chore: bump the npm-patch-minor group with 3 updates

[dependabot]

Bumps the npm-patch-minor group with 3 updates: @vitest/coverage-v8, knip and vite-plus.

Updates @vitest/coverage-v8 from 4.1.5 to 4.1.7

Release notes

Sourced from @​vitest/coverage-v8's releases.

v4.1.7

   🐞 Bug Fixes

• runner: Limit concurrency per task branch in addition to per leaf callbacks (backport)  -  by @​hi-ogawa in vitest-dev/vitest#10384 (4f0f2)

    View changes on GitHub

v4.1.6

   🐞 Bug Fixes

• browser: Provide project reference in ToMatchScreenshotResolvePath  -  by @​macarie and @​sheremet-va in vitest-dev/vitest#10138 (31882)
• Global sequence.concurrent: true with top-level test(..., { concurrent: false }) + depreacte sequential test API and options  -  by @​hi-ogawa, Codex and @​sheremet-va in vitest-dev/vitest#10196 (2847d)
• browser: Simplify orchestrator otel carrier  -  by @​hi-ogawa in vitest-dev/vitest#10285 (18af9)

   🏎 Performance

• Stringify diff objects only once  -  by @​sheremet-va in vitest-dev/vitest#10276 (9f7b1)

    View changes on GitHub

Commits

• a09d472 chore: release v4.1.7
• a8fd24c chore: release v4.1.6
• See full diff in compare view

Updates knip from 6.14.0 to 6.14.1

Release notes

Sourced from knip's releases.

Release 6.14.1

• Detect dynamic imports in Svelte compiler (#1747) (e1c1b1705f96ed7d6ac537a7969cbd07d238246a) - thanks @​jinhyuk9714!
• Detect dynamic import attributes; share import matcher with Astro-MDX (9dae64166bbc45be1abeb8d741127d109d48d351)
• Work the docs (close #1746) (919cba2f11d1979b854c7abaaca8992ee8b08e23)

Commits

• b99f1a5 Release knip@6.14.1
• 919cba2 Work the docs (close #1746)
• 9dae641 Detect dynamic import attributes; share import matcher with Astro-MDX
• e1c1b17 Detect dynamic imports in Svelte compiler (#1747)
• See full diff in compare view

Updates vite-plus from 0.1.20 to 0.1.22

Release notes

Sourced from vite-plus's releases.

vite-plus v0.1.22

A critical Vitest browser-mode security fix, parallel vp add -g installs, a built-in oxlint rule to prefer vite-plus imports, and a new --git switch for vp create.

Highlights

• Security: bundled vitest bumped to 4.1.6 to address GHSA-2h32-95rg-cppp (Critical, CVSS 9.6), an XSS to RCE chain via the otelCarrier query parameter in Vitest browser mode (#1633)
• Parallel global install: vp add/install/update -g now installs packages concurrently with a progress bar and a --concurrency flag (default 5) (#1597)
• Prefer vite-plus imports: new bundled oxlint rule rewrites vite/vitest imports to vite-plus, enabled by default in generated and migrated lint configs (#1408)
• Git init on scaffold: vp create learns --git/--no-git (interactive prompt; auto-commits "Initial commit from Vite+") (#1484)

Features

• Spawn npm for global installation in parallel with a progress bar and a --concurrency option (#1597), by @​liangmiQwQ
• Add bundled oxlint rule to prefer vite-plus imports over vite/vitest (#1408), by @​Han5991
• vp create: initialize a git repository and create an initial commit on scaffold (#1484), by @​ryohidaka
• vp create: rename underscore-prefixed files (_gitignore, _npmrc, _yarnrc.yml) to dotfiles for @org/create bundled templates (#1574), by @​jong-kyung
• Add VP_PR_VERSION env var to install unreleased PR builds via pkg.pr.new (#1578), by @​fengmk2

