Skip to content

feat: upgrade vite to v8, plugin-react to v6, vite-node to v6#1150

Draft
stipsan wants to merge 11 commits into
mainfrom
chore/upgrade-vite-8-magic-string
Draft

feat: upgrade vite to v8, plugin-react to v6, vite-node to v6#1150
stipsan wants to merge 11 commits into
mainfrom
chore/upgrade-vite-8-magic-string

Conversation

@stipsan
Copy link
Copy Markdown
Member

@stipsan stipsan commented Jun 2, 2026

Description

Builds upon #698

FIXES SDK-1254
FIXES SAPP-3887

What to review

Testing

@claude
Copy link
Copy Markdown

claude Bot commented Jun 2, 2026
edited
Loading

Claude finished @stipsan's task in 3m 20s —— View job

Review

  • Read PR diff and changed files
  • Review code quality, bugs, and tests
  • Verify changeset
  • Post review

Issues that need fixing

1. Failing test — getViteConfig.test.ts:191 still expects 'esbuild'

getViteConfig.ts:200 was changed to minify: minify ? 'oxc' : false, but the test still asserts:

expect(config.build).toMatchObject({
  
  minify: 'esbuild',})

This will fail CI for the should create production config with minification test.

-      minify: 'esbuild',
+      minify: 'oxc',

Fix this →

2. fixtures/nextjs-app/tsconfig.json changed jsx from "preserve" to "react-jsx"

This looks unintentional. Next.js apps almost always set jsx: "preserve" so the SWC/Next compiler handles the JSX transform; switching to react-jsx makes TS emit _jsx(...) calls and can break Next's own pipeline assumptions (and any consumer relying on next dev/next build reading this file).

If the goal was just to pick up new .next/types/** files in include, restore the jsx value.

-    "jsx": "react-jsx",
+    "jsx": "preserve",

3. fixtures/nextjs-app/tsconfig.json reformatting noise

The bulk of the diff is an auto-formatter expanding every array/object to one-element-per-line (e.g. "lib": ["dom", "dom.iterable", "esnext"] → multi-line). Either revert the formatting, or apply that formatter consistently across the repo's other tsconfigs in a separate PR. Mixing a real change with whole-file reformatting hides the actual change.

Notes (not blockers)

  • promisifyWorker.ts:38-43: the timeout path calls worker.terminate() + removeAllListeners() inline but bypasses cleanup(), so it skips the unref() + deferred-terminate safety net that the rest of the handlers use. Functionally fine (terminate is sufficient on timeout), but it's a small inconsistency — calling cleanup() after terminate() (or extracting the unref/listener-removal into a shared helper) would keep the four exit paths uniform.
  • Vendor named-exports plugin and getCjsNamedExports are well-scoped, well-tested, and the rationale comments explain the Rolldown/Vite 8 constraints clearly. The fail-loud behavior on Rolldown codegen drift is the right call.
  • New cjs-module-lexer dependency is justified — it's the same lexer Node uses for CJS↔ESM interop, and there's no equivalent existing dep.
  • Changeset (.changeset/pr-698.md) is present and minor is appropriate for the bump.
    · Branch

@stipsan stipsan force-pushed the chore/upgrade-vite-8-magic-string branch from 2c96444 to 0d6218a Compare June 2, 2026 10:51
@stipsan
feat(cli-build): enhance vendor build with CommonJS named exports sup…
8ed1449 
…port

- Added support for exposing named exports from CommonJS modules in the vendor build process.
- Introduced `getCjsNamedExports` utility to extract named exports without executing the module.
- Implemented `injectNamedExports` to append named exports to the output of CommonJS-derived chunks.
- Created a Vite plugin, `createVendorNamedExportsPlugin`, to integrate the named exports functionality into the build process.
- Updated tests to verify the correct extraction and injection of named exports for various modules, including `react` and `styled-components`.
- Added new dependencies: `cjs-module-lexer` and `magic-string` for handling CommonJS exports and string manipulation.
@socket-security
Copy link
Copy Markdown

