Conversation

@devin-ai-integration
Contributor

fix: move vitest from dependencies to devDependencies in compiler package

Summary

Fixed issue #1115 by moving vitest from production dependencies to dev dependencies in the @lingo.dev/_compiler package. The vitest package was incorrectly listed as a production dependency, which introduced a security vulnerability through its dependency chain (vulnerable esbuild version via vitest@2.1.9 → vite@5.4.19 → esbuild@0.21.5).

After analyzing the codebase, I confirmed that vitest is only used in test files (*.spec.ts, *.test.ts) and the vitest.config.ts configuration file, making it safe to move to devDependencies.

Changes:

  • Moved vitest: "^2.1.4" from dependencies to devDependencies in packages/compiler/package.json
  • Updated pnpm-lock.yaml to reflect the new dependency structure

Review & Testing Checklist for Human

  • Verify vitest usage scope: Double-check that vitest is only used in test files and configuration by reviewing the search results and confirming no runtime code depends on it
  • Test downstream consumer impact: Verify that projects consuming @lingo.dev/_compiler as a dependency still work correctly (the most critical test)
  • Confirm security fix: Verify that the vulnerable esbuild version is no longer pulled into the dependency tree for production installations

Recommended Test Plan:

  1. Install the compiler package in a fresh project and verify it works correctly
  2. Check the dependency tree (npm ls or pnpm ls) to confirm vitest and its vulnerable dependencies are not included in production installs
  3. Run the existing test suite to ensure vitest still works correctly as a dev dependency

Diagram

%%{ init : { "theme" : "default" }}%%
flowchart TD
    subgraph "Compiler Package"
        PJ["packages/compiler/<br/>package.json"]:::major-edit
        VC["vitest.config.ts"]:::context
        Tests["*.spec.ts & *.test.ts<br/>files"]:::context
    end
    
    subgraph "Root"
        Lock["pnpm-lock.yaml"]:::minor-edit
    end
    
    subgraph "Security Issue"
        Vitest["vitest@2.1.4"]:::context
        Vite["vite@5.4.19"]:::context
        Esbuild["esbuild@0.21.5<br/>(vulnerable)"]:::context
    end
    
    PJ -->|"moved to devDependencies"| Vitest
    Vitest --> Vite
    Vite --> Esbuild
    Tests -->|"imports from"| Vitest
    VC -->|"configures"| Vitest
    PJ -->|"updated"| Lock
    
    subgraph Legend
        L1[Major Edit]:::major-edit
        L2[Minor Edit]:::minor-edit  
        L3[Context/No Edit]:::context
    end

classDef major-edit fill:#90EE90
classDef minor-edit fill:#87CEEB
classDef context fill:#f9f9f9

Notes

  • All tests (369 tests across 33 files) passed successfully after the change
  • Core packages built successfully, confirming vitest works correctly as a dev dependency
  • This change only affects the @lingo.dev/_compiler package and should not impact other packages in the monorepo
  • The fix aligns with standard practice where testing frameworks should be dev dependencies

Session Info:

…kage

Fixes #1115 - vitest was incorrectly listed as a production dependency
instead of a dev dependency, causing security vulnerabilities through
its dependency chain (vulnerable esbuild version).

vitest is only used in test files (*.spec.ts, *.test.ts) and
vitest.config.ts, so it should be a dev dependency.

Co-Authored-By: david@lingo.dev <realdavidturnbull@gmail.com>
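An added example of the check behind step 2 of the test plan above (confirming that the vulnerable esbuild release is no longer reachable from a production install); this is illustration code, not code from the PR or the lingo.dev repository. The dependency graph, the `some-runtime-lib` package and the `DEV_ONLY_TOOLS` list are constructed for the example; in practice the edges would come from `pnpm-lock.yaml` or `npm ls --omit=dev --json`.

```javascript
// Added example, not from the PR. Walks a dependency graph starting only
// from the package's production "dependencies" and reports whether the
// vulnerable esbuild release named in the PR is still reachable.
// GRAPH is hand-built from the chain the PR describes
// (vitest@2.1.9 -> vite@5.4.19 -> esbuild@0.21.5).
const GRAPH = {
  vitest: { version: "2.1.9", deps: ["vite"] },
  vite: { version: "5.4.19", deps: ["esbuild"] },
  esbuild: { version: "0.21.5", deps: [] },
  // hypothetical runtime dependency, not part of the vitest chain
  "some-runtime-lib": { version: "1.0.0", deps: [] },
};

// name -> version the PR identifies as vulnerable
const VULNERABLE = { esbuild: "0.21.5" };

// Test tooling that should never sit under "dependencies" (assumed list).
const DEV_ONLY_TOOLS = ["vitest", "jest", "mocha"];

// Breadth-first walk over the graph from the given root package names.
function reachable(roots, graph) {
  const seen = new Set();
  const queue = [...roots];
  while (queue.length > 0) {
    const name = queue.shift();
    if (seen.has(name) || !(name in graph)) continue;
    seen.add(name);
    queue.push(...graph[name].deps);
  }
  return seen;
}

// Vulnerable packages a consumer receives from a production-only install.
function productionExposure(pkgJson, graph, vulnerable) {
  const roots = Object.keys(pkgJson.dependencies || {});
  return [...reachable(roots, graph)]
    .filter((name) => vulnerable[name] === graph[name].version)
    .map((name) => `${name}@${graph[name].version}`);
}

// Lint check: test tooling listed under production dependencies.
function misplacedDevTools(pkgJson, tools = DEV_ONLY_TOOLS) {
  return tools.filter((t) => t in (pkgJson.dependencies || {}));
}

// Constructed package.json fragments: the state before and after the PR.
const BEFORE = { dependencies: { "some-runtime-lib": "^1.0.0", vitest: "^2.1.4" } };
const AFTER = { dependencies: { "some-runtime-lib": "^1.0.0" }, devDependencies: { vitest: "^2.1.4" } };

console.log(productionExposure(BEFORE, GRAPH, VULNERABLE)); // ["esbuild@0.21.5"]
console.log(productionExposure(AFTER, GRAPH, VULNERABLE)); // []
```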
@devin-ai-integration
Contributor Author

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

  • Disable automatic comment and CI monitoring

@davidturnbull davidturnbull self-requested a review August 5, 2025 07:43
@davidturnbull davidturnbull merged commit bc419ae into main Aug 5, 2025
2 of 3 checks passed
@davidturnbull davidturnbull deleted the devin/1754379492-move-vitest-to-dev-deps branch August 5, 2025 07:56