Bump vitest (and transitive vite) to fix OSV findings — GHSA-5xrq-8626-4rwp + GHSA-fx2h-pf6j-xcff #199
OSV-Scanner flagged two CVEs in the dev-dependency tree on the latest CI run. Both ship as transitives of vitest, present in three workspaces (`apps/api`, `packages/api-client`, `apps/client`).

| Package | Current | Target |
| --- | --- | --- |
| vitest | 2.1.9 | 4.1.0+ |
| vite | 5.4.21 | 8.0.16+ |

### Scope

Bump `vitest` in every workspace that pins it. Vite is a transitive of vitest; bumping vitest from `^2.1.0` to `^4.1.0` pulls a vite version compatible with the latest peer (`^6 || ^7 || ^8`), resolving both findings in one move. The latest stable on npm at the time of writing is `vitest@4.1.9` + `vite@8.0.16`.

Affected workspaces:

- `apps/api` — vitest is the runner for the dual-engine (SQLite + Postgres) suite. ~515 tests.
- `packages/api-client` — vitest covers the client/error/keys layers. ~16 tests.
- `apps/client` — vitest covers the i18n resolver. ~8 tests.

### Expected breakage

vitest 2 → 4 is two major bumps. Known API changes since 2.x:

- `workspace` config replaced by `projects` (we don't use workspace config — should be a no-op for us).
- `vi.mocked()` return types.

Each workspace's existing `vitest.config.ts` is small; expect minor adjustments at most.

### Acceptance criteria

- `vitest` ≥ 4.1.0 in every workspace's `package.json`.
- `vite` resolves to 8.0.16+ in `pnpm-lock.yaml`.
- `pnpm -F @carol/api test`, `pnpm -F @carol/api-client test`, `pnpm -F @carol/client test` all pass.
- `pnpm -F @carol/api build` and Expo web export (`pnpm -F @carol/client export:web`) both succeed.

### Out of scope
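The first two acceptance criteria above are mechanical, so here is a small Node script (an added example, not code from the carol repo) that checks them against embedded sample inputs: it takes each workspace's parsed `package.json`, extracts the lower bound of its `vitest` range, and scans a `pnpm-lock.yaml` for every resolved `vite@x.y.z` entry. The workspace objects and lockfile snippets are constructed, not the repo's real files; the lockfile key shapes (`  vite@8.0.16:` under `packages:`, `  vite@8.0.16(...):` under `snapshots:`) are assumed from pnpm's v9 lockfile format, and the version parser deliberately rejects anything it does not understand (prerelease tags, `>=` or `||` ranges) so that the check fails closed rather than guessing.

```javascript
// Added example (not from the carol repo): check this issue's first two acceptance
// criteria against constructed sample inputs, using only Node built-ins.

const MIN_VITEST = '4.1.0';  // lower bound required in every workspace's package.json
const MIN_VITE = '8.0.16';   // lowest vite version allowed to resolve in pnpm-lock.yaml

// Strict "x.y.z" parser. Prerelease tags or anything else yield null so that an
// unexpected version string fails the check instead of being silently accepted.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(v);
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

// Returns -1, 0 or 1 (numeric, not lexical); throws on unparseable input.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  if (!pa || !pb) throw new Error(`unparseable version: ${a} / ${b}`);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Lower bound of a caret, tilde or exact range ("^4.1.0" -> "4.1.0"). Other syntaxes
// (">=", "||", "x", "*") are not interpreted; they throw so the check fails closed.
function rangeLowerBound(range) {
  const m = /^[\^~]?(\d+\.\d+\.\d+)$/.exec(range.trim());
  if (!m) throw new Error(`unsupported range syntax: ${range}`);
  return m[1];
}

// Criterion 1: every workspace that pins vitest (dev or prod deps) pins a range whose
// lower bound is >= MIN_VITEST. `workspaces` maps workspace dir -> parsed package.json.
function checkVitestPins(workspaces) {
  const failures = [];
  for (const [dir, pkg] of Object.entries(workspaces)) {
    const range = (pkg.devDependencies || {}).vitest ?? (pkg.dependencies || {}).vitest;
    if (range === undefined) continue; // this workspace does not pin vitest
    if (compareVersions(rangeLowerBound(range), MIN_VITEST) < 0) {
      failures.push(`${dir}: vitest ${range}`);
    }
  }
  return failures;
}

// Collect every vite version the lockfile resolves. Assumed key shapes (pnpm v9 format):
//   packages:   "  vite@8.0.16:"          (older formats: "  /vite@8.0.16:")
//   snapshots:  "  vite@8.0.16(@types/node@20.0.0):"
// "vitest@..." keys do not match because the regex requires "@" right after "vite".
function resolvedViteVersions(lockText) {
  const versions = new Set();
  for (const line of lockText.split('\n')) {
    const m = /^  \/?vite@([^(:\s]+)[(:]/.exec(line);
    if (m) versions.add(m[1]);
  }
  return [...versions];
}

// Criterion 2: every resolved vite version is >= MIN_VITE. Returns the offending versions.
function checkLockfileVite(lockText) {
  return resolvedViteVersions(lockText).filter((v) => compareVersions(v, MIN_VITE) < 0);
}

// Both criteria at once; two empty arrays mean the bump is complete.
function auditBump(workspaces, lockText) {
  return { vitest: checkVitestPins(workspaces), vite: checkLockfileVite(lockText) };
}

// --- Constructed sample inputs (not the repo's real files) ---
const PRE_BUMP = {
  'apps/api': { devDependencies: { vitest: '^2.1.0' } },
  'packages/api-client': { devDependencies: { vitest: '^2.1.0' } },
  'apps/client': { devDependencies: { vitest: '^2.1.0' } },
};
const POST_BUMP = {
  'apps/api': { devDependencies: { vitest: '^4.1.0' } },
  'packages/api-client': { devDependencies: { vitest: '^4.1.0' } },
  'apps/client': { devDependencies: { vitest: '^4.1.0' } },
};
const LOCK_PRE_BUMP = [
  "lockfileVersion: '9.0'",
  'packages:',
  '  vite@5.4.21:',
  '    resolution: {integrity: sha512-CONSTRUCTED}',
  '  vitest@2.1.9:',
  '    resolution: {integrity: sha512-CONSTRUCTED}',
  'snapshots:',
  '  vite@5.4.21(@types/node@20.0.0): {}',
].join('\n');
const LOCK_POST_BUMP = LOCK_PRE_BUMP.replace(/5\.4\.21/g, '8.0.16').replace('2.1.9', '4.1.9');

console.log('before bump:', JSON.stringify(auditBump(PRE_BUMP, LOCK_PRE_BUMP)));
console.log('after bump: ', JSON.stringify(auditBump(POST_BUMP, LOCK_POST_BUMP)));
```

The lockfile check looks at every resolved `vite` entry, not only the one under `vitest`: if some other dependency still pulls an old vite, the `package.json` ranges alone would look clean while the flagged version stays in the tree. The remaining criteria (the three test runs, the build and the Expo export) are real command executions and are not something this script can stand in for.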