Replace rollup-plugin-license with rolldown-license-plugin #37130
silverwind merged 22 commits into go-gitea:main
Remove the `rollup-plugin-license` dependency and replace it with a lightweight inline Vite plugin that walks bundle chunks to collect third-party license info. This eliminates `lodash` and `moment` as transitive production dependencies (~10MB), and the custom plugin also discovers 7 additional bundled packages that the old plugin was missing. Co-Authored-By: Claude (Opus 4.6) <noreply@anthropic.com>
Pull request overview
This PR removes the rollup-plugin-license dependency and replaces it with a small inline Vite plugin that scans the build bundle to generate licenses.txt, aiming to reduce dependency surface area and address reported security issues in the rollup-based solution.
Changes:
- Removed `rollup-plugin-license` from `package.json` and lockfile.
- Added a custom `licensesPlugin()` in `vite.config.ts` that walks bundle modules, finds package roots, and writes `public/assets/licenses.txt`.
- Updated `pnpm-lock.yaml` to reflect dependency graph changes after removing the rollup plugin (and related transitive updates).
Reviewed changes
Copilot reviewed 2 out of 3 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| vite.config.ts | Replaces rollup-based license generation with a custom Vite plugin that collects license text from bundled node_modules and Go license JSON. |
| package.json | Drops the rollup-plugin-license dependency. |
| pnpm-lock.yaml | Removes rollup-related packages and updates transitive dependencies after lockfile re-resolution. |
Files not reviewed (1)
- pnpm-lock.yaml: Language not supported
Extract to constant and align with Go regex `licenseRe` in build/generate-go-licenses.go. Also matches UNLICENSE and COPYING. Co-Authored-By: Claude (Opus 4.6) <noreply@anthropic.com>
1840301 to d068779
I'm considering extracting this to its own repo/npm module, given that I also have the same need in other projects and there's no suitable 0-dependency module available yet.
Replace inline license collection and wrap-ansi with rolldown-license-plugin which provides async parallel I/O and a built-in word-wrap function. This reduces license build time by ~40% (370ms vs 640ms). Co-Authored-By: Claude (Opus 4.6) <noreply@anthropic.com>
`rollup-plugin-license with custom Vite plugin` → `rollup-plugin-license with rolldown-license-plugin`
Done, extracted https://github.com/silverwind/rolldown-license-plugin. Build time is ~60% faster than on main branch, while producing more licenses in the output. Notably, modules where no license file was found still render with empty text into
Add license validation matching main branch behavior. Use wrap() directly in onDone callback instead of wrapText option. Co-Authored-By: Claude (Opus 4.6) <noreply@anthropic.com>
Signed-off-by: silverwind <me@silverwind.io>
Update to 2.2.0 which adds failOnViolation and failOnUnlicensed options and warns on violations via console.warn (matching rollup-plugin-license behavior). Remove anchors from allow regex that rejected compound SPDX expressions like (MIT OR Apache-2.0). Co-Authored-By: Claude (Opus 4.6) <noreply@anthropic.com>
…license * origin/main: Update go dependencies (go-gitea#37141) Update javascript dependencies (go-gitea#37142) Bump min go version to 1.26.2 (go-gitea#37139) Add bulk repository deletion for organizations (go-gitea#36763) [skip ci] Updated translations via Crowdin # Conflicts: # package.json # pnpm-lock.yaml
Fixed the regex and implemented license violation options in the plugin. Did not enable them, so violations will only produce warnings like it did before in webpack and with the previous plugin.
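The trade-off behind the allow-regex change discussed above, as an added example that is not part of this PR, Gitea's configuration or the plugin's code: an anchored pattern rejects compound SPDX expressions, an unanchored one also accepts expressions that merely contain an allowed id, and evaluating the AND/OR structure avoids both. The allow-list, both regexes and the function names are constructed for illustration.

```javascript
// Added example: the allow-list and both regexes are constructed for illustration.
const ALLOWED = new Set(["MIT", "Apache-2.0", "BSD-3-Clause", "ISC"]);
const anchoredAllow = /^(MIT|Apache-2\.0|BSD-3-Clause|ISC)$/; // whole string must be one id
const unanchoredAllow = /(MIT|Apache-2\.0|BSD-3-Clause|ISC)/; // id may appear anywhere

// Split an SPDX expression into parentheses, operators and license ids.
function tokenize(expr) {
  return expr.match(/\(|\)|[A-Za-z0-9.+-]+/g) ?? [];
}

// Evaluate the expression against ALLOWED: OR passes if either side passes,
// AND only if both do. Anything unparseable (including WITH) throws, so the
// caller fails closed.
function isAllowed(expr) {
  const tokens = tokenize(expr);
  let pos = 0;

  function parseOr() {
    let ok = parseAnd();
    while (tokens[pos] === "OR") {
      pos++;
      const rhs = parseAnd(); // always parse, even if ok is already true
      ok = ok || rhs;
    }
    return ok;
  }
  function parseAnd() {
    let ok = parseAtom();
    while (tokens[pos] === "AND") {
      pos++;
      const rhs = parseAtom();
      ok = ok && rhs;
    }
    return ok;
  }
  function parseAtom() {
    const tok = tokens[pos++];
    if (tok === "(") {
      const ok = parseOr();
      if (tokens[pos++] !== ")") throw new SyntaxError(`unbalanced parentheses: ${expr}`);
      return ok;
    }
    if (tok === undefined || [")", "OR", "AND", "WITH"].includes(tok)) {
      throw new SyntaxError(`expected a license id: ${expr}`);
    }
    return ALLOWED.has(tok);
  }

  const ok = parseOr();
  if (pos !== tokens.length) throw new SyntaxError(`unexpected token: ${expr}`);
  return ok;
}
```

Treat a thrown `SyntaxError` as a violation, so that malformed or unsupported license strings are surfaced for manual review.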
Backport so we eliminate the rollup dependency (less dependency vulns).
I was unable to create a backport for 1.26. @silverwind, please send one manually. 🍵
Backport of #37130 to v1.26. Co-Authored-By: Copilot <175728472+Copilot@users.noreply.github.com> Co-Authored-By: Claude Sonnet 4 (claude-sonnet-4) Co-authored-by: silverwind <115237+silverwind@users.noreply.github.com>
…tea#37130) Cherry-pick of 04fb6f1. Co-Authored-By: silverwind <me@silverwind.io> Co-Authored-By: Claude (Opus 4.6) <noreply@anthropic.com>
* main: Make Markdown fenced code block work with more syntaxes (go-gitea#37154) Remove unneeded doctor sub-commands (go-gitea#37156) Report structurally invalid workflows to users (go-gitea#37116) Replace `rollup-plugin-license` with `rolldown-license-plugin` (go-gitea#37130) Clean up and improve non-gitea js error filter (go-gitea#37148)
Replace `rollup-plugin-license` and `wrap-ansi` with `rolldown-license-plugin`, a zero-dependency plugin with async parallel I/O and built-in word wrapping.

- `rollup-plugin-license` (pulls in `lodash`, `moment`) and `wrap-ansi` from the dependency tree
- `licenses.txt`

This PR was written with the help of Claude Opus 4.6