chore(deps): update dependency vitest to v4 [security]

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
vitest (source)	^3.2.0 → ^4.0.0

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

When Vitest UI server is listening, arbitrary file can be read and executed

CVE-2026-47429 / GHSA-5xrq-8626-4rwp

More information

Details

Summary

Arbitrary file can be read on Windows when Vitest UI server is listening, especially when exposed to the network.

Impact

Only users that match either of the following conditions are affected:

• explicitly exposes the Vitest UI server to the network (using --api.host or api.host config option)
• running the Vitest UI or Browser Mode on Windows

Details

The API handler for /__vitest_attachment__ uses the deprecated isFileServingAllowed incorrectly.
https://github.com/vitest-dev/vitest/blob/eb1abf08573032a532015b999ad3501c5e89e3bb/packages/ui/node/index.ts#L77
The function expects the passed value to use cleanUrl after the check before file system related operation.
Because of this, it is possible to bypass the check by \\?\\..\\. This is not possible on Linux as Linux errors if a directory named ? does not exist.

A similar problem exists in other places as well.

• https://github.com/vitest-dev/vitest/blob/eb1abf08573032a532015b999ad3501c5e89e3bb/packages/vitest/src/api/setup.ts#L103-L105
• https://github.com/vitest-dev/vitest/blob/eb1abf08573032a532015b999ad3501c5e89e3bb/packages/vitest/src/api/setup.ts#L119-L121
• https://github.com/vitest-dev/vitest/blob/eb1abf08573032a532015b999ad3501c5e89e3bb/packages/browser/src/node/commands/fs.ts#L10-L11
• https://github.com/vitest-dev/vitest/blob/eb1abf08573032a532015b999ad3501c5e89e3bb/packages/browser/src/node/plugin.ts#L194-L196
• https://github.com/vitest-dev/vitest/blob/eb1abf08573032a532015b999ad3501c5e89e3bb/packages/browser/src/node/rpc.ts#L115-L121

That said, this isFileServingAllowed check does not actually prevent the API to be abused. Since the API has rerun feature and file write feature, it's possible to run arbitrary script by writing a script as a test file using saveTestFile and running it using rerun. This means exposing the API / Vitest UI is equivalent to giving script execution access.
On the browser mode side, there're readFile / writeFile / saveSnapshotFile. So exposing the browser mode is equivalent to giving file read / write access.

PoC

1. Run Vitest UI
2. Get the API token by curl http://localhost:51204/__vitest__/
3. Run curl "http://localhost:51204/__vitest_attachment__?path=C:\\path\\to\\project\\?\\..\\..\\secret.txt&contentType=text/plain&token=$TOKEN" (TOKEN is the API token)
4. curl shows the content of secret.txt that is outside the project directory

Mitigations

Vitest now ships two configuration flags, allowWrite and allowExec, that gate the privileged operations exploited by this vulnerability. Both are disabled by default whenever the API server is bound to a non-localhost host, ensuring that exposing the server to the network no longer implicitly grants write or execute capabilities to remote clients.

When these flags are disabled, the UI also enters a read-only mode: in-browser code editing and test file execution are turned off, removing the attack surface that allowed remote code execution. Many Browser Mode features are also disabled, like attachments, artifacts or snapshots. See browser.api.

Users who require the full interactive UI on a networked host must explicitly opt in by setting allowWrite and/or allowExec to true.

Severity

• CVSS Score: 9.8 / 10 (Critical)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

• https://github.com/vitest-dev/vitest/security/advisories/GHSA-5xrq-8626-4rwp
• https://github.com/vitest-dev/vitest/blob/eb1abf08573032a532015b999ad3501c5e89e3bb/packages/browser/src/node/commands/fs.ts#L10-L11
• https://github.com/vitest-dev/vitest/blob/eb1abf08573032a532015b999ad3501c5e89e3bb/packages/browser/src/node/plugin.ts#L194-L196
• https://github.com/vitest-dev/vitest/blob/eb1abf08573032a532015b999ad3501c5e89e3bb/packages/browser/src/node/rpc.ts#L115-L121
• https://github.com/vitest-dev/vitest/blob/eb1abf08573032a532015b999ad3501c5e89e3bb/packages/ui/node/index.ts#L77
• https://github.com/vitest-dev/vitest/blob/eb1abf08573032a532015b999ad3501c5e89e3bb/packages/vitest/src/api/setup.ts#L103-L105
• https://github.com/vitest-dev/vitest/blob/eb1abf08573032a532015b999ad3501c5e89e3bb/packages/vitest/src/api/setup.ts#L119-L121
• https://github.com/advisories/GHSA-5xrq-8626-4rwp

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

vitest-dev/vitest (vitest)

v4.1.0

Compare Source

Vitest 4.1 is out!

