chore: upgrade vite-plus and use setup-vite-plus-action for Node.js setup

[fengmk2]

Summary

• Upgrade vite-plus and related dependencies (qs, undici, @types/node, tshy)
• Use node-version input in setup-vite-plus-action instead of separate actions/setup-node steps
• Rename vite CLI to vp in all workflow commands
• Remove redundant corepack enable step in pkg.pr.new.yml

Test plan

• CI passes on all matrix combinations (Node 20/22/24/25, ubuntu/macos/windows)
• Typecheck job runs successfully
• pkg-pr-new publish workflow runs successfully

🤖 Generated with Claude Code

Summary by CodeRabbit

• Chores
  • CI workflows updated to streamline Node setup and pass Node versions through the unified setup step.
  • Build/test/lint scripts now route through the vp command runner for consistent execution.
  • Package scripts and lint-staged entries adjusted to use vp equivalents.
  • Bumped several dependencies and type packages to newer releases.

[coderabbitai]

📝 Walkthrough

Walkthrough

Removed explicit Node.js setup from GitHub Actions, passed node-version into the Setup Vite+ action, and switched CLI invocations from vite to vp across workflows and npm scripts; bumped deps (qs, undici, @types/node, tshy) in package.json.

Changes

Cohort / File(s)	Summary
GitHub Actions Workflows .github/workflows/nodejs.yml, .github/workflows/pkg.pr.new.yml	Removed explicit Node.js/setup-node steps; added node-version parameter to setup-vite-plus action; replaced vite CLI usages with vp equivalents and propagated matrix node version to Vite+ setup.
Package scripts & lint-staged package.json	Replaced vite CLI calls with vp in scripts and lint-staged entries (lint, fmt, typecheck, build, ci, prepublish, etc.); adjusted test/build orchestration to use vp wrappers.
Dependencies package.json	Bumped qs, undici, @types/node, and tshy dependency versions. No exported/public API changes.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• chore: upgrade vite-plus #647: CI and package.json edits to adopt Vite+/vite-plus command changes (same vp replacements).
• test: run test on Node.js 23 #543: Changes to .github/workflows/nodejs.yml Node version handling and workflow matrix setup.
• chore(deps): upgrade vitest from v3 to v4 #642: Overlapping edits to CI workflows and test/script invocations using the Vite+/vp toolchain.

Poem

🐰 vp hops in with nimble feet,
Commands remapped, the logs look neat.
Workflows trimmed, versions aligned,
Packages updated, tidy and kind.
The rabbit cheers — CI's complete! ✨

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the main changes: upgrading vite-plus and consolidating Node.js setup through setup-vite-plus-action.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch vp-upgrade

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[gemini-code-assist]

Summary of Changes

Hello @fengmk2, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request focuses on modernizing the project's foundational packages and streamlining the continuous integration pipeline. It updates key dependencies to ensure the development environment remains robust and current, while also making the CI workflows more efficient and consistent through simplified Node.js setup and standardized command usage.

Highlights

• Dependency Upgrades: Upgraded vite-plus and several related dependencies, including qs, undici, @types/node, and tshy, to their latest versions for improved compatibility and features.
• CI Workflow Optimization: Refactored Node.js setup in CI workflows to leverage the node-version input of setup-vite-plus-action, simplifying environment configuration.
• CLI Command Standardization: Standardized CLI command usage by renaming vite to vp across all workflow scripts for consistency.
• Redundant Step Removal: Eliminated a redundant corepack enable step in the pkg.pr.new.yml workflow, enhancing CI efficiency.

Changelog

• CI Workflow Files
  • Modified Node.js setup to use node-version input in setup-vite-plus-action.
  • Renamed vite CLI commands to vp.
  • Removed redundant corepack enable step in pkg.pr.new.yml.
• package.json
  • Updated qs from ^6.14.1 to ^6.15.0
  • Updated undici from ^7.19.0 to ^7.22.0
  • Updated @types/node from ^22.19.7 to ^22.19.11
  • Updated tshy from ^3.1.0 to ^3.3.2
  • Updated vitest to a specific version 0.0.0-b1666489.20260220-0254
• pnpm-lock.yaml
  • Updated various dependency resolutions across the project, reflecting changes in package.json and transitive dependencies.
  • Added new dependency entries for @standard-schema/spec and jsonc-simple-parser.

