chore(deps): update dependency @vitejs/plugin-react to v6 #870

Open: renovate[bot] wants to merge 1 commit into main from renovate/vitejs-plugin-react-6.x

@renovate renovate Bot commented Mar 12, 2026

This PR contains the following updates:

Package: @vitejs/plugin-react (source)
Change: ^5.0.1 → ^6.0.0

Release Notes

vitejs/vite-plugin-react (@vitejs/plugin-react)

v6.0.2


Allow all options in reactCompilerPreset (#1189)

This is a type only change. Only compilationMode and target options were available for reactCompilerPreset.

v6.0.1


Expand @rolldown/plugin-babel peer dep range (#1146)

Expanded @rolldown/plugin-babel peer dep range to include ^0.2.0.

v6.0.0



Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

cloudflare-workers-and-pages Bot commented Mar 12, 2026

Deploying control-layer with Cloudflare Pages

Latest commit: 0378a74
Status: 🚫 Build failed.

@renovate renovate Bot force-pushed the renovate/vitejs-plugin-react-6.x branch from 23c760c to c3a55e2 Compare March 13, 2026 10:47
@renovate renovate Bot force-pushed the renovate/vitejs-plugin-react-6.x branch 12 times, most recently from 3ecae12 to f9afee2 Compare April 2, 2026 10:24
@renovate renovate Bot force-pushed the renovate/vitejs-plugin-react-6.x branch 16 times, most recently from f32aec6 to 2e26c58 Compare April 10, 2026 10:58
@renovate renovate Bot force-pushed the renovate/vitejs-plugin-react-6.x branch 11 times, most recently from 39ee3ed to 59a6b86 Compare April 27, 2026 11:58

@doubleword-code doubleword-code Bot left a comment

Summary

This PR updates @vitejs/plugin-react from v5.0.1 to v6.0.0. However, this update introduces a critical compatibility issue: plugin-react v6 explicitly drops support for Vite 7, requiring Vite 8+ instead. Since the dashboard currently uses Vite 7.3.2, this dependency update will cause the build to fail or behave unpredictably.

Verdict: BLOCKED - This PR cannot be merged as-is. Either revert this update or pair it with a Vite 8 upgrade.

Research notes

I fetched the official release notes for plugin-react v6.0.0:

Key breaking changes in v6.0.0:

  1. Drop Vite 7 and below support - "Vite 7 and below are no longer supported. If you are using Vite 7, please upgrade to Vite 8."

  2. Remove Babel Related Features - Babel is no longer a dependency. Vite 8+ handles React Refresh Transform by Oxc natively. Users needing Babel must now use @rolldown/plugin-babel as a separate plugin.

  3. New peer dependencies:

    peerDependencies:
      vite: ^8.0.0
      @rolldown/plugin-babel: ^0.1.7 || ^0.2.0 (optional)
      babel-plugin-react-compiler: ^1.0.0 (optional)
    

Current project state:

The dashboard's package.json (line 91) specifies:

"vite": "^7.3.2"

This is incompatible with @vitejs/plugin-react@6.0.0 which requires vite: ^8.0.0.

Suggested next steps

  1. Option A (Recommended): Revert this dependency update until the team is ready to upgrade to Vite 8. Keep using @vitejs/plugin-react@^5.0.1 which supports Vite 7.

  2. Option B: If upgrading to Vite 8 is desired, this PR should be combined with:

    • Update vite to ^8.0.0 (check for breaking changes in Vite 8)
    • Review if any custom Babel configuration exists (the release notes mention Babel features were removed)
    • Test the full build pipeline after upgrade
  3. Run pnpm install and verify if pnpm throws a peer dependency warning/error (it should, since v6 requires Vite 8).

General findings

Removed overrides in pnpm-lock.yaml

The diff shows the following pnpm overrides were removed from the lockfile:

overrides:
  rollup: npm:@rollup/wasm-node
  lodash: ^4.18.0
  mdast-util-to-hast: ^13.2.1

These overrides still exist in package.json (lines 103-107), so they should be preserved in the lockfile. Their removal from the lockfile may indicate a regeneration issue or that pnpm is not respecting them anymore. Verify these security overrides are still being applied.

Comment thread dashboard/package.json
"@types/react": "^19.2.2",
"@types/react-dom": "^19.1.7",
"@vitejs/plugin-react": "^5.0.1",
"@vitejs/plugin-react": "^6.0.0",
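
Review bot: The `@vitejs/plugin-react` line moves to `^6.0.0` while nothing in this hunk touches `vite`, which the review on this thread reports as `^7.3.2` at line 91 of the same file. Since the v6.0.0 release notes quoted in this conversation list `vite: ^8.0.0` as the peer dependency, either bump `vite` in the same PR or keep the plugin on the `^5` range, and have CI fail on an unmet peer dependency so an automated bump like this one is caught before review.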

Blocking: This version of @vitejs/plugin-react (v6.0.0) is incompatible with the current Vite version (v7.3.2).

Why it matters: According to the official v6.0.0 release notes:

Drop Vite 7 and below support

Vite 7 and below are no longer supported. If you are using Vite 7, please upgrade to Vite 8.

The peer dependency was changed to require vite: ^8.0.0. Using this with Vite 7.3.2 will cause peer dependency resolution failures or runtime issues.

Suggested fix: Either:

  1. Revert to "@vitejs/plugin-react": "^5.0.1" (supports Vite 7), OR
  2. Upgrade Vite to "^8.0.0" and test thoroughly for breaking changes

@doubleword-code doubleword-code Bot left a comment

Summary

This PR updates @vitejs/plugin-react from v5.0.1 to v6.0.0. However, this major version upgrade introduces a critical compatibility issue that blocks merging.

Verdict: Blocked - Requires either (a) upgrading Vite to v8+, or (b) keeping plugin-react at v5.x.

Research notes

I consulted the official vite-plugin-react release notes and CHANGELOG:

@vitejs/plugin-react v6.0.0 Breaking Changes:

  1. Drop Vite 7 and below support - Vite 8+ is now required. From the release notes:

    Vite 7 and below are no longer supported. If you are using Vite 7, please upgrade to Vite 8.

  2. Remove Babel Related Features - Babel is no longer bundled. Users needing Babel plugins must install @rolldown/plugin-babel separately.

  3. New peer dependency requirements:

    peerDependencies:
      vite: ^8.0.0
    

Current Project State:

The project currently uses Vite 7.3.2 ("vite": "^7.3.2" in package.json), which is explicitly unsupported by plugin-react v6.

Suggested next steps

  1. Option A (Recommended): Upgrade Vite to v8+ alongside this plugin update. This requires:

    • Update "vite": "^8.0.0" in package.json
    • Test the dev server and build pipeline thoroughly
    • Verify all Vite plugins remain compatible with Vite 8
  2. Option B: Keep @vitejs/plugin-react at v5.x (e.g., "^5.0.1") until the team is ready to upgrade Vite to v8.

  3. Fix pnpm-lock.yaml: The lockfile shows the overrides section was removed from the top level. While overrides are still present in package.json, ensure pnpm properly respects them by regenerating the lockfile after resolving the Vite compatibility issue.

General findings

  • The pnpm-lock.yaml diff shows removal of several @babel/* packages, which is expected since v6 removes Babel dependencies. However, if the project relies on any custom Babel plugins, they would need to be re-added via @rolldown/plugin-babel.
  • The lockfile shows version: 6.0.1(vite@7.3.2...) indicating pnpm installed v6 alongside Vite 7.3.2, violating the peer dependency. This may work in some cases but is unsupported and could cause runtime issues.

@doubleword-code doubleword-code Bot left a comment

Summary

This PR updates @vitejs/plugin-react from v5.0.1 to v6.0.0. However, this update introduces a critical compatibility issue: @vitejs/plugin-react v6 requires Vite 8+, but this project currently uses Vite 7.3.2.

Verdict: Blocked - Cannot merge without either (a) upgrading Vite to v8, or (b) keeping @vitejs/plugin-react at v5.

Research notes

Fetched the official CHANGELOG and README from the vite-plugin-react repository:

  • CHANGELOG highlights for v6.0.0 (source):

    • "Drop Vite 7 and below support" - Vite 7 and below are no longer supported. If you are using Vite 7, please upgrade to Vite 8.
    • "Remove Babel Related Features" - Babel is no longer a dependency; users needing Babel must install @rolldown/plugin-babel separately.
    • Peer dependency changed from vite: ^4.2.0 || ^5.0.0 || ^6.0.0 || ^7.0.0 || ^8.0.0 to vite: ^8.0.0
  • Current project state:

    • dashboard/package.json line 91: "vite": "^7.3.2"
    • This version constraint allows v7.x but NOT v8.x

Suggested next steps

  1. Blocking: Decide on the migration path:

    • Option A (Recommended): Upgrade Vite to v8+ alongside this plugin update. This requires changing "vite": "^7.3.2" to "vite": "^8.0.0" (or latest) in package.json and verifying the build works.
    • Option B: Keep @vitejs/plugin-react at v5.x if Vite 8 upgrade is not ready. Change the specifier back to "^5.0.1".
  2. Non-blocking: Review the pnpm-lock.yaml changes - the overrides section was removed from the lockfile but still exists in package.json. This appears to be a lockfile regeneration artifact, but verify the overrides are still being applied correctly after running pnpm install.

General findings

No other issues identified. The lockfile changes appear to be standard dependency tree updates from the plugin version change (removing Babel-related packages, adding platform-specific rollup binaries).

@doubleword-code doubleword-code Bot left a comment

Summary

This PR updates @vitejs/plugin-react from v5 to v6, but introduces a blocking compatibility issue: @vitejs/plugin-react v6 requires Vite 8+, while this project currently uses Vite 7.3.2. The PR should not be merged without also upgrading Vite.

Research notes

Fetched official release notes from vitejs/vite-plugin-react releases:

v6.0.0 breaking changes:

  • Dropped Vite 7 support: "Vite 7 and below are no longer supported. If you are using Vite 7, please upgrade to Vite 8." (#1124)
  • Removed Babel integration: Babel is no longer a dependency; custom Babel config via react({ babel: {...}}) is removed. Users must use @rolldown/plugin-babel separately if needed.
  • New peer dependencies: vite: ^8.0.0, @rolldown/plugin-babel: ^0.1.7 || ^0.2.0 (optional), babel-plugin-react-compiler: ^1.0.0 (optional)

The pnpm lockfile shows the package resolves despite the peer mismatch:

'@vitejs/plugin-react@6.0.1(vite@7.3.2(...))'

But the declared peer dependency is vite: ^8.0.0.

Suggested next steps

  1. Decide on Vite version: Either upgrade Vite to ^8.0.0 to match the plugin requirement, or keep @vitejs/plugin-react at ^5.x
  2. If upgrading to Vite 8: Check Vite 8 migration guide for breaking changes that may affect the dashboard build
  3. If staying on Vite 7: Update the Renovate config to constrain @vitejs/plugin-react to major version 5

General findings

No other issues found. The pnpm-lock.yaml changes are consistent with the version bump (removing old Babel packages, adding new rolldown dependencies, updating native binary packages for rollup).

Note: The pnpm overrides section was removed from the lockfile (rollup: npm:@rollup/wasm-node, lodash, mdast-util-to-hast). This appears to be an unintended side effect - the overrides are still present in package.json but were stripped from the lockfile structure.

Comment thread dashboard/package.json
"@types/react": "^19.2.2",
"@types/react-dom": "^19.1.7",
"@vitejs/plugin-react": "^5.0.1",
"@vitejs/plugin-react": "^6.0.0",

Blocking: This version requires Vite 8+, but the project uses Vite 7.3.2 (line 91).

Why it matters: According to the official v6.0.0 release notes, Vite 7 and below are no longer supported. The peer dependency is vite: ^8.0.0. Using this with Vite 7 may cause runtime errors or missing functionality since v6 removed Babel-based transforms that Vite 7 relied on.

Suggested fix: Either:

  1. Downgrade to "@vitejs/plugin-react": "^5.2.0" (latest v5) to stay compatible with Vite 7
  2. Or upgrade Vite: "vite": "^8.0.0" (and test thoroughly for Vite 8 breaking changes)

@doubleword-code doubleword-code Bot left a comment

Summary

This PR updates @vitejs/plugin-react from v5 to v6 and regenerates the pnpm lockfile. However, there is a critical compatibility issue that blocks this PR from being merged:

Verdict: BLOCKED - Requires Vite 8 upgrade before this can be merged.

Research notes

I fetched the official release notes for @vitejs/plugin-react v6.0.0 from GitHub Releases:

Drop Vite 7 and below support (#1124)

Vite 7 and below are no longer supported. If you are using Vite 7, please upgrade to Vite 8.

The current project uses Vite ^7.3.2 (specified in dashboard/package.json line 91), which is incompatible with @vitejs/plugin-react@6.x.

Additionally, the pnpm lockfile has lost its overrides section that was present in the original lockfile. The package.json still specifies these overrides:

"pnpm": {
  "overrides": {
    "rollup": "npm:@rollup/wasm-node",
    "lodash": "^4.18.0",
    "mdast-util-to-hast": "^13.2.1"
  }
}

But the regenerated pnpm-lock.yaml no longer includes them, which means:

  • Security override for lodash (patching known vulnerabilities) is not being enforced
  • The WASM version of Rollup is no longer being used
  • The mdast-util-to-hast fix is not being applied

Suggested next steps

  1. Blocking: Either:

    • Upgrade Vite to v8+ (pnpm add -D vite@^8.0.0), OR
    • Pin @vitejs/plugin-react to ^5.2.0 (the latest v5 version that supports Vite 7)
  2. Non-blocking: Regenerate the lockfile properly to preserve the pnpm overrides, or explicitly remove them from package.json if they're no longer needed (with justification).

General findings

Major breaking change in plugin-react v6

The v6 release removes Babel-related features. From the release notes:

Vite 8+ can handle React Refresh Transform by Oxc and doesn't need Babel for it. To reduce the installation size of this plugin, babel is no longer a dependency of this plugin and the related features are removed.

If this project was using any custom Babel configuration via the plugin's babel option, that configuration will stop working. The migration path requires installing @rolldown/plugin-babel separately. Current usage in vite.config.ts is just react() with no options, so this shouldn't impact this project directly.

Dependency tree changes

The lockfile diff shows significant changes to the Babel-related packages - many are being removed as expected since v6 no longer depends on Babel. This reduces bundle size but requires Vite 8.

General findings (auto-demoted from inline due to pre-validation)

  • Non-blocking dashboard/pnpm-lock.yaml:1 — Missing pnpm overrides section.
    • (demoted: line 1 (side=RIGHT) is not part of any diff hunk in dashboard/pnpm-lock.yaml)

Comment thread dashboard/package.json
"@types/react": "^19.2.2",
"@types/react-dom": "^19.1.7",
"@vitejs/plugin-react": "^5.0.1",
"@vitejs/plugin-react": "^6.0.0",

Blocking: Incompatible Vite version.

Why it matters: @vitejs/plugin-react@6.x explicitly drops support for Vite 7 and below (requires Vite 8+ per release notes). This project uses Vite ^7.3.2 (line 91), which will cause the plugin to fail at runtime or during build.

From the official release notes:

Drop Vite 7 and below support

Vite 7 and below are no longer supported. If you are using Vite 7, please upgrade to Vite 8.

Suggested fix: Either:

  1. Upgrade Vite: pnpm add -D vite@^8.0.0 (and verify all plugins are Vite 8 compatible)
  2. Or pin this to v5: "@vitejs/plugin-react": "^5.2.0"

@doubleword-code doubleword-code Bot left a comment

Summary

This PR updates @vitejs/plugin-react from v5 to v6. However, there's a critical compatibility issue: @vitejs/plugin-react v6.x requires Vite 8+, but this project is still using Vite 7.3.2. Additionally, the PR removes important pnpm overrides that were in place for security reasons.

Verdict: Blocked - Requires either upgrading Vite to v8 or keeping @vitejs/plugin-react at v5 until Vite is upgraded.

Research notes

I consulted the official @vitejs/plugin-react v6.0.0 release notes, which clearly state:

Drop Vite 7 and below support (#1124)

Vite 7 and below are no longer supported. If you are using Vite 7, please upgrade to Vite 8.

The v6 release also removes Babel-related features, relying on Oxc for React Refresh Transform in Vite 8+. While this project doesn't use custom Babel plugins (good), the Vite version requirement is the blocking factor.

From the CHANGELOG:

  • v6.0.0 dropped Vite 7 support
  • v5.2.0 added Vite 8 support while maintaining Vite 7 compatibility

Suggested next steps

  1. Option A (Recommended): Upgrade Vite to v8 alongside this change:

    • Update "vite": "^8.0.0" in package.json
    • Test thoroughly for any breaking changes from Vite 7 → 8
  2. Option B: Keep @vitejs/plugin-react at v5.x until ready to upgrade Vite:

    • Change specifier to "^5.0.1" (or "^5.2.0" for latest v5)
  3. Restore pnpm overrides: Re-add the removed overrides section to maintain security patches for lodash and mdast-util-to-hast

General findings

Removed pnpm overrides (security concern)

The PR removes the following pnpm overrides from package.json:

"overrides": {
  "rollup": "npm:@rollup/wasm-node",
  "lodash": "^4.18.0",
  "mdast-util-to-hast": "^13.2.1"
}

While the current lockfile resolves to safe versions (lodash@4.18.1, mdast-util-to-hast@13.2.1), removing these explicit overrides means future installations could pull in vulnerable versions. The lodash override was likely addressing CVE-2021-23337 (prototype pollution in <4.17.21), and mdast-util-to-hast had its own security fixes in v13.2.1.

Rollup implementation change

The rollup: npm:@rollup/wasm-node override ensured consistent behavior across platforms by using the WASM build. Removing it switches to native Rollup, which may behave differently on various architectures. This isn't necessarily wrong, but should be intentional.

@doubleword-code doubleword-code Bot left a comment

Summary

This PR upgrades @vitejs/plugin-react from v5.0.1 to v6.0.0 as part of Renovate's automated dependency updates. However, this upgrade introduces a breaking compatibility issue that blocks merging.

Verdict: ❌ BLOCKED - Requires Vite 8+ upgrade first

Research notes

I fetched the official CHANGELOG for @vitejs/plugin-react v6.0.0 and found:

Breaking Changes in v6.0.0:

  1. Drop Vite 7 and below support (#1124): Vite 8+ is now required. The peerDependencies changed from vite: ^4.2.0 || ^5.0.0 || ^6.0.0 || ^7.0.0 to vite: ^8.0.0.

  2. Remove Babel Related Features (#1123): Babel is no longer a dependency. JSX transforms are handled by Oxc. If custom Babel plugins are needed, users must install @rolldown/plugin-babel separately.

  3. New optional peer dependencies:

    • @rolldown/plugin-babel: ^0.1.7 || ^0.2.0 (optional)
    • babel-plugin-react-compiler: ^1.0.0 (optional)

Current Project State:

  • Vite version: ^7.3.2 (package.json line 91)
  • Plugin configuration: react() with no custom Babel options (vite.config.ts)
  • Good news: The project doesn't use any custom Babel configuration, so the Babel removal wouldn't affect functionality IF Vite were upgraded.

Suggested next steps

  1. BLOCKING: Upgrade Vite from ^7.3.2 to ^8.0.0 (or latest v8) in dashboard/package.json
  2. Run pnpm install to update the lockfile with compatible versions
  3. Test the dev server and build to ensure Vite 8 compatibility
  4. Once Vite 8 is confirmed working, this plugin upgrade can proceed

General findings

pnpm overrides removal concerns

The diff shows removal of the pnpm.overrides section that previously pinned:

  • rollup: npm:@rollup/wasm-node
  • lodash: ^4.18.0 (security fix for prototype pollution)
  • mdast-util-to-hast: ^13.2.1

The lodash override was likely added to address CVE-2021-23337 or similar prototype pollution vulnerabilities. Removing this override could reintroduce security vulnerabilities if transitive dependencies pull in vulnerable lodash versions. Consider keeping these overrides or verifying that all dependencies now resolve to safe versions.

General findings (auto-demoted from inline due to pre-validation)

  • Non-blocking dashboard/package.json:102 — Removal of pnpm overrides section - verify security implications.
    • (demoted: line 102 (side=LEFT) is not part of any diff hunk in dashboard/package.json)

Comment thread dashboard/package.json
"@types/react": "^19.2.2",
"@types/react-dom": "^19.1.7",
"@vitejs/plugin-react": "^5.0.1",
"@vitejs/plugin-react": "^6.0.0",

Blocking: This version requires Vite 8+ but the project uses Vite ^7.3.2 (line 91).

Why it matters: According to the v6.0.0 release notes, this version dropped support for Vite 7 and below. The peerDependencies now specify vite: ^8.0.0. Installing this with Vite 7 will cause peer dependency warnings and potential runtime incompatibilities since the plugin expects Vite 8+ APIs.

Suggested fix: First upgrade Vite to v8+:

"vite": "^8.0.0",

Then verify the dev server and production build work correctly before merging this plugin upgrade.

@doubleword-code doubleword-code Bot left a comment

Summary

This PR updates @vitejs/plugin-react from ^5.0.1 to ^6.0.0 in the dashboard. While this is a routine dependency update, there is a critical compatibility issue that blocks merging.

Verdict: 🛑 BLOCKED - Requires Vite version upgrade alongside this change.

Research notes

I fetched the CHANGELOG.md for @vitejs/plugin-react and found the following breaking changes in v6.0.0:

  1. Drop Vite 7 and below support (#1124): "Vite 7 and below are no longer supported. If you are using Vite 7, please upgrade to Vite 8."

  2. Remove Babel Related Features (#1123): Babel is no longer a dependency. The plugin now uses Oxc for React refresh transform. Users who need custom Babel plugins must use @rolldown/plugin-babel alongside this plugin.

  3. Node.js requirement: Node 20.19+ or 22.12+ (already satisfied by this project's engines field)

The current project uses vite@^7.3.2 (see dashboard/package.json line 91), which is incompatible with @vitejs/plugin-react@6.x.

Suggested next steps

  1. Upgrade Vite to v8 alongside this plugin update. Check the Vite 8 migration guide for breaking changes.

  2. Verify the pnpm overrides behavior: The overrides section was removed from pnpm-lock.yaml but remains in package.json. After upgrading Vite, run pnpm install to regenerate the lockfile and ensure the rollup/lodash/mdast-util-to-hast overrides are properly applied.

  3. Test the build: Since v6 removes Babel, verify that any custom JSX transforms or Babel plugins (if used) are migrated to use @rolldown/plugin-babel as shown in the changelog examples.

  4. Run frontend tests: After upgrading both Vite and the plugin, run just test ts to ensure no regressions.

General findings

Bundle size improvement (Positive)

The diff shows significant reduction in Babel-related packages in the lockfile (@babel/core, @babel/parser, @babel/traverse, etc. are removed). This is a beneficial side effect of v6's shift to Oxc-based transforms.

Peer dependency change

The plugin now lists @rolldown/plugin-babel and babel-plugin-react-compiler as optional peer dependencies instead of bundling Babel directly. This is fine since the project doesn't appear to use custom Babel plugins.

Rollup resolution change

The lockfile now resolves rollup-plugin-visualizer@7.0.1 with explicit (rollup@4.60.3) peer dependency. The @rollup/wasm-node override in package.json should still apply, but this should be verified after running pnpm install with the updated versions.

General findings (auto-demoted from inline due to pre-validation)

  • Non-blocking dashboard/pnpm-lock.yaml:4 — The overrides section was removed from the lockfile but remains in package.json
    • (demoted: code self-check failed at dashboard/pnpm-lock.yaml:4: diff has autoInstallPeers: true, model claimed overrides:)

Comment thread dashboard/package.json
"@types/react": "^19.2.2",
"@types/react-dom": "^19.1.7",
"@vitejs/plugin-react": "^5.0.1",
"@vitejs/plugin-react": "^6.0.0",

Blocking: Incompatible Vite version - @vitejs/plugin-react@6.x requires Vite 8+

Why it matters: According to the official changelog, version 6.0.0 explicitly dropped support for Vite 7 and below. The project currently uses vite@^7.3.2 (line 91 of this file). Installing this version will result in an unsatisfied peer dependency warning and potential runtime failures.

Suggested fix: Upgrade Vite to v8 alongside this plugin update:

"vite": "^8.0.0",

Or pin the plugin to v5 if Vite upgrade needs to be deferred:

"@vitejs/plugin-react": "^5.0.1",

@doubleword-code doubleword-code Bot left a comment

Summary

This PR updates @vitejs/plugin-react from v5 to v6. This update cannot be merged as-is due to a critical peer dependency incompatibility.

Verdict: Blocked - requires either downgrading the plugin or upgrading Vite to v8+.

Research Notes

I fetched the official CHANGELOG.md for @vitejs/plugin-react. Key findings from version 6.0.0:

  1. Drop Vite 7 and below support - "Vite 7 and below are no longer supported. If you are using Vite 7, please upgrade to Vite 8."
  2. Remove Babel Related Features - Babel is no longer bundled; users needing custom Babel plugins must install @rolldown/plugin-babel separately
  3. New peer dependencies: vite: ^8.0.0 (required), @rolldown/plugin-babel: ^0.1.7 || ^0.2.0 (optional), babel-plugin-react-compiler: ^1.0.0 (optional)

Suggested Next Steps

Choose one of these paths:

  1. If you want to stay on Vite 7: Keep @vitejs/plugin-react at v5.x (revert this change)
  2. If you want to upgrade to plugin-react v6: Also upgrade Vite to v8+ ("vite": "^8.0.0") and verify all Vite 8 breaking changes are compatible with your setup

General Findings

Lockfile Overrides Section Removed

The overrides: section at the top of pnpm-lock.yaml was removed. The overrides still exist in package.json under pnpm.overrides, but this structural change in the lockfile format should be verified to ensure the overrides (especially rollup: npm:@rollup/wasm-node) are still being applied correctly.

Rollup Package Structure Changed

The lockfile now includes explicit platform-specific Rollup packages (@rollup/rollup-linux-x64-gnu, @rollup/rollup-darwin-arm64, etc.) instead of the generic @rollup/wasm-node package. This is consistent with Rollup's newer distribution model, but combined with the removed overrides section, you should verify the build works correctly on all target platforms.

General findings (auto-demoted from inline due to pre-validation)

  • Blocking dashboard/package.json:91 — Peer dependency version mismatch.
    • (demoted: line 91 (side=RIGHT) is not part of any diff hunk in dashboard/package.json)

Comment thread dashboard/package.json
"@types/react": "^19.2.2",
"@types/react-dom": "^19.1.7",
"@vitejs/plugin-react": "^5.0.1",
"@vitejs/plugin-react": "^6.0.0",

Blocking: Major version upgrade without corresponding Vite upgrade.

Why it matters: This line changes the plugin from v5 to v6, but v6 has incompatible peer dependency requirements. Per the changelog:

  • Requires vite: ^8.0.0 (project has ^7.3.2)
  • Removes Babel as a bundled dependency (uses Oxc for React Refresh transform)
  • New optional peer deps: @rolldown/plugin-babel, babel-plugin-react-compiler

Since the project uses react() with default options (no custom Babel config in vite.config.ts), the Babel removal won't break functionality, but the Vite version mismatch will.

Suggested fix: Either revert to ^5.0.1 or also upgrade Vite to ^8.0.0.

Comment thread dashboard/pnpm-lock.yaml
autoInstallPeers: true
excludeLinksFromLockfile: false

overrides:
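
Review bot: The root `overrides:` key is the only line of that block visible in this hunk, so the dropped entries cannot be checked from the diff alone; the comment on this thread lists them as `rollup`, `lodash` and `mdast-util-to-hast`. Before merging, confirm on a fresh install that each `pnpm.overrides` entry still governs the resolved version, because a lockfile that no longer records an override leaves reviewers nothing to diff when that pin later changes.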

Non-blocking: The overrides: section was removed from the lockfile root.

Why it matters: The previous lockfile had:

overrides:
  rollup: npm:@rollup/wasm-node
  lodash: ^4.18.0
  mdast-util-to-hast: ^13.2.1

These overrides still exist in package.json under pnpm.overrides, so they should still apply. However, the lockfile format change means you should verify after installation that:

  1. The rollup: npm:@rollup/wasm-node override is still respected
  2. Security patches for lodash and mdast-util-to-hast are still applied

Suggested fix: Run pnpm install and verify pnpm list rollup shows the WASM version as expected.

Caveat: This may be an intentional pnpm lockfile format change rather than a bug—newer pnpm versions may store overrides differently.

@doubleword-code doubleword-code Bot left a comment

Summary

This PR attempts to upgrade @vitejs/plugin-react from v5.0.1 to v6.0.0. However, this upgrade is incompatible with the current Vite version and introduces several breaking changes that will cause build failures.

Verdict: BLOCKED - This PR cannot be merged as-is. It requires either:

  1. A simultaneous upgrade of Vite to v8+, OR
  2. Pinning @vitejs/plugin-react to a v5.x version

Research Notes

Based on the official CHANGELOG:

v6.0.0 Breaking Changes (2026-03-12):

  1. Drop Vite 7 and below support - "Vite 7 and below are no longer supported. If you are using Vite 7, please upgrade to Vite 8."
  2. Remove Babel Related Features - Babel is no longer a dependency; custom Babel plugins must now use @rolldown/plugin-babel separately
  3. Peer dependency: vite: ^8.0.0 (confirmed in pnpm-lock.yaml)

Current Project State:

  • vite: ^7.3.2 in package.json (incompatible with plugin-react v6)
  • No custom Babel configuration currently used (simple react() setup in vite.config.ts)

Additional Issue - Overrides Removal:

The pnpm-lock.yaml shows the overrides section was removed from the lockfile header. While the overrides remain in package.json:

"pnpm": {
  "overrides": {
    "rollup": "npm:@rollup/wasm-node",
    "lodash": "^4.18.0",
    "mdast-util-to-hast": "^13.2.1"
  }
}

The lockfile no longer reflects these overrides at the top level. The rollup override specifically changed from @rollup/wasm-node@4.60.3 to platform-specific @rollup/rollup-* packages, which may affect cross-platform builds.

Suggested Next Steps

  1. HIGH PRIORITY: Decide on the upgrade path:

    • Option A: Upgrade Vite to v8 alongside this plugin (requires testing for Vite v8 breaking changes)
    • Option B: Pin @vitejs/plugin-react to ^5.2.0 (latest v5) to maintain compatibility
  2. MEDIUM PRIORITY: Verify the pnpm overrides are being correctly applied after the dependency update. Run pnpm install and confirm the lockfile preserves the overrides section.

  3. Test the frontend build (pnpm run build) and dev server (pnpm run dev) to ensure no regressions.

General Findings

Blocking Issues

  1. Vite Version Mismatch: The upgraded @vitejs/plugin-react@6.0.2 requires vite@^8.0.0 as a peer dependency, but the project uses vite@^7.3.2. This will cause peer dependency warnings and potential runtime/build failures.

  2. Lockfile Overrides Removed: The security-related pnpm overrides (particularly lodash and mdast-util-to-hast patches) appear to have been dropped from the lockfile structure, which could reintroduce known vulnerabilities.

Non-blocking Observations

  1. The simplified plugin architecture in v6 (removing Babel) would actually benefit this project since the current vite.config.ts uses a basic react() configuration without any custom Babel plugins.

  2. The Node.js engine requirement (^20.19.0 || >=22.12.0) remains compatible with the project's existing engine specification.

Comment thread dashboard/package.json
"@types/react": "^19.2.2",
"@types/react-dom": "^19.1.7",
"@vitejs/plugin-react": "^5.0.1",
"@vitejs/plugin-react": "^6.0.0",
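
Review bot: the last line of this hunk moves @vitejs/plugin-react across a major version (^5.0.1 to ^6.0.0) and nothing in the hunk touches vite. The release notes quoted on this page say v6 drops Vite 7 and below, so the vite range needs to move in the same change, or this specifier should stay on 5.x until it does.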

Blocking: Incompatible peer dependency - @vitejs/plugin-react@6.x requires vite@^8.0.0, but this project uses vite@^7.3.2 (line 91).

Why it matters: Per the official CHANGELOG, v6.0.0 explicitly "Drop Vite 7 and below support". The pnpm-lock.yaml confirms the peer dependency: vite: ^8.0.0. This mismatch will cause peer dependency violations and likely break the build or dev server.

Suggested fix: Either:

  1. Upgrade Vite: Change line 91 to "vite": "^8.0.0" (requires testing for Vite v8 breaking changes)
  2. Or pin the plugin: Change this line to "@vitejs/plugin-react": "^5.2.0" to stay on the compatible v5.x branch

Comment thread dashboard/pnpm-lock.yaml
autoInstallPeers: true
excludeLinksFromLockfile: false

overrides:

Blocking: The pnpm overrides section was removed from the lockfile header. This section previously contained security-critical overrides:

overrides:
  rollup: npm:@rollup/wasm-node
  lodash: ^4.18.0
  mdast-util-to-hast: ^13.2.1

Why it matters: These overrides were added for specific reasons:

  • lodash: ^4.18.0 - Security patch for lodash CVEs
  • mdast-util-to-hast: ^13.2.1 - Security/bugfix patch
  • rollup: npm:@rollup/wasm-node - Cross-platform compatibility

While the overrides still exist in package.json, their absence from the lockfile header suggests they may not be properly enforced. The diff shows rollup changed from @rollup/wasm-node to platform-specific @rollup/rollup-* packages, confirming the override isn't being applied.

Suggested fix: Re-run pnpm install to regenerate the lockfile with overrides properly applied, or investigate if there's a pnpm version mismatch causing this behavior.

@doubleword-code doubleword-code Bot left a comment

Summary

This PR updates @vitejs/plugin-react from ^5.0.1 to ^6.0.0. However, this is a breaking change that introduces a version incompatibility: @vitejs/plugin-react v6.0.0 explicitly drops support for Vite 7 and below and requires Vite 8+, while this project currently uses Vite ^7.3.2.

Verdict: Blocked - This PR cannot be merged as-is because it creates an incompatible dependency chain.

Research Notes

From the official v6.0.0 release notes:

Drop Vite 7 and below support (#1124)

Vite 7 and below are no longer supported. If you are using Vite 7, please upgrade to Vite 8.

The peer dependencies for @vitejs/plugin-react@6.0.2 (latest v6) now require:

  • vite: ^8.0.0 (previously ^4.2.0 || ^5.0.0 || ^6.0.0 || ^7.0.0 || ^8.0.0 in v5)

Additionally, v6 removes Babel-related features since Vite 8+ handles React Refresh Transform via Oxc natively. Users who need Babel must now install @rolldown/plugin-babel as a separate dependency.

Suggested Next Steps

  1. Option A (Recommended): Update both Vite and the plugin together in a single PR:

    • Upgrade vite from ^7.3.2 to ^8.0.0 (check Vite 8 migration guide for breaking changes)
    • Then upgrade @vitejs/plugin-react to ^6.0.0
    • Test thoroughly since Vite major versions may have breaking changes
  2. Option B: Keep @vitejs/plugin-react at v5.x if Vite 7 must be maintained

General Findings

pnpm Overrides Removed

The diff shows that the following pnpm overrides were removed from package.json:

"overrides": {
  "rollup": "npm:@rollup/wasm-node",
  "lodash": "^4.18.0",
  "mdast-util-to-hast": "^13.2.1"
}

These overrides appear in the old lockfile but not in the updated one. If these overrides were added intentionally to address security vulnerabilities or compatibility issues, they should be preserved. Please verify:

  • Was the rollup WASM override needed for a specific platform compatibility?
  • Was the lodash override for security patching?
  • Was the mdast-util-to-hast override for markdown processing compatibility?

If any of these are still needed, they should be re-added to the pnpm config section.

@doubleword-code doubleword-code Bot left a comment

Summary

This PR updates @vitejs/plugin-react from v5 to v6, which is a major version upgrade with breaking changes. However, this upgrade introduces a critical peer dependency mismatch that will prevent the project from building successfully.

Verdict: Blocked - Requires Vite 8 upgrade before this dependency update can be applied.

Research notes

I fetched the official CHANGELOG for @vitejs/plugin-react and found:

  1. v6.0.0 breaking change: "Drop Vite 7 and below support" - Vite 8+ is now required
  2. Peer dependencies changed: v6 requires vite: ^8.0.0, but this project uses vite: ^7.3.2
  3. Babel removed: v6 removes Babel-related features; projects using custom Babel plugins must now use @rolldown/plugin-babel alongside this plugin

The current project configuration:

  • vite: ^7.3.2 (in package.json line 91)
  • @vitejs/plugin-react: ^6.0.0 (after this PR)

This creates an unsatisfiable peer dependency situation.

Suggested next steps

  1. First, upgrade Vite from v7 to v8 (update package.json to "vite": "^8.0.0" or later)
  2. Then, re-run pnpm install to regenerate the lockfile with compatible versions
  3. Verify the build works after the Vite upgrade before merging this PR
  4. Check if any custom Babel plugins are in use (they would need @rolldown/plugin-babel added)

General findings

pnpm overrides discrepancy: The pnpm-lock.yaml shows the overrides section was removed (previously had rollup, lodash, mdast-util-to-hast overrides), but these overrides still exist in package.json. This suggests the lockfile may not have been properly regenerated with pnpm install after the dependency change. The overrides should either be consistently present in both files or intentionally removed with explanation.

Comment thread dashboard/package.json
"@types/react": "^19.2.2",
"@types/react-dom": "^19.1.7",
"@vitejs/plugin-react": "^5.0.1",
"@vitejs/plugin-react": "^6.0.0",

Blocking: This major version upgrade introduces a peer dependency conflict.

Why it matters: @vitejs/plugin-react@6.x requires vite: ^8.0.0 as a peer dependency, but this project currently has vite: ^7.3.2 (line 91). According to the official CHANGELOG, v6.0.0 explicitly dropped support for Vite 7 and below:

"Vite 7 and below are no longer supported. If you are using Vite 7, please upgrade to Vite 8."

Attempting to build with this configuration will result in peer dependency warnings/errors and potential runtime failures.

Suggested fix: Either:

  1. Upgrade Vite to v8 first: change line 91 to "vite": "^8.0.0" (or latest v8.x), then run pnpm install to regenerate the lockfile
  2. Or pin this dependency to v5.x if Vite 8 upgrade is not yet feasible: "@vitejs/plugin-react": "^5.0.1"

Comment thread dashboard/pnpm-lock.yaml
autoInstallPeers: true
excludeLinksFromLockfile: false

overrides:

Non-blocking: The pnpm overrides section was removed from the lockfile but still exists in package.json.

Why it matters: The original lockfile had these overrides:

overrides:
  rollup: npm:@rollup/wasm-node
  lodash: ^4.18.0
  mdast-util-to-hast: ^13.2.1

These same overrides are still present in package.json (lines 103-107). The removal from the lockfile suggests pnpm install may not have been run after the dependency update, or there's a version resolution issue.

Suggested fix: After resolving the Vite version mismatch, run pnpm install to regenerate pnpm-lock.yaml with consistent overrides. Verify the overrides section appears correctly in the regenerated lockfile.

@doubleword-code doubleword-code Bot left a comment

Summary

This PR updates @vitejs/plugin-react from v5.0.1 to v6.0.0 in the dashboard. While this appears to be a routine dependency update, there are critical compatibility issues that must be addressed before this can be merged:

  1. Peer dependency mismatch: @vitejs/plugin-react@6.x requires vite:^8.0.0, but the project currently uses vite:^7.3.2
  2. Removed pnpm overrides: The update removes three important pnpm overrides that were added for security and platform compatibility reasons

Verdict: Blocked until these issues are resolved.

Research notes

  • @vitejs/plugin-react v6.0.0 changelog: Version 6.0.0 explicitly dropped support for Vite 7 and below ("Vite 7 and below are no longer supported. If you are using Vite 7, please upgrade to Vite 8.")
  • Peer dependencies for @vitejs/plugin-react@6.0.2: vite: ^8.0.0, with optional @rolldown/plugin-babel: ^0.1.7 || ^0.2.0 and babel-plugin-react-compiler: ^1.0.0
  • The removed pnpm overrides were introduced in commit fa79316 to address Dependabot vulnerabilities (#1045)

Suggested next steps

  1. Upgrade Vite to v8 if you want to use @vitejs/plugin-react@6.x, OR downgrade to @vitejs/plugin-react@5.x to maintain compatibility with Vite 7
  2. Evaluate the removed pnpm overrides:
    • rollup: npm:@rollup/wasm-node - May have been added for cross-platform compatibility; verify native rollup works on all target platforms
    • lodash: ^4.18.0 - Security override; check if the vulnerability was fixed upstream
    • mdast-util-to-hast: ^13.2.1 - Likely a security or compatibility fix; verify if still needed
  3. Run full test suite (just test ts) after making the above changes

General findings

Breaking changes in @vitejs/plugin-react v6

The v6 release includes significant architectural changes:

  1. Babel removed as direct dependency: Vite 8+ handles React Refresh Transform via Oxc, so Babel is no longer bundled. If custom Babel plugins are needed in the future, they must use @rolldown/plugin-babel separately.
  2. Node.js version requirement: Requires Node ^20.19.0 || >=22.12.0 - verify this matches your deployment targets.
  3. React Compiler setup changed: If you plan to use React Compiler in the future, the setup now requires @rolldown/plugin-babel with reactCompilerPreset instead of inline Babel configuration.

The current vite.config.ts uses react() without custom options, so these breaking changes don't immediately impact the existing setup once the Vite version is aligned.

@doubleword-code doubleword-code Bot left a comment

Summary

This PR updates @vitejs/plugin-react from v5 to v6, which is a major version upgrade that removes Babel-related features and drops support for Vite 7 and below. However, the PR has critical compatibility issues that need to be addressed before it can be merged.

Verdict: Blocked - Requires Vite 8 upgrade and fix for missing pnpm overrides.

Research notes

I consulted the official CHANGELOG for @vitejs/plugin-react:

  • v6.0.0 breaking changes: "Drop Vite 7 and below support" - Vite 7 and below are no longer supported. If using Vite 7, must upgrade to Vite 8.
  • v6.0.0 peer dependencies changed: Now requires vite: ^8.0.0 (previously supported ^4.2.0 || ^5.0.0 || ^6.0.0 || ^7.0.0 || ^8.0.0)
  • Babel removed: v6 removes Babel as a dependency. If custom Babel plugins are needed, must use @rolldown/plugin-babel alongside this plugin.

The current project uses vite@^7.3.2 (from dashboard/package.json line 91), which is incompatible with @vitejs/plugin-react@6.x.

Suggested next steps

  1. Blocking: Upgrade vite to ^8.0.0 in dashboard/package.json to satisfy the peer dependency requirement of @vitejs/plugin-react@6.x
  2. Blocking: Ensure pnpm overrides (rollup, lodash, mdast-util-to-hast) from package.json are properly reflected in pnpm-lock.yaml - regenerate lockfile with pnpm install
  3. Non-blocking: Address the @ungap/structured-clone@1.3.0 deprecation warning (CWE-502 vulnerability) by updating to 1.3.1+

General findings

Missing pnpm overrides in lockfile

The original pnpm-lock.yaml had an overrides section at the top:

overrides:
  rollup: npm:@rollup/wasm-node
  lodash: ^4.18.0
  mdast-util-to-hast: ^13.2.1

These overrides are still present in package.json (lines 103-107) under the pnpm.overrides key, but they're missing from the updated lockfile. This means:

  • The security override for lodash (likely addressing a prototype pollution CVE) may not be enforced
  • The mdast-util-to-hast compatibility fix may not apply
  • The WASM-based Rollup override is lost

Regenerate the lockfile with pnpm install to ensure overrides are properly applied.

Deprecated dependency warning

The new lockfile includes @ungap/structured-clone@1.3.0 with a deprecation notice: "Potential CWE-502 - Update to 1.3.1 or higher". CWE-502 refers to deserialization of untrusted data vulnerabilities. This should be investigated and updated if possible.

Comment thread dashboard/package.json
"@types/react": "^19.2.2",
"@types/react-dom": "^19.1.7",
"@vitejs/plugin-react": "^5.0.1",
"@vitejs/plugin-react": "^6.0.0",

Blocking: Peer dependency incompatibility with Vite version.

Why it matters: According to the official CHANGELOG, @vitejs/plugin-react@6.0.0 dropped support for Vite 7 and below: "Vite 7 and below are no longer supported. If you are using Vite 7, please upgrade to Vite 8." The peer dependency changed from vite: ^4.2.0 || ^5.0.0 || ^6.0.0 || ^7.0.0 || ^8.0.0 (v5.x) to vite: ^8.0.0 (v6.x). This project currently uses vite@^7.3.2 (line 91), which violates the peer dependency and will cause build/runtime failures.

Suggested fix: Upgrade Vite to v8: change line 91 from "vite": "^7.3.2" to "vite": "^8.0.0", then run pnpm install to regenerate the lockfile with compatible versions.

Comment thread dashboard/pnpm-lock.yaml
autoInstallPeers: true
excludeLinksFromLockfile: false

overrides:

Blocking: Missing pnpm overrides section in regenerated lockfile.

Why it matters: The original lockfile had an overrides section that enforced:

  • rollup: npm:@rollup/wasm-node (WASM-based Rollup)
  • lodash: ^4.18.0 (security override, likely for CVE-2021-23337 prototype pollution)
  • mdast-util-to-hast: ^13.2.1 (compatibility fix)

These overrides are still defined in package.json (lines 103-107) under pnpm.overrides, but they're missing from the updated lockfile. This means the lockfile doesn't reflect the intended security constraints, potentially reintroducing vulnerabilities.

Suggested fix: Run pnpm install in the dashboard/ directory to regenerate pnpm-lock.yaml with the overrides properly included. Verify the overrides: section appears at the top of the regenerated lockfile.

@doubleword-code doubleword-code Bot left a comment

Summary

This PR updates @vitejs/plugin-react from ^5.0.1 to ^6.0.0 (specifically v6.0.2 per the lockfile). However, this upgrade introduces a breaking compatibility issue: @vitejs/plugin-react v6.0.0 explicitly drops support for Vite 7 and below, requiring Vite 8+, while this project is still using Vite ^7.3.2.

Verdict: Blocked — This PR cannot be merged as-is because it creates an incompatible peer dependency situation. Either Vite must also be upgraded to v8+, or the plugin version specifier should remain at v5.x.

Research notes

I fetched the official changelog and release notes for @vitejs/plugin-react:

  • v6.0.0 Release Notes (March 12, 2026): The major change is "Remove Babel Related Features" and "Drop Vite 7 and below support". The release explicitly states:

    Vite 7 and below are no longer supported. If you are using Vite 7, please upgrade to Vite 8.

  • CHANGELOG.md confirms:

    • v6.0.0 requires Vite 8+ (peerDependencies now specify vite: ^8.0.0)
    • Babel is no longer bundled; users needing Babel must install @rolldown/plugin-babel separately
    • The new peer dependencies include optional @rolldown/plugin-babel and babel-plugin-react-compiler
  • Current project state: dashboard/package.json shows "vite": "^7.3.2", which is incompatible with @vitejs/plugin-react v6.

Suggested next steps

  1. Blocking: Decide on one of two paths:

    • Option A (Recommended): Also upgrade Vite to v8+ in the same PR. This requires updating "vite": "^8.0.0" (or latest) in package.json and verifying that the rest of the build tooling (plugins, Vitest, etc.) is compatible with Vite 8.
    • Option B: Keep @vitejs/plugin-react at v5.x by changing the specifier back to "^5.0.1" if Vite 8 upgrade is not desired at this time.
  2. If upgrading to Vite 8: Test the full development and build pipeline (pnpm run dev, pnpm run build, pnpm test) to ensure no regressions from the Vite major version upgrade.

  3. If staying on Vite 7: Consider configuring Renovate to exclude this package from major version updates, or pin it to ~5.x to avoid accidental upgrades.

General findings

Important note on pnpm overrides: The current package.json includes pnpm overrides:

"pnpm": {
  "overrides": {
    "rollup": "npm:@rollup/wasm-node",
    "lodash": "^4.18.0",
    "mdast-util-to-hast": "^13.2.1"
  }
}

These overrides were present in the old lockfile but were removed from the top-level in the new lockfile. The overrides themselves remain in package.json, so functionality should be preserved, but this is worth verifying during testing.

The lockfile changes show significant restructuring due to the removal of Babel-related dependencies (@babel/core, @babel/parser, @babel/types, etc.) and the addition of platform-specific Rollup binaries. This is expected behavior for the v6 upgrade.

Comment thread dashboard/package.json
"@types/react": "^19.2.2",
"@types/react-dom": "^19.1.7",
"@vitejs/plugin-react": "^5.0.1",
"@vitejs/plugin-react": "^6.0.0",

Blocking: Incompatible peer dependency — @vitejs/plugin-react v6 requires Vite 8+, but project uses Vite ^7.3.2.

Why it matters: According to the official v6.0.0 release notes, this major version explicitly "Drop[s] Vite 7 and below support". The peerDependencies now specify vite: ^8.0.0. Using this plugin version with Vite 7 will result in peer dependency warnings and potential runtime/build failures.

From the changelog:

Vite 7 and below are no longer supported. If you are using Vite 7, please upgrade to Vite 8.

Suggested fix: Either:

  1. Also upgrade Vite: Change line 91 to "vite": "^8.0.0" (or latest v8 version), then test thoroughly
  2. Or pin this plugin to v5.x: Change to "@vitejs/plugin-react": "^5.0.1" if Vite 8 upgrade is not intended

@doubleword-code doubleword-code Bot left a comment

Summary

This PR upgrades @vitejs/plugin-react from ^5.0.1 to ^6.0.0. However, this upgrade introduces a critical compatibility issue: @vitejs/plugin-react v6.0.0 explicitly dropped support for Vite 7 and below (requiring Vite 8+), but the project is still on Vite ^7.3.2. This will cause the build to fail or behave unexpectedly.

Additionally, the pnpm-lock.yaml changes show the overrides section was removed, and the rollup override (npm:@rollup/wasm-node) no longer appears to be applied - the lockfile now resolves to standard rollup@4.60.3 instead.

Verdict: Blocked - requires Vite 8 upgrade alongside this plugin update.

Research notes

  • @vitejs/plugin-react v6.0.0 changelog: States "Drop Vite 7 and below support (#1124)" and "Vite 7 and below are no longer supported. If you are using Vite 7, please upgrade to Vite 8."
  • v6.0.0 also removed Babel-related features - Babel is no longer a dependency of this plugin. Projects using custom Babel plugins need to use @rolldown/plugin-babel alongside this plugin.
  • The peerDependencies for v6.0.2 specify vite: ^8.0.0

Suggested next steps

  1. Blocking: Upgrade Vite from ^7.3.2 to ^8.0.0 (or later) alongside this plugin upgrade, or pin @vitejs/plugin-react to ^5.2.0 if Vite 7 must be retained.
  2. Investigation: Verify that pnpm overrides are being applied correctly. The lockfile no longer contains the overrides section, and rollup appears to be resolving to the standard package instead of @rollup/wasm-node. Run pnpm install to regenerate the lockfile with proper overrides.

General findings

  • The removal of the overrides section from pnpm-lock.yaml is concerning. While overrides in package.json should propagate to the lockfile, the diff shows rollup resolving to rollup@4.60.3 instead of @rollup/wasm-node@4.60.3. This could indicate the overrides weren't properly applied during lockfile generation.
  • If the project relies on the @rollup/wasm-node override for WASM-based Rollup functionality, this change could break builds on certain platforms.

Comment thread dashboard/package.json
"@types/react": "^19.2.2",
"@types/react-dom": "^19.1.7",
"@vitejs/plugin-react": "^5.0.1",
"@vitejs/plugin-react": "^6.0.0",

Blocking: This version requires Vite 8+, but the project uses Vite ^7.3.2.

Why it matters: According to the @vitejs/plugin-react v6.0.0 changelog, this version explicitly "Drop[s] Vite 7 and below support" and requires vite: ^8.0.0 as a peer dependency. Using this plugin version with Vite 7 will likely cause build failures or runtime errors.

Suggested fix: Either:

  1. Upgrade Vite to ^8.0.0 alongside this plugin upgrade, OR
  2. Pin this plugin to "^5.2.0" (the latest v5.x) if staying on Vite 7 is intentional

Comment thread dashboard/pnpm-lock.yaml
autoInstallPeers: true
excludeLinksFromLockfile: false

overrides:

Non-blocking: The pnpm overrides section was removed from the lockfile, but overrides are still defined in package.json.

Why it matters: The package.json specifies these overrides:

"pnpm": {
  "overrides": {
    "rollup": "npm:@rollup/wasm-node",
    "lodash": "^4.18.0",
    "mdast-util-to-hast": "^13.2.1"
  }
}

However, the lockfile no longer has an overrides section, and examining the resolved dependencies shows rollup@4.60.3 instead of @rollup/wasm-node@4.60.3. This suggests the overrides may not have been properly applied during lockfile generation.

Suggested fix: Run pnpm install in the dashboard directory to regenerate the lockfile with the correct overrides applied. Verify that @rollup/wasm-node is being used if that override is required for your build environment.

@doubleword-code doubleword-code Bot left a comment

Summary

This PR updates @vitejs/plugin-react from ^5.0.1 to ^6.0.0. However, this major version upgrade introduces breaking changes that make it incompatible with the current project configuration:

  1. Peer dependency mismatch: v6 requires vite ^8.0.0, but the project uses vite ^7.3.2
  2. Missing overrides in lockfile: The pnpm overrides (including rollup: npm:@rollup/wasm-node) were removed from the lockfile but are still present in package.json
  3. Architecture change: v6 switched from Babel-based transforms to Rolldown-specific APIs, marking Rollup as "incompatible"

Verdict: Blocked - This update cannot be applied without also upgrading Vite to v8 and potentially addressing the Rolldown migration.

Research notes

Fetched the official package.json for @vitejs/plugin-react@6.0.2 from the vite-plugin-react repository. Key findings:

  • Peer dependencies changed:

    • Old (v5): vite: ^4.2.0 || ^5.0.0 || ^6.0.0 || ^7.0.0 || ^8.0.0
    • New (v6): vite: ^8.0.0 only
    • New optional peers: @rolldown/plugin-babel, babel-plugin-react-compiler
  • Compatible packages section explicitly states:

    "compatiblePackages": {
      "rolldown": {"type": "compatible", ...},
      "rollup": {"type": "incompatible", "reason": "Uses Rolldown-specific APIs or Vite-specific APIs"}
    }

This confirms v6 is designed for the Rolldown-based Vite 8 ecosystem, not the current Rollup-based Vite 7 setup.

Suggested next steps

  1. Do not merge this PR as-is - it will break the build
  2. If upgrading to Vite 8 is desired, create a separate PR that:
    • Updates vite to ^8.0.0
    • Updates @vitejs/plugin-react to ^6.0.0
    • Tests the full build pipeline
    • Addresses any Rolldown compatibility issues
  3. Alternatively, constrain the Renovate config to only allow @vitejs/plugin-react updates within the v5.x range until Vite 8 migration is planned
  4. Investigate why the pnpm overrides were dropped from the lockfile - this should be preserved regardless of the plugin version

General findings

Lockfile inconsistency

The overrides section present in dashboard/package.json (lines 103-107):

"overrides": {
  "rollup": "npm:@rollup/wasm-node",
  "lodash": "^4.18.0",
  "mdast-util-to-hast": "^13.2.1"
}

Was removed from dashboard/pnpm-lock.yaml in this PR. This is likely an artifact of how pnpm regenerated the lockfile, but it means the WASM-based Rollup override is no longer being enforced. This should be investigated - running pnpm install should restore these overrides in the lockfile if they're properly configured.

@doubleword-code doubleword-code Bot left a comment

Summary

This PR updates @vitejs/plugin-react from v5.0.1 to v6.0.0 (resolving to v6.0.2). However, this update introduces a blocking compatibility issue: @vitejs/plugin-react v6.x requires Vite 8.0.0+, but this project is currently using Vite 7.3.2.

Verdict: Blocked - This PR cannot be merged as-is because it violates peer dependency requirements.

Research notes

  • Fetched the official CHANGELOG for @vitejs/plugin-react:

    • v6.0.0 (2026-03-12) explicitly dropped support for Vite 7 and below: "Vite 7 and below are no longer supported. If you are using Vite 7, please upgrade to Vite 8."
    • v6 also removed Babel-related features; users needing Babel must now install @rolldown/plugin-babel separately
  • Fetched npm registry metadata:

    • peerDependencies: { "vite": "^8.0.0" }
    • Current project uses "vite": "^7.3.2" in dashboard/package.json:91

Suggested next steps

  1. Option A (Recommended): Upgrade Vite to v8.x alongside this plugin update. This requires:

    • Updating "vite": "^8.0.0" (or latest v8) in package.json
    • Verifying no breaking changes affect the build/dev server configuration
    • Running full test suite to ensure compatibility
  2. Option B: Keep @vitejs/plugin-react at v5.x until the team is ready to upgrade Vite to v8

General findings

  • The pnpm overrides section was removed from pnpm-lock.yaml (rollup: npm:@rollup/wasm-node, lodash, mdast-util-to-hast). Verify these security/version overrides are no longer needed or if they should be preserved in package.json.

  • The project does not use any Babel configuration with the react plugin (both vite.config.ts and vitest.config.ts use react() with no options), so the removal of Babel features in v6 does not directly impact current usage.

  • Note that @ungap/structured-clone@1.3.0 in the lockfile has a deprecation warning: "Potential CWE-502 - Update to 1.3.1 or higher". This is unrelated to this PR but worth noting.

General findings (auto-demoted from inline due to pre-validation)

  • Non-blocking dashboard/package.json:103 — The pnpm overrides section was removed in this PR (previously contained rollup: npm:@rollup/wasm-node, lodash: ^4.18.0, mdast-util-to-hast: ^13.2.1).
    • (demoted: line 103 (side=LEFT) is not part of any diff hunk in dashboard/package.json)

Comment thread dashboard/package.json
"@types/react": "^19.2.2",
"@types/react-dom": "^19.1.7",
"@vitejs/plugin-react": "^5.0.1",
"@vitejs/plugin-react": "^6.0.0",

Blocking: This version requires Vite 8.0.0+ as a peer dependency, but the project uses Vite 7.3.2 (line 91).

Why it matters: According to the official CHANGELOG, v6.0.0 explicitly dropped support for Vite 7: "Vite 7 and below are no longer supported. If you are using Vite 7, please upgrade to Vite 8." The npm registry confirms peerDependencies: { "vite": "^8.0.0" }. Installing incompatible peer dependencies can cause runtime errors, build failures, or subtle bugs.

Suggested fix: Either:

  1. Upgrade Vite to v8.x: Change line 91 to "vite": "^8.0.0" (verify compatibility first)
  2. Or keep this plugin at v5.x: "@vitejs/plugin-react": "^5.0.1" until ready to upgrade Vite
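
The two checks the review comments keep asking for by hand (do the pnpm.overrides in package.json still appear in the lockfile, and can the project's vite range satisfy the plugin's peer range) can be run as one repeatable gate. This is an added example, not code from this PR or from the reviewers' tooling: the function names are hypothetical, the file contents are constructed from the snippets quoted in the comments, and the reader assumes the lockfile keeps overrides as a flat top-level `overrides:` mapping and that ranges are plain caret ranges with a major of 1 or more.

```javascript
// Constructed sample inputs, modelled on the snippets quoted in the review comments.
const PACKAGE_JSON = JSON.stringify({
  devDependencies: { "@vitejs/plugin-react": "^6.0.0", vite: "^7.3.2" },
  pnpm: {
    overrides: {
      rollup: "npm:@rollup/wasm-node",
      lodash: "^4.18.0",
      "mdast-util-to-hast": "^13.2.1",
    },
  },
});
const LOCK_SETTINGS = [
  "settings:",
  "  autoInstallPeers: true",
  "  excludeLinksFromLockfile: false",
  "",
];
const LOCK_OVERRIDES = [
  "overrides:",
  "  rollup: npm:@rollup/wasm-node",
  "  lodash: ^4.18.0",
  "  mdast-util-to-hast: ^13.2.1",
  "",
];
const LOCK_TAIL = ["importers:", "  .: {}"];
const LOCK_BEFORE = [...LOCK_SETTINGS, ...LOCK_OVERRIDES, ...LOCK_TAIL].join("\n");
const LOCK_AFTER = [...LOCK_SETTINGS, ...LOCK_TAIL].join("\n");

// Read the flat top-level `overrides:` mapping without a YAML dependency.
function readLockfileOverrides(lockText) {
  const overrides = new Map();
  let inBlock = false;
  for (const line of lockText.split(/\r?\n/)) {
    if (/^\S/.test(line)) {
      // Any unindented line is a top-level key: it opens or closes the block.
      inBlock = /^overrides:\s*$/.test(line);
      continue;
    }
    if (!inBlock || line.trim() === "") continue;
    // Keys and values may be quoted; "npm:" aliases contain a colon but no space after it.
    const m = /^\s+(['"]?)(.+?)\1:\s+(['"]?)(.+?)\3\s*$/.exec(line);
    if (!m) throw new Error(`unparsed overrides line: ${line}`);
    overrides.set(m[2], m[4]);
  }
  return overrides;
}

// List every disagreement between package.json's pnpm.overrides and the lockfile.
function overrideDrift(packageJsonText, lockText) {
  const declared = (JSON.parse(packageJsonText).pnpm || {}).overrides || {};
  const locked = readLockfileOverrides(lockText);
  const drift = [];
  for (const [name, spec] of Object.entries(declared)) {
    if (!locked.has(name)) {
      drift.push(`${name}: ${spec} declared, missing from lockfile`);
    } else if (locked.get(name) !== spec) {
      drift.push(`${name}: ${spec} declared, lockfile has ${locked.get(name)}`);
    }
  }
  for (const [name, spec] of locked) {
    if (!Object.prototype.hasOwnProperty.call(declared, name)) {
      drift.push(`${name}: ${spec} in lockfile, not declared`);
    }
  }
  return drift;
}

// Majors covered by a "^a.b.c || ^d.e.f" range; anything else is rejected, not guessed.
function caretMajors(range) {
  return range.split("||").map((part) => {
    const m = /^\s*\^(\d+)\.\d+\.\d+\s*$/.exec(part);
    if (!m || m[1] === "0") throw new Error(`unsupported range: ${part.trim()}`);
    return Number(m[1]);
  });
}

// Two caret ranges with major >= 1 share a version exactly when their majors match.
function peerSatisfiable(projectRange, peerRange) {
  const accepted = new Set(caretMajors(peerRange));
  return caretMajors(projectRange).some((major) => accepted.has(major));
}

// Combine both checks; an empty result means the change passes the gate.
function gate(packageJsonText, lockText, pluginPeerRange) {
  const problems = overrideDrift(packageJsonText, lockText);
  const vite = JSON.parse(packageJsonText).devDependencies.vite;
  if (!peerSatisfiable(vite, pluginPeerRange)) {
    problems.push(`vite ${vite} cannot satisfy peer range ${pluginPeerRange}`);
  }
  return problems;
}

// Peer range "^8.0.0" is the v6 value quoted in the review comments.
console.log(gate(PACKAGE_JSON, LOCK_AFTER, "^8.0.0").join("\n"));
```

A header-only comparison like this says nothing about what was actually resolved, so it complements rather than replaces the `pnpm list rollup` check suggested in the comments.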
