build(deps-dev): bump vite from 8.0.13 to 8.0.16 in the npm_and_yarn group across 1 directory #210

Closed
dependabot[bot] wants to merge 1 commit into main from dependabot/npm_and_yarn/npm_and_yarn-bed0206944

dependabot Bot commented on behalf of github Jun 16, 2026

Bumps the npm_and_yarn group with 1 update in the / directory: vite.

Updates vite from 8.0.13 to 8.0.16

Release notes

Sourced from vite's releases.

v8.0.16

Please refer to CHANGELOG.md for details.

v8.0.15

Please refer to CHANGELOG.md for details.

v8.0.14

Please refer to CHANGELOG.md for details.

Changelog

Sourced from vite's changelog.

8.0.16 (2026-06-01)

Bug Fixes

8.0.15 (2026-06-01)

Features

Bug Fixes

  • capitalize error messages and remove spurious space in parse error (#22488) (85a0eff)
  • deps: update all non-major dependencies (#22511) (2686d7d)
  • dev: fix html-proxy cache key mismatch for /@fs/ HTML paths (#21762) (47c4213)
  • glob: error on relative glob in virtual module when no files match (#22497) (5c8e98f)
  • optimizer: close the rolldown bundle when write() rejects (#22528) (e3cfb9d)
  • resolve: provide onWarn for viteResolvePlugin in JS plugin containers (#22509) (40985f1)

Miscellaneous Chores

Code Refactoring

8.0.14 (2026-05-21)

Features

Bug Fixes

  • deps: update all non-major dependencies (#22471) (98b8163)
  • dev: handle errors when sending messages to vite server (#22450) (e8e9a34)
  • html: handle trailing slash paths in transformIndexHtml (#22480) (5d94d1b)
  • optimizer: pass oxc jsx options to transformSync in dependency scan (#22342) (b3132da)

Miscellaneous Chores

  • deps: update rolldown-related dependencies (#22470) (7cb728e)
  • remove irrelevant commits from changelog (2c69495)

Code Refactoring

  • glob: do not rewrite import path for absolute base (#22310) (0ae2844)

... (truncated)

Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps the npm_and_yarn group with 1 update in the / directory: [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite).


Updates `vite` from 8.0.13 to 8.0.16
- [Release notes](https://github.com/vitejs/vite/releases)
- [Changelog](https://github.com/vitejs/vite/blob/main/packages/vite/CHANGELOG.md)
- [Commits](https://github.com/vitejs/vite/commits/v8.0.16/packages/vite)

---
updated-dependencies:
- dependency-name: vite
  dependency-version: 8.0.16
  dependency-type: direct:development
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <[email protected]>

dependabot Bot added the dependencies (Pull requests that update a dependency file) and javascript (Pull requests that update javascript code) labels Jun 16, 2026

chatgpt-codex-connector Bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: addbcff657

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

Comment thread package.json
"tsx": "^4.22.4",
"typescript": "^6.0.3",
"vite": "8.0.13",
"vite": "8.0.16",
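
Review bot: on the `"vite": "8.0.16"` line, an exact-version pin changes in package.json and no lockfile hunk accompanies it in this thread. The pin is compared verbatim against the specifier recorded in pnpm-lock.yaml, so regenerate the lockfile with pnpm install and commit it in the same change; otherwise the manifest and the recorded dependency graph disagree about which Vite is in use.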

[P1] Update the pnpm lockfile with the Vite bump

This updates the manifest to vite 8.0.16, but pnpm-lock.yaml still records the root importer vite specifier and resolved version as 8.0.13 (pnpm-lock.yaml:87-89). I checked the CI workflow and it runs pnpm install --frozen-lockfile (.github/workflows/ci.yml:48); pnpm's --frozen-lockfile install semantics fail when the lockfile is out of sync with the manifest, so this dependency bump will block CI installs until the lockfile is regenerated and committed.

Useful? React with 👍 / 👎.

clawsweeper Bot commented Jun 16, 2026

Codex review: needs changes before merge. Reviewed June 16, 2026, 6:14 PM ET / 22:14 UTC.

Summary
The PR bumps the root devDependency vite from 8.0.13 to 8.0.16 in package.json.

Reproducibility: yes, for the patch defect by source inspection: the PR-head manifest requests Vite 8.0.16 while the PR-head lockfile still records Vite 8.0.13 and CI uses frozen pnpm installs. I did not run install commands because this review is read-only.

Review metrics: 2 noteworthy metrics.

  • Dependency files changed: 1 manifest changed, 0 lockfile changes. A pnpm dependency bump is only effective when the lockfile graph is updated with the manifest.
  • Vite version state: PR head: package.json 8.0.16, pnpm-lock.yaml 8.0.13. The committed dependency graph still points at the old Vite version.

Merge readiness
Overall: 🧂 unranked krab
Proof: 🌊 off-meta tidepool
Patch quality: 🧂 unranked krab
Result: blocked by patch quality or review findings.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

  • Regenerate and commit pnpm-lock.yaml for Vite 8.0.16.
  • [P2] Validate with the repository pnpm 10.33.2 frozen install and pnpm check path.

Risk before merge

  • [P1] Merging as-is would commit package metadata claiming Vite 8.0.16 while the lockfile-backed dependency graph still resolves Vite 8.0.13.
  • [P1] Green CI would not prove this dependency bump because the workflow installs from the unchanged frozen lockfile.

Maintainer options:

  1. Regenerate the lockfile before merge (recommended)
    Update pnpm-lock.yaml so the override, importer, and dependent graph resolve Vite 8.0.16, then rerun the frozen install/check path.
  2. Let Dependabot recreate the bump
    If maintainers prefer not to repair a bot branch, close this PR and let Dependabot open a fresh update that includes the lockfile.
Copy recommended automerge instruction
@clawsweeper automerge

Special instructions:
Regenerate `pnpm-lock.yaml` for the existing Vite 8.0.16 package.json bump, keep the change limited to the dependency graph needed for Vite, and validate with the repository pnpm 10.33.2 frozen install/check path.

Next step before merge

  • [P2] The remaining blocker is a narrow mechanical lockfile repair that automation can attempt without a product decision.

Security
Cleared: No concrete security or supply-chain regression was found in the one-line manifest bump; the blocker is that the lockfile makes the update ineffective.

Review findings

  • [P1] Update the lockfile so Vite is actually bumped — package.json:98

Review details

Best possible solution:

Regenerate and commit pnpm-lock.yaml for Vite 8.0.16, then validate the existing pnpm 10.33.2 frozen install and check path before merge.

Do we have a high-confidence way to reproduce the issue?

Yes for the patch defect by source inspection: the PR-head manifest requests Vite 8.0.16 while the PR-head lockfile still records Vite 8.0.13 and CI uses frozen pnpm installs. I did not run install commands because this review is read-only.

Is this the best way to solve the issue?

No as submitted. The narrow maintainable fix is to update the pnpm lockfile with the dependency bump, not to merge a manifest-only change.

Full review comments:

  • [P1] Update the lockfile so Vite is actually bumped — package.json:98
    The PR head changes package.json to Vite 8.0.16, but pnpm-lock.yaml still pins the override/importer graph to Vite 8.0.13. Because CI uses frozen pnpm installs, merging this would leave installs on the old Vite version despite the manifest change.
    Confidence: 0.97

Overall correctness: patch is incorrect
Overall confidence: 0.97

AGENTS.md: found and applied where relevant.

Codex review notes: model internal, reasoning high; reviewed against 37391ce70b3f.

Label changes

Label justifications:

  • P2: This is a normal dependency-maintenance PR with a concrete merge blocker and limited blast radius.
  • merge-risk: 🚨 compatibility: Merging would leave package metadata inconsistent with the lockfile-backed dependency graph used by frozen installs.
  • rating: 🧂 unranked krab: Overall readiness is 🧂 unranked krab; proof is 🌊 off-meta tidepool and patch quality is 🧂 unranked krab.
  • status: ⏳ waiting on author: ClawSweeper has contributor-facing work open and is waiting for author action. Not applicable: This is a Dependabot bot dependency PR, so contributor real-behavior proof is not required by the external-contributor proof gate.

Evidence reviewed

Acceptance criteria:

  • [P1] corepack enable.
  • [P1] corepack prepare pnpm@10.33.2 --activate.
  • [P1] pnpm install --frozen-lockfile.
  • [P1] pnpm check.

What I checked:

  • Repository policy read: AGENTS.md was read in full; its pnpm-only and green-gate guidance applies to this dependency-lockfile review. (AGENTS.md:1, 37391ce70b3f)
  • PR diff changes only the manifest: The PR diff contains one changed file and only replaces the Vite devDependency specifier in package.json. (package.json:98, addbcff65796)
  • PR-head manifest requests Vite 8.0.16: At the PR head, package.json line 98 requests vite: 8.0.16. (package.json:98, addbcff65796)
  • PR-head lockfile still pins Vite 8.0.13: At the PR head, pnpm-lock.yaml still has the Vite override and root importer specifier/version on 8.0.13, including the Vitest graph referencing Vite 8.0.13. (pnpm-lock.yaml:11, addbcff65796)
  • CI uses frozen pnpm installs: The CI workflow runs pnpm install --frozen-lockfile, so the committed lockfile controls the dependency graph used by CI. (.github/workflows/ci.yml:48, 37391ce70b3f)
  • Release checklist expects lockfile refresh: The release checklist says to run pnpm install to refresh the lockfile when dependencies change. (docs/RELEASE.md:25, 37391ce70b3f)

Likely related people:

  • Peter Steinberger: Blame and log history attribute the current package.json, pnpm-lock.yaml, and CI workflow baseline to the 0.12.0 release-preparation commit. (role: introduced current dependency baseline; confidence: medium; commits: 023314cf31cd; files: package.json, pnpm-lock.yaml, .github/workflows/ci.yml)

What the crustacean ranks mean
  • 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
  • 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
  • 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
  • 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
  • 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
  • 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
  • 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works
  • ClawSweeper keeps one durable marker-backed review comment per issue or PR.
  • Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
  • A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
  • PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
  • Maintainers can also comment @clawsweeper review to request a fresh review only.
  • Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
  • Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
  • Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.
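
The drift both reviews describe (package.json at 8.0.16, pnpm-lock.yaml at 8.0.13) can be caught before CI by comparing the two files directly. The following is an added example, not code from this repository or from either bot; it assumes the pnpm lockfile v9 layout, and the sample manifest and lockfile text are constructed.

```javascript
// Added example (not from the PR): list direct dependencies whose package.json
// specifier differs from the root importer entry in pnpm-lock.yaml.
// Assumes lockfile v9 layout; SAMPLE_* inputs are constructed for illustration.
const SAMPLE_MANIFEST = '{"devDependencies":{"tsx":"^4.22.4","vite":"8.0.16"}}';
const SAMPLE_LOCK = `lockfileVersion: '9.0'
importers:
  .:
    devDependencies:
      tsx:
        specifier: ^4.22.4
        version: 4.22.4
      vite:
        specifier: 8.0.13
        version: 8.0.13
packages:
`;
const unquote = (s) => s.replace(/^['"]|['"]$/g, "");

// Walk by indentation; return Map(name -> specifier) for importer '.'.
function lockSpecifiers(lockText) {
  const specs = new Map();
  let section = null, importer = null, dep = null;
  for (const line of lockText.split(/\r?\n/)) {
    const text = line.trim();
    if (!text) continue;
    const indent = line.length - line.trimStart().length;
    if (indent === 0) { section = text; importer = dep = null; }
    else if (section !== "importers:") continue;
    else if (indent === 2) { importer = unquote(text.replace(/:$/, "")); dep = null; }
    else if (importer !== ".") continue;
    else if (indent === 6) dep = unquote(text.replace(/:$/, ""));
    else if (indent === 8 && dep && text.startsWith("specifier:"))
      specs.set(dep, unquote(text.slice("specifier:".length).trim()));
  }
  return specs;
}

// Return [{ name, manifest, lockfile }] for each out-of-sync direct dependency.
function findDrift(manifestText, lockText) {
  const manifest = JSON.parse(manifestText);
  const locked = lockSpecifiers(lockText);
  const drift = [];
  for (const group of ["dependencies", "devDependencies", "optionalDependencies"])
    for (const [name, wanted] of Object.entries(manifest[group] ?? {})) {
      const have = locked.get(name) ?? null;
      if (have !== wanted) drift.push({ name, manifest: wanted, lockfile: have });
    }
  return drift;
}
console.log(findDrift(SAMPLE_MANIFEST, SAMPLE_LOCK));
```

A non-empty result means the lockfile has to be regenerated and committed with the manifest change; a `lockfile: null` entry means the dependency is missing from the root importer entirely.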

clawsweeper Bot added the rating: 🧂 unranked krab (Not merge-ready due to missing proof or serious correctness/safety concerns.), status: ⏳ waiting on author (ClawSweeper has contributor-facing work open and is waiting for author action.), P2 (Normal priority bug or improvement with limited blast radius.) and merge-risk: 🚨 compatibility (🚨 Merging this PR could break existing users, config, migrations, defaults, or upgrades.) labels Jun 16, 2026

dependabot Bot commented on behalf of github Jun 17, 2026

Looks like vite is no longer updatable, so this is no longer needed.

dependabot Bot closed this Jun 17, 2026
dependabot Bot deleted the dependabot/npm_and_yarn/npm_and_yarn-bed0206944 branch June 17, 2026 02:09