feat(deps): upgrade upstream dependencies#1989

Open
voidzero-guard[bot] wants to merge 5 commits into main from deps/upstream-update
Conversation

@voidzero-guard

Contributor

Summary

  • Automated upgrade of upstream dependencies.
  • Bumps rolldown to v1.1.3 (e0d0b1b -> e77f7c7) and the oxc toolchain (oxlint 1.71.0 -> 1.72.0, oxfmt 0.56.0 -> 0.57.0, oxc-*/@oxc-project/* 0.137.0 -> 0.138.0).
  • Bumps build-tooling catalog deps @napi-rs/wasm-runtime and rolldown-plugin-dts.
  • Regenerates the NAPI bindings to match the new rolldown; no hand-written code changes.

Dependency updates

Package                 From       To
rolldown                e0d0b1b    v1.1.3 (e77f7c7)
oxfmt                   0.56.0     0.57.0
oxlint                  1.71.0     1.72.0
@oxc-project/runtime    0.137.0    0.138.0
@oxc-project/types      0.137.0    0.138.0
oxc-minify              0.137.0    0.138.0
oxc-parser              0.137.0    0.138.0
oxc-transform           0.137.0    0.138.0
@napi-rs/wasm-runtime   ^1.1.5     ^1.1.6
rolldown-plugin-dts     ^0.25.2    ^0.26.0

Code changes

  • Regenerated NAPI bindings (packages/cli/binding/index.d.cts): added onAdditionalAssets to BindingDevOptions; removed BindingViteBuildImportAnalysisPluginV2Config and the isEnableV2 field.
  • Updated bundledVersions.rolldown 1.1.2 -> 1.1.3 (packages/core/package.json).
  • Added vitepress-plugin-feedback-tracker@0.2.0-alpha.1 to minimumReleaseAgeExclude (pnpm-workspace.yaml).
  • Lockfile and upstream-version metadata updates (Cargo.lock, pnpm-lock.yaml, packages/tools/.upstream-versions.json).

Build status

  • sync-remote-and-build: success
  • build-upstream: success

- rolldown: e0d0b1b -> v1.1.3 (e77f7c7)
- oxfmt: 0.56.0 -> 0.57.0
- oxlint: 1.71.0 -> 1.72.0
- @oxc-project/runtime: 0.137.0 -> 0.138.0
- @oxc-project/types: 0.137.0 -> 0.138.0
- oxc-minify: 0.137.0 -> 0.138.0
- oxc-parser: 0.137.0 -> 0.138.0
- oxc-transform: 0.137.0 -> 0.138.0
- @napi-rs/wasm-runtime: ^1.1.5 -> ^1.1.6
- rolldown-plugin-dts: ^0.25.2 -> ^0.26.0

Code changes:
- Regenerated NAPI bindings: added onAdditionalAssets to BindingDevOptions,
  dropped BindingViteBuildImportAnalysisPluginV2Config and isEnableV2
  (packages/cli/binding/index.d.cts)
- Bumped bundledVersions.rolldown 1.1.2 -> 1.1.3 (packages/core/package.json)
- Added vitepress-plugin-feedback-tracker@0.2.0-alpha.1 to
  minimumReleaseAgeExclude (pnpm-workspace.yaml)

@netlify

netlify Bot commented Jun 30, 2026


Deploy Preview for viteplus-preview canceled.

Name                  Link
🔨 Latest commit      ac2cd17
🔍 Latest deploy log  https://app.netlify.com/projects/viteplus-preview/deploys/6a433fc31b7a5c0007b63f85

@socket-security

socket-security Bot commented Jun 30, 2026


Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action  Severity  Alert
Warn    High      Obfuscated code: npm oxfmt is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: package.json (npm/oxfmt@0.57.0)

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/oxfmt@0.57.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

@fengmk2 fengmk2 self-assigned this Jun 30, 2026
@fengmk2

fengmk2 commented Jun 30, 2026

Member

CI failure root-cause analysis (updated)

main's E2E workflow is green, so all failures here are introduced by this bump (oxlint 1.71.0 -> 1.72.0, oxfmt 0.56.0 -> 0.57.0, rolldown 1.1.2 -> 1.1.3). 5 failures, 4 root causes:

1. CLI snap test (1/3) + CLI E2E (Linux x64 musl) — FIXED (781ca2b)

Both failed on a one-byte diff in packages/cli/snap-tests/check-oxlint-env/snap.txt: the error text is identical, only a trailing newline was added. oxlint 1.72.0 now emits a trailing \n on the tsgolint-not-found error; the committed snapshot ended without one. Regenerated the snapshot (the new blob hash matches exactly what CI expected).

2. bun-vite-template E2E (ubuntu + windows) — real behavior change, not yet fixed

vp fmt now errors: Syntax error: expect token "{", but found "(" on src/components/Welcome/Welcome.module.css at @media (max-width: $mantine-breakpoint-md). oxfmt 0.57.0 swapped its CSS formatter onto the new oxc-css-parser (oxc-project/oxc#23920), which rejects this SCSS-in-CSS-Module syntax that 0.56.0 accepted. Genuine upstream regression worth reporting upstream.

3. dify E2E — transient/timing only

ERR_PNPM_NO_MATURE_MATCHING_VERSION: @oxlint/migrate@1.72.0 was published ~1h47m before the run, under the 24h minimumReleaseAge cutoff. Self-resolves once the package ages past the cutoff; just re-run.

4. Security Analysis — FIXED (243bcd0)

Correction to my earlier comment: this is NOT a deny.toml / serde_yml issue. The actual failure is error[unsound]: RUSTSEC-2026-0190, an unsoundness in anyhow 1.0.102's Error::downcast_mut(). The serde_yml advisory-not-detected line is only a warning and does not fail the check (verified locally: "advisories ok" with that warning present). Fixed by updating anyhow 1.0.102 -> 1.0.103; cargo-deny advisories then pass (exit 0).

5. vinext E2E — likely hang/timeout

The test step's log stops mid-run (next/og shim > exports ImageResponse class, MSW "no matching handler"), then jumps ~8 minutes to cleanup with no summary. Looks like a hang/timeout in vinext's own vitest suite. Re-run to confirm flakiness before digging deeper.

Status

Relevant upstream links
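The ERR_PNPM_NO_MATURE_MATCHING_VERSION failure in point 3 comes down to a single date comparison: a version is only resolvable once it has been on the registry for minimumReleaseAge minutes, unless the package is listed in minimumReleaseAgeExclude. The following is an added example (not pnpm's or vite+'s own code) that models that rule; the registry timestamps and run time are constructed, and treating a name@version string as a valid exclude entry is an assumption based on the pnpm-workspace.yaml change described in this PR.

```javascript
// Added example, not pnpm's or vite+'s own code: a model of the pnpm
// minimumReleaseAge rule that explains the dify E2E failure above and the
// role of minimumReleaseAgeExclude. Registry timestamps are constructed.
const REGISTRY_TIME = {
  "@oxlint/migrate": {
    "1.71.0": "2026-06-10T09:00:00Z",
    "1.72.0": "2026-06-30T08:13:00Z", // ~1h47m before the constructed run time
  },
};
const RUN_AT = new Date("2026-06-30T10:00:00Z");
const ERR_CODE = "ERR_PNPM_NO_MATURE_MATCHING_VERSION";
// A version is mature when it has been on the registry for at least
// minAgeMinutes at the moment of resolution.
function isMature(publishedAt, runAt, minAgeMinutes) {
  return runAt.getTime() - Date.parse(publishedAt) >= minAgeMinutes * 60_000;
}

// Assumption: an exclude entry may be a bare package name or an exact
// name@version, as in the pnpm-workspace.yaml change described in this PR.
function isExcluded(pkg, version, exclude) {
  return exclude.includes(pkg) || exclude.includes(`${pkg}@${version}`);
}

// Numeric major.minor.patch comparison; enough for the versions modelled here.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Picks the newest candidate that is mature or excluded; otherwise throws
// with the error code pnpm reports in the dify E2E log.
function resolveMature(pkg, candidates, { runAt, minAgeMinutes, exclude = [] }) {
  const times = REGISTRY_TIME[pkg];
  const eligible = candidates.filter(
    (v) => isExcluded(pkg, v, exclude) || isMature(times[v], runAt, minAgeMinutes));
  if (eligible.length === 0) {
    const err = new Error(`${pkg}: no candidate is at least ${minAgeMinutes} minutes old`);
    err.code = ERR_CODE;
    throw err;
  }
  return eligible.sort(compareVersions).at(-1);
}
// Exact pin on a 1h47m-old version under a 24h cutoff fails; the same pin
// resolves once the version is on the exclude list (or the cutoff is 0).
const pin = ["1.72.0"];
try { resolveMature("@oxlint/migrate", pin, { runAt: RUN_AT, minAgeMinutes: 1440 }); }
catch (e) { console.log(e.code); }
console.log(resolveMature("@oxlint/migrate", pin,
  { runAt: RUN_AT, minAgeMinutes: 1440, exclude: ["@oxlint/migrate@1.72.0"] }));
```

Setting pnpm_config_minimum_release_age=0, as the E2E commit below does, corresponds to the minAgeMinutes: 0 case, where every candidate is treated as mature.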

fengmk2 added 4 commits June 30, 2026 10:46

anyhow 1.0.102 has an unsoundness in Error::downcast_mut() (RUSTSEC-2026-0190),
which fails the Security Analysis cargo-deny advisories check. Fixed in 1.0.103.

oxfmt 0.57.0 (oxc-css-parser, oxc-project/oxc#23920) rejects mantine's
postcss-simple-vars syntax in CSS Modules. Allow vp fmt to fail until
postcss-simple-vars is supported.

E2E intentionally installs just-published toolchain packages (e.g.
@oxlint/migrate during vp migrate). Set pnpm_config_minimum_release_age=0
so a same-day publish does not fail with ERR_PNPM_NO_MATURE_MATCHING_VERSION
(seen on the dify migrate).