This release page lists all changes made to the project during the 4.1 beta. To get a review of all the new features, read our blog post.

   🚀 Features

• Return a disposable from doMock()  -  by @​kirkwaiblinger in #​9332 (e3e65)
• Added chai style assertions  -  by @​ronnakamoto and @​sheremet-va in #​8842 (841df)
• Update to sinon/fake-timers v15 and add setTickMode to timer controls  -  by @​atscott and @​sheremet-va in #​8726 (4b480)
• Expose matcher types  -  by @​sheremet-va in #​9448 (3e4b9)
• Add toTestSpecification to reported tasks  -  by @​sheremet-va in #​9464 (1a470)
• Show a warning if vi.mock or vi.hoisted are declared outside of top level of the module  -  by @​sheremet-va in #​9387 (5db54)
• Track and display expectedly failed tests (.fails) in UI and CLI  -  by @​Copilot, sheremet-va and @​sheremet-va in #​9476 (77d75)
• Support tags  -  by @​sheremet-va in #​9478 (de7c8)
• Implement aroundEach and aroundAll hooks  -  by @​sheremet-va in #​9450 (2a8cb)
• Stabilize experimental features  -  by @​sheremet-va in #​9529 (b5fd2)
• Accept new or all in --update flag  -  by @​sheremet-va in #​9543 (a5acf)
• Support meta in test options  -  by @​sheremet-va in #​9535 (7d622)
• Support type inference with a new test.extend syntax  -  by @​sheremet-va in #​9550 (e5385)
• Support vite 8 beta, fix type issues in the config with different vite versions  -  by @​sheremet-va in #​9587 (99028)
• Add assertion helper to hide internal stack traces  -  by @​hi-ogawa and Claude Opus 4.6 in #​9594 (eeb0a)
• Store failure screenshots using artifacts API  -  by @​macarie in #​9588 (24603)
• Allow vitest list to statically collect tests instead of running files to collect them  -  by @​sheremet-va in #​9630 (7a8e7)
• Add --detect-async-leaks  -  by @​AriPerkkio in #​9528 (c594d)
• Implement mockThrow and mockThrowOnce  -  by @​thor-juhasz and @​sheremet-va in #​9512 (61917)
• Support update: "none" and add docs about snapshots behavior on CI  -  by @​hi-ogawa in #​9700 (05f18)
• Support playwright launchOptions with connectOptions  -  by @​hi-ogawa in #​9702 (f0ff1)
• Add page/locator.mark API to enhance playwright trace  -  by @​hi-ogawa in #​9652 (d0ee5)
• api:
  • Support tests starting or ending with test in experimental_parseSpecification  -  by @​jgillick and Jeremy Gillick in #​9235 (2f367)
  • Add filters to createSpecification  -  by @​sheremet-va in #​9336 (c8e6c)
  • Expose runTestFiles as alternative to runTestSpecifications  -  by @​sheremet-va in #​9443 (43d76)
  • Add allowWrite and allowExec options to api  -  by @​sheremet-va in #​9350 (20e00)
  • Allow passing down test cases to toTestSpecification  -  by @​sheremet-va in #​9627 (6f17d)
• browser:
  • Add userEvent.wheel API  -  by @​macarie in #​9188 (66080)
  • Add filterNode option to prettyDOM for filtering browser assertion error output  -  by @​Copilot, sheremet-va and @​sheremet-va in #​9475 (d3220)
  • Support playwright persistent context  -  by @​hi-ogawa, Claude Opus 4.6 and @​sheremet-va in #​9229 (f865d)
  • Added detailsPanelPosition option and button  -  by @​shairez in #​9525 (c8a31)
  • Use BlazeDiff instead of pixelmatch  -  by @​macarie in #​9514 (30936)
  • Add findElement and enable strict mode in webdriverio and preview  -  by @​sheremet-va in #​9677 (c3f37)
• cli:
  • Add @​bomb.sh/tab completions  -  by @​AmirSa12 and @​sheremet-va in #​8639 (200f3)
• coverage:
  • Support ignore start/stop ignore hints  -  by @​AriPerkkio in #​9204 (e59c9)
  • Add coverage.changed option to report only changed files  -  by @​kykim00 and @​AriPerkkio in #​9521 (1d939)
• experimental:
  • Add onModuleRunner hook to worker.init  -  by @​sheremet-va in #​9286 (e977f)
  • Option to disable the module runner  -  by @​sheremet-va and @​AriPerkkio in #​9210 (9be61)
  • Add importDurations: { limit, print } options  -  by @​hi-ogawa, Claude Opus 4.6 and @​sheremet-va in #​9401 (7e10f)
  • Add print and fail thresholds for importDurations  -  by @​hi-ogawa and Claude Opus 4.6 in #​9533 (3f7a5)
• fixtures:
  • Pass down file context to beforeAll/afterAll  -  by @​sheremet-va in #​9572 (c8339)
• reporters:
  • Add agent reporter to reduce ai agent token usage  -  by @​cpojer in #​9779 (3e9e0)
• runner:
  • Enhance retry options  -  by @​MazenSamehR, Matan Shavit, @​AriPerkkio and @​sheremet-va in #​9370 (9e4cf)
• ui:
  • Allow run individual test/suites  -  by @​userquin in #​9465 (73b10)
  • Add project filter/sort support  -  by @​userquin in #​8689 (0c7ea)
  • Add duration sorting to explorer  -  by @​julianhahn and @​cursoragent in #​9603 (209b1)
  • Implement filter for slow tests  -  by @​DerYeger and @​userquin in #​9705 (8880c)
• vitest:
  • Add run summary in GitHub Actions Reporter  -  by @​macarie and jhnance in #​9579 (96bfc)

