chore: migrate from Vite v7 to v8 (Rolldown/Oxc)#919
Merged
Conversation
|
Review the following changes in direct dependencies. Learn more about Socket for GitHub.
|
|
All alerts resolved. Learn more about Socket for GitHub. This PR previously contained dependency changes with security issues that have been resolved, removed, or ignored. Ignoring alerts on:
|
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
sirtimid
force-pushed
the
sirtimid/vite-v8-migration
branch
from
7cadb23 to
aec2e3c
Compare
Contributor
Author
|
@SocketSecurity ignore-all |
Vite 8 replaces Rollup+esbuild with Rolldown+Oxc. This commit adapts
the codebase to the breaking changes in the migration guide.
Key changes:
- Rename `rollupOptions` → `rolldownOptions` across all vite/vitest configs
- Update `bundle-vat.ts` to use `RolldownOutput`/`OutputChunk` types from
`rolldown` and `output.codeSplitting: false` instead of
`inlineDynamicImports: true`
- Add `removeDynamicImportsPlugin` in `bundle-vat.ts` to replace runtime
`import()` calls (viem lazy-loads crypto/WebSocket/CCIP utilities) with
`Promise.resolve({})` so Rolldown accepts the IIFE output format
- Serialize concurrent `bundleVat()` calls via a module-level promise
queue to prevent Rolldown global-state corruption under `Promise.all`
- Add `exports: {}` endowment to `bundle-loader.ts` Compartment so that
Rolldown's unconditional `Object.defineProperty(exports, Symbol.toStringTag)`
preamble does not throw in SES compartments
- Replace `vite-tsconfig-paths` plugin with `resolve.tsconfigPaths: true`
(native Vite 8 feature) in root `vitest.config.ts`
- Replace deprecated `customResolver` alias with a `resolveId` plugin hook
for the `@metamask/kernel-shims/endoify` redirect
- Update `vite-plugin-static-copy` targets with `rename: { stripBase: true }`
to suppress the directory-structure-preserving behavior introduced in v4
- Remove `_commonjsHelpers` chunk-name special-case — Rolldown handles CJS
natively, this chunk no longer appears
- Fix `stringify.test.ts` whitespace: Oxc serialises functions with tabs,
so compare to `String(fn)` rather than a hardcoded string literal
- Update `js-trusted-prelude.ts` to read `rolldownOptions?.input` instead
of `rollupOptions.input`
- Add `rolldown` and update `vite` peer dep in `kernel-utils/package.json`
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…s regex
The early-return guard `code.includes('import(')` required the token
`import` and `(` to be adjacent, but the replacement regex allows
optional whitespace (`\bimport\s*\(`). A source file containing
`import ('specifier')` (space before the paren) would have been skipped
by the guard and left untransformed, causing Rolldown to reject the
IIFE build despite the plugin's purpose being to prevent that.
Replace the string fast-path with the equivalent regex test so both
paths agree on which files contain dynamic imports.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…olldown CJS compat
Rolldown-generated IIFE bundles include CJS helper code that uses
`var localThis = globalThis` to access intrinsics, and some bundled
libraries (e.g. lodash) detect the global object via
`typeof global == "object" && global` or `Function("return this")()`.
In a SES Compartment:
- `global` and `self` are not named bindings
- `Function("return this")()` returns undefined in strict mode
Inject `globalThis` and `global` on the compartment's own global after
construction so these patterns resolve to the compartment's global object
(which exposes all the hardened intrinsics).
Also fix the openclaw-plugin integration test to call `register.register()`
rather than treating the PluginEntry object itself as a function.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
sirtimid
force-pushed
the
sirtimid/vite-v8-migration
branch
from
b5a15c4 to
59f8fcc
Compare
- Export and add unit tests for removeDynamicImportsPlugin (16 tests)
- Add this.warn() when dynamic imports cannot be replaced
- Replace definite-assignment mutex with makePromiseKit
- Move exports: {} after endowment spreads to prevent accidental override
- Fix inaccurate comments (remove self, clarify ESM interop trigger)
- Add bundle-loader endowment tests for exports, globalThis, global
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
… SES lockdown The build tooling in bundle-vat.ts runs outside lockdown (e.g. during `vite build`), so importing @endo/promise-kit fails with "harden is not defined". Revert to the manual promise pattern. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The build tsconfig (with strict mode) requires the `!` assertion on `releaseLock` since TypeScript cannot verify that the Promise constructor callback runs synchronously. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…in static copy Aligns the dead-code string-target branch with the object entries and with extension/omnium-gatherum configs, preventing a subtle breakage if a string target is re-added later. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Contributor
Coverage Report
File Coverage
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, have a team admin enable autofix in the Cursor dashboard.
