Bump @vitest/ui from 4.0.18 to 4.1.6

[dependabot]

Bumps @vitest/ui from 4.0.18 to 4.1.6.

Release notes

Sourced from @​vitest/ui's releases.

v4.1.6

   🐞 Bug Fixes

• browser: Provide project reference in ToMatchScreenshotResolvePath  -  by @​macarie and @​sheremet-va in vitest-dev/vitest#10138 (31882)
• Global sequence.concurrent: true with top-level test(..., { concurrent: false }) + depreacte sequential test API and options  -  by @​hi-ogawa, Codex and @​sheremet-va in vitest-dev/vitest#10196 (2847d)
• browser: Simplify orchestrator otel carrier  -  by @​hi-ogawa in vitest-dev/vitest#10285 (18af9)

   🏎 Performance

• Stringify diff objects only once  -  by @​sheremet-va in vitest-dev/vitest#10276 (9f7b1)

    View changes on GitHub

v4.1.5

   🚀 Experimental Features

• coverage: Istanbul to support instrumenter option  -  by @​BartWaardenburg and @​AriPerkkio in vitest-dev/vitest#10119 (0e0ff)

   🐞 Bug Fixes

• --project negation excludes browser instances  -  by @​felamaslen in vitest-dev/vitest#10131 (9423d)
• Project color label on html reporter  -  by @​hi-ogawa in vitest-dev/vitest#10142 (596f7)
• Fix vi.defineHelper called as object method  -  by @​hi-ogawa in vitest-dev/vitest#10163 (122c2)
• Alias agent reporter to minimal  -  by @​sheremet-va in vitest-dev/vitest#10157 (663b9)
• Respect diff config options in soft assertions  -  by @​Copilot, sheremet-va and @​sheremet-va in vitest-dev/vitest#8696 (9787d)
• Respect diff config options in soft assertions "  -  by @​sheremet-va in vitest-dev/vitest#8696 (7dc6d)
• ast-collect: Recognize _vi_import prefix in static test discovery  -  by @​Yejneshwar in vitest-dev/vitest#10129 (32546)
• coverage: Descriptive error message when reports directory is removed during test run  -  by @​DaveT1991 and @​AriPerkkio in vitest-dev/vitest#10117 (14133)
• snapshot: Increase default snapshot max output length  -  by @​hi-ogawa and Codex in vitest-dev/vitest#10150 (21e66)
• ui: Fix jsx/tsx syntax highlight  -  by @​hi-ogawa in vitest-dev/vitest#10152 (f1b1f)
• web-worker: Support MessagePort objects referenced inside postMessage data  -  by @​whitphx and Claude Opus 4.6 (1M context) in vitest-dev/vitest#9927 and vitest-dev/vitest#10124 (7ad7d)
• api: Make test-specification options writable  -  by @​sheremet-va in vitest-dev/vitest#10154 (6abd5)

    View changes on GitHub

v4.1.4

   🚀 Experimental Features

• coverage:
  • Default to text reporter skipFull if agent detected  -  by @​hi-ogawa in vitest-dev/vitest#10018 (53757)
• experimental:
  • Expose assertion as a public field  -  by @​sheremet-va in vitest-dev/vitest#10095 (a120e)
  • Support aria snapshot  -  by @​hi-ogawa, Claude Opus 4.6 (1M context), @​AriPerkkio, Codex and @​sheremet-va in vitest-dev/vitest#9668 (d4fbb)
• reporter:
  • Add filterMeta option to json reporter  -  by @​nami8824 and @​sheremet-va in vitest-dev/vitest#10078 (b77de)

   🐞 Bug Fixes

• Use "black" foreground for labeled terminal message to ensure contrast  -  by @​hi-ogawa in vitest-dev/vitest#10076 (203f0)
• Make expect(..., message) consistent as error message prefix  -  by @​hi-ogawa and Codex in vitest-dev/vitest#10068 (a1b5f)

... (truncated)

Commits

• a8fd24c chore: release v4.1.6
• e399846 chore: release v4.1.5
• 596f739 fix: project color label on html reporter (#10142)
• f1b1f6c fix(ui): fix jsx/tsx syntax highlight (#10152)
• ac04bac chore: release v4.1.4
• d4fbb5c feat(experimental): support aria snapshot (#9668)
• 2dc0d62 chore: release v4.1.3
• 89ca0e2 feat(experimental): add TestAttachment.bodyEncoding (#9969)
• fdff1bf fix(ui): don't leak vite types (#10005)
• fc6f482 chore: release v4.1.2
• Additional commits viewable in compare view

[dependabot]

Labels

The following labels could not be found: dependencies, npm. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	@​vitest/​ui@​4.0.18 ⏵ 4.1.6			-6	+1
	vitest@​4.0.18 ⏵ 4.1.6			+1
	@​vitest/​coverage-v8@​4.0.18 ⏵ 4.1.6			+11

View full report

[socket-security]

Caution

Review the following alerts detected in dependencies.

