Use Vitest for browser tests

[Mrtenz]

This migrates all browser tests which were previously run with WebdriverIO to Vitest. WebdriverIO had several issues like flakiness, lack of certain APIs since it uses Mocha, and performance in CI. Vitest does not seem to have these issues.

Long term we can start migrating all tests to Vitest instead of Jest. The APIs are largely the same between the two, so the migration should be relatively straightforward, and it simplifies some of our custom logic like merging coverage.

[socket-security]

New, updated, and removed dependencies detected. Learn more about Socket for GitHub ↗︎

Package	New capabilities	Transitives	Size	Publisher
npm/@vitest/browser@3.1.1	environment Transitive: filesystem, network	+31	5.81 MB	vitestbot
npm/@vitest/coverage-istanbul@3.0.8	Transitive: environment, eval, filesystem	+11	2.07 MB	vitestbot
npm/@vitest/coverage-v8@3.1.1	Transitive: environment, filesystem	+10	1.3 MB	vitestbot
npm/istanbul-lib-coverage@3.2.0 ➜ 3.2.2	None	0	34.4 kB	oss-bot
npm/istanbul-lib-report@3.0.0 ➜ 3.0.1	None	0	37.6 kB	oss-bot
npm/istanbul-reports@3.1.5 ➜ 3.1.7	None	0	294 kB	oss-bot
npm/make-dir@3.1.0 ➜ 4.0.0	None	0	9.91 kB	sindresorhus
npm/playwright-core@1.49.1	environment, eval, filesystem, network, shell, unsafe	0	7.97 MB	yurys
npm/playwright@1.49.1	None	+1	3.31 MB	yurys
npm/vite-plugin-node-polyfills@0.23.0	None	+10	1.26 MB	davidmyersdev
npm/vitest@3.1.1	Transitive: environment, filesystem, shell, unsafe	+30	1.98 MB

🚮 Removed packages: npm/@jridgewell/gen-mapping@0.3.3, npm/@jridgewell/set-array@1.1.2, npm/@testim/chrome-version@1.1.4, npm/@tootallnate/quickjs-emscripten@0.23.0, npm/@types/yauzl@2.10.0, npm/@wdio/logger@8.16.17, npm/ast-types@0.13.4, npm/axios@1.8.3, npm/basic-ftp@5.0.3, npm/big-integer@1.6.51, npm/binary@0.3.0, npm/bluebird@3.4.7, npm/buffer-crc32@0.2.13, npm/buffer-indexof-polyfill@1.0.2, npm/buffers@0.1.1, npm/chainsaw@0.1.0, npm/chromedriver@135.0.0, npm/compare-versions@6.1.0, npm/data-uri-to-buffer@5.0.1, npm/decamelize@6.0.0, npm/degenerator@5.0.1, npm/extract-zip@2.0.1, npm/fd-slicer@1.1.0, npm/fetch-blob@3.2.0, npm/formdata-polyfill@4.0.10, npm/fs-extra@8.1.0, npm/fstream@1.0.12, npm/geckodriver@4.2.0, npm/get-uri@6.0.1, npm/ip-regex@4.3.0, npm/is-url@1.2.4, npm/is2@2.0.9, npm/jackspeak@2.3.6, npm/jsonfile@4.0.0, npm/listenercount@1.0.1, npm/loglevel-plugin-prefix@0.8.4, npm/loglevel@1.8.1, npm/lru-cache@10.1.0, npm/netmask@2.0.2, npm/node-domexception@1.0.0, npm/node-fetch@3.3.2, npm/pac-proxy-agent@7.0.1, npm/pac-resolver@7.0.1, npm/path-scurry@1.10.1, npm/pend@1.2.0, npm/proxy-agent@6.4.0, npm/proxy-from-env@1.1.0, npm/tcp-port-used@1.0.2, npm/traverse@0.3.9, npm/universalify@0.1.2, npm/unzipper@0.10.14, npm/web-streams-polyfill@3.2.1, npm/webdriverio@8.43.0, npm/yauzl@2.10.0

View full report↗︎

[socket-security]

👍 Dependency issues cleared. Learn more about Socket for GitHub ↗︎

This PR previously contained dependency changes with security issues that have been resolved, removed, or ignored.

