fix(docs): pin vite override to ^6.4.2 (was unbounded, pulled vite 8)#135

Merged: runonthespot merged 1 commit into main from fix/docs-vite-version, May 24, 2026

@runonthespot
Contributor

Root cause

In #133 I added a pnpm override to fix the GHSA-4w7w-66w2-5vf9 vite path-traversal alert:

```json
"vite": ">=6.4.2"
```

That's unbounded. pnpm happily resolved it to vite 8.0.14. Vite 8 made esbuild an optional/separate install. Vitepress 1.6.4 still calls `transformWithEsbuild` from its rendering pipeline, so the docs deploy died with:

```
Failed to load 'transformWithEsbuild'. It is deprecated and it now requires esbuild to be installed separately.
ELIFECYCLE Command failed with exit code 1.
```

The Deploy Documentation to GitHub Pages workflow has been failing on every push since.

Fix

Constrain to `^6.4.2` so we stay in vite 6.x — keeps the security patch but doesn't jump majors that vitepress wasn't tested against. Same treatment for esbuild (`^0.25.0`).

Verified locally

  • `pnpm install --frozen-lockfile && pnpm build` — succeeds, ~5s
  • `pnpm audit` — 0 vulnerabilities (security alert still resolved)
  • Compared bundle output dir: same as on main

🤖 Generated with Claude Code
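
The failure described in this PR, a security override with no upper bound floating to a new major, can be caught by checking override ranges before install. The following is an added example, not code from this PR or the project; it assumes overrides live under `pnpm.overrides` in package.json, and the function names, the sample manifests and the heuristic range check are constructed for illustration.

```javascript
// Added example: flag pnpm overrides whose semver range has no upper bound.
// The range check is a heuristic, not a full semver parser.

// Override values that are not plain semver ranges are skipped.
const NON_RANGE = /^(\$|npm:|link:|file:|workspace:|-$)/;

// True when one comparator set (comparators joined by spaces) has a ceiling.
function setIsBounded(set) {
  // Join operators to their operand: "> 6" becomes ">6".
  const s = set.trim().replace(/([<>=~^]+)\s+/g, "$1");
  if (/\s-\s/.test(s)) return true; // hyphen range "6.4.2 - 6.9.9"
  return s.split(/\s+/).some(
    (c) =>
      /^[\^~]/.test(c) || // caret or tilde range
      /^</.test(c) || // explicit "<" or "<=" ceiling
      /^=?v?\d+(\.(\d+|[xX*]))*([-+].*)?$/.test(c) // exact version or "6.x"
  );
}

// A range with "||" alternatives is bounded only if every alternative is.
function rangeIsBounded(range) {
  return String(range).split("||").every(setIsBounded);
}

// Returns [{ name, range }] for every override that can float to a new major.
function findUnboundedOverrides(pkg) {
  const overrides = (pkg.pnpm && pkg.pnpm.overrides) || {};
  return Object.entries(overrides)
    .filter(([, range]) => !NON_RANGE.test(range) && !rangeIsBounded(range))
    .map(([name, range]) => ({ name, range }));
}

// Constructed manifests: "before" mirrors the unbounded vite override from the
// PR text (the esbuild value is made up); "after" uses the ranges from the fix.
const before = { pnpm: { overrides: { vite: ">=6.4.2", esbuild: ">=0.25.0" } } };
const after = { pnpm: { overrides: { vite: "^6.4.2", esbuild: "^0.25.0" } } };

for (const [label, pkg] of Object.entries({ before, after })) {
  const hits = findUnboundedOverrides(pkg);
  console.log(label, hits.length ? hits : "all overrides bounded");
}
```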

My security-fix override in #133 used `vite: ">=6.4.2"` which is
unbounded. pnpm resolved that to vite 8.0.14 — vite 8 made esbuild
an optional/separate install, but vitepress 1.6.4 still calls
`transformWithEsbuild`, so the deploy-docs workflow has failed on
every push since:

  Failed to load `transformWithEsbuild`. It is deprecated and it
  now requires esbuild to be installed separately.
  ELIFECYCLE Command failed with exit code 1.

Constrain to `^6.4.2` — keeps the security patch (path traversal
in dev-server map handling, GHSA-4w7w-66w2-5vf9) but stays within
the major version vitepress was tested against. Also constrain
`esbuild: "^0.25.0"` for the same reason.

Verified locally: `pnpm install --frozen-lockfile && pnpm build`
completes in ~5s, `pnpm audit` finds 0 vulnerabilities.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@runonthespot runonthespot merged commit 53e07e5 into main May 24, 2026
14 checks passed
@runonthespot runonthespot deleted the fix/docs-vite-version branch May 24, 2026 17:30
runonthespot added a commit that referenced this pull request May 24, 2026
Headline: C, C++, and Markdown language support land via #102 and #104
(both by @szavadsky). Plus the docs-deploy fix (#135) that resolves
the vitepress build break caused by my unbounded vite override in 0.7.10.

Also the live test of npm trusted publishing now that the repo's
trusted-publisher config is verified saved on the npm side.

See CHANGELOG.md.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>