chore: upgrade all vitest to 4.1.0+ (GHSA-5xrq-8626-4rwp)#603
Merged
Conversation
…bility - Create separate vitest.config.ts with globals, jsdom environment, and setup file - Move test config out of vite.config.ts to avoid conflicts with production build - Import @vitest/web-worker in setup to register Worker in test environment Co-Authored-By: Patrick Kaeding <patrick@kaeding.name>
- Upgrade vitest from ^1.6.1 to ^4.1.0 (patches path traversal vuln) - Upgrade @vitest/coverage-v8 and @vitest/web-worker to ^4.1.0 - Add vite 6 for vitest 4 compatibility, keep vite5 alias for production builds - Update build scripts to use vite5 binary for production builds Co-Authored-By: Patrick Kaeding <patrick@kaeding.name>
Contributor
🤖 Devin AI EngineerI'll be helping with this pull request! Here's what you should know: ✅ I will automatically:
Note: I can only respond to comments from users who have write access to this repository. ⚙️ Control Options:
|
The 'processes messages sent after Reset' test has a race condition with vitest 4's @vitest/web-worker where the worker module loading is non-deterministic after repeated vi.resetModules() calls. Add retry: 2 to vitest config and increase vi.waitFor timeout for the affected test. Co-Authored-By: Patrick Kaeding <patrick@kaeding.name>
Co-Authored-By: Patrick Kaeding <patrick@kaeding.name>
Update rrweb submodule to include vitest 4.1.0+ upgrade and CI fixes. Add workspace-level vitest resolution to force all vitest instances to ^4.1.0, remediating GHSA-5xrq-8626-4rwp across the entire monorepo including the rrweb submodule. Co-Authored-By: Patrick Kaeding <patrick@kaeding.name>
Vadman97
approved these changes
Jun 8, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Upgrades all vitest instances across the monorepo from vulnerable versions (< 4.1.0) to ^4.1.0, fully remediating the critical path traversal vulnerability GHSA-5xrq-8626-4rwp.
Changes:
highlight-run: dual vite strategy —vite5alias for production builds (CJS compat), vitest 4 uses its own bundled vite 6rrwebsubmodule: updated ref with vitest ^4.1.0 across all 7 sub-packages, plus CI workflow fixes (see rrweb PR #28)vitestresolution to force all transitive instances to ^4.1.0How did you test this change?
yarn installresolves all vitest to 4.1.8 (verified viayarn.lock)Are there any deployment considerations?
No — vitest is a devDependency only.
Link to Devin session: https://app.devin.ai/sessions/53f550284d9d4468b1941a28d0312b41
Requested by: @pkaeding