Skip to content

feat(deps): upgrade upstream dependencies#1917

Closed
voidzero-guard[bot] wants to merge 1 commit into
mainfrom
deps/upstream-update
Closed

feat(deps): upgrade upstream dependencies#1917
voidzero-guard[bot] wants to merge 1 commit into
mainfrom
deps/upstream-update

Conversation

@voidzero-guard

@voidzero-guard voidzero-guard Bot commented Jun 23, 2026

Copy link
Copy Markdown
Contributor

Summary

  • Automated upgrade of upstream dependencies, headlined by a rolldown tag bump
    to v1.1.2 and the oxc crate/package family moving to 0.137.0.
  • oxfmt (0.56.0) and oxlint (1.71.0) bumped.
  • Required code adjustments: oxc parser API rename in vite_static_config, a
    rolldown-compat brand-vite patch dropping the removed native wasm fallback
    plugin, Cargo.toml dependency cleanup, and regenerated NAPI bindings.

Dependency updates

Package From To
rolldown d7f919c v1.1.2 (e0d0b1b)
oxfmt 0.55.0 0.56.0
oxlint 1.70.0 1.71.0
@oxc-project/runtime 0.136.0 0.137.0
@oxc-project/types 0.136.0 0.137.0
oxc-minify 0.136.0 0.137.0
oxc-parser 0.136.0 0.137.0
oxc-transform 0.136.0 0.137.0

Code changes

  • Cargo.toml: bump oxc crates 0.135.0 -> 0.137.0,
    oxc_resolver/oxc_resolver_napi 11.21.0 -> 11.21.3, oxc_sourcemap
    7 -> 8.0.1; drop the removed rolldown_plugin_vite_wasm_fallback path
    dependency; cargo shear cleanup (remove commondir, num-format, ropey,
    urlencoding); add idna_adapter, supports-color.
  • crates/vite_static_config/src/lib.rs: use result.diagnostics instead of
    result.errors for the oxc 0.137 parser API.
  • packages/tools/src/brand-vite.ts: add a tolerant rolldown-compat patch that
    removes the native viteWasmFallbackPlugin from the bundled vite (deleted in
    rolldown but still referenced by the pinned stable vite).
  • packages/cli/binding/index.cjs, packages/cli/binding/index.d.cts:
    regenerate NAPI bindings (export BindingErrorStage).
  • packages/core/package.json: bundled rolldown 1.1.1 -> 1.1.2.
  • pnpm-workspace.yaml: catalog bumps (@babel/*, @napi-rs/cli, acorn,
    oxc*) and minimumReleaseAgeExclude additions.

Build status

  • sync-remote-and-build: success
  • build-upstream: failure

@voidzero-guard
feat(deps): upgrade upstream dependencies
92491c5 
- rolldown: d7f919c -> v1.1.2 (e0d0b1b)
- oxfmt: 0.55.0 -> 0.56.0
- oxlint: 1.70.0 -> 1.71.0
- @oxc-project/runtime: 0.136.0 -> 0.137.0
- @oxc-project/types: 0.136.0 -> 0.137.0
- oxc-minify: 0.136.0 -> 0.137.0
- oxc-parser: 0.136.0 -> 0.137.0
- oxc-transform: 0.136.0 -> 0.137.0

Code changes:
- Cargo.toml: bump oxc crates 0.135.0 -> 0.137.0, oxc_resolver/oxc_resolver_napi
  11.21.0 -> 11.21.3, oxc_sourcemap 7 -> 8.0.1; drop removed
  rolldown_plugin_vite_wasm_fallback path dependency; cargo shear cleanup
  (remove commondir, num-format, ropey, urlencoding); add idna_adapter,
  supports-color.
- crates/vite_static_config/src/lib.rs: use result.diagnostics instead of
  result.errors for the oxc 0.137 parser API.
- packages/tools/src/brand-vite.ts: add tolerant rolldown-compat patch that
  removes the native wasm fallback plugin from the bundled vite.
- packages/cli/binding/index.cjs, packages/cli/binding/index.d.cts: regenerate
  NAPI bindings (export BindingErrorStage).
- packages/core/package.json: bundled rolldown 1.1.1 -> 1.1.2.
- pnpm-workspace.yaml: catalog bumps (@babel/*, @napi-rs/cli, acorn, oxc*) and
  minimumReleaseAgeExclude additions.
@netlify

netlify Bot commented Jun 23, 2026
edited
Loading

Copy link
Copy Markdown

Deploy Preview for viteplus-preview ready!

Name Link
🔨 Latest commit 92491c5
🔍 Latest deploy log https://app.netlify.com/projects/viteplus-preview/deploys/6a39e8845f658c00082f31c7
😎 Deploy Preview https://deploy-preview-1917--viteplus-preview.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.
🤖 Make changes Run an agent on this branch

To edit notification comments on pull requests, go to your Netlify project configuration.

@socket-security

socket-security Bot commented Jun 23, 2026

Copy link
Copy Markdown

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security		 Vulnerability Quality Maintenance License
Addednpm/​oxfmt@​0.56.0691008996100
Addednpm/​@​babel/​preset-typescript@​7.29.71001007397100
Addednpm/​@​oxc-project/​runtime@​0.137.01001007596100
Addednpm/​oxc-parser@​0.137.09010010096100
Updatedcargo/​oxc_allocator@​0.135.0 ⏵ 0.137.010010093100100
Updatedcargo/​oxc_ast@​0.135.0 ⏵ 0.137.010010093100100
Updatedcargo/​oxc_parser@​0.135.0 ⏵ 0.137.010010093100100
Updatedcargo/​oxc_resolver@​11.21.0 ⏵ 11.21.39710093100100
Updatedcargo/​oxc_span@​0.135.0 ⏵ 0.137.010010093100100
Addednpm/​oxc-transform@​0.137.0941009696100

View full report

@socket-security

socket-security Bot commented Jun 23, 2026

Copy link
Copy Markdown

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action Severity Alert  (click "▶" to expand/collapse)
Warn High
Obfuscated code: npm oxfmt is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: package.jsonnpm/oxfmt@0.56.0

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/oxfmt@0.56.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm oxfmt is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: package.jsonnpm/oxfmt@0.56.0

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/oxfmt@0.56.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

@voidzero-guard voidzero-guard Bot closed this Jun 23, 2026
@voidzero-guard voidzero-guard Bot deleted the deps/upstream-update branch June 23, 2026 12:55
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants