chore(deps): bump vite and vitest #43
Bumps [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite) to 8.0.10 and updates ancestor dependency [vitest](https://github.com/vitest-dev/vitest/tree/HEAD/packages/vitest). These dependencies need to be updated together.

Updates `vite` from 5.4.21 to 8.0.10
- [Release notes](https://github.com/vitejs/vite/releases)
- [Changelog](https://github.com/vitejs/vite/blob/main/packages/vite/CHANGELOG.md)
- [Commits](https://github.com/vitejs/vite/commits/v8.0.10/packages/vite)

Updates `vitest` from 1.6.1 to 4.1.5
- [Release notes](https://github.com/vitest-dev/vitest/releases)
- [Commits](https://github.com/vitest-dev/vitest/commits/v4.1.5/packages/vitest)

---
updated-dependencies:
- dependency-name: vite
  dependency-version: 8.0.10
  dependency-type: indirect
- dependency-name: vitest
  dependency-version: 4.1.5
  dependency-type: direct:development
...

Signed-off-by: dependabot[bot] <[email protected]>
Greptile Summary
This dependabot PR bumps
Confidence Score: 4/5
Safe to merge — changes are limited to devDependencies and the lockfile; no production or plugin code is touched.
Only devDependencies are updated; the 3-major-version vitest jump could expose breaking test API changes, but those are isolated to the development environment and don't affect published package consumers.
No files require special attention beyond ensuring the test suite passes with vitest 4.x after merging.
Important Files Changed
Flowchart
%%{init: {'theme': 'neutral'}}%%
flowchart TD
A[package.json devDependencies] --> B[vitest ^1.0.0 → ^4.1.5]
B --> C[vite 5.4.21 → 8.0.10\ntransitive via vitest]
C --> D[esbuild platform pkgs\ndev:true removed in lockfile]
B --> E[New optional deps\n@emnapi/core, @emnapi/runtime\n@emnapi/wasi-threads]
F[peerDependencies] --> G[vite >=4.0.0\nunchanged — still satisfied by v8]
Reviews (1): Last reviewed commit: "chore(deps): bump vite and vitest"
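The summary above relies on the change being dev-only, while its flowchart notes `dev: true` being removed from some lockfile entries. As an added example (not part of this thread or the repository's code), the script below compares the `packages` maps of two `package-lock.json` files and lists added and removed packages, major-version jumps, and entries that lost the `dev` flag. The lockfile entries are constructed sample data with placeholder versions; only the vite and vitest version numbers come from the PR text.

```javascript
// Added example. Lockfile entries are constructed sample data; only the vite and
// vitest version numbers are taken from the PR text.
const before = { packages: {
  "": { name: "sample-plugin" },
  "node_modules/vite": { version: "5.4.21", dev: true },
  "node_modules/vitest": { version: "1.6.1", dev: true },
  "node_modules/@esbuild/linux-x64": { version: "0.0.1", dev: true, optional: true },
  "node_modules/check-error": { version: "0.0.1", dev: true },
} };
const after = { packages: {
  "": { name: "sample-plugin" },
  "node_modules/vite": { version: "8.0.10", dev: true },
  "node_modules/vitest": { version: "4.1.5", dev: true },
  "node_modules/@esbuild/linux-x64": { version: "0.0.1", optional: true },
  "node_modules/@emnapi/core": { version: "0.0.1", dev: true, optional: true },
} };

const major = (v) => Number.parseInt(String(v).split(".")[0], 10);

// Compare the "packages" maps of two package-lock.json files (lockfileVersion 2 or 3).
function diffLock(oldLock, newLock) {
  const a = oldLock.packages || {};
  const b = newLock.packages || {};
  const report = { added: [], removed: [], majorJumps: [], devFlagDropped: [] };
  for (const [path, entry] of Object.entries(b)) {
    if (path === "") continue; // root project entry, not a dependency
    const old = a[path];
    if (!old) { report.added.push(path); continue; }
    // Link entries carry no version, so only compare when both sides have one.
    if (old.version && entry.version && major(entry.version) !== major(old.version)) {
      report.majorJumps.push(`${path} ${old.version} -> ${entry.version}`);
    }
    // npm sets dev:true only when a package is strictly inside the
    // devDependencies tree; losing the flag means some other edge reaches it.
    if (old.dev === true && entry.dev !== true) report.devFlagDropped.push(path);
  }
  for (const path of Object.keys(a)) {
    if (path !== "" && !(path in b)) report.removed.push(path);
  }
  return report;
}

console.log(JSON.stringify(diffLock(before, after), null, 2));
```

To run it against a real branch, replace the two sample objects with the parsed `package-lock.json` from the base and head commits.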
Triple major-version jump for both vitest (1→4) and vite (5→8) in dev/test tooling — worth a quick human glance to confirm CI is green and the vitest config still works under v4.
Extended reasoning...
Overview
This is a Dependabot PR bumping two devDependencies: vitest from ^1.0.0 to ^4.1.5 (three major versions) and vite from 5.4.21 to 8.0.10 (three major versions, transitive via vitest). Only package.json and package-lock.json change; no source, config, or peer dependency declarations are touched. The repo's own vite peerDependency range (>=4.0.0) is unchanged.
Security risks
None directly introduced by this PR. The bumps are dev-only and do not affect anything shipped to consumers of the package. The newer versions of vitest/vite generally include security fixes (e.g. v8.0.9 hardens HMR patch file handling) so this is net-positive on that axis, assuming tests still pass.
Level of scrutiny
Low-to-moderate. This is tooling-only, but a 3-major jump on the test runner is unusual — vitest 2/3/4 each had breaking API and config changes. The repo has 20 test files and a custom vitest.config.ts; if any test or matcher relies on something removed/renamed between v1 and v4 (e.g. snapshot defaults, mocker behavior, chai-style assertion internals via the dropped assertion-error/check-error chain), it would surface as a CI failure rather than a logic bug. The bug hunter doesn't run tests, so it can't catch that.
Other factors
The bug hunting system flagged nothing, which is consistent with there being no source code changes to analyze. CI is the natural gate for this kind of PR — a quick human check that the test job is green on this branch, plus a glance at the new vitest.config.ts semantics under v4, is enough.
Bumps vite to 8.0.10 and updates ancestor dependency vitest. These dependencies need to be updated together.
Updates vite from 5.4.21 to 8.0.10
Release notes
Sourced from vite's releases.
... (truncated)
Changelog
Sourced from vite's changelog.
... (truncated)
Commits
- 32c2978 release: v8.0.10
- a4d06d9 feat: update rolldown to 1.0.0-rc.17 (#22299)
- a4d828f fix: `hmrClient.logger.debug` and `hmrClient.logger.error` looked different f...
- 83f0a78 fix(css): show filename in CSS minification warnings for `.css?inline` (#22292)
- b8a21cc fix: remove format sniffing module resolution from JS resolver (#22297)
- 40a0847 refactor: typecheck client directory (#22284)
- 5c7cec6 fix(optimizer): allow user transform.target to override default in optimizeDe...
- 9437518 refactor: enable some typecheck rules (#22278)
- ce729f5 release: v8.0.9
- 605bb97 docs: update build CLI defaults (#22261)

Updates vitest from 1.6.1 to 4.1.5
Release notes
Sourced from vitest's releases.
... (truncated)
Commits
- e399846 chore: release v4.1.5
- 7dc6d54 Revert "fix: respect diff config options in soft assertions (#8696)"
- 9787ded fix: respect diff config options in soft assertions (#8696)
- 325463a fix(ast-collect): recognize _vi_import prefix in static test discovery (#10...
- 0e0ff41 feat(coverage): istanbul to support `instrumenter` option (#10119)
- 663b99f fix: alias `agent` reporter to `minimal` (#10157)
- 122c25b fix: fix `vi.defineHelper` called as object method (#10163)
- 6abd557 feat(api): make test-specification options writable (#10154)
- 596f739 fix: project color label on html reporter (#10142)
- 9423dc0 fix: --project negation excludes browser instances (#10131)

Maintainer changes
This version was pushed to npm by GitHub Actions, a new releaser for vitest since your current version.
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

You can disable automated security fix PRs for this repo from the Security Alerts page.