Ignored Files

• Ignored by pattern: .github/workflows/** (2)
  • .github/workflows/nodejs.yml
  • .github/workflows/pkg.pr.new.yml

Activity

• No human activity (comments, reviews, approvals) has been recorded on this pull request yet.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	@​voidzero-dev/​vite-plus-test@​0.0.0-4d2367587d11c412d283847253d95e4e36ace419 ⏵ 0.0.0-b1666489.20260220-0254			+1	+4
	vite-plus@​0.0.0-4d2367587d11c412d283847253d95e4e36ace419 ⏵ 0.0.0-b1666489.20260220-0254	+1		+1	+4
	@​types/​node@​22.19.7 ⏵ 22.19.11			+1
	tshy@​3.1.0 ⏵ 3.3.2			+1	+13
	qs@​6.14.1 ⏵ 6.15.0	+1	+1		-1
	undici@​7.19.0 ⏵ 7.22.0			+1

View full report

[gemini-code-assist]

Code Review

This pull request upgrades several dependencies, including vite-plus, and refactors the CI workflows. The dependency updates in package.json are mostly fine, but I've identified a significant inconsistency with the vitest dependency versioning. Pinning it in devDependencies while using @latest in overrides can lead to non-deterministic builds. My review includes a comment with a high severity to address this potential issue.

[Copilot]

Pull request overview

This PR upgrades vite-plus and related dependencies, modernizes the GitHub Actions workflows to use the new setup-vite-plus-action with integrated Node.js setup, and renames the CLI command from vite to vp in workflow files.

Changes:

• Upgraded dependencies: qs (6.14.1→6.15.0), undici (7.19.0→7.22.0), @types/node (22.19.7→22.19.11), tshy (3.1.0→3.3.2)
• Updated vite-plus packages to version 0.0.0-b1666489.20260220-0254
• Consolidated Node.js setup in workflows by using node-version input in setup-vite-plus-action instead of separate actions/setup-node steps
• Renamed CLI commands from vite to vp in all GitHub Actions workflows

Reviewed changes

Copilot reviewed 3 out of 4 changed files in this pull request and generated no comments.

File	Description
package.json	Updated dependency versions (qs, undici, @types/node, tshy) and pinned vitest to specific vite-plus-test version
pnpm-lock.yaml	Lockfile updates reflecting all dependency version changes and vite-plus upgrades
.github/workflows/pkg.pr.new.yml	Removed redundant corepack enable and separate Node.js setup steps; added node-version to setup-vite-plus-action; renamed vite to vp commands
.github/workflows/nodejs.yml	Removed separate Node.js setup steps; added node-version to setup-vite-plus-action; renamed vite to vp commands in both typecheck and test jobs

Files not reviewed (1)

• pnpm-lock.yaml: Language not supported

Comments suppressed due to low confidence (1)

package.json:135

• The vitest devDependency specifies a pinned version 0.0.0-b1666489.20260220-0254 but both the root overrides section (line 114) and the pnpm.overrides section (line 135) still use latest. This creates an inconsistency where the direct dependency is pinned but overrides allow any version. Consider either:

1. Pinning both override sections to the same version: "vitest": "npm:@voidzero-dev/vite-plus-test@0.0.0-b1666489.20260220-0254"
2. Or using latest for all three locations

This inconsistency could lead to unexpected behavior where different parts of the dependency tree resolve to different versions of vite-plus-test.

    "vitest": "npm:@voidzero-dev/vite-plus-test@0.0.0-b1666489.20260220-0254"
  },
  "overrides": {
    "vite": "npm:@voidzero-dev/vite-plus-core@latest",
    "vitest": "npm:@voidzero-dev/vite-plus-test@latest"
  },
  "lint-staged": {
    "*": [
      "vite run lint --fix",
      "vite fmt --no-error-on-unmatched-pattern"
    ]
  },
  "tshy": {
    "exports": {
      ".": "./src/index.ts",
      "./package.json": "./package.json"
    }
  },
  "engines": {
    "node": ">= 18.19.0"
  },
  "packageManager": "pnpm@10.28.1",
  "pnpm": {
    "overrides": {
      "vite": "npm:@voidzero-dev/vite-plus-core@latest",
      "vitest": "npm:@voidzero-dev/vite-plus-test@latest"

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[coderabbitai]

🧹 Nitpick comments (2)

package.json (1)

110-110: Version mismatch between pinned nightly in devDependencies and latest in pnpm.overrides.

The vitest devDependency is now pinned to a specific nightly build (0.0.0-b1666489.20260220-0254) while pnpm.overrides.vitest remains at @voidzero-dev/vite-plus-test@latest. This creates two problems:

1. Diverging resolution: Transitive packages requesting vitest (including @vitest/coverage-v8's peer dependency) will receive @voidzero-dev/vite-plus-test@latest, whereas direct scripts run against the pinned nightly — potentially two different binaries in the same install.
2. Registry stability: Canary/nightly builds in 0.0.0-* ranges are sometimes pruned from registries, which would break fresh installs on any machine without a lockfile hit.

Consider either aligning both to the pinned nightly for full reproducibility, or keeping both at latest and relying on the lockfile for pinning:

♻️ Option A — align overrides to the nightly pin

-    "vitest": "npm:`@voidzero-dev/vite-plus-test`@latest"
+    "vitest": "npm:`@voidzero-dev/vite-plus-test`@0.0.0-b1666489.20260220-0254"

(Apply the same change to both the root overrides and pnpm.overrides.)

♻️ Option B — revert devDependencies to `latest` and rely on lockfile

-    "vitest": "npm:`@voidzero-dev/vite-plus-test`@0.0.0-b1666489.20260220-0254"
+    "vitest": "latest"

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@package.json` at line 110, The package.json currently pins "vitest" in
devDependencies to a specific nightly ("0.0.0-b1666489.20260220-0254") while
pnpm.overrides.vitest (and any root "overrides") point to
`@voidzero-dev/vite-plus-test`@latest, causing inconsistent resolution; pick one
approach and make both locations consistent: either set devDependencies."vitest"
and pnpm.overrides.vitest (and root overrides if present) to the same nightly
version string for reproducible installs, or change devDependencies."vitest" to
`@voidzero-dev/vite-plus-test`@latest and make pnpm.overrides.vitest use
`@voidzero-dev/vite-plus-test`@latest so the lockfile handles pinning—update both
symbols ("vitest" in devDependencies, pnpm.overrides.vitest, and any top-level
"overrides") accordingly.

.github/workflows/pkg.pr.new.yml (1)

18-18: Nit: quote node-version consistently with nodejs.yml

node-version: 22 is a YAML integer; nodejs.yml uses node-version: '24' (quoted string). GitHub Actions coerces both to strings, so it won't break — but a quoted value is more explicit and consistent.

🔧 Proposed fix

-          node-version: 22
+          node-version: '22'

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/pkg.pr.new.yml at line 18, Change the unquoted YAML
integer node-version to a quoted string to match the style used elsewhere:
update the node-version key value from 22 to '22' (i.e., use node-version: '22')
so it is explicitly a string and consistent with nodejs.yml.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In @.github/workflows/pkg.pr.new.yml:
- Line 18: Change the unquoted YAML integer node-version to a quoted string to
match the style used elsewhere: update the node-version key value from 22 to
'22' (i.e., use node-version: '22') so it is explicitly a string and consistent
with nodejs.yml.

In `@package.json`:
- Line 110: The package.json currently pins "vitest" in devDependencies to a
specific nightly ("0.0.0-b1666489.20260220-0254") while pnpm.overrides.vitest
(and any root "overrides") point to `@voidzero-dev/vite-plus-test`@latest, causing
inconsistent resolution; pick one approach and make both locations consistent:
either set devDependencies."vitest" and pnpm.overrides.vitest (and root
overrides if present) to the same nightly version string for reproducible
installs, or change devDependencies."vitest" to
`@voidzero-dev/vite-plus-test`@latest and make pnpm.overrides.vitest use
`@voidzero-dev/vite-plus-test`@latest so the lockfile handles pinning—update both
symbols ("vitest" in devDependencies, pnpm.overrides.vitest, and any top-level
"overrides") accordingly.

[pkg-pr-new]

Open in StackBlitz

npm i https://pkg.pr.new/node-modules/urllib@659

commit: af54e50

[pkg-pr-new]

Open in StackBlitz

npm i https://pkg.pr.new/node-modules/urllib@659

commit: af54e50

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 92.77%. Comparing base (482dfa8) to head (af54e50).
⚠️ Report is 1 commits behind head on master.

Additional details and impacted files

@@           Coverage Diff           @@
##           master     #659   +/-   ##
=======================================
  Coverage   92.77%   92.77%           
=======================================
  Files          10       10           
  Lines         747      747           
  Branches      233      233           
=======================================
  Hits          693      693           
  Misses         51       51           
  Partials        3        3           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@package.json`:
- Around line 48-72: Update CLAUDE.md to replace all documented uses of the old
"vite" CLI with the new "vp" alias: change examples and commands such as "vite
lint" → "vp lint", "vite fmt" → "vp fmt", "vite test" → "vp test", "vite
install" → "vp install", "vite run" → "vp run", and update the entire "Review
Checklist" section to show the corresponding vp commands so the contributor
guide matches package.json and lint-staged usage.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check repo structure and locate CLAUDE.md
git ls-files | head -20
echo "---"
# Look for CLAUDE.md
find . -maxdepth 2 -name "CLAUDE.md" -o -name "claude.md" 2>/dev/null
echo "---"
# Check current vite-plus version in package.json
head -100 package.json | grep -A 5 "vite-plus"

