chore(deps): bump vitest 2 → 4 + force vite 8 to clear OSV findings (#199) #200
Reference
james/carol!200
Summary
Closes #199. Clears the two OSV findings:

| Package | Installed | Fixed in |
|---------|-----------|----------|
| vitest  | 2.1.9     | 4.1.0+   |
| vite    | 5.4.21    | 8.0.16+  |

Single commit (0ebe643):

- `vitest` ^2.1.0 → ^4.1.9 in `apps/api`, `packages/api-client`, `apps/client`.
- `@vitest/coverage-v8` ^2.1.9 → ^4.1.9 in `apps/api`.
- `vite` ^8.0.16 added as a root devDep — see below.

Why vite at the root

Vitest 4 declares `vite` as a peer with range `^6.0.0 || ^7.0.0 || ^8.0.0`. Without a direct request anywhere in the graph, pnpm's peer resolver hung onto the cached `vite@5.4.21` from the pre-bump lockfile (peer satisfaction is opportunistic — it picks an existing version that fits, not necessarily the latest). The override-style fix didn't take either because pnpm only applies overrides when something actually requests the package.

Adding `vite` to the workspace root as a devDep gives the resolver a direct request to bind on; with vitest 4's peer constraint in force, pnpm picks the latest matching version (8.0.16). The root devDep isn't consumed by any code — it's a hint for the resolver.

Test plan

- `pnpm install --frozen-lockfile` clean.
- `pnpm -F @carol/api typecheck/lint/test` green (515 tests + 107 skipped).
- `pnpm -F @carol/api-client typecheck/lint/test/check` green (16 tests).
- `pnpm -F @carol/client typecheck/lint/test` green (8 tests).
- `pnpm -F @carol/api openapi:check` + `openapi:coverage` green (54 routes).
- `pnpm -F @carol/client export:web` succeeds — Expo bundle still builds.
- `set -e` chain, all gates passed.

Out of scope
Closes #199.
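As an added example (not the PR's own code), a post-install gate a CI job could run to confirm the lockfile no longer resolves any vite below the OSV-fixed version; the lockfile snippets are constructed and the function names are my own:

```shell
# Added example, not part of the PR: fails when a pnpm lockfile still
# resolves any vite older than the OSV-fixed version (8.0.16).
# The lockfiles below are constructed to look like pnpm v9 lockfiles.
MIN_VITE="8.0.16"

# True (exit 0) when dotted version $1 is >= dotted version $2.
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); split(b, y, ".")
    for (i = 1; i <= n; i++) {
      if (x[i] + 0 > y[i] + 0) exit 0
      if (x[i] + 0 < y[i] + 0) exit 1
    }
    exit 0
  }'
}

# Prints every vite version resolved in the lockfile text ($1) that is
# older than MIN_VITE, one per line; prints nothing when the graph is clean.
stale_vite_versions() {
  printf '%s\n' "$1" \
    | grep -oE '^  vite@[0-9]+\.[0-9]+\.[0-9]+' \
    | sed 's/^  vite@//' \
    | sort -u \
    | while read -r v; do
        version_ge "$v" "$MIN_VITE" || printf '%s\n' "$v"
      done
}

# Constructed lockfile: the pre-bump state, where opportunistic peer
# resolution kept vite@5.4.21 next to the new vitest.
PRE_BUMP_LOCK='lockfileVersion: "9.0"
packages:
  vite@5.4.21:
    resolution: {integrity: sha512-CONSTRUCTED}
  vitest@4.1.9:
    resolution: {integrity: sha512-CONSTRUCTED}'

# Constructed lockfile: after vite was added as a root devDep.
POST_BUMP_LOCK='lockfileVersion: "9.0"
packages:
  vite@8.0.16:
    resolution: {integrity: sha512-CONSTRUCTED}
  vitest@4.1.9:
    resolution: {integrity: sha512-CONSTRUCTED}'

# Usage in CI: fail the job when anything stale is reported, e.g.
# stale=$(stale_vite_versions "$(cat pnpm-lock.yaml)"); [ -z "$stale" ] || exit 1
```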
📊 Test coverage
Patch coverage: no testable lines changed.
Overall (app/, lib/, db/, excluding UI per ADR-0019):
Soft thresholds per ADR-0019. Coverage is informational and does not block merge.
Trivy (container image)
Threshold: high · Total findings: 121 · At/above threshold: 16.27.0, 7.28.0, 8.5.0