socket-security Bot commented Jun 2, 2026
edited
Loading

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security		 Vulnerability Quality Maintenance License
Addednpm/​@​oclif/​plugin-not-found@​3.2.86991006997100
Addednpm/​@​rolldown/​plugin-babel@​0.2.37310010090100
Addednpm/​typescript-eslint@​8.59.41001007498100
Addednpm/​vitest@​4.1.7961007999100
Addednpm/​tsx@​4.22.31001008294100
Addednpm/​@​vitest/​coverage-istanbul@​4.1.7991008298100
Addednpm/​react@​19.2.51001008497100
Addednpm/​cjs-module-lexer@​2.2.09910010085100
Addednpm/​eslint@​10.4.08910010096100
Addednpm/​vite-node@​6.0.010010010092100
Addednpm/​@​vitejs/​plugin-react@​6.0.210010010092100
Addednpm/​@​swc/​core@​1.15.409210010095100
Addednpm/​@​eslint/​compat@​2.1.010010010092100
Addednpm/​react-dom@​19.2.51001009298100
Addednpm/​knip@​6.14.2991009596100
Addednpm/​@​sanity/​vision@​5.28.0981009698100
Addednpm/​nock@​14.0.159810010096100
Addednpm/​@​inquirer/​prompts@​8.4.3991009897100
Addednpm/​@​sanity/​pkg-utils@​10.5.19710010097100
Addednpm/​react-is@​19.2.610010010098100

View full report

@stipsan stipsan force-pushed the chore/upgrade-vite-8-magic-string branch from 0d6218a to 8ed1449 Compare June 2, 2026 10:51
@socket-security
Copy link
Copy Markdown

socket-security Bot commented Jun 2, 2026
edited
Loading

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action Severity Alert  (click "▶" to expand/collapse)
Warn Medium
Install-time scripts: npm @swc/core during postinstall

Install script: postinstall

Source: node postinstall.js

From: packages/@sanity/cli-build/package.jsonnpm/@swc/core@1.15.40

ℹ Read more on: This package | This alert | What is an install script?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not be running non-essential scripts during install and there are often solutions to problems people solve with install scripts that can be run at publish time instead.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@swc/core@1.15.40. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented Jun 2, 2026
edited
Loading

📦 Bundle Stats — @sanity/cli

Compared against main (52a0c789)

@sanity/cli

Metric Value vs main (52a0c78)
Internal (raw) 2.1 KB -
Internal (gzip) 799 B -
Bundled (raw) 11.13 MB -
Bundled (gzip) 2.09 MB -
Import time 908ms -5ms, -0.6%

bin:sanity

Metric Value vs main (52a0c78)
Internal (raw) 1023 B -
Internal (gzip) 486 B -
Bundled (raw) 9.87 MB -
Bundled (gzip) 1.77 MB -
Import time 2.03s -25ms, -1.2%

🗺️ View treemap · Artifacts

Details
  • Import time regressions over 10% are flagged with ⚠️
  • Sizes shown as raw / gzip 🗜️. Internal bytes = own code only. Total bytes = with all dependencies. Import time = Node.js cold-start median.

📦 Bundle Stats — @sanity/cli-core

Compared against main (52a0c789)

Metric Value vs main (52a0c78)
Internal (raw) 97.1 KB +819 B, +0.8%
Internal (gzip) 23.0 KB +302 B, +1.3%
Bundled (raw) 21.69 MB +819 B, +0.0%
Bundled (gzip) 3.44 MB +222 B, +0.0%
Import time 818ms +6ms, +0.7%

🗺️ View treemap · Artifacts

Details
  • Import time regressions over 10% are flagged with ⚠️
  • Sizes shown as raw / gzip 🗜️. Internal bytes = own code only. Total bytes = with all dependencies. Import time = Node.js cold-start median.

📦 Bundle Stats — create-sanity

Compared against main (52a0c789)

Metric Value vs main (52a0c78)
Internal (raw) 908 B -
Internal (gzip) 483 B -
Bundled (raw) 931 B -
Bundled (gzip) 491 B -
Import time ❌ ChildProcess denied: node -
Details
  • Import time regressions over 10% are flagged with ⚠️
  • Sizes shown as raw / gzip 🗜️. Internal bytes = own code only. Total bytes = with all dependencies. Import time = Node.js cold-start median.

@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented Jun 2, 2026
edited
Loading

Preview this PR with pkg.pr.new

Run the Sanity CLI

npx https://pkg.pr.new/sanity-io/cli/@sanity/cli@478995d <command>

...Or upgrade project dependencies

📦 @sanity/cli
pnpm install https://pkg.pr.new/@sanity/cli@478995d
📦 @sanity/cli-build
pnpm install https://pkg.pr.new/@sanity/cli-build@478995d
📦 @sanity/cli-core
pnpm install https://pkg.pr.new/@sanity/cli-core@478995d
📦 @sanity/cli-test
pnpm install https://pkg.pr.new/@sanity/cli-test@478995d
📦 @sanity/eslint-config-cli
pnpm install https://pkg.pr.new/@sanity/eslint-config-cli@478995d

View Commit (478995d)

@stipsan stipsan force-pushed the chore/upgrade-vite-8-magic-string branch from 1e206f5 to ea75c49 Compare June 2, 2026 13:40
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

trigger: preview

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@stipsan @binoy14