Repository: node-modules/urllib

Length of output: 548

---

🏁 Script executed:

#!/bin/bash
# Check if vite-plus is installed and what binary it exports
if [ -f node_modules/vite-plus/package.json ]; then
  echo "=== vite-plus package.json bin field ==="
  jq '.bin' node_modules/vite-plus/package.json 2>/dev/null || \
    python3 -c "import json; pkg=json.load(open('node_modules/vite-plus/package.json')); print('bin:', pkg.get('bin', {}))" 
else
  echo "vite-plus not found in node_modules"
  # Try to find package info in package-lock or online sources
  echo "=== Looking for vite-plus version info ==="
  grep -A 2 '"vite-plus"' package.json package-lock.json 2>/dev/null | head -20
fi

Repository: node-modules/urllib

Length of output: 268

---

🏁 Script executed:

#!/bin/bash
# Search for CLAUDE.md in the repo
find . -type f -name "CLAUDE.md" -o -name "claude.md" 2>/dev/null | head -5
# Also check what documentation files exist
git ls-files | grep -i "\.md$" | head -20

Repository: node-modules/urllib

Length of output: 107

---

🏁 Script executed:

#!/bin/bash
# Read CLAUDE.md to check what it currently documents
cat CLAUDE.md

Repository: node-modules/urllib

Length of output: 6369

---

🏁 Script executed:

#!/bin/bash
# Read package.json lines around scripts and lint-staged
echo "=== Lines 48-72 (scripts section) ==="
sed -n '48,72p' package.json
echo ""
echo "=== Lines 118-119 (lint-staged) ==="
sed -n '118,119p' package.json
echo ""
echo "=== Check vite-plus entry ==="
sed -n '75,85p' package.json

Repository: node-modules/urllib

Length of output: 2303

---

🌐 Web query:

vite-plus npm package vp binary command

💡 Result:

The vite-plus npm package installs two CLI binaries:

• vite
• vp

In the package metadata, both commands point to the same executable (./bin/vite), so vp is just an alias of vite. [1]

That means you can run the same subcommands either way, e.g. vite dev / vp dev, vite build / vp build, etc. (Vite+’s CLI is described as adding commands like vite test, vite lint, vite fmt, vite run, etc.). [2]

Sources: [1] [2]

---

🌐 Web query:

vite-plus vp cli tool

💡 Result:

There isn’t a widely documented “vp” CLI for Vite+. What’s online points to two different things:

1. Vite+ (VoidZero) unified toolchain
   Vite+ is a “drop-in superset of Vite” that aims to unify dev/build, test, lint, format, monorepo task running (with caching), UI devtools, and library bundling under a single CLI experience. The public overview lists these capabilities (dev & build, test, lint, fmt, run, ui, lib). [1] It was announced as a unified CLI/toolchain by VoidZero. [2]

2. vp CLI is commonly “VersionPress CLI”
   A known vp command comes from @versionpress/vp-cli (“VersionPress.com CLI”), installed globally and run as vp. [3]

If you share where you saw “vite-plus vp” (a repo link, npm package name, or command snippet), I can pinpoint exactly which tool it refers to.

Sources: [1] [2] [3]

---

Update CLAUDE.md to reflect the renamed vp CLI

The vite → vp rename in scripts is correct and applied consistently across all package.json scripts (lines 48–72) and lint-staged (lines 118–119). The vp binary is a documented official alias exported by vite-plus alongside vite, so all commands will function correctly.

However, CLAUDE.md still documents vite commands (vite lint, vite fmt, vite test, vite install). Since this file guides contributors and is the source of project learnings, update it to reference vp instead so the stored guidance remains accurate:

• Change vite lint → vp lint
• Change vite fmt → vp fmt
• Change vite test → vp test
• Change vite install → vp install
• Change vite run → vp run
• Update the "Review Checklist" section to use vp commands

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@package.json` around lines 48 - 72, Update CLAUDE.md to replace all
documented uses of the old "vite" CLI with the new "vp" alias: change examples
and commands such as "vite lint" → "vp lint", "vite fmt" → "vp fmt", "vite test"
→ "vp test", "vite install" → "vp install", "vite run" → "vp run", and update
the entire "Review Checklist" section to show the corresponding vp commands so
the contributor guide matches package.json and lint-staged usage.