feat(deps): upgrade upstream dependencies

[voidzero-guard]

Summary

• Automated upgrade of upstream dependencies.
• Bumps rolldown to v1.1.3 (e0d0b1b -> e77f7c7) and the oxc toolchain (oxlint 1.71.0 -> 1.72.0, oxfmt 0.56.0 -> 0.57.0, oxc-*/@oxc-project/* 0.137.0 -> 0.138.0).
• Bumps build-tooling catalog deps @napi-rs/wasm-runtime and rolldown-plugin-dts.
• Regenerates the NAPI bindings to match the new rolldown; no hand-written code changes.

Dependency updates

Package	From	To
rolldown	e0d0b1b	v1.1.3 (e77f7c7)
oxfmt	0.56.0	0.57.0
oxlint	1.71.0	1.72.0
@oxc-project/runtime	0.137.0	0.138.0
@oxc-project/types	0.137.0	0.138.0
oxc-minify	0.137.0	0.138.0
oxc-parser	0.137.0	0.138.0
oxc-transform	0.137.0	0.138.0
@napi-rs/wasm-runtime	^1.1.5	^1.1.6
rolldown-plugin-dts	^0.25.2	^0.26.0

Code changes

• Regenerated NAPI bindings (packages/cli/binding/index.d.cts): added onAdditionalAssets to BindingDevOptions; removed BindingViteBuildImportAnalysisPluginV2Config and the isEnableV2 field.
• Updated bundledVersions.rolldown 1.1.2 -> 1.1.3 (packages/core/package.json).
• Added vitepress-plugin-feedback-tracker@0.2.0-alpha.1 to minimumReleaseAgeExclude (pnpm-workspace.yaml).
• Lockfile and upstream-version metadata updates (Cargo.lock, pnpm-lock.yaml, packages/tools/.upstream-versions.json).

Build status

• sync-remote-and-build: success
• build-upstream: success

[netlify]

✅ Deploy Preview for viteplus-preview canceled.

Name	Link
🔨 Latest commit	ac2cd17
🔍 Latest deploy log	https://app.netlify.com/projects/viteplus-preview/deploys/6a433fc31b7a5c0007b63f85

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	npm/​oxfmt@​0.57.0
	npm/​@​oxc-project/​types@​0.138.0
	npm/​@​oxc-project/​runtime@​0.138.0
	cargo/​anyhow@​1.0.102 ⏵ 1.0.103
	npm/​oxc-parser@​0.138.0
	npm/​remove-unused-vars@​0.0.14
	npm/​oxc-transform@​0.138.0

View full report

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		Obfuscated code: npm oxfmt is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: package.json → npm/oxfmt@0.57.0 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/oxfmt@0.57.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm oxfmt is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: package.json → npm/oxfmt@0.57.0 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/oxfmt@0.57.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

[fengmk2]

CI failure root-cause analysis (updated)

main's E2E workflow is green, so all failures here are introduced by this bump (oxlint 1.71.0 -> 1.72.0, oxfmt 0.56.0 -> 0.57.0, rolldown 1.1.2 -> 1.1.3). 5 failures, 4 root causes:

1. CLI snap test (1/3) + CLI E2E (Linux x64 musl) — FIXED (781ca2b)

Both failed on a one-byte diff in packages/cli/snap-tests/check-oxlint-env/snap.txt: the error text is identical, only a trailing newline was added. oxlint 1.72.0 now emits a trailing \n on the tsgolint-not-found error; the committed snapshot ended without one. Regenerated the snapshot (the new blob hash matches exactly what CI expected).

2. bun-vite-template E2E (ubuntu + windows) — real behavior change, not yet fixed

vp fmt now errors: Syntax error: expect token \{`, but found `(`onsrc/components/Welcome/Welcome.module.cssat@media (max-width: $mantine-breakpoint-md). oxfmt 0.57.0 swapped its CSS formatter onto the new oxc-css-parser` (oxc-project/oxc#23920), which rejects this SCSS-in-CSS-Module syntax that 0.56.0 accepted. Genuine upstream regression worth reporting upstream.

3. dify E2E — transient/timing only

ERR_PNPM_NO_MATURE_MATCHING_VERSION: @oxlint/migrate@1.72.0 was published ~1h47m before the run, under the 24h minimumReleaseAge cutoff. Self-resolves once the package ages past the cutoff; just re-run.

4. Security Analysis — FIXED (243bcd0)

Correction to my earlier comment: this is NOT a deny.toml / serde_yml issue. The actual failure is error[unsound]: RUSTSEC-2026-0190, an unsoundness in anyhow 1.0.102's Error::downcast_mut(). The serde_yml advisory-not-detected line is only a warning and does not fail the check (verified locally: "advisories ok" with that warning present). Fixed by updating anyhow 1.0.102 -> 1.0.103; cargo-deny advisories then pass (exit 0).

5. vinext E2E — likely hang/timeout

The test step's log stops mid-run (next/og shim > exports ImageResponse class, MSW "no matching handler"), then jumps ~8 minutes to cleanup with no summary. Looks like a hang/timeout in vinext's own vitest suite. Re-run to confirm flakiness before digging deeper.

Status

• Telemetry #1 and Add global binary vp and delegate to vite-plus #4 fixed and pushed.
• Is vite-plus code gonna be in a new package or integrated into the current vite package #2 is the change to watch upstream (oxfmt 0.57.0 CSS-parser regression, chore(formatter_css): use oxc-css-parser oxc-project/oxc#23920).
• feat: basic command implementation #3 should clear on re-run once the package matures.
• Research options to show multiple tasks in terminal #5 should be re-run to confirm it is flaky.

Relevant upstream links

• oxc release apps_v1.72.0: https://github.com/oxc-project/oxc/releases/tag/apps_v1.72.0
• Compare: oxc-project/oxc@apps_v1.71.0...apps_v1.72.0
• oxfmt CSS-parser swap (failure Is vite-plus code gonna be in a new package or integrated into the current vite package #2): chore(formatter_css): use oxc-css-parser oxc-project/oxc#23920
• anyhow advisory (failure Add global binary vp and delegate to vite-plus #4): https://rustsec.org/advisories/RUSTSEC-2026-0190