Fixes & Enhancements

• Skip merging standalone .oxfmtrc/.oxlintrc config when the fmt:/lint: key is already declared in vite.config.ts (fixes duplicate-block regression in vp create fate) (#1601), by @​fengmk2
• Suppress the VITE+ - The Unified Toolchain for the Web banner for vp lint --lsp, vp fmt --lsp, and vp fmt --stdin-filepath so stdout stays a pure LSP / formatter stream (#1619), by @​fengmk2
• vp create: detect output directory when running in the current directory (#1606), by @​jong-kyung
• vp update -g: skip installs when the recorded global package version already matches the npm-resolved version, and tolerate string/array outputs from npm view ... version --json (#1596), by @​leno23
• vp create: preserve single-segment project path in updateWorkspaceConfig (#1582), by @​jong-kyung
• vp env use: keep the change session-scoped on Windows (#1577), by @​fengmk2
• vp rebuild: accept positional package names (#1564), by @​fengmk2
• Adopt the new vite-task error formatter; errors now print as error: <top-level> plus * <source> chain lines, with bold-red highlight on a TTY (vite-task#390), by @​branchseer
• vite-task: forward LOCALAPPDATA so Node's compile cache stays outside the workspace on Windows (vite-task#389), by @​branchseer
• Bump vite-task to c945cc0 (#1628), by @​branchseer

Refactor

• Revert vp pm plugin command (per discussion in #1038) (#1623), by @​jong-kyung

Docs

• Add vitepress-plugin-llms to the docs site so the published docs include LLM-friendly outputs (/llms.txt) (#1625), by @​jong-kyung
• Refresh home stats for oxlint, vite, and vitest (#1512), by @​nozomee
• Mention vp env doctor in agent instructions (#1603), by @​leno23

Chore

• Consolidate the upstream build chain into a single pnpm build script (justfile recipe now just calls pnpm build) (#1626), by @​fengmk2
• Fix bootstrap-cli on Windows (#1583), by @​fengmk2
• Refresh trusted stack stats (#1573, #1616), by @​voidzero-guard[bot]
• Update GitHub Actions (#1611, #1612), by @​renovate[bot]
• Address zizmor findings in composite actions and the release workflow; drop unused actions-cool/issues-helper (#1630), by @​Boshen
• Switch plain checkouts to taiki-e/checkout-action (#1620), by @​Boshen
• Switch release to a version-bump PR + push trigger flow (#1575), by @​Boshen

... (truncated)

Commits

• 12368da release: v0.1.22 (#1637)
• 2a44bce chore: bump vite-task to c945cc0 (#1628)
• f0ae621 feat(cli): spawn npm for global installation in parallel and refine output (#...
• e80e241 revert: remove vp pm plugin command (#1623)
• 3dc7c75 docs: mention env doctor in agent instructions (#1603)
• 9e44db1 fix(cli): skip merging standalone oxfmt/oxlint config when key already in vit...
• 9f718e7 fix(cli): detect create output in current directory (#1606)
• 99d3e41 feat(cli): add oxlint rule to prefer vite-plus imports (#1408)
• 5d68116 feat(cli): Initialize a git repository and create an initial commit on scaffo...
• 023e700 test(cli): add --help case to config snap tests for npm10/yarn1/yarn4 (#1585)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

---

Summary by cubic

Bump @vitest/coverage-v8 to 4.1.7, knip to 6.14.1, and vite-plus to 0.1.21 to pull in patch fixes and improve dev tooling stability.

• Dependencies
  • @vitest/coverage-v8: 4.1.5 → 4.1.7 — fixes runner concurrency; minor browser and perf updates.
  • knip: 6.14.0 → 6.14.1 — better detection for dynamic imports (Svelte, import attributes).
  • vite-plus: 0.1.20 → 0.1.21 — patch updates to CLI/test tooling.

^{Written for commit af396f6. Summary will update on new commits. Review in cubic}

[cubic-dev-ai]

No issues found across 2 files

<sub>Tip: cubic could auto-approve low-risk PRs like this, if it thinks it's safe to merge. Learn more

Re-trigger cubic</sub>