Skip to content

chore: update @vitejs/plugin-rsc to 0.5.26#1293

Merged
james-elicx merged 1 commit into
cloudflare:mainfrom
GHX5T-SOL:chore/plugin-rsc-0.5.26
May 18, 2026
Merged

chore: update @vitejs/plugin-rsc to 0.5.26#1293
james-elicx merged 1 commit into
cloudflare:mainfrom
GHX5T-SOL:chore/plugin-rsc-0.5.26

Conversation

@GHX5T-SOL
Copy link
Copy Markdown
Contributor

@GHX5T-SOL GHX5T-SOL commented May 17, 2026
edited
Loading

Summary

Updates the repo-wide @vitejs/plugin-rsc catalog entry from ^0.5.23 to ^0.5.26, raises the optional peer dependency floor in vinext, and refreshes the lockfile so all workspace consumers resolve to 0.5.26.

This picks up the upstream fix for the public React Server Components advisory covered by @vitejs/plugin-rsc@0.5.26.

Validation

  • pnpm install --no-frozen-lockfile --ignore-scripts
  • pnpm why @vitejs/plugin-rsc reports a single version: 0.5.26
  • pnpm test:unit tests/init.test.ts tests/app-router.test.ts tests/request-pipeline.test.ts tests/check.test.ts (246 unit tests; app-router.test.ts is not in the unit project)
  • pnpm test:integration tests/app-router.test.ts (315 integration tests)
  • PATH=/Users/mx/.nvm/versions/node/v24.7.0/bin:$PATH pnpm run fmt:check
  • PATH=/Users/mx/.nvm/versions/node/v24.7.0/bin:$PATH pnpm run lint
  • pnpm install --frozen-lockfile --ignore-scripts
  • pnpm build
  • git diff --check
  • gitleaks dir /Users/mx/Money/worktrees/hackerone-cloudflare/vinext --no-banner --redact --exit-code 1
  • osv-scanner --lockfile=pnpm-lock.yaml --format=json | jq ... confirmed there are no remaining @vitejs/plugin-rsc advisories

Local note: I used Node v24.7.0 for lint and format because my default Node v22.16.0 could not load the TypeScript Vite config. No code changes were needed for that.

@james-elicx
Copy link
Copy Markdown
Collaborator

james-elicx commented May 18, 2026

/bigbonk review

ask-bonk[bot]
ask-bonk Bot approved these changes May 18, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@ask-bonk ask-bonk Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Clean dependency bump. All three touch points are consistent:

  1. pnpm-workspace.yaml catalog: ^0.5.23 -> ^0.5.26
  2. packages/vinext/package.json peer dep floor: ^0.5.23 -> ^0.5.26
  3. pnpm-lock.yaml: all 22 workspace consumers resolve to the single 0.5.26 snapshot; zero stale 0.5.23 references remain.

Transitive dep bumps (@rolldown/pluginutils 1.0.0-rc.13 -> rc.18, es-module-lexer 2.0.0 -> 2.1.0) look expected for this release.

LGTM — let CI confirm the full suite passes.

@ask-bonk
Copy link
Copy Markdown
Contributor

ask-bonk Bot commented May 18, 2026

Review submitted. This is a clean, consistent dependency bump across all three files (pnpm-workspace.yaml, packages/vinext/package.json, pnpm-lock.yaml). No stale 0.5.23 references remain, the lockfile resolves to a single 0.5.26 version, and the transitive dep updates (@rolldown/pluginutils, es-module-lexer) are expected. Approved, pending CI confirmation.

github run

@james-elicx james-elicx enabled auto-merge (squash) May 18, 2026 08:25
@pkg-pr-new
Copy link
Copy Markdown

pkg-pr-new Bot commented May 18, 2026

Open in StackBlitz

npm i https://pkg.pr.new/vinext@1293

commit: 91ee764

@james-elicx james-elicx merged commit 85f2c10 into cloudflare:main May 18, 2026
26 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ask-bonk ask-bonk[bot] ask-bonk[bot] approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@GHX5T-SOL @james-elicx