Bump vitest to 4.1.0 to resolve Dependabot alerts #85

Merged: dantraynor merged 1 commit into main from fix-dependabot-vulns, Jun 4, 2026

@dantraynor
Owner

Summary

Upgrades vitest from ^3.0.0 to ^4.1.0 in the shared and extension packages, resolving the 3 open critical Dependabot alerts (#14, #15, #16 — all vitest < 4.1.0).

vite is already pinned to ^7.3.2 via the root pnpm.overrides, so vitest 4 (which requires vite 6/7) is compatible.

Test changes for vitest 4

The major bump required two small adjustments to the test code:

  • Mocked constructors must use a regular function implementation. When a mock is invoked with new, vitest 4 constructs via the implementation, and an arrow function isn't constructable. Switched the FirefoxProxyManager mock implementation to a function.
  • vi.fn() now infers a constructable signature, so a bare vi.fn() no longer satisfies a plain call-signature type. Typed the native-host handler mocks explicitly (Mock<NativeMessageHandler> / Mock<NativeStateChangeHandler>) and cast the chrome.* API stub assignments (matching the existing connectNative cast style).

Verification

  • pnpm -r test → 339 tests passing (293 shared + 46 extension) on vitest 4.1.8
  • pnpm -r typecheck → clean

Upgrades vitest from ^3.0.0 to ^4.1.0 across the shared and extension
packages, resolving the critical Dependabot alerts (#14, #15, #16).

Adjusts tests for vitest 4 behavior changes:
- Mocked constructors must use a regular function implementation
  (arrow functions are not constructable when invoked with `new`).
- vi.fn() now infers a constructable signature, so handler mocks are
  typed explicitly and chrome API stub assignments are cast.
@dantraynor dantraynor merged commit 90ad3ea into main Jun 4, 2026
5 checks passed
@dantraynor dantraynor deleted the fix-dependabot-vulns branch June 4, 2026 04:28
@dantraynor dantraynor mentioned this pull request Jun 4, 2026
@dantraynor dantraynor added the dependencies Pull requests that update a dependency file label Jun 4, 2026
dantraynor added a commit that referenced this pull request Jun 4, 2026
Bump version to 0.1.11. Windows helper update fix (#86); vitest 4.1.0 + Dependabot security updates (#85, #82); store listing moved into docs/ (#81).
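
The constructor-mock change described in the summary, as an added example that is not code from this pull request or from vitest: `makeMock` is a hypothetical, simplified stand-in for a mock that constructs through its implementation when called with `new`, and the two sample implementations are constructed for illustration.

```javascript
// Simplified stand-in for a mock function (hypothetical; not vitest's source).
// As in the behaviour described above, a call with `new` constructs through
// the implementation instead of just calling it.
function makeMock(impl) {
  function mock(...args) {
    mock.calls.push(args);
    return new.target
      ? Reflect.construct(impl, args, new.target)
      : impl.apply(this, args);
  }
  mock.calls = [];
  return mock;
}

// True if `fn` can be a `new` target. Reflect.construct validates newTarget
// before running anything, so `fn` itself is never invoked here.
function isConstructable(fn) {
  try {
    Reflect.construct(Object, [], fn);
    return true;
  } catch {
    return false;
  }
}

// Constructed sample implementations: same body, only the function kind differs.
const arrowImpl = () => ({ enable: () => "enabled" });
const functionImpl = function () {
  return { enable: () => "enabled" };
};

// Build a mock around `impl` and instantiate it the way code under test would.
function tryConstruct(impl) {
  const MockManager = makeMock(impl);
  try {
    return { ok: true, instance: new MockManager("127.0.0.1:8080") };
  } catch (err) {
    return { ok: false, error: err.name };
  }
}

console.log(isConstructable(arrowImpl), tryConstruct(arrowImpl).ok);
console.log(isConstructable(functionImpl), tryConstruct(functionImpl).ok);
```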