fix(deps): scope the vite < 7 override to vitepress so @angular/build keeps vite 8 #163
Reference in New Issue
Block a user
Delete Branch "fix/scope-vite-override-to-vitepress"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Summary
Hotfix on the override added in #161. The unconditional
"vite": ">=6.4.2 <7"was too broad — it downgraded every vite consumer in the workspace to vite 6.4.2, including@angular/build@21.2.11. Angular's dev-server plugin (angular-memory-plugin.js > loadViteClientCode) monkey-patches Vite's client error-overlay code; the patch targets vite 8.x's internal layout, fails against vite 6, and the home page blank-screens with:…on the very first request to
pnpm nx serve portal-shell.Fix
One-line change in
package.json→pnpm.overrides:pnpm's
parent>childselector syntax scopes the override to vitepress's transitive resolution only. Other vite consumers (Angular, Nx, Vitest, the analog plugin) follow their own peer constraints and resolve to vite 8.0.13 again.Resolution after the fix
vitepress 1.6.4@angular/build 21.2.11@nx/vite,@analogjs/vite-plugin-angular, Vitest@vitejs/plugin-basic-ssl(analog transitive)Why this regression didn't surface in #161's CI
The
docs-site.ymlworkflow andpnpm exec nx run-many -t lint test buildexercise the production build paths. Vite 6 ↔ Angular-build 21.2's monkey-patch incompatibility is a dev-server-only failure (the prod Rollup pipeline doesn't go throughloadViteClientCode). CI couldn't have caught it; manualnx serve portal-shellis the only repro path. Lesson logged.Test plan
pnpm install— clean. Lockfile diff confirms: vite 6.4.2 only under vitepress, vite 8.0.13 restored everywhere else.pnpm audit --audit-level=moderate— no known vulnerabilities.pnpm docs:build— ~9.5 s, Mermaid still renders in ADR-0009's HTML (regression fence passes).pnpm exec nx run-many -t lint test build --projects=portal-shell,portal-admin,portal-bff,shared-ui,shared-state,feature-auth— green.pnpm nx serve portal-shell— boots cleanly,curl http://localhost:4200/returns HTTP 200 with the SPA shell, noloadViteClientCodeerror in the dev log. (This is the path that broke.)pnpm nx serve portal-shell, open the home page in a browser, confirm:/accessibility,/profileworks.Notes for the reviewer
"package@<vuln-range>": "patched") is the safest default — it only kicks in for the vulnerable range. The unconditional form ("package": "<range>") is a sledgehammer and should be reserved for cases where the version-selector form genuinely can't express the intent (as was the case in #161 where the resolved version was already past the vulnerable range, so the selector was a no-op). When the unconditional form is needed, always scope to a parent ("parent>package": …) to avoid the workspace-wide blast radius.pnpm.overrides" subsection (from #160) is still accurate. A follow-up edit could add a "scope to a parent when possible" sentence; not blocking.