voidzero-dev/vite-plus v0.2.0

vite-plus v0.2.0

on GitHub

Vite+ now consumes upstream Vitest directly (no wrapper), raises the minimum supported Node.js version to 22.18.0, and ships corepack and devEngines support.

Highlights

• vp test now runs upstream Vitest directly (breaking): Vite+ used to ship @voidzero-dev/vite-plus-test, a rebundled copy of Vitest that lagged upstream releases. That package is removed; vp test now runs the real upstream vitest, which is installed automatically as a dependency of vite-plus (you no longer add vitest or @vitest/* yourself, and vite still resolves to @voidzero-dev/vite-plus-core via package-manager overrides). Your import ... from 'vite-plus/test' code keeps working unchanged and vp migrate updates existing projects (#1588), by @Brooooooklyn
• Minimum supported Node.js version raised to ^22.18.0 || >=24.11.0 (breaking): Node 20 reached end-of-life and the bundled tsdown already required ^22.18.0, so the published engines range now matches what vp pack can actually deliver; vp exec / vp run / vp dlx reject projects resolving an older Node with the existing incompatibility error (#1813), by @fengmk2
• Corepack now works under Vite+: corepack now set up by default, so corepack enable and the pnpm/yarn launchers just work, even on Node 25+ which no longer ships it. (#1808), by @fengmk2
• devEngines support for runtime and package-manager selection: Vite+ reads devEngines.runtime (ranked above engines.node) and devEngines.packageManager; auto-pin and vp migrate write devEngines.packageManager, vp env pin / unpin target devEngines.runtime, and vp env doctor reports conflicts instead of silently resolving them (#1760), by @fengmk2

Features

• vp pm approve-builds: forward to npm's new approve-scripts / deny-scripts (npm >= 11.16.0) instead of the previous no-op, matching pnpm approve-builds / bun pm trust; mixed approve+deny is rejected with actionable guidance and npm's advisory-only caveat is surfaced (#1733), by @fengmk2
• vp create: support local monorepo templates declared in create.templates in vite.config.ts; vp create vite:generator scaffolds a Bingo generator and auto-registers it in the picker, replacing the old package.json-keyword inference (#1777), by @fengmk2
• vp create: detect direct dependencies whose build scripts the package manager gated (e.g. native builds like better-sqlite3) and act on them; prompt to approve each (default off) interactively, point at vp pm approve-builds non-interactively, or build them with --approve-builds (#1828), by @fengmk2
• vp config: add --no-hooks and --no-agent opt-outs to skip git-hook installation and coding-agent instruction updates (#1842), by @leno23
• vp list -g: sort the global package list output so entries appear in a stable order (#1748), by @liangmiQwQ
• Upgrade upstream dependencies: rolldown 1.0.3 -> 1.1.1, tsdown 0.22.1 -> 0.22.3, oxlint 1.67.0 -> 1.70.0, oxfmt 0.52.0 -> 0.55.0, vitest 4.1.8 -> 4.1.9, and the oxc toolchain 0.133.0 -> 0.136.0 (#1749, #1767, #1812, #1834, #1855), by @voidzero-guard[bot]

Fixes & Enhancements

• Security: resolve open Rust Dependabot advisories by bumping transitive openssl 0.10.76 -> 0.10.80 (openssl-sys 0.9.112 -> 0.9.116), fixing five high-severity rust-openssl issues (buffer overflows in key derivation, AES key wrap, and digest finalization; an unchecked PSK/cookie trampoline length leaking adjacent memory; and OCSP-responder undefined behavior: GHSA-pqf5-4pqq-29f5, GHSA-8c75-8mhr-p7r9, GHSA-ghm9-cr32-g9qj, GHSA-hppc-g8h3-xhp3, GHSA-xp3w-r5p5-63rr), and drop the unmaintained, unsound libyml (GHSA-gfxp-f68g-8x78, high) by removing dead serde_yml code (#1742), by @fengmk2
• Security (docs site): update mermaid 11.13.0 -> 11.15.0 to fix improper classDef sanitization in state diagrams that allowed HTML injection (CVE-2026-41149 / GHSA-ghcm-xqfw-q4vr, medium severity; <script> tags are stripped so it does not reach XSS) (#1745), by @renovate[bot]
• vp check --fix / vp staged: create/migrate now wrap inline Vite plugins: [...] arrays with lazyPlugins(...) so plugin factories aren't eagerly executed (and don't hang on open handles) during lint/format/check config loading (#1752), by @jong-kyung
• vp migrate: complete pending migration work for projects that already have vite-plus installed (scripts, imports, tsconfig types, ESLint/Prettier, legacy hooks, package-manager settings) instead of treating vite-plus as migration-complete; fully migrated projects stay idempotent (#1821), by @jong-kyung
• vp create / vp migrate: detect shorthand fmt, / lint, config keys so a duplicate inline block is no longer injected (#1843), by @fengmk2
• IDE oxlint/oxfmt wrappers: set VP_COMMAND so lazyPlugins() skips framework plugins during LSP config reads, preventing a stray .svelte-kit (and similar) directory at the monorepo root (#1764), by @jong-kyung
• vp lint / vp run -r lint on Windows: keep the absolute tsgolint path for workspace lint runs instead of downgrading it to a wrong cwd-relative path (#1758), by @semimikoh
• oxlint wrapper: set the tsgolint path so type-aware lint resolves it (#1811), by @jong-kyung
• vp install -g: use a unique backup directory and treat stale-backup cleanup as best-effort so a locked Windows binary no longer fails an otherwise successful reinstall (#1753), by @fengmk2
• vp install -g: remove stale managed binary shims when a reinstalled package drops a bin from its package.json#bin (#1765), by @liangmiQwQ
• vp create --git: surface git's actual stdout/stderr when the initial commit fails instead of always blaming user.name / user.email (#1819), by @fengmk2
• vp create vite:generator: reject --git / --no-git, since adding a generator to an existing monorepo does not initialize git (#1788), by @jong-kyung
• Global CLI: harden find_system_tool against a self-exec loop (skip the running executable's own bin directory) and fix two vite_global_cli tests that could hang (#1820), by @fengmk2
• CLI help: unify alias display (#1832), show supported run options (#1797), show --fail-if-no-match in exec help (#1798), add the implode documentation link (#1796), and handle nested-command typo help (#1803), by @jong-kyung