   🐞 Bug Fixes

• Deprecate several vitest/* entry points  -  by @​sheremet-va in #​9347 (fd459)
• Use meta.url in createRequire  -  by @​sheremet-va in #​9441 (e3422)
• Preact browser mode init example of render function not async  -  by @​WuMingDao in #​9375 (2bea5)
• Deprecate unused types in matcher context  -  by @​sheremet-va in #​9449 (20f87)
• Handle external/noExternal during configEnvironment hook  -  by @​hi-ogawa and Claude Opus 4.6 in #​9508 (59ea2)
• Replace default ssr environment runner with Vitest server module runner  -  by @​hi-ogawa and Claude Opus 4.6 in #​9506 (cd5db)
• Propagate experimental CLI options to child projects  -  by @​hi-ogawa and Claude Opus 4.6 in #​9531 (b624f)
• Show a warning when browser.isolate is used  -  by @​sheremet-va in #​9410 (3d48e)
• Fix vi.mock({ spy: true }) node v8 coverage  -  by @​hi-ogawa, hi-ogawa and Claude Opus 4.6 in #​9541 (687b6)
• Don't show internal ssr handler in errors  -  by @​sheremet-va in #​9547 (76c43)
• Close vitest if it failed to start  -  by @​sheremet-va in #​9573 (728ba)
• Fix ssr environment runner in project  -  by @​hi-ogawa in #​9584 (09006)
• Trim trailing white spaces in code block  -  by @​hi-ogawa in #​9591 (f78be)
• Support inline snapshot inside test.for/each  -  by @​hi-ogawa in #​9590 (615fd)
• Apply source maps for external module stack trace  -  by @​hi-ogawa in #​9152 (79e20)
• Remove the .name from statically collected test  -  by @​sheremet-va in #​9596 (b66ff)
• Don't suppress warnings on pnp  -  by @​sheremet-va in #​9602 (89cbd)
• Support snapshot with expect.soft  -  by @​iumehara, @​hi-ogawa and Claude Opus 4.6 in #​9231 (3eb2c)
• Log seed when only sequence.shuffle.tests is enabled  -  by @​kaigritun, Kai Gritun and @​sheremet-va in #​9576 (8182b)
• Externalize expect/src/utils from vitest  -  by @​hi-ogawa in #​9616 (48739)
• Ignore test.override during static collection  -  by @​sheremet-va in #​9620 (09174)
• Increase stacktrace limit for --detect-async-leaks  -  by @​AriPerkkio in #​9638 (9fd4c)
• Hanging-reporter link in cli  -  by @​flx-sta in #​9649 (7c103)
• Fix teardown timeout of aroundEach/All when inner aroundEach/All throws  -  by @​hi-ogawa in #​9657 (4ec6c)
• Fix ui mode / html reporter and coverage integration  -  by @​hi-ogawa and Claude Opus 4.6 in #​9626 (86fad)
• Don't continue when aroundEach/All setup timed out  -  by @​hi-ogawa in #​9670 (bb013)
• Align VitestRunnerConfig optional fields with SerializedConfig  -  by @​hi-ogawa in #​9661 (79520)
• Handle Symbol values in format utility  -  by @​nami8824 in #​9658 (0583f)
• Deprecate toBe* spy assertions in favor of toHaveBeen* (and toThrowError)  -  by @​sheremet-va in #​9665 (4d390)
• Don't propagate nested aroundEach/All errors but aggregate them on runner  -  by @​hi-ogawa in #​9673 (b6365)
• Show a better error if there is a pending dynamic import  -  by @​sheremet-va in #​9676 (7ef5c)
• Preserve stack trace of resolves/rejects chained assertion error  -  by @​hi-ogawa in #​9679 (c6151)
• Handle module-sync condition in vmThreads/vmForks require  -  by @​lesleh in #​9650 and #​9651 (bb203)
• Hooks should respect maxConcurrency  -  by @​hi-ogawa in #​9653 (16d13)
• Recursively autospy module object  -  by @​hi-ogawa in #​9687 (695a8)
• Remove trailing spaces from diff error log  -  by @​hi-ogawa and @​sheremet-va in #​9680 (395d1)
• Respect project resolve.conditions for externals  -  by @​hi-ogawa in #​9717 (1d498)
• Use object for WeakMap instead of a symbol to support webcontainers  -  by @​sheremet-va in #​9731 (c5225)
• Fix re-mocking virtual module  -  by @​hi-ogawa in #​9748 (3cbbb)
• Cancelling should stop current test immediately  -  by @​AriPerkkio in #​9729 (0cb2f)
• Make mockObject change backwards compatible  -  by @​sheremet-va in #​9744 (84c69)
• Fix URL.name on jsdom  -  by @​hi-ogawa in #​9767 (031f3)
• Save and restore module graph in blob reporter  -  by @​hi-ogawa in #​9740 (84355)
