Skip to content

chore(deps): bump vitest to 3.2.7#740

Merged
osm6495 merged 1 commit into
mainfrom
devin/1783988029-vitest-bump
Jul 14, 2026
Merged

chore(deps): bump vitest to 3.2.7#740
osm6495 merged 1 commit into
mainfrom
devin/1783988029-vitest-bump

Conversation

@kparkinson-ld

@kparkinson-ld kparkinson-ld commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

Requirements

  • I have added test coverage for new or changed functionality — N/A (dependency-only bump; existing vitest run suite passes)
  • I have followed the repository's pull request submission guidelines
  • I have validated my changes against all supported platform versions

Related issues

Remediates a CRITICAL Dependabot alert for vitest in internal/dev_server/ui. The installed vitest@2.1.9 is below the first patched version 3.2.6.

Note: the existing Dependabot group PR #727 also bumps vitest (to 4.1.9), but it bundles 10 major-version updates (react-router 8, @launchpad-ui/core 0.59, etc.) and its ci check is red (committed dist/ out of date). This PR is a focused, minimal remediation of just the vitest alert.

Describe the solution you've provided

Bump vitest 2.1.93.2.7 (latest 3.x, ≥ patched 3.2.6) in internal/dev_server/ui, regenerating package-lock.json. Smallest major jump that clears the alert. vite@6.4.1 is already installed, which satisfies vitest 3's peer requirement, so no other dependency changes were needed.

Verified locally in internal/dev_server/ui:

  • npm test → 5 tests passed
  • npm run lint → clean
  • npm run build → succeeds with no changes to the committed dist/ (CI's post-build git diff --exit-code stays green)

Describe alternatives you've considered

Relying on Dependabot group PR #727 (vitest → 4.1.9). Rejected as the primary fix because of its broad, risky scope and failing CI; this focused PR is preferred per the "smallest focused change" guidance.

Additional context

Dependency-only change; no product code touched.

Link to Devin session: https://app.devin.ai/sessions/cdb8e66f36924e6b8ced537487bb1f67
Requested by: @kparkinson-ld


Note

Low Risk
Scope is limited to the dev-server UI test toolchain; production bundles and runtime behavior are unchanged.

Overview
Bumps vitest from 2.1.9 to 3.2.7 in internal/dev_server/ui (package.json and regenerated package-lock.json) to address a Dependabot security alert; the patched floor is 3.2.6.

This is a devDependency-only change—no application or test source edits. The lockfile refresh pulls in Vitest 3’s ecosystem (@vitest/* at 3.2.7, vite-node 3.2.4, updated chai/pathe/tinyrainbow, etc.) and drops nested Vite 5 / esbuild bundles that Vitest 2 had pinned under vite-node and vitest.

Reviewed by Cursor Bugbot for commit 6620529. Bugbot is set up for automated code reviews on this repo. Configure here.

@kparkinson-ld kparkinson-ld self-assigned this Jul 14, 2026
@devin-ai-integration

Copy link
Copy Markdown
Contributor

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

  • Disable automatic comment, CI, and merge conflict monitoring

@devin-ai-integration devin-ai-integration Bot marked this pull request as ready for review July 14, 2026 00:32
@devin-ai-integration devin-ai-integration Bot requested review from a team July 14, 2026 01:27
@osm6495 osm6495 merged commit 877f4db into main Jul 14, 2026
9 checks passed
@osm6495 osm6495 deleted the devin/1783988029-vitest-bump branch July 14, 2026 16:48
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants