vite-plus v0.2.0

Vite+ now consumes upstream Vitest directly (no wrapper), raises the minimum supported Node.js version to 22.18.0, and ships corepack and devEngines support.

Highlights

• vp test now runs upstream Vitest directly (breaking): Vite+ used to ship @voidzero-dev/vite-plus-test, a rebundled copy of Vitest that lagged upstream releases. That package is removed; vp test now runs the real upstream vitest, which is installed automatically as a dependency of vite-plus (you no longer add vitest or @vitest/* yourself, and vite still resolves to @voidzero-dev/vite-plus-core via package-manager overrides). Your import ... from 'vite-plus/test' code keeps working unchanged and vp migrate updates existing projects (#1588), by @Brooooooklyn
• Minimum supported Node.js version raised to ^22.18.0 || >=24.11.0 (breaking): Node 20 reached end-of-life and the bundled tsdown already required ^22.18.0, so the published engines range now matches what vp pack can actually deliver; vp exec / vp run / vp dlx reject projects resolving an older Node with the existing incompatibility error (#1813), by @fengmk2
• Corepack now works under Vite+: corepack now set up by default, so corepack enable and the pnpm/yarn launchers just work, even on Node 25+ which no longer ships it. (#1808), by @fengmk2
• devEngines support for runtime and package-manager selection: Vite+ reads devEngines.runtime (ranked above engines.node) and devEngines.packageManager; auto-pin and vp migrate write devEngines.packageManager, vp env pin / unpin target devEngines.runtime, and vp env doctor reports conflicts instead of silently resolving them (#1760), by @fengmk2

Features

• vp pm approve-builds: forward to npm's new approve-scripts / deny-scripts (npm >= 11.16.0) instead of the previous no-op, matching pnpm approve-builds / bun pm trust; mixed approve+deny is rejected with actionable guidance and npm's advisory-only caveat is surfaced (#1733), by @fengmk2
• vp create: support local monorepo templates declared in create.templates in vite.config.ts; vp create vite:generator scaffolds a Bingo generator and auto-registers it in the picker, replacing the old package.json-keyword inference (#1777), by @fengmk2
• vp create: detect direct dependencies whose build scripts the package manager gated (e.g. native builds like better-sqlite3) and act on them; prompt to approve each (default off) interactively, point at vp pm approve-builds non-interactively, or build them with --approve-builds (#1828), by @fengmk2
• vp config: add --no-hooks and --no-agent opt-outs to skip git-hook installation and coding-agent instruction updates (#1842), by @leno23
• vp list -g: sort the global package list output so entries appear in a stable order (#1748), by @liangmiQwQ
• Upgrade upstream dependencies: rolldown 1.0.3 -> 1.1.1, tsdown 0.22.1 -> 0.22.3, oxlint 1.67.0 -> 1.70.0, oxfmt 0.52.0 -> 0.55.0, vitest 4.1.8 -> 4.1.9, and the oxc toolchain 0.133.0 -> 0.136.0 (#1749, #1767, #1812, #1834, #1855), by @voidzero-guard[bot]