• Don't silence reporter errors from test runtime events handler in normal run and --merge-reports  -  by @​hi-ogawa in #​9727 (4072d)
• Fix vi.importActual() for virtual modules  -  by @​hi-ogawa and Claude Opus 4.6 in #​9772 (1e89e)
• Throw FixtureAccessError if suite hook accesses undefined fixture  -  by @​sheremet-va in #​9786 (fc2ce)
• Allow hyphens in project config file name pattern  -  by @​Koutaro-Hanabusa and @​hi-ogawa in #​9760 (33e96)
• Manual and redirect mock shouldn't load or transform original module  -  by @​hi-ogawa and Claude Opus 4.6 in #​9774 (a8216)
• hideSkippedTests should not hide test.todo  -  by @​oilater in #​9562 and #​9781 (8181e)
• Allow catch/finally for async assertion  -  by @​hi-ogawa in #​9827 (031f0)
• Resolve fixture overrides from test's suite in beforeEach hooks  -  by @​hi-ogawa and Claude Opus 4.6 in #​9826 (99e52)
• Use isAgent check, not just TTY, for watch mode  -  by @​sheremet-va in #​9841 (c3cac)
• Use performance.now to measure test timeout duration  -  by @​hi-ogawa and Claude Opus 4.6 in #​9795 (f48a6)
• Correctly identify concurrent test during static analysis  -  by @​sheremet-va in #​9846 (1de0a)
• browser:
  • Avoid updating screenshots when toMatchScreenshot passes  -  by @​macarie in #​9289 (46aab)
  • Hide injected data-testid attributes  -  by @​sheremet-va in #​9503 (c8d2c)
  • Throw an error if iframe was reloaded  -  by @​sheremet-va in #​9516 (73a81)
  • Encode projectName in browser client URL  -  by @​dkkim0122 in #​9523 (5b164)
  • Don't take failure screenshot if tests have artifacts created by toMatchScreenshot  -  by @​macarie in #​9552 (83ca0)
  • Remove --remote-debugging-address from chrome args  -  by @​hi-ogawa and @​AriPerkkio in #​9712 (f09bb)
  • Make sure userEvent actions support ensureAwaited  -  by @​sheremet-va in #​9732 (97685)
  • Types of getCDPSession and cdp()  -  by @​AriPerkkio in #​9716 (689a2)
  • Skip esbuild.legalComments when using rolldown-vite  -  by @​Copilot, hi-ogawa and @​hi-ogawa in #​9803 (3505f)
• chai:
  • Don't allow deepEqual in the config because it's not serializable  -  by @​sheremet-va in #​9666 (9ee99)
• coverage:
  • Infer transform mode for uncovered files  -  by @​AriPerkkio in #​9435 (f3967)
  • thresholds.autoUpdate to preserve ending whitespace  -  by @​AriPerkkio in #​9436 (7e534)
• deps:
  • Update all non-major dependencies  -  by @​hi-ogawa in #​9192 (90c30)
  • Update all non-major dependencies  -  in #​9485 (c0118)
  • Update all non-major dependencies  -  in #​9567 (13c9e)
• docs:
  • Fix old /config/#option hash links causing hydration errors  -  by @​hi-ogawa, Claude Opus 4.6 and @​sheremet-va in #​9610 (a603c)
• expect:
  • toMatchObject(Map/Set) should expect Map/Set on left hand side  -  by @​hi-ogawa and Claude Opus 4.6 in #​9532 (381da)
  • Fix objectContaining with proxy  -  by @​hi-ogawa and Claude Opus 4.6 in #​9554 (7ce34)
  • Support arbitrary value equality for toThrow and make Error detection robust  -  by @​hi-ogawa and Claude Opus 4.6 in #​9570 (de215)
• mock:
  • Inject helpers after hashbang if present  -  by @​sheremet-va in #​9545 (65432)
• mocker:
  • Update vite's peer dependency range  -  by @​sheremet-va in #​9808 (36f9a)
• reporter:
  • dot reporter leaves pending tests  -  by @​AriPerkkio in #​9684 (4d793)
• runner:
  • Mark repeated tests as finished on last run  -  by @​AriPerkkio in #​9707 (cc735)
• spy:
  • Support deep partial in vi.mocked  -  by @​j2h30728 in #​8152 and #​9493 (71cb5)
  • Fallback to object accessor if descriptor's value is undefined  -  by @​sheremet-va in #​9511 (6f181)
  • Throw correct errors when shorthand methods are used on a class  -  by @​sheremet-va in #​9513 (5d0fd)
• types:
  • bench.reporters no longer gives type errors when passing file name string paths  -  by @​Bertie690 in #​9695 (093c8)
• ui:
  • Process artifact attachments when generating HTML reporter  -  by @​macarie in #​9472 (96eb9)
  • Don't fail if --ui and --root are specified together  -  by @​sheremet-va in #​9536 (d9305)

