Bump vitest (and transitive vite) to fix OSV findings — GHSA-5xrq-8626-4rwp + GHSA-fx2h-pf6j-xcff #199

Closed
opened 2026-06-21 11:16:59 +00:00 by james · 0 comments
Owner

OSV-Scanner flagged two CVEs in the dev-dependency tree on the latest CI run. Both ship as transitives of vitest, present in three workspaces (apps/api, packages/api-client, apps/client).

Severity ID Package Fix
critical GHSA-5xrq-8626-4rwp vitest@2.1.9 4.1.0+
high GHSA-fx2h-pf6j-xcff vite@5.4.21 8.0.16+

Scope

Bump vitest in every workspace that pins it. Vite is a transitive of vitest; bumping vitest from ^2.1.0 to ^4.1.0 pulls a vite version compatible with the latest peer (^6 || ^7 || ^8), resolving both findings in one move.

The latest stable on npm at the time of writing is vitest@4.1.9 + vite@8.0.16.

Affected workspaces:

  • apps/api — vitest is the runner for the dual-engine (SQLite + Postgres) suite. ~515 tests.
  • packages/api-client — vitest covers the client/error/keys layers. ~16 tests.
  • apps/client — vitest covers the i18n resolver. ~8 tests.

Expected breakage

vitest 2 → 4 is two major bumps. Known API changes since 2.x:

  • workspace config replaced by projects (we don't use workspace config — should be a no-op for us).
  • Stricter type-checking of vi.mocked() return types.
  • Default reporter output changes.

Each workspace's existing vitest.config.ts is small; expect minor adjustments at most.

Acceptance criteria

  • vitest4.1.0 in every workspace's package.json.
  • vite resolves to 8.0.16+ in pnpm-lock.yaml.
  • All existing test suites stay green on both DB engines.
  • pnpm -F @carol/api test, pnpm -F @carol/api-client test, pnpm -F @carol/client test all pass.
  • Container build (pnpm -F @carol/api build) and Expo web export (pnpm -F @carol/client export:web) both succeed.
  • CI's OSV-Scanner step no longer flags either advisory.

Out of scope

  • Migrating away from vitest. The advisories are about runtime behaviour, not the library itself; staying current is the right answer.
  • Bumping unrelated devDeps in the same PR.
OSV-Scanner flagged two CVEs in the dev-dependency tree on the latest CI run. Both ship as transitives of vitest, present in three workspaces (`apps/api`, `packages/api-client`, `apps/client`). | Severity | ID | Package | Fix | | --- | --- | --- | --- | | critical | [GHSA-5xrq-8626-4rwp](https://github.com/advisories/GHSA-5xrq-8626-4rwp) | `vitest@2.1.9` | `4.1.0+` | | high | [GHSA-fx2h-pf6j-xcff](https://github.com/advisories/GHSA-fx2h-pf6j-xcff) | `vite@5.4.21` | `8.0.16+` | ## Scope Bump `vitest` in every workspace that pins it. Vite is a transitive of vitest; bumping vitest from `^2.1.0` to `^4.1.0` pulls a vite version compatible with the latest peer (`^6 || ^7 || ^8`), resolving both findings in one move. The latest stable on npm at the time of writing is `vitest@4.1.9` + `vite@8.0.16`. Affected workspaces: - `apps/api` — vitest is the runner for the dual-engine (SQLite + Postgres) suite. ~515 tests. - `packages/api-client` — vitest covers the client/error/keys layers. ~16 tests. - `apps/client` — vitest covers the i18n resolver. ~8 tests. ## Expected breakage vitest 2 → 4 is two major bumps. Known API changes since 2.x: - `workspace` config replaced by `projects` (we don't use workspace config — should be a no-op for us). - Stricter type-checking of `vi.mocked()` return types. - Default reporter output changes. Each workspace's existing `vitest.config.ts` is small; expect minor adjustments at most. ## Acceptance criteria - [ ] `vitest` ≥ `4.1.0` in every workspace's `package.json`. - [ ] `vite` resolves to `8.0.16+` in `pnpm-lock.yaml`. - [ ] All existing test suites stay green on both DB engines. - [ ] `pnpm -F @carol/api test`, `pnpm -F @carol/api-client test`, `pnpm -F @carol/client test` all pass. - [ ] Container build (`pnpm -F @carol/api build`) and Expo web export (`pnpm -F @carol/client export:web`) both succeed. - [ ] CI's OSV-Scanner step no longer flags either advisory. ## Out of scope - Migrating away from vitest. The advisories are about runtime behaviour, not the library itself; staying current is the right answer. - Bumping unrelated devDeps in the same PR.
james closed this issue 2026-06-21 11:37:05 +00:00
Sign in to join this conversation.
No milestone
No project
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
james/carol#199
No description provided.