫 Blocked - This PR cannot be merged as-is because it creates a peer dependency mismatch. The project must either:

  1. Upgrade vite to v8+ alongside this change, OR
  2. Pin @vitejs/plugin-react to v5.x if staying on Vite 7

Research notes

I consulted the official @vitejs/plugin-react v6.0.0 release notes and CHANGELOG:

Breaking Changes in v6.0.0:

  1. Drop Vite 7 and below support (#1124):

    "Vite 7 and below are no longer supported. If you are using Vite 7, please upgrade to Vite 8."

  2. Remove Babel Related Features (#1123):

    "Vite 8+ can handle React Refresh Transform by Oxc and doesn't need Babel for it... babel is no longer a dependency of this plugin and the related features are removed."

    • Projects using custom Babel plugins must now install @rolldown/plugin-babel separately
    • The good news: this project's vite.config.ts doesn't use any custom Babel configuration, so migration would be straightforward once Vite is upgraded
  3. New peer dependency: vite: ^8.0.0 (previously ^4.2.0 || ^5.0.0 || ^6.0.0 || ^7.0.0 || ^8.0.0)

Current Project State:

  • dashboard/package.json declares: "vite": "^7.3.2" (line 91)
  • dashboard/package.json declares: "@vitejs/plugin-react": "^6.0.0" (after this PR)
  • The lockfile shows @vitejs/plugin-react@6.0.2 with peer dep vite: ^8.0.0

This creates an unsatisfied peer dependency that npm/pnpm should warn about during installation.

Suggested next steps

  1. Decide on Vite version strategy:

    • If ready to upgrade to Vite 8: Update "vite": "^8.0.0" in package.json and test thoroughly
    • If staying on Vite 7: Change the specifier to "@vitejs/plugin-react": "^5.1.4" (latest v5.x)
  2. If upgrading to Vite 8, check the Vite 8 migration guide for breaking changes that may affect:

    • Build configuration in vite.config.ts
    • Plugin compatibility (especially rollup-plugin-visualizer and @tailwindcss/vite)
    • Any custom Vite plugins or hooks
  3. Verify pnpm overrides: The pnpm.overrides section in package.json includes "rollup": "npm:@rollup/wasm-node". Ensure this override still works correctly after any Vite upgrade, as Vite's Rollup integration may have changed.

General findings

No other issues found. The lockfile changes are consistent with a standard dependency update—the diff primarily reflects:

  • Removal of Babel-related transitive dependencies (@babel/core, @babel/parser, etc.) since v6 no longer bundles them
  • Addition of platform-specific @rollup/* binaries (standard for native Rollup)
  • Updated @rolldown/pluginutils from 1.0.0-rc.3 to 1.0.1

Note: There's a deprecation warning in the lockfile for recharts@2.15.4 stating "1.x and 2.x branches are no longer active", but this is unrelated to the current PR.

General findings (auto-demoted from inline due to pre-validation)

  • Blocking dashboard/package.json:91 — This Vite version is incompatible with @vitejs/plugin-react@6.x declared on line 78.
    • (demoted: line 91 (side=RIGHT) is not part of any diff hunk in dashboard/package.json)

Comment thread dashboard/package.json
"@types/react": "^19.2.2",
"@types/react-dom": "^19.1.7",
"@vitejs/plugin-react": "^5.0.1",
"@vitejs/plugin-react": "^6.0.0",

Blocking: Peer dependency mismatch - @vitejs/plugin-react@6.x requires vite: ^8.0.0, but this project uses vite: ^7.3.2 (line 91).

Why it matters: According to the v6.0.0 release notes, this version "Drop[s] Vite 7 and below support." Installing with mismatched peer dependencies can cause:

  • Runtime errors due to API incompatibilities between Vite 7 and 8
  • Build failures if the plugin calls Vite 8-only APIs
  • Silent bugs from behavior changes between major versions

The lockfile already shows the new peer dependency requirement:

peerDependencies:
  vite: ^8.0.0

Suggested fix: Choose one of these paths:

  1. Upgrade Vite to v8 (recommended if ready):

    "vite": "^8.0.0"

    Then run pnpm install and test the dev server, builds, and tests.

  2. Stay on Vite 7 (safer short-term):

    "@vitejs/plugin-react": "^5.1.4"

    This keeps you on the latest v5.x which supports Vite 7.

  3. Use exact v5 version (most conservative):

    "@vitejs/plugin-react": "5.2.0"

    This pins to the current version before the major bump.

@doubleword-code doubleword-code Bot left a comment

Summary

This PR updates @vitejs/plugin-react from v5.0.1 to v6.0.0. However, this upgrade is incompatible with the current Vite version.

Verdict: Blocked — The plugin v6 requires Vite 8+, but the project uses Vite ^7.3.2.


Research notes

I fetched the official @vitejs/plugin-react CHANGELOG which clearly states for v6.0.0:

Drop Vite 7 and below support (#1124)

Vite 7 and below are no longer supported. If you are using Vite 7, please upgrade to Vite 8.

The peer dependency in v6 now requires vite: ^8.0.0 (previously accepted v4.x through v7.x).

Current project state (dashboard/package.json:91):

"vite": "^7.3.2"

Suggested next steps

  1. Option A (Recommended): Downgrade the plugin update to stay on v5.x until Vite 8 is officially released and ready for adoption:

    "@vitejs/plugin-react": "^5.2.0"

  2. Option B: If upgrading to Vite 8 is intended, update both dependencies together:

    "vite": "^8.0.0",
    "@vitejs/plugin-react": "^6.0.0"

    Then test thoroughly as Vite 8 may introduce additional breaking changes.


General findings

pnpm-lock.yaml overrides removal (informational)

The diff shows the top-level overrides block was removed from pnpm-lock.yaml:

-overrides:
-  rollup: npm:@rollup/wasm-node
-  lodash: ^4.18.0
-  mdast-util-to-hast: ^13.2.1
-  minimatch@<3.1.3: ^3.1.3

These overrides are still present in package.json under pnpm.overrides (lines 102-108), so this is just a lockfile formatting change and not a functional issue. pnpm will continue applying these overrides from the package.json source.

@doubleword-code doubleword-code Bot left a comment

Summary

This PR upgrades @vitejs/plugin-react from v5.0.1 to v6.0.0. However, there is a critical peer dependency mismatch that blocks this upgrade: @vitejs/plugin-react v6 explicitly dropped support for Vite 7 and below, requiring Vite 8+. The current package.json still specifies Vite ^7.3.2, creating an incompatible configuration.

Verdict: Blocked - Requires Vite 8 upgrade alongside this plugin update.

Research notes

From the @vitejs/plugin-react CHANGELOG:

Drop Vite 7 and below support (#1124)

Vite 7 and below are no longer supported. If you are using Vite 7, please upgrade to Vite 8.

6.0.0-beta.0 (2026-03-03)

Remove Babel Related Features (#1123)

Vite 8+ can handle React Refresh Transform by Oxc and doesn't need Babel for it... babel is no longer a dependency of this plugin.

The v6 release introduces breaking changes:

  1. Peer dependency: vite: ^8.0.0 (was ^4.2.0 || ^5.0.0 || ^6.0.0 || ^7.0.0 || ^8.0.0 in v5)
  2. Architecture change: Babel is removed; React Refresh is now handled by Oxc
  3. Optional peer deps: @rolldown/plugin-babel and babel-plugin-react-compiler are now optional peer dependencies for users who need custom Babel transforms or React Compiler

Vite 8 is available (latest: v8.0.16 as of June 2026).

Suggested next steps

  1. Blocking: Upgrade Vite from ^7.3.2 to ^8.0.0 in dashboard/package.json line 91 to satisfy the peer dependency requirement of @vitejs/plugin-react@6.

  2. Non-blocking: Review the removal of pnpm overrides - the diff shows the overrides section was removed from pnpm-lock.yaml. If these overrides were added for security or compatibility reasons, they should be preserved in package.json:

    "pnpm": {
      "overrides": {
        "rollup": "npm:@rollup/wasm-node",
        "lodash": "^4.18.0",
        "mdast-util-to-hast": "^13.2.1",
        "minimatch@<3.1.3": "^3.1.3"
      }
    }

  3. Testing: After upgrading Vite, run the full test suite (just test ts) and verify the dev server builds correctly (pnpm run dev and pnpm run build).

General findings

  • The lockfile changes show significant simplification due to Babel-related packages being removed (e.g., @babel/core, @babel/traverse, gensync, json5, lru-cache, etc.). This is expected and reduces bundle size.
  • The rollup package resolution changed from @rollup/wasm-node to native rollup@4.61.0 with platform-specific binaries. This may affect CI/build environments depending on the platform.
  • No changes to actual application code are required for this upgrade since the React Fast Refresh transform is now handled internally by Oxc rather than Babel.

General findings (auto-demoted from inline due to pre-validation)

  • Non-blocking dashboard/package.json:102 — The entire pnpm.overrides block appears to have been removed in this diff (lines 102-108 in the original). These overrides were likely added for specific security or compatibility reasons.
    • (demoted: line 102 (side=LEFT) is not part of any diff hunk in dashboard/package.json)

Comment thread dashboard/package.json
"@types/react": "^19.2.2",
"@types/react-dom": "^19.1.7",
"@vitejs/plugin-react": "^5.0.1",
"@vitejs/plugin-react": "^6.0.0",
Blocking: Peer dependency mismatch - @vitejs/plugin-react@6 requires vite@^8.0.0, but line 91 specifies "vite": "^7.3.2".

Why it matters: According to the official CHANGELOG, v6.0.0 dropped support for Vite 7 and below. The peerDependencies now specify vite: ^8.0.0. Running with Vite 7 will result in an unsatisfied peer dependency warning and potential runtime incompatibilities since v6 uses Oxc for React Refresh instead of Babel.

Suggested fix: Update Vite to v8:

"vite": "^8.0.0"

Then run pnpm install to regenerate the lockfile with compatible versions.

@doubleword-code doubleword-code Bot left a comment

Summary

This PR updates @vitejs/plugin-react from v5.0.1 to v6.0.0 (resolves to 6.0.2). While this is framed as a routine dependency update, there are significant issues that need to be addressed:

  1. Critical: The pnpm-lock.yaml diff removes the overrides section containing security patches for lodash, minimatch, mdast-util-to-hast, and the rollup WASM compatibility override. These overrides exist in package.json but are not reflected in the lockfile.

  2. Compatibility concern: @vitejs/plugin-react v6 officially drops support for Vite 7 (requires vite@^8.0.0), but this project uses vite@^7.3.2. The plugin may work, but it's outside the supported version range.

Verdict: Blocked on fixing the missing overrides in pnpm-lock.yaml. The lockfile must be regenerated to include the security overrides from package.json.

Research notes

Fetched the official CHANGELOG.md and README.md for @vitejs/plugin-react v6:

  • v6.0.0 breaking changes:

    • Babel is completely removed; React Fast Refresh now uses Oxc instead
    • Vite 7 and below are no longer supported (requires Vite 8+)
    • Peer dependencies changed to require vite@^8.0.0

  • From the README, v6 requires @rolldown/plugin-babel + babel-plugin-react-compiler + @babel/core only if using React Compiler features (not used in this project).

Suggested next steps

  1. Blocking: Regenerate pnpm-lock.yaml to include the overrides from package.json. Run pnpm install in the dashboard/ directory to ensure the security overrides (lodash ^4.18.0, minimatch ^3.1.3, mdast-util-to-hast ^13.2.1, rollup WASM) are properly locked.

  2. Non-blocking: Consider upgrading Vite to v8+ to match the peer dependency requirements of @vitejs/plugin-react v6, or pin the plugin to v5.x if staying on Vite 7.

  3. Verify the build and tests pass after regenerating the lockfile, since the removal of Babel could affect any custom JSX transformation behavior.

General findings

  • The package.json correctly retains all four overrides in the pnpm.overrides section (lines 103-108)
  • The lockfile removal of these overrides appears to be an error in how pnpm lockfile was generated
  • No custom Babel configuration is present in vite.config.ts or vitest.config.ts, so the Babel removal in v6 should not impact functionality
  • The project uses React 19, which is compatible with v6's React Compiler support if needed in future

Comment thread dashboard/pnpm-lock.yaml
autoInstallPeers: true
excludeLinksFromLockfile: false

overrides:
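Review bot: the `overrides:` key that closes this hunk is the start of the block the thread reports as removed, so the lockfile and the pnpm.overrides entries in dashboard/package.json may no longer agree. Before merging, run `pnpm install --frozen-lockfile` in dashboard/ and confirm the resolved versions of rollup, lodash, mdast-util-to-hast and minimatch in the regenerated lockfile, rather than accepting the lockfile as Renovate produced it.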
Blocking: The entire overrides section (lines 7-12 in the original) has been removed from pnpm-lock.yaml, but these overrides still exist in package.json:

"pnpm": {
  "overrides": {
    "rollup": "npm:@rollup/wasm-node",
    "lodash": "^4.18.0",
    "mdast-util-to-hast": "^13.2.1",
    "minimatch@<3.1.3": "^3.1.3"
  }
}

Why it matters:

  • lodash: ^4.18.0 and minimatch@<3.1.3: ^3.1.3 are security overrides protecting against known prototype pollution vulnerabilities (CVE-2021-23566 for lodash, CVE-2024-45296 for minimatch)
  • rollup: npm:@rollup/wasm-node is a compatibility override ensuring the WASM build is used
  • When pnpm install runs with this lockfile, these security overrides will NOT be applied, potentially introducing vulnerabilities

Suggested fix: Regenerate the lockfile by running pnpm install in the dashboard/ directory. The lockfile should preserve the overrides section matching package.json. If using Renovate, ensure the bot is configured to regenerate the full lockfile including overrides.
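
The reviews in this thread disagree on whether the missing lockfile `overrides:` block matters, so the drift itself is worth checking mechanically. The following is an added example, not code from this repository or from pnpm: it compares `pnpm.overrides` in package.json with the top-level `overrides:` block of pnpm-lock.yaml. The function names, the `settings:` header and both lockfile samples are constructed for illustration, and the parser handles only the flat block layout quoted above.

```javascript
// Added example (not the project's code). All inputs are constructed samples.

// Read only the top-level `overrides:` mapping of a pnpm lockfile.
function parseLockOverrides(lockText) {
  const out = {};
  let inBlock = false;
  for (const line of lockText.split(/\r?\n/)) {
    if (/^overrides:\s*$/.test(line)) { inBlock = true; continue; }
    if (!inBlock || line.trim() === '') continue;
    if (!/^\s/.test(line)) break; // next top-level key ends the block
    const m = line.match(/^\s+(['"]?)(.+?)\1:\s+(.*)$/);
    if (m) out[m[2]] = m[3].trim().replace(/^(['"])(.*)\1$/, '$2');
  }
  return out;
}

// Compare overrides declared in package.json with what the lockfile records.
function diffOverrides(pkgJsonText, lockText) {
  const declared = (JSON.parse(pkgJsonText).pnpm || {}).overrides || {};
  const locked = parseLockOverrides(lockText);
  const has = (o, k) => Object.hasOwn(o, k);
  const missing = Object.keys(declared).filter((k) => !has(locked, k));
  const changed = Object.keys(declared)
    .filter((k) => has(locked, k) && locked[k] !== declared[k]);
  const extra = Object.keys(locked).filter((k) => !has(declared, k));
  return { missing, changed, extra,
    ok: !(missing.length || changed.length || extra.length) };
}

// Constructed package.json carrying the four overrides quoted in the thread.
const PKG = JSON.stringify({ pnpm: { overrides: {
  rollup: 'npm:@rollup/wasm-node',
  lodash: '^4.18.0',
  'mdast-util-to-hast': '^13.2.1',
  'minimatch@<3.1.3': '^3.1.3',
} } });

// Constructed lockfile heads: one with the block, one with it removed.
const LOCK_WITH = [
  'settings:', '  autoInstallPeers: true', '  excludeLinksFromLockfile: false', '',
  'overrides:', '  rollup: npm:@rollup/wasm-node', '  lodash: ^4.18.0',
  '  mdast-util-to-hast: ^13.2.1', "  'minimatch@<3.1.3': ^3.1.3", '', 'importers:',
].join('\n');
const LOCK_WITHOUT = LOCK_WITH.replace(/overrides:[\s\S]*?\n\n/, '');

console.log(diffOverrides(PKG, LOCK_WITH));    // ok: true
console.log(diffOverrides(PKG, LOCK_WITHOUT)); // all four keys in `missing`
```

Run against the real files, a non-empty `missing` or `changed` list is the signal to regenerate the lockfile before merging.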

Comment thread dashboard/package.json
"@types/react": "^19.2.2",
"@types/react-dom": "^19.1.7",
"@vitejs/plugin-react": "^5.0.1",
"@vitejs/plugin-react": "^6.0.0",
Non-blocking: This upgrade to v6.0.0 introduces a peer dependency mismatch. According to the @vitejs/plugin-react CHANGELOG:

Drop Vite 7 and below support (#1124)

Vite 7 and below are no longer supported. If you are using Vite 7, please upgrade to Vite 8.

This project uses vite@^7.3.2 (line 91), which is outside the supported range (vite@^8.0.0).

Why it matters: While pnpm allows installing with peer dependency mismatches, running on unsupported versions means:

  • Potential runtime issues if v6 relies on Vite 8+ APIs
  • No guarantee of compatibility or bug fixes for Vite 7 users
  • Future updates may break without warning

Suggested fix: Either:

  1. Upgrade Vite to v8+: "vite": "^8.0.0" (recommended, but test thoroughly)
  2. Pin to v5.x if staying on Vite 7: "@vitejs/plugin-react": "^5.0.1"
  3. Keep current setup but verify all dev/build/test workflows work correctly

@doubleword-code doubleword-code Bot left a comment

Summary

This PR upgrades @vitejs/plugin-react from v5.0.1 to v6.0.0. While this is framed as a routine dependency update, it introduces a breaking change that was not accounted for: @vitejs/plugin-react v6 requires Vite 8+, but this project is still using Vite 7.3.2.

Verdict: Blocked - Cannot merge without also upgrading Vite to v8 or pinning @vitejs/plugin-react to v5.x.

Research notes

Fetched the official changelog from vitejs/vite-plugin-react:

Key breaking changes in v6.0.0:

  • Drop Vite 7 and below support: "Vite 7 and below are no longer supported. If you are using Vite 7, please upgrade to Vite 8."
  • Remove Babel-related features: Vite 8+ handles React Refresh Transform via Oxc. Babel is no longer bundled; users needing Babel must install @rolldown/plugin-babel separately.
  • Node.js requirement: Node 20.19+ or 22.12+

The lockfile confirms the peer dependency requirement:

peerDependencies:
  vite: ^8.0.0

But the project's package.json specifies "vite": "^7.3.2".

Suggested next steps

  1. Blocking: Either:

    • Upgrade Vite to v8 (pnpm add -D vite@^8.0.0), test thoroughly, then merge this PR, OR
    • Pin @vitejs/plugin-react to ^5.1.4 (latest v5.x) if Vite 8 upgrade needs to be deferred

  2. Non-blocking: Address security warning for @ungap/structured-clone@1.3.0 (CWE-502) by running pnpm update to get patched versions

  3. Future consideration: recharts@2.15.4 shows deprecation notice for 2.x branch - plan migration to v3 when convenient

General findings

Good news

  • No custom Babel configuration is used (react() is called with no options in both vite.config.ts and vitest.config.ts), so the removal of Babel features won't require code changes once Vite 8 is installed
  • The project already meets the Node.js requirement (engines: ^20.19.0 || >=22.12.0)
  • pnpm overrides in package.json are preserved correctly

Lockfile observation

The pnpm-lock.yaml shows the overrides section was removed from the lockfile root, but this appears to be a formatting change - the overrides still exist in package.json under pnpm.overrides.

General findings (auto-demoted from inline due to pre-validation)

  • Non-blocking dashboard/pnpm-lock.yaml:281 — Security vulnerability in transitive dependency.
    • (demoted: code self-check failed at dashboard/pnpm-lock.yaml:281: diff has resolution: {integrity: sha512-JiDShH45zKHWyGe4ZNVRrCjBz8Nh9TMmZG1kh4QTK8hCBTWBi8Da+i7s1fJw7/lYpM4cc, model claimed '@ungap/structured-clone@1.3.0':)

Comment thread dashboard/package.json
"@types/react": "^19.2.2",
"@types/react-dom": "^19.1.7",
"@vitejs/plugin-react": "^5.0.1",
"@vitejs/plugin-react": "^6.0.0",
Blocking: This upgrade introduces an incompatible peer dependency.

Why it matters: @vitejs/plugin-react v6.0.0 requires vite ^8.0.0 as a peer dependency, but this project uses vite ^7.3.2 (line 91). According to the official changelog:

"Vite 7 and below are no longer supported. If you are using Vite 7, please upgrade to Vite 8."

The pnpm-lock.yaml confirms this:

peerDependencies:
  vite: ^8.0.0

While pnpm allows installing despite peer mismatches (with warnings), this can lead to runtime issues since v6 assumes Vite 8's Oxc-based JSX transform infrastructure.

Suggested fix: Either:

  1. Upgrade Vite: Change line 91 to "vite": "^8.0.0" and test thoroughly
  2. Or pin this to v5: Change to "@vitejs/plugin-react": "^5.1.4" if Vite 8 upgrade needs separate planning