   🏎 Performance

• pretty-format: Combine DOMElement plugins  -  by @​sheremet-va in #​9581 (da85a)

    View changes on GitHub

v4.0.18

Compare Source

   🚀 Experimental Features

• experimental: Add onModuleRunner hook to worker.init  -  by @​sheremet-va in #​9286 (ea837)

   🐞 Bug Fixes

• Use meta.url in createRequire  -  by @​sheremet-va in #​9441 (e0572)
• browser: Hide injected data-testid attributes  -  by @​sheremet-va in #​9503 (f8989)
• ui: Process artifact attachments when generating HTML reporter  -  by @​macarie in #​9472 (22543)

    View changes on GitHub

v4.0.17

Compare Source

   🚀 Features

• Support openTelemetry for browser mode  -  by @​hi-ogawa in #​9180 (1ec3a)
• Support TRACEPARENT and TRACESTATE environment variables for OpenTelemetry context propagation  -  by @​Copilot, hi-ogawa and @​hi-ogawa in #​9295 (876cb)

   🐞 Bug Fixes

• Improve asymmetric matcher diff readability by unwrapping container matchers  -  by @​Copilot, sheremet-va, hi-ogawa and @​hi-ogawa in #​9330 (b2ec7)
• Improve runner error when importing outside of test context  -  by @​sheremet-va in #​9335 (2dd3d)
• Replace crypto.randomUUID to allow insecure environments (fix #​9…  -  by @​plusgut in #​9339 and #​9 (e6a3f)
• Handle null options in addEventHandler #​9371  -  by @​ThibautMarechal in #​9372 and #​9371 (40841)
• Typo in browser.provider error  -  by @​deammer in #​9394 (4b67f)
• browser:
  • Fix process.env and import.meta.env defines in inline project  -  by @​hi-ogawa in #​9239 (b70c9)
  • Fix upload File instance  -  by @​hi-ogawa in #​9294 (b6778)
  • Fix invalid project token for artifacts assets  -  by @​hi-ogawa in #​9321 (caa7d)
  • Log ErrorEvent.message when unhandled ErrorEvent.error is null  -  by @​hi-ogawa in #​9322 (5d84e)
  • Support fileParallelism on an instance  -  by @​sheremet-va in #​9328 (15006)
• coverage:
  • Remove unnecessary istanbul-lib-source-maps usage  -  by @​AriPerkkio in #​9344 (b0940)
  • Apply patch from istanbuljs/istanbuljs#837  -  by @​AriPerkkio and sapphi-red in #​9413 and #​837 (e05ce)
• fsModuleCache:
  • Don't store importers in cache  -  by @​sheremet-va in #​9422 (75136)
  • Add importers alongside importedModules  -  by @​sheremet-va in #​9423 (59f92)
• mocker:
  • Fix mock transform with class  -  by @​hi-ogawa in #​9421 (d390e)
• pool:
  • Validate environment options when reusing the worker  -  by @​sheremet-va in #​9349 (a8a88)
  • Handle worker start failures gracefully  -  by @​AriPerkkio in #​9337 (200da)
• reporter:
  • Report test module if it failed to run  -  by @​sheremet-va in #​9272 (c7888)
• runner:
  • Respect nested test.only within describe.only  -  by @​Ujjwaljain16 in #​9021 and #​9213 (55d5d)
• typecheck:
  • Improve error message when tsc outputs help text  -  by @​Ujjwaljain16 in #​9214 (7b10a)
• ui:
  • Detect gzip by magic numbers instead of Content-Type header in html reporter  -  by @​Copilot, hi-ogawa and @​hi-ogawa in #​9278 (dd033)
• webdriverio:
  • Fall back to WebDriver Classic #​9244  -  by @​JustasMonkev in #​9373 and #​9244 (c23dd)

    View changes on GitHub

v4.0.16

Compare Source

   🐞 Bug Fixes

• Fix browser mode default testTimeout back to 15 seconds  -  by [@​hi-ogawa](https://redirect.gi

✂ Note

PR body was truncated to here.

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

⚠️ Artifact update problem

Renovate failed to update artifacts related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: package-lock.json

npm warn Unknown env config "store". This will stop working in the next major version of npm. See `npm help npmrc` for supported config options.
npm error code ERESOLVE
npm error ERESOLVE could not resolve
npm error
npm error While resolving: @vitest/coverage-v8@3.2.4
npm error Found: vitest@4.1.8
npm error node_modules/vitest
npm error   dev vitest@"^4.0.0" from the root project
npm error
npm error Could not resolve dependency:
npm error peer vitest@"3.2.4" from @vitest/coverage-v8@3.2.4
npm error node_modules/@vitest/coverage-v8
npm error   dev @vitest/coverage-v8@"^3.2.0" from the root project
npm error
npm error Conflicting peer dependency: vitest@3.2.4
npm error node_modules/vitest
npm error   peer vitest@"3.2.4" from @vitest/coverage-v8@3.2.4
npm error   node_modules/@vitest/coverage-v8
npm error     dev @vitest/coverage-v8@"^3.2.0" from the root project
npm error
npm error Fix the upstream dependency conflict, or retry this command with --force or --legacy-peer-deps to accept an incorrect (and potentially broken) dependency resolution.
npm error
npm error
npm error For a full report see:
npm error /runner/cache/others/npm/_logs/2026-06-02T03_01_10_289Z-eresolve-report.txt
npm error A complete log of this run can be found in: /runner/cache/others/npm/_logs/2026-06-02T03_01_10_289Z-debug-0.log

File name: pnpm-lock.yaml

Scope: all 22 workspace projects
Progress: resolved 1, reused 0, downloaded 0, added 0
Progress: resolved 20, reused 0, downloaded 0, added 0

   ╭─────────────────────────────────────────╮
   │                                         │
   │   Update available! 11.0.1 → 11.5.0.    │
   │   Changelog: https://pnpm.io/v/11.5.0   │
   │    To update, run: pnpm add -g pnpm     │
   │                                         │
   ╰─────────────────────────────────────────╯