Reviewed by Cursor Bugbot for commit d2ee212. Configure here.
grypez
previously requested changes
Apr 8, 2026
Contributor
grypez
left a comment
grypez
left a comment
There was a problem hiding this comment.
Overall a good change. I didn't like the build queue promises until I couldn't think of any better solution. Some tiny changes suggested.
packages/evm-wallet-experiment/test/integration/openclaw-plugin.integration.test.ts
Outdated
Show resolved
Hide resolved
sirtimid
added
the
no-changelog
Export `register` as a named export from the openclaw-plugin to avoid `register.register()` pattern, and improve the dynamic import warning in `removeDynamicImportsPlugin` to also fire when mixed literal/computed imports exist. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Vite 8 replaces Rollup+esbuild with Rolldown+Oxc as its bundler and transformer. This PR adapts the codebase to all relevant breaking changes.
Config changes (all packages)
build.rollupOptions→build.rolldownOptionsin everyvite.config.tsandvitest.config.ts_commonjsHelperschunk-name special-case — Rolldown handles CJS natively and this chunk no longer appearsvite-plugin-static-copytargets withrename: { stripBase: true }to match v4's new directory-structure-preserving behaviourvite-tsconfig-pathsplugin with the nativeresolve.tsconfigPaths: trueoption (Vite 8 built-in)customResolveralias with aresolveIdplugin hook for the@metamask/kernel-shims/endoifyredirectjs-trusted-prelude.tsplugin to readconfig.build.rolldownOptions?.inputbundle-vat.ts(kernel-utils)RolldownOutput/OutputChunktypes fromrolldowninstead ofRollup.*fromviteoutput.inlineDynamicImports: true(Rollup-only) withoutput.codeSplitting: falseremoveDynamicImportsPlugin: Rolldown rejects IIFE format whenever the bundle graph contains anyimport()expression, even withcodeSplitting: false. Some third-party packages (viem,@endo/*) use lazyawait import(x)for utilities that vats never call; the plugin replaces all string-literal dynamic imports withPromise.resolve({})to satisfy Rolldown's constraintbundleVat()calls — Rolldown has global state that is corrupted when multiple IIFE builds run concurrently viaPromise.all(askernel-clidoes when bundling a directory of vats)rolldownas a peer dependency and update thevitepeer dep range to^8.0.6bundle-loader.ts(ocap-kernel)exports: {}to the SES Compartment endowments — Rolldown unconditionally emitsObject.defineProperty(exports, Symbol.toStringTag, ...)in every IIFE bundle preamble, even for modules with no exports; without anexportsendowment this throws inside the Compartmentstringify.test.ts(kernel-utils)String(fn)to stay bundler-agnosticTesting
All 24 build tasks and all 45 test tasks pass (
yarn build+yarn test:dev:quietfrom the monorepo root, both cached and uncached).The key non-obvious behaviour changes are covered by the existing vat integration tests in
@ocap/kernel-test(which build real vat bundles viabundleVatand execute them in SES Compartments) and by theevm-wallet-experimentbuild (which exercises the 4-vatPromise.allpath throughkernel-cli).🤖 Generated with Claude Code
Note
Medium Risk
Medium risk because this upgrades the build/test toolchain (Vite/Vitest/Rolldown) and changes bundling semantics for vats and extension builds, which can cause subtle runtime or packaging regressions.
Overview
Upgrades the monorepo to Vite 8 / Vitest 4.1 (plus related tool bumps like Playwright, jsdom, and static-copy/checker plugins) and updates package configs accordingly.
Migrates build/test configs from
build.rollupOptionstobuild.rolldownOptions, adjusts static asset copy behavior (addsrename.stripBase), and replacesvite-tsconfig-pathswith Vite’s nativeresolve.tsconfigPathsplus a customresolveIdhook for the@metamask/kernel-shims/endoifytest redirect.Updates vat bundling to Rolldown by switching types/output options, adding a
removeDynamicImportsPlugin()workaround for IIFE constraints, and serializingbundleVat()builds to avoid Rolldown concurrency issues;loadBundle()is hardened to support Rolldown-generated IIFE preambles (exports,globalThis,global). Minor follow-ups include exportingregisterfrom the OpenClaw plugin entrypoint and makingstringifyfunction tests bundler-output-agnostic.Reviewed by Cursor Bugbot for commit 3fc36bd. Bugbot is set up for automated code reviews on this repo. Configure here.