feat(check): redefine --no-lint for type-check-only workflow

[jong-kyung]

Summary

Redefines vp check --no-lint so it runs Oxlint's --type-check-only path when
lint.options.typeCheck is enabled in vite.config.ts, and makes
vp check --no-fmt --no-lint the natural type-check-only invocation.

Replaces the abandoned PR #1417 approach (sidecar .mjs + --no-type-check
CLI flag), which conflicts with upstream PR #1378 handing config resolution
back to oxlint/oxfmt.

Related: closes #1275 for the lint-rule-noise-free type-error triage workflow.

Behavior matrix

Command	Behavior
vp check --no-lint (typeCheck=true)	Runs --type-check-only; lint rules suppressed
vp check --no-lint (typeCheck=false/missing)	Skips lint phase entirely (existing behavior)
vp check --no-fmt --no-lint (typeCheck=true)	Type-check only
vp check --no-fmt --no-lint (typeCheck=false)	error: No checks enabled with remediation hint
vp check --fix --no-lint (typeCheck=true)	fmt --fix + read-only type-check diagnostics

--no-type-check CLI flag is not introduced — deferred to a follow-up once
oxlint exposes a symmetric OFF-direction flag for type-check.

Key design notes

• typeAware prerequisite. Type-check only runs when both
  lint.options.typeAware and lint.options.typeCheck are true, matching the
  --type-check / --type-aware flag dependency in rfcs/check-command.md
  ("If --no-type-aware is set, --type-check is also implicitly disabled").
• --fix --no-lint on a typeCheck-enabled project runs fmt --fix and
  then type-check as read-only diagnostics. On type error, fmt's completion
  pass line is still surfaced so lint-staged / pre-commit flows can tell the
  working tree was mutated before the failure (previously swallowed).
• No sidecar. Config resolution is left to oxlint/oxfmt per PR fix(cli)!: stop injecting -c config so oxlint/oxfmt pick up nested vite.config.ts #1378.

[netlify]

✅ Deploy Preview for viteplus-preview ready!

Name	Link
🔨 Latest commit	0030c91
🔍 Latest deploy log	https://app.netlify.com/projects/viteplus-preview/deploys/69e8e595e2688600082c85f2
😎 Deploy Preview	https://deploy-preview-1444--viteplus-preview.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	acorn-import-assertions@​1.9.0
	@​type-challenges/​utils@​0.1.1
	@​babel/​plugin-transform-dynamic-import@​7.27.1
	@​types/​connect@​3.4.38
	@​types/​convert-source-map@​2.0.3
	@​types/​etag@​1.8.4
	@​types/​serve-static@​2.2.0
	@​types/​strip-comments@​2.0.4
	@​tsdown/​exe@​0.21.9
	@​typescript/​native-preview@​7.0.0-dev.20260122.2
	@​types/​escape-html@​1.0.4
	@​clack/​core@​1.2.0
	@​oxc-project/​types@​0.127.0
	@​types/​less@​3.0.8
	@​vitest/​spy@​4.1.5
	@​babel/​preset-typescript@​7.28.5
	@​vitest/​pretty-format@​4.1.5
	@​types/​ws@​8.18.1
	@​types/​picomatch@​4.0.3
	babel-plugin-polyfill-regenerator@​0.6.8
	@​arethetypeswrong/​core@​0.18.2
	@​types/​semver@​7.7.1
	@​tsdown/​css@​0.21.9
	@​oxc-project/​runtime@​0.127.0
	@​types/​babel__core@​7.20.5
	@​babel/​plugin-transform-modules-systemjs@​7.29.0
	@​vitejs/​devtools@​0.1.14
	@​vitest/​ui@​4.1.5
	buble@​0.20.0
	connect@​3.7.0
	@​vitest/​mocker@​4.1.5
	@​types/​stylus@​0.48.43
See 63 more rows in the dashboard

View full report

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		Critical CVE: Basic FTP has Path Traversal Vulnerability in its downloadToDir() method in npm basic-ftp CVE: GHSA-5rq4-664w-9x2c Basic FTP has Path Traversal Vulnerability in its downloadToDir() method (CRITICAL) Affected versions: < 5.2.0 Patched version: 5.2.0 From: pnpm-lock.yaml → npm/basic-ftp@5.0.5 ℹ Read more on: This package | This alert | What is a critical CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/basic-ftp@5.0.5. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm @voidzero-dev/vite-plus-core is 91.0% likely obfuscated Confidence: 0.91 Location: Package overview From: pnpm-lock.yaml → npm/@voidzero-dev/vite-plus-core@0.1.13 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@voidzero-dev/vite-plus-core@0.1.13. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm @voidzero-dev/vite-plus-core is 91.0% likely obfuscated Confidence: 0.91 Location: Package overview From: ? → npm/@voidzero-dev/vite-plus-core@0.1.19 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@voidzero-dev/vite-plus-core@0.1.19. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

[jong-kyung]

@codex review

[chatgpt-codex-connector]

Codex Review: Didn't find any major issues. 👍

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[camc314]

"by forwarding Oxlint's --type-check-only flag — useful for triaging type errors without lint noise."

This, to me feels like unnecessary info - it doesn't really mater how it works.

Interested to here @ fengmk2 @ cpojer 's thoughts

[camc314]

LGTM 👍