Progress: resolved 26, reused 0, downloaded 0, added 0
.                                        |  WARN  deprecated rolldown-vite@7.3.1
Progress: resolved 34, reused 0, downloaded 0, added 0
Progress: resolved 39, reused 0, downloaded 0, added 0
 WARN  The metadata of react is missing the "time" field; skipping the minimumReleaseAge check for this package.
 WARN  The metadata of react-dom is missing the "time" field; skipping the minimumReleaseAge check for this package.
 WARN  The metadata of @radix-ui/react-slot is missing the "time" field; skipping the minimumReleaseAge check for this package.
Progress: resolved 52, reused 0, downloaded 0, added 0
Progress: resolved 53, reused 0, downloaded 0, added 0
Progress: resolved 54, reused 0, downloaded 0, added 0
Progress: resolved 60, reused 0, downloaded 0, added 0
 WARN  The metadata of react-aria is missing the "time" field; skipping the minimumReleaseAge check for this package.
packages/drawer                          |  WARN  deprecated @launchpad-ui/progress@0.5.57
Progress: resolved 64, reused 0, downloaded 0, added 0
packages/navigation                      |  WARN  deprecated @launchpad-ui/chip@0.9.58
Progress: resolved 66, reused 0, downloaded 0, added 0
Progress: resolved 73, reused 0, downloaded 0, added 0
Progress: resolved 79, reused 0, downloaded 0, added 0
Progress: resolved 80, reused 0, downloaded 0, added 0
Progress: resolved 82, reused 0, downloaded 0, added 0
 WARN  The metadata of @changesets/types is missing the "time" field; skipping the minimumReleaseAge check for this package.
Progress: resolved 153, reused 0, downloaded 0, added 0
Progress: resolved 179, reused 0, downloaded 0, added 0
Progress: resolved 250, reused 0, downloaded 0, added 0
Progress: resolved 262, reused 0, downloaded 0, added 0
Progress: resolved 280, reused 0, downloaded 0, added 0
 WARN  The metadata of @vitest/expect is missing the "time" field; skipping the minimumReleaseAge check for this package.
Progress: resolved 343, reused 0, downloaded 0, added 0
Progress: resolved 372, reused 0, downloaded 0, added 0
Progress: resolved 394, reused 0, downloaded 0, added 0
Progress: resolved 439, reused 0, downloaded 0, added 0
Progress: resolved 519, reused 0, downloaded 0, added 0
Progress: resolved 570, reused 0, downloaded 0, added 0
Progress: resolved 579, reused 0, downloaded 0, added 0
Progress: resolved 674, reused 0, downloaded 0, added 0
Progress: resolved 707, reused 0, downloaded 3, added 0
Progress: resolved 745, reused 0, downloaded 3, added 0
 WARN  The metadata of react-is is missing the "time" field; skipping the minimumReleaseAge check for this package.
Progress: resolved 837, reused 0, downloaded 3, added 0
Progress: resolved 990, reused 0, downloaded 3, added 0
Progress: resolved 1041, reused 0, downloaded 3, added 0
 WARN  8 deprecated subdependencies found: git-raw-commits@4.0.0, glob@10.4.5, glob@10.5.0, glob@7.2.3, inflight@1.0.6, rimraf@2.7.1, string-at@1.1.0, whatwg-encoding@3.1.1
Progress: resolved 1060, reused 0, downloaded 3, added 0
Progress: resolved 1060, reused 0, downloaded 3, added 0, done
 ERR_PNPM_PEER_DEP_ISSUES  Unmet peer dependencies

hint: Run "pnpm peers check" to list the peer dependency issues.
hint: To disable failing on peer dependency issues, add the following to pnpm-workspace.yaml in your project root:

  strictPeerDependencies: false

[changeset-bot]

⚠️ No Changeset found

Latest commit: f008e05

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[cursor]

Cursor Bugbot has reviewed your changes using default effort and found 1 potential issue.

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, have a team admin enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit f008e05. Configure here.}

[cursor]

Companion @vitest packages not updated with vitest major bump

High Severity

vitest is bumped to ^4.0.0 but @vitest/coverage-v8 and @vitest/ui remain at ^3.2.0. These companion packages declare vitest: 3.2.0 as a peer dependency, and the workspace enforces strictPeerDependencies: true, so pnpm install will fail with a peer dependency conflict. Both packages need to be updated to ^4.0.0 to match.

Additional Locations (1)

• package.json#L55-L57

 

^{Reviewed by Cursor Bugbot for commit f008e05. Configure here.}