I'd just spent an afternoon wrestling ESLint's flat config into shape. Again. The old .eslintrc format was deprecated, the new eslint.config.js kept conflicting with other tools, and half the plugins hadn't caught up yet. This was on my own website (the one you're reading right now). I had the same mess brewing in a compliance tool I build for my clients.
Then VoidZero released Vite+ in alpha, and within a week both projects were running on it. Not because I love shiny tools. Because the tooling your team uses quietly shapes how secure the code ends up, and I was tired of fighting config files instead of shipping checks.
Fast enough that people actually run their checks
Vite+ is built on Rust. Oxlint benchmarks at 50 to 100x faster than ESLint. But I don't care about the benchmarks for their own sake.
What I care about: when your test suite takes minutes, developers skip it. They comment out the slow checks, or push straight to CI and let the pipeline deal with it. Security linting, static analysis, type checking. None of it works if nobody runs it locally. Shave that feedback loop down to seconds and something shifts. People leave the checks on. You might even get away with adding a few more. Same developer time, more security coverage.
The default is now the secure path
This is the part that really sold me. On the compliance tool, I had a sprawling ESLint config, a separate formatter setup, and a tsconfig that nobody had touched in months. After running vp migrate, that collapsed into a few lines in vite.config.ts. Oxlint with 600+ rules, formatting via Oxfmt, type checking through tsgolint (powered by Microsoft's tsgo, the Go port of the TypeScript compiler). All enabled by default.
I think most teams don't skip security tooling out of apathy. They skip it because someone needed to configure it and nobody did. Vite+ just removes that step. Run vp check and you get linting, formatting, and type checking in one pass, zero setup. The path of least resistance and the secure path become the same thing, which is exactly where you want defaults to sit.
vp migrate handles existing projects on Vite 8+ and Vitest 4.1+. vp create scaffolds new ones with everything already wired up. I had both my projects converted within a few days, and most of that time was deleting old configs I no longer needed. (Oddly satisfying, that.)
What one CLI covers
What makes vp interesting isn't any single command. It's the breadth. vp check runs linting, formatting, and type checking in one pass. vp build produces production bundles through Rolldown. vp env handles your Node version so you're not juggling nvm on top of everything else. The docs cover the full list, but the real point: one tool, one config file, one dependency to audit. Compare that to the usual devDependencies graveyard, where thirty packages you've never audited each pull in their own dependency trees.
Your build tool is a security decision
Nobody frames their build tool choice this way. But the tools your team reaches for every day determine whether checks actually get run, whether linting rules stay enforced, and how much of your dependency tree you're implicitly trusting.
Next time someone proposes switching build tools, don't treat it as a pure developer experience decision. Ask what it does to your check coverage. Ask how many transitive dependencies you'd be signing up to trust. The answer might matter more than the benchmark numbers.
If you're on Vite already, take a look at viteplus.dev or the GitHub repo.
Related
- Portless: Named URLs for Local Dev for stable named URLs in local development