Fixes & Enhancements

• Security: resolve open Rust Dependabot advisories by bumping transitive openssl 0.10.76 -> 0.10.80 (openssl-sys 0.9.112 -> 0.9.116), fixing five high-severity rust-openssl issues (buffer overflows in key derivation, AES key wrap, and digest finalization; an unchecked PSK/cookie trampoline length leaking adjacent memory; and OCSP-responder undefined behavior: GHSA-pqf5-4pqq-29f5, GHSA-8c75-8mhr-p7r9, GHSA-ghm9-cr32-g9qj, GHSA-hppc-g8h3-xhp3, GHSA-xp3w-r5p5-63rr), and drop the unmaintained, unsound libyml (GHSA-gfxp-f68g-8x78, high) by removing dead serde_yml code (#1742), by @fengmk2
• Security (docs site): update mermaid 11.13.0 -> 11.15.0 to fix improper classDef sanitization in state diagrams that allowed HTML injection (CVE-2026-41149 / GHSA-ghcm-xqfw-q4vr, medium severity; <script> tags are stripped so it does not reach XSS) (#1745), by @renovate[bot]
• vp check --fix / vp staged: create/migrate now wrap inline Vite plugins: [...] arrays with lazyPlugins(...) so plugin factories aren't eagerly executed (and don't hang on open handles) during lint/format/check config loading (#1752), by @jong-kyung
• vp migrate: complete pending migration work for projects that already have vite-plus installed (scripts, imports, tsconfig types, ESLint/Prettier, legacy hooks, package-manager settings) instead of treating vite-plus as migration-complete; fully migrated projects stay idempotent (#1821), by @jong-kyung
• vp create / vp migrate: detect shorthand fmt, / lint, config keys so a duplicate inline block is no longer injected (#1843), by @fengmk2
• IDE oxlint/oxfmt wrappers: set VP_COMMAND so lazyPlugins() skips framework plugins during LSP config reads, preventing a stray .svelte-kit (and similar) directory at the monorepo root (#1764), by @jong-kyung
• vp lint / vp run -r lint on Windows: keep the absolute tsgolint path for workspace lint runs instead of downgrading it to a wrong cwd-relative path (#1758), by @semimikoh
• oxlint wrapper: set the tsgolint path so type-aware lint resolves it (#1811), by @jong-kyung
• vp install -g: use a unique backup directory and treat stale-backup cleanup as best-effort so a locked Windows binary no longer fails an otherwise successful reinstall (#1753), by @fengmk2
• vp install -g: remove stale managed binary shims when a reinstalled package drops a bin from its package.json#bin (#1765), by @liangmiQwQ
• vp create --git: surface git's actual stdout/stderr when the initial commit fails instead of always blaming user.name / user.email (#1819), by @fengmk2
• vp create vite:generator: reject --git / --no-git, since adding a generator to an existing monorepo does not initialize git (#1788), by @jong-kyung
• Global CLI: harden find_system_tool against a self-exec loop (skip the running executable's own bin directory) and fix two vite_global_cli tests that could hang (#1820), by @fengmk2
• CLI help: unify alias display (#1832), show supported run options (#1797), show --fail-if-no-match in exec help (#1798), add the implode documentation link (#1796), and handle nested-command typo help (#1803), by @jong-kyung

Docs

• Document vp create opt-out options (#1790), by @jong-kyung
• Document vp upgrade options (#1847), by @jong-kyung
• Align the config overview with the sidebar (#1846), by @jong-kyung
• Sync the documented command lists with the help output (#1850), by @jong-kyung
• Clarify lazy plugin side effects (#1841), by @leno23
• Add JongKyung's X profile (#1844) and update Christoph's X profile (#1845) on the team page, by @jong-kyung

Refactor

• Remove the CLI tips system; the shortcuts it printed on vp install are already covered by the help system and added unnecessary complexity (#1799), by @cpojer

Chore

• Re-enable Renovate dependency updates with a targeted ignore-list (#1744), by @fengmk2
• Keep generated NAPI bindings during upgrade-deps (#1759), by @fengmk2
• Remove the vite_glob dependency from vite-plus (#1763), by @wan9chi
• Keep sync-remote from churning pnpm-workspace.yaml (dedupe minimumReleaseAgeExclude, preserve comments) (#1787), by @fengmk2
• Make unix just test runnable (#1755), by @situ2001
• CI: reuse just lint and just test as the single source of truth (#1809), pin cargo-zigbuild to a git rev to fix the aarch64-musl link failure (#1815), and keep upgrade-deps green when rolldown bumps oxc (#1833), by @fengmk2
• Update Rust to nightly-2026-06-10 (#1725), typos to v1.47.1 / v1.47.2 (#1772, #1775), GitHub Actions (#1778, #1829), and npm packages (#1779), by @renovate[bot]
• Bump oxc-project/setup-node to v1.3.1 (#1792), by @Boshen
• Refresh trusted stack stats on the docs homepage (#1786, #1837), by @voidzero-guard[bot]

Bundled Versions

Tool	Version	Source
vite	8.0.16	f94df87
rolldown	1.1.1	d7f919c
tsdown	0.22.3	npm
vitest	4.1.9	npm
oxlint	1.70.0	npm
oxlint-tsgolint	0.23.0	npm
oxfmt	0.55.0	npm

New Contributors

Welcome to our new contributor @situ2001! 🎉

Full Changelog: v0.1.24...v0.2.0

Upgrading from 0.1.x to 0.2.0 Prompt

You are upgrading a project that uses Vite+ (the `vp` CLI) from v0.1.x to v0.2.0.

v0.2.0 has two breaking changes:
1. It consumes upstream Vitest directly. The `@voidzero-dev/vite-plus-test` wrapper package is removed; `vitest` now comes in transitively through `vite-plus`.
2. It raises the minimum Node.js version to `^22.18.0 || >=24.11.0`.

Do not run `vp migrate` for this upgrade; it is not reliable enough yet. Make the changes yourself by editing the project's files, then verify by running the tools.

