
Resolve Vitest security alerts#1550

Merged
stephentoub merged 2 commits into
mainfrom
stephentoub/fix-dependabot-vulnerabilities
Jun 2, 2026

Conversation

@stephentoub
Collaborator

Dependabot reported critical Vitest alerts in the Node SDK and shared test harness lockfiles. This updates the resolved Vitest versions above the patched 4.1.0 release while leaving the existing package.json ranges unchanged.

The large lockfile diff is caused by Vitest's newer dependency graph: Vite moves to 8.x, which replaces many optional Rollup platform packages with Rolldown packages. No source files or manifest ranges changed.

Validation performed:

  • npm audit --audit-level=moderate in nodejs
  • npm run typecheck in nodejs
  • npx vitest run test\session-event-codegen.test.ts in nodejs
  • npm audit --audit-level=moderate in test\harness
  • npm test in test\harness

Generated by Copilot
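The fix described above touches only lockfile resolutions: the package.json ranges already admit a patched release, but the lockfile can still pin a version below it, and that is what Dependabot flags. The following script is an added example (not code from this PR or the SDK) of the check a reviewer can run against the two lockfiles before and after such a change: walk the `packages` map of an npm lockfile (lockfileVersion 2/3), pick out the target package and its scoped internal packages, including nested copies under other packages' `node_modules`, and report any resolution below a patched minimum. The sample lockfile, the `4.1.0` threshold and the `['vitest', '@vitest/']` name patterns are constructed for illustration.

```javascript
// Added example: verify that a package-lock.json resolves a package (and the
// scoped packages it bundles) at or above a patched minimum version, regardless
// of the range declared in package.json. Not code from the PR or the SDK.

// Minimal x.y.z comparison; prerelease/build suffixes are deliberately not
// handled, which is enough for checking resolved lockfile versions.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const da = pa[i] || 0;
    const db = pb[i] || 0;
    if (da !== db) return da < db ? -1 : 1;
  }
  return 0;
}

// Derive the package name from a lockfile path such as
// "node_modules/a/node_modules/@scope/pkg" -> "@scope/pkg".
function packageNameFromPath(path) {
  const marker = 'node_modules/';
  return path.slice(path.lastIndexOf(marker) + marker.length);
}

// Return every lockfile entry whose name matches one of `names` (a trailing
// "/" matches a whole scope, e.g. "@vitest/") and whose resolved version is
// below `minVersion`. Nested installs are included, since an npm audit alert
// applies to every copy in the tree, not only the top-level one.
function findVulnerableResolutions(lock, names, minVersion) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // root project entry, not a dependency
    const name = entry.name || packageNameFromPath(path);
    const matches = names.some((n) => (n.endsWith('/') ? name.startsWith(n) : name === n));
    if (!matches || !entry.version) continue;
    if (compareVersions(entry.version, minVersion) < 0) {
      findings.push({ path, name, version: entry.version });
    }
  }
  return findings;
}

// Load a real lockfile from disk and run the same check (Node CommonJS).
function checkLockfile(file, names, minVersion) {
  const fs = require('fs');
  const lock = JSON.parse(fs.readFileSync(file, 'utf8'));
  return findVulnerableResolutions(lock, names, minVersion);
}

// Constructed sample lockfile (not from the PR): the manifest range ^4.0.0
// already admits 4.1.x, yet the resolved top-level copy is 4.0.12, below the
// patched 4.1.0 threshold, while a nested copy under a hypothetical harness
// package is already fixed.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { vitest: '^4.0.0' } },
    'node_modules/vitest': { version: '4.0.12' },
    'node_modules/@vitest/runner': { version: '4.0.12' },
    'node_modules/vite': { version: '7.1.0' },
    'node_modules/some-harness/node_modules/vitest': { version: '4.1.8' },
  },
};

const sampleFindings = findVulnerableResolutions(sampleLock, ['vitest', '@vitest/'], '4.1.0');
for (const f of sampleFindings) {
  console.log(`${f.path}: ${f.name}@${f.version} is below 4.1.0`);
}
if (sampleFindings.length === 0) console.log('all matching resolutions are at or above 4.1.0');
```

Against a real tree, call `checkLockfile('nodejs/package-lock.json', ['vitest', '@vitest/'], '4.1.0')` for each lockfile the alert names; an empty result is the condition `npm audit --audit-level=moderate` is expected to confirm, and a non-empty one pinpoints which nested copy the lockfile update missed.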

Update the npm lockfile resolutions for Vitest and its internal packages to 4.1.8, which is above the patched 4.1.0 version required by the open Dependabot alerts.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@stephentoub stephentoub requested a review from a team as a code owner June 2, 2026 14:05
Copilot AI review requested due to automatic review settings June 2, 2026 14:05
Contributor

Copilot AI left a comment


Copilot wasn't able to review any files in this pull request.

Files not reviewed (2)
  • nodejs/package-lock.json: Language not supported
  • test/harness/package-lock.json: Language not supported

@github-actions
Contributor

github-actions Bot commented Jun 2, 2026

Cross-SDK Consistency Review ✅

This PR only updates package-lock.json files to resolve Vitest security vulnerabilities — no SDK source code or public API surface is changed. This is a Node.js/test-harness-specific dependency update with no equivalent required in the Python, Go, or .NET SDKs.

No cross-SDK consistency issues identified.

Generated by SDK Consistency Review Agent for issue #1550

Update the Node SDK and test harness engine metadata to match the Node versions required by the patched Vitest dependency graph, and document the supported Node range for the Node SDK.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@github-actions github-actions Bot mentioned this pull request Jun 2, 2026
@stephentoub stephentoub merged commit 4b29473 into main Jun 2, 2026
42 of 43 checks passed
@stephentoub stephentoub deleted the stephentoub/fix-dependabot-vulnerabilities branch June 2, 2026 16:02