chore(deps): bump vitest 2 → 4 + force vite 8 to clear OSV findings (#199) #200

Merged
james merged 1 commit from 199-bump-vitest-vite into main 2026-06-21 11:37:05 +00:00

Summary

Closes #199. Clears the two OSV findings:

| Severity | ID | Package | Fix |
| --- | --- | --- | --- |
| critical | [GHSA-5xrq-8626-4rwp](https://github.com/advisories/GHSA-5xrq-8626-4rwp) | vitest@2.1.9 | 4.1.0+ |
| high | [GHSA-fx2h-pf6j-xcff](https://github.com/advisories/GHSA-fx2h-pf6j-xcff) | vite@5.4.21 | 8.0.16+ |

Single commit (0ebe643):

  • vitest ^2.1.0 → ^4.1.9 in apps/api, packages/api-client, apps/client.
  • @vitest/coverage-v8 ^2.1.9 → ^4.1.9 in apps/api.
  • vite ^8.0.16 added as a root devDep — see below.

Why vite at the root

Vitest 4 declares vite as a peer with range ^6.0.0 || ^7.0.0 || ^8.0.0. Without a direct request anywhere in the graph, pnpm's peer resolver hung onto the cached vite@5.4.21 from the pre-bump lockfile (peer satisfaction is opportunistic — it picks an existing version that fits, not necessarily the latest). The override-style fix didn't take either because pnpm only applies overrides when something actually requests the package.

Adding vite to the workspace root as a devDep gives the resolver a direct request to bind on; with vitest 4's peer constraint in force, pnpm picks the latest matching version (8.0.16). The root devDep isn't consumed by any code — it's a hint for the resolver.

Test plan

  • pnpm install --frozen-lockfile clean.
  • pnpm -F @carol/api typecheck/lint/test green (515 tests + 107 skipped).
  • pnpm -F @carol/api-client typecheck/lint/test/check green (16 tests).
  • pnpm -F @carol/client typecheck/lint/test green (8 tests).
  • pnpm -F @carol/api openapi:check + openapi:coverage green (54 routes).
  • pnpm -F @carol/client export:web succeeds — Expo bundle still builds.
  • Full pipeline reproduced in a Node 22.23.0 container matching CI — set -e chain, all gates passed.
  • On the merged commit, CI's OSV-Scanner step no longer flags either advisory.

Out of scope

  • Migrating away from vitest. The advisories are about runtime behaviour, not the library itself.
  • Bumping unrelated devDeps in the same PR.

Closes #199.
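An added check, not part of this PR or the project's code, that verifies the resolver actually landed where the description says it should: the resolved vite must fall inside vitest 4's declared peer range and both packages must be at or above the OSV fix floors from the table above. The two graphs are constructed stand-ins for the pre-bump and post-bump lockfile state; `satisfies` and `checkResolution` are names chosen here.

```javascript
// Added example: sanity-check a resolved dependency graph against the
// peer range and advisory fix floors quoted in the PR description.
const parse = (v) => v.split('.').map(Number); // "8.0.16" -> [8, 0, 16]

// Three-part numeric compare; negative when a < b, positive when a > b.
function cmp(a, b) {
  const [x, y] = [parse(a), parse(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
}

// Caret ranges joined by "||" are all vitest 4's peer declaration uses.
// Caret here means same major and >= floor (majors are all >= 1 in this case).
function satisfies(version, range) {
  return range.split('||').map((s) => s.trim()).some((part) => {
    if (!part.startsWith('^')) throw new Error(`unsupported range: ${part}`);
    const floor = part.slice(1);
    return parse(version)[0] === parse(floor)[0] && cmp(version, floor) >= 0;
  });
}

// Values from the PR: vitest 4's vite peer range and the OSV fix versions.
const VITEST4_VITE_PEER = '^6.0.0 || ^7.0.0 || ^8.0.0';
const ADVISORY_FLOORS = { vitest: '4.1.0', vite: '8.0.16' };

// `resolved` maps package name -> version the lockfile actually resolved.
// Returns a list of human-readable problems; empty means the graph is clean.
function checkResolution(resolved) {
  const problems = [];
  for (const [pkg, floor] of Object.entries(ADVISORY_FLOORS)) {
    if (!resolved[pkg]) problems.push(`${pkg}: not resolved`);
    else if (cmp(resolved[pkg], floor) < 0)
      problems.push(`${pkg}@${resolved[pkg]} below fix ${floor}`);
  }
  if (resolved.vite && !satisfies(resolved.vite, VITEST4_VITE_PEER))
    problems.push(`vite@${resolved.vite} outside peer range ${VITEST4_VITE_PEER}`);
  return problems;
}

// Constructed graphs: the stale resolution the PR describes (vitest bumped,
// vite still cached at 5.4.21) and the state after the root devDep was added.
const stale = { vitest: '4.1.9', vite: '5.4.21' };
const fixed = { vitest: '4.1.9', vite: '8.0.16' };

for (const [name, graph] of [['stale', stale], ['fixed', fixed]]) {
  const problems = checkResolution(graph);
  console.log(name, problems.length ? problems : 'ok');
}
```

The stale graph reports vite both below the fix floor and outside the peer range, which is exactly the state the root devDep was added to clear.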

chore(deps): bump vitest 2 → 4 + force vite 8 to clear OSV findings (#199)
Some checks failed
Commits / Conventional Commits (pull_request) Successful in 7s
PR / OSV-Scanner (pull_request) Successful in 2m19s
PR / Static analysis (pull_request) Successful in 2m37s
PR / Client (web export smoke) (pull_request) Successful in 2m51s
PR / OpenAPI (pull_request) Successful in 3m1s
PR / pnpm audit (pull_request) Successful in 3m34s
PR / Lint (pull_request) Successful in 3m44s
PR / Typecheck (pull_request) Successful in 3m50s
PR / Package age policy (soft) (pull_request) Successful in 1m6s
PR / Build (pull_request) Successful in 4m9s
PR / Test (sqlite) (pull_request) Successful in 4m9s
Secrets / gitleaks (pull_request) Successful in 1m7s
PR / Test (postgres) (pull_request) Successful in 4m9s
PR / Coverage (soft) (pull_request) Successful in 1m40s
PR / Trivy (image) (pull_request) Failing after 2m26s
0ebe6430cf
OSV-Scanner flagged two CVEs in the dev-dependency tree:

- critical GHSA-5xrq-8626-4rwp on vitest@2.1.9 — fix in 4.1.0+
- high GHSA-fx2h-pf6j-xcff on vite@5.4.21 — fix in 8.0.16+

Both ship as transitives of vitest, present in three workspaces.

- vitest: ^2.1.0 → ^4.1.9 in apps/api, packages/api-client, apps/client.
- @vitest/coverage-v8: ^2.1.9 → ^4.1.9 in apps/api.
- vite: pinned to ^8.0.16 as a root devDep so the resolution graph
  has a direct request for it. Vitest 4's peer is ^6 || ^7 || ^8;
  without a direct request pnpm hung onto the cached vite 5.4.21
  even after the vitest bump. Adding vite at the root forces a fresh
  resolution that picks up 8.0.16.

No breaking-change patches needed at the application level — the
existing vitest configs work unchanged across the bump. All 539
existing tests (515 in @carol/api + 16 in @carol/api-client + 8 in
@carol/client) stay green. Typecheck, lint, openapi:check, and the
Expo web export all pass on a fresh container install.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

📊 Test coverage

Patch coverage: no testable lines changed.

Overall (app/, lib/, db/, excluding UI per ADR-0019):

| Metric | Value | Soft target |
| --- | --- | --- |
| Lines | 68.9% ✅ | ≥ 50% |
| Branches | 59.7% ⚠️ | ≥ 75% |
| Functions | 67.1% | informational |

Soft thresholds per ADR-0019. Coverage is informational and does not block merge.


Trivy (container image)

Threshold: high  ·  Total findings: 121  ·  At/above threshold: 1

| critical | high | medium | low |
| ---: | ---: | ---: | ---: |
| 0 | 1 | 50 | 70 |

| severity | id | package | installed / range | fix |
| --- | --- | --- | --- | --- |
| high | [CVE-2026-12151](https://avd.aquasec.com/nvd/cve-2026-12151) | undici | 6.25.0 | 6.27.0, 7.28.0, 8.5.0 |
james merged commit f2320c629d into main 2026-06-21 11:37:05 +00:00
james deleted branch 199-bump-vitest-vite 2026-06-21 11:37:05 +00:00