Docs

• Document vp create opt-out options (#1790), by @jong-kyung
• Document vp upgrade options (#1847), by @jong-kyung
• Align the config overview with the sidebar (#1846), by @jong-kyung
• Sync the documented command lists with the help output (#1850), by @jong-kyung
• Clarify lazy plugin side effects (#1841), by @leno23
• Add JongKyung's X profile (#1844) and update Christoph's X profile (#1845) on the team page, by @jong-kyung

Refactor

• Remove the CLI tips system; the shortcuts it printed on vp install are already covered by the help system and added unnecessary complexity (#1799), by @cpojer

Chore

• Re-enable Renovate dependency updates with a targeted ignore-list (#1744), by @fengmk2
• Keep generated NAPI bindings during upgrade-deps (#1759), by @fengmk2
• Remove the vite_glob dependency from vite-plus (#1763), by @wan9chi
• Keep sync-remote from churning pnpm-workspace.yaml (dedupe minimumReleaseAgeExclude, preserve comments) (#1787), by @fengmk2
• Make unix just test runnable (#1755), by @situ2001
• CI: reuse just lint and just test as the single source of truth (#1809), pin cargo-zigbuild to a git rev to fix the aarch64-musl link failure (#1815), and keep upgrade-deps green when rolldown bumps oxc (#1833), by @fengmk2
• Update Rust to nightly-2026-06-10 (#1725), typos to v1.47.1 / v1.47.2 (#1772, #1775), GitHub Actions (#1778, #1829), and npm packages (#1779), by @renovate[bot]
• Bump oxc-project/setup-node to v1.3.1 (#1792), by @Boshen
• Refresh trusted stack stats on the docs homepage (#1786, #1837), by @voidzero-guard[bot]

Bundled Versions

Upgrading from 0.1.24 to 0.2.0

This release has two breaking changes. For most projects the upgrade is vp upgrade, bump the project's vite-plus, then vp migrate.

1. Update the CLI

vp upgrade

2. Node.js 20 is no longer supported

The minimum supported Node.js version is now ^22.18.0 || >=24.11.0 (Node 20 reached end-of-life). If you are still on Node 20:

• Check your version: node --version (or vp env doctor)
• Move to a supported release: vp env pin 22.18.0 (or a newer LTS), or update your .node-version / devEngines.runtime

vp exec / vp run / vp dlx now refuse to run against a project that resolves Node < 22.18.0.

3. Vitest is now upstream (the wrapper is gone)

@voidzero-dev/vite-plus-test has been removed; Vite+ consumes upstream vitest directly. Bump vite-plus first, then migrate:

vp update vite-plus --latest    # project's vite-plus -> 0.2.0 (ignores the old range, updates the lockfile); monorepo: add -r
vp migrate                      # local vite-plus is now 0.2.0, so the new migration runs

vp update --latest re-resolves vite-plus to the newest release regardless of the old semver range, so the lockfile cannot pin you back to 0.1.24. The project's local vite-plus is then 0.2.0, and since the global vp delegates migrate to the project's local install, vp migrate runs the new migration.

• Your import { vi, ... } from 'vite-plus/test' code is unchanged. vp migrate rewrites any leftover vitest / @vitest/* imports and normalizes stale vitest: npm:@voidzero-dev/vite-plus-test@* aliases.
• You no longer add vitest or @vitest/* yourself; they arrive transitively through vite-plus.

New Contributors

Welcome to our new contributor @situ2001! 🎉

Full Changelog: v0.1.24...v0.2.0

Published Packages

• @voidzero-dev/vite-plus-core@0.2.0
• vite-plus@0.2.0

Installation

macOS/Linux:

curl -fsSL https://vite.plus | bash

Windows:

irm https://vite.plus/ps1 | iex

Or download and run vp-setup.exe from the assets below.

View the full commit: 6f97f09