Ignoring: npm/tinypool@1.0.2, npm/playwright-core@1.49.1, npm/tinyexec@0.3.2, npm/istanbul-lib-report@3.0.1

View full report↗︎

Next steps

Take a deeper look at the dependency

Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev.

Remove the package

If you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency.

Mark a package as acceptable risk

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of ecosystem/package-name@version specifiers. e.g. @SocketSecurity ignore npm/foo@1.0.0 or ignore all packages with @SocketSecurity ignore-all

[Mrtenz]

@SocketSecurity ignore npm/istanbul-lib-report@3.0.1

New author is ok.

[Mrtenz]

This changed because of a bump in dependencies responsible for source maps.

[Mrtenz]

This number was wrong initially, it seems WDIO just ignores it.

[Mrtenz]

This test was wrong in the first place. The iframe was served from a different origin, and trying to access top.querySelector resulted in:

SecurityError: Failed to read a named property 'querySelector' from 'Window': Blocked a frame with origin "http://localhost:4567/" from accessing a cross-origin frame.

So the snap.document was never reached, and top.querySelector isn't even a function even if it was accessible. 😅

I confirmed that the new test properly tests the sandboxing behaviour, as it's now served from the same origin. Removing the sandbox property from the iframe now results in a test failure.

[Mrtenz]

Moved this to a separate file because Vitest was trying to import Node.js dependencies through ./test-utils/index.ts.

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 94.72%. Comparing base (8e418f6) to head (5f54a7f).
Report is 1 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #3236      +/-   ##
==========================================
- Coverage   94.88%   94.72%   -0.16%     
==========================================
  Files         518      518              
  Lines       11357    11932     +575     
  Branches     1752     1831      +79     
==========================================
+ Hits        10776    11303     +527     
- Misses        581      629      +48     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[Mrtenz]

These plugins seem to be unmaintained, but swapping them out for vite-plugin-node-polyfills like I did in snaps-utils and snaps-controllers doesn't seem to work with SES (because the process is incompatible?). I haven't looked into it much further, but for now we can keep using these here.

[Mrtenz]

Vitest seems to import non-existing types from Vite. This seems like the easiest way to avoid it, and actually speeds up building too.

[Mrtenz]

@SocketSecurity ignore npm/mute-stream@2.0.0
@SocketSecurity ignore npm/@bundled-es-modules/cookie@2.0.1

New author is ok.

@SocketSecurity ignore npm/tinypool@1.0.2
@SocketSecurity ignore npm/tinyexec@0.3.2

Shell access fine.

[hmalik88]

I think it's worth looking into in this PR, especially if we can avoid unnecessary computation.

[Mrtenz]

Seems like either Jest or Vite is inaccurate. I checked the iframe execution service for example: Vite shows it as completely covered, but after merging with Jest, one line is not covered.

The actual computation done here isn't really significant anyway though, and long term we can likely remove this once we migrate all tests to Vitest.

[hmalik88]

If it turns out that we need this logic, then we should probably make this logic re-usable since we also use it in snaps-controllers

[Mrtenz]

We use this in snaps-controllers, snaps-execution-environments, and snaps-utils. I agree it could be reusable, but I would prefer to do that in a separate PR.

[hmalik88]

Why isn't this needed anymore?

[Mrtenz]

I'm not sure why it was necessary in the first place anymore. It works without it now.

[hmalik88]

Maybe we can reuse this config as well?

[Mrtenz]

Long term I want to start migrating more stuff to Vitest, at which point we can use workspace configs. For now I would prefer to keep it like this.

[hmalik88]

Proof of concept for using Vitest for browser tests.

No longer a POC, i think? 😄

[Mrtenz]

@SocketSecurity ignore npm/playwright-core@1.49.1

Network access and shell access are fine.

[FrederikBolding]

How will this work locally? Do you need to run any commands besides yarn and yarn test to run browser tests locally?

[Mrtenz]

Yes, Vitest will tell you to run yarn playwright install on the first time running yarn test.

[FrederikBolding]

What's the reasoning for this and the index.ts exclude?

[Mrtenz]

It caused the coverage merge script to break because Vitest had coverage for these files, but Jest didn't. We call jestMap.fileCoverageFor(file), which throws if the file doesn't exist.