How to run vp: if a global `vp` is available, use it. Otherwise this project only ships the local CLI from the `vite-plus` package, so run vp as the project-local binary (for example via the package manager's exec: pnpm exec, npx, yarn, or bunx). After any install, re-resolve vp so you always run the version currently in the project.

Do the following:

1. Confirm the active Node.js satisfies `^22.18.0 || >=24.11.0`. If it is older (for example Node 20), stop and tell me to switch Node first with the project's version manager. Note that managing the Node runtime, and upgrading a global `vp`, is outside this project when there is no global `vp`.

2. Set the `vite-plus` dependency to the exact version `0.2.0` and reinstall, so the new toolchain is installed and the lockfile moves off 0.1.x. In a monorepo, do this for every workspace package that depends on `vite-plus`. Changing the spec to `0.2.0` is what moves the lockfile off the old resolution; a reinstall that leaves the spec unchanged would keep the old version.

3. Remove the `@voidzero-dev/vite-plus-test` wrapper from the project. Search everywhere it could appear: package.json, the lockfile, any workspace or catalog config (such as pnpm-workspace.yaml or .yarnrc.yml), and the source files. Then:

   - Decide whether the project itself depends on vitest. It does only if a source or test file imports directly from `vitest` or `@vitest/...`, or a `@vitest/*` package is listed in its dependencies (for example a coverage provider). Imports from `vite-plus/test` do NOT count.
   - If the project has no such vitest usage (the common case), remove the vitest configuration entirely. In package.json, delete the `vitest` entry from `dependencies` / `devDependencies` in whatever form it takes (a `@voidzero-dev/vite-plus-test` alias, a `catalog:` reference, or a plain version). Also remove the `vitest` entry from every dependency-resolution mechanism in the project: both `overrides` and `resolutions`, pnpm `overrides`/`catalog` (in package.json or pnpm-workspace.yaml), and any catalog entry. If `vitest` appears in more than one of these, remove all of them. Do not add a pinned `vitest`; it arrives transitively through `vite-plus` and the test command still works.
   - If the project does use vitest directly, pin upstream vitest to the version bundled with vite-plus (4.1.9 for v0.2.0), and upgrade every vitest ecosystem package the project depends on so the whole tree resolves to a single vitest. Set each `@vitest/*` package the project lists (for example `@vitest/coverage-v8`, `@vitest/ui`, `@vitest/browser`) to that same version (4.1.9), since those are pinned to an exact vitest version. Also update any other vitest integration package (such as `vitest-browser-*`) to a release compatible with that vitest version. Leaving an ecosystem package on an older version pulls in a second copy of vitest, which Vitest rejects at runtime.
   - Also delete any dependency-resolution config that existed only to accommodate the wrapper or the old vitest, for example pnpm `peerDependencyRules` entries (`allowedVersions` / `ignoreMissing`) referencing `vitest`, `@vitest/*`, or `@voidzero-dev/vite-plus-test`, and the equivalent peer-tweak config in other package managers (such as yarn `packageExtensions`). Leave rules that are unrelated to vitest or the wrapper untouched.

4. Keep the `vite` -> Vite+ core override (it is still required) and set it to the matching exact version: map `vite` to `npm:@voidzero-dev/vite-plus-core@0.2.0` in whatever override, resolution, or catalog form the project already uses. `@voidzero-dev/vite-plus-core` is released in lockstep with `vite-plus`.

5. Leave imports from `vite-plus/test` (and `vite-plus/test/*`) unchanged; that is the stable public API. Only if a file imports directly from `@voidzero-dev/vite-plus-test`, repoint it to `vite-plus/test`.

6. Reinstall so the lockfile reflects your edits, then verify: confirm that no reference to `@voidzero-dev/vite-plus-test` remains anywhere outside node_modules, confirm the dependency tree resolves to a single `vitest` version (no duplicate copies), run the project's tests and confirm they pass (you will see Vitest's native banner), and run the Vite+ check workflow and confirm it passes.

Constraints:
- Do not run `vp migrate`.
- Do not bypass git hooks. If a pre-existing failure blocks you, report it rather than forcing through.
- Make the smallest set of edits that reaches the end state above; do not reformat unrelated files.
- When done, give me a short summary: old vs new `vite-plus` version, the files you changed, and the test/check results.

Published Packages

• @voidzero-dev/vite-plus-core@0.2.0
• vite-plus@0.2.0

Installation

macOS/Linux:

curl -fsSL https://vite.plus | bash

Windows:

irm https://vite.plus/ps1 | iex

Or download and run vp-setup.exe from the assets below.