According to your organization's Security Policy, you must resolve all "Block" alerts before proceeding. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Block		Embedded URLs or IPs: npm @vitest/expect URLs: https://github.com/jestjs/jest/blob/905bcbced3d40cdf7aadc4cdf6fb731c4bb3dbe3/packages/expect-utils/src/utils.ts#L509, http://underscorejs.org, https://nodejs.org/docs/latest-v22.x/api/assert.html#comparison-details, https://github.com/facebook/immutable-js, https://github.com/chaijs/loupe/blob/9b8a6deabcd50adc056a64fb705896194710c5c6/src/index.ts#L29, https://github.com/microsoft/TypeScript/issues/61068, https://github.com/vitest-dev/vitest/issues/6618, Object.is Location: Package overview From: package-lock.json → npm/vitest@4.1.6 → npm/@vitest/expect@4.1.6 ℹ Read more on: This package | This alert | What are URL strings? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@vitest/expect@4.1.6. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Embedded URLs or IPs: npm @vitest/mocker URLs: https://github.com/stacktracejs/error-stack-parser, https://vitest.dev/guide/mocking/modules#how-it-works, https://vitest.dev/api/vi.html#vi-mock Location: Package overview From: package-lock.json → npm/vitest@4.1.6 → npm/@vitest/mocker@4.1.6 ℹ Read more on: This package | This alert | What are URL strings? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@vitest/mocker@4.1.6. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Embedded URLs or IPs: npm @vitest/runner URLs: https://vitest.dev/advanced/runner#your-task-function, https://developer.mozilla.org/en-US/docs/Web/API/AbortSignal, https://vitest.dev/guide/test-context#signal, https://vitest.dev/guide/test-context#ontestfailed, https://vitest.dev/guide/test-context#ontestfinished, https://vitest.dev/guide/test-context#skip, https://vitest.dev/guide/test-context#annotate, https://vitest.dev/config/api#api-allowwrite, https://vitest.dev/config/browser/api#api-allowwrite, fixture.name, https://vitest.dev/guide/test-context#suite-level-hooks, https://esbuild.github.io/try/#YgAwLjI0LjAALS1zdXBwb3J0ZWQ6YXN5bmMtYXdhaXQ9ZmFsc2UAZQBlbnRyeS50cwBjb25zdCBvID0gewogIGYxOiBhc3luYyAoKSA9PiB7fSwKICBmMjogYXN5bmMgKGEpID0+IHt9LAogIGYzOiBhc3luYyAoYSwgYikgPT4ge30sCiAgZjQ6IGFzeW5jIGZ1bmN0aW9uKGEpIHt9LAogIGY1OiBhc3luYyBmdW5jdGlvbiBmZihhKSB7fSwKICBhc3luYyBmNihhKSB7fSwKCiAgZzE6IGFzeW5jICgpID0+IHt9LAogIGcyOiBhc3luYyAoeyBhIH0pID0+IHt9LAogIGczOiBhc3luYyAoeyBhIH0sIGIpID0+IHt9LAogIGc0OiBhc3luYyBmdW5jdGlvbiAoeyBhIH0pIHt9LAogIGc1OiBhc3luYyBmdW5jdGlvbiBnZyh7IGEgfSkge30sCiAgYXN5bmMgZzYoeyBhIH0pIHt9LAoKICBoMTogYXN5bmMgKCkgPT4ge30sCiAgLy8gY29tbWVudCBiZXR3ZWVuCiAgaDI6IGFzeW5jIChhKSA9PiB7fSwKfQ, https://vitest.dev/guide/test-tags, https://github.com/vitest-dev/vitest/issues, https://github.com/unocss/unocss/blob/2e74b31625bbe3b9c8351570749aa2d3f799d919/packages/autocomplete/src/parse.ts#L11, vitest.test.id, vitest.test.name, vitest.suite.id, vitest.suite.name Location: Package overview From: package-lock.json → npm/vitest@4.1.6 → npm/@vitest/runner@4.1.6 ℹ Read more on: This package | This alert | What are URL strings? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@vitest/runner@4.1.6. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Embedded URLs or IPs: npm @vitest/snapshot URLs: https://github.com/vitest-dev/vitest/issues/7322, https://github.com/vitejs/vite/issues/8657 Location: Package overview From: package-lock.json → npm/vitest@4.1.6 → npm/@vitest/snapshot@4.1.6 ℹ Read more on: This package | This alert | What are URL strings? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@vitest/snapshot@4.1.6. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Embedded URLs or IPs: npm @vitest/spy URLs: https://vitest.dev/api/mock#mock-invocationcallorder, https://vitest.dev/api/mock#mock-results, https://vitest.dev/api/mock#mock-settledresults, https://vitest.dev/guide/browser/#limitations, https://vitest.dev/api/vi#vi-spyon, https://vitest.dev/api/mock#class-support Location: Package overview From: package-lock.json → npm/vitest@4.1.6 → npm/@vitest/spy@4.1.6 ℹ Read more on: This package | This alert | What are URL strings? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@vitest/spy@4.1.6. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Embedded URLs or IPs: npm @vitest/ui URLs: https://vuejs.org/error-reference/#runtime-, http://www.w3.org/2000/svg, http://www.w3.org/1998/Math/MathML, http://www.w3.org/1999/xlink, https://vitest.dev/guide/test-context#suite-level-hooks, https://vitest.dev/guide/test-tags, https://github.com/vitest-dev/vitest/issues, se.to:se.from,ne?, http://www.w3.org/1999/xhtml, http://www.w3.org/XML/1998/namespace, http://www.w3.org/2000/xmlns/, https://github.com/broofa/mime/blob/main/README.md#custom-mime-instances, https://github.com/w3c/IntersectionObserver/tree/master/polyfill Location: Package overview From: package-lock.json → npm/@vitest/ui@4.1.6 ℹ Read more on: This package | This alert | What are URL strings? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@vitest/ui@4.1.6. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Embedded URLs or IPs: npm ast-v8-to-istanbul URLs: https://github.com/istanbuljs/nyc?tab=readme-ov-file#ignoring-methods Location: Package overview From: package-lock.json → npm/@vitest/coverage-v8@4.1.6 → npm/ast-v8-to-istanbul@1.0.0 ℹ Read more on: This package | This alert | What are URL strings? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/ast-v8-to-istanbul@1.0.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Embedded URLs or IPs: npm expect-type URLs: https://github.com/microsoft/TypeScript/issues/28867, https://github.com/mmkal/expect-type#why-is-my-assertion-failing, https://github.com/mmkal/expect-type/pull/21, https://github.com/mmkal/expect-type/issues/50, https://npmjs.com/package/expect-type#documentation Location: Package overview From: package-lock.json → npm/vitest@4.1.6 → npm/expect-type@1.3.0 ℹ Read more on: This package | This alert | What are URL strings? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/expect-type@1.3.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Embedded URLs or IPs: npm vitest URLs: https://bugzilla.mozilla.org/show_bug.cgi?id=745678, http://en.wikipedia.org/wiki/Operator-precedence_parser, https://github.com/acornjs/acorn/issues/575, https://www.ecma-international.org/ecma-262/8.0/#prod-Pattern, https://www.ecma-international.org/ecma-262/8.0/#prod-Disjunction, https://www.ecma-international.org/ecma-262/8.0/#prod-Alternative, https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-Term, https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-Assertion, https://www.ecma-international.org/ecma-262/8.0/#prod-Quantifier, https://www.ecma-international.org/ecma-262/8.0/#prod-QuantifierPrefix, https://www.ecma-international.org/ecma-262/8.0/#sec-term, https://www.ecma-international.org/ecma-262/8.0/#prod-Atom, https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-ExtendedAtom, https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-InvalidBracedQuantifier, https://www.ecma-international.org/ecma-262/8.0/#prod-SyntaxCharacter, https://www.ecma-international.org/ecma-262/8.0/#prod-PatternCharacter, https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-ExtendedPatternCharacter, https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-AtomEscape, https://www.ecma-international.org/ecma-262/8.0/#sec-atomescape, https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-CharacterEscape, https://www.ecma-international.org/ecma-262/8.0/#prod-ControlEscape, https://www.ecma-international.org/ecma-262/8.0/#prod-ControlLetter, https://www.ecma-international.org/ecma-262/8.0/#prod-RegExpUnicodeEscapeSequence, https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-IdentityEscape, https://www.ecma-international.org/ecma-262/8.0/#prod-DecimalEscape, https://www.ecma-international.org/ecma-262/8.0/#prod-CharacterClassEscape, https://www.ecma-international.org/ecma-262/8.0/#prod-CharacterClass, https://tc39.es/ecma262/#prod-ClassContents, https://www.ecma-international.org/ecma-262/8.0/#prod-ClassRanges, https://www.ecma-international.org/ecma-262/8.0/#prod-NonemptyClassRanges, https://www.ecma-international.org/ecma-262/8.0/#prod-NonemptyClassRangesNoDash, https://www.ecma-international.org/ecma-262/8.0/#prod-ClassAtom, https://www.ecma-international.org/ecma-262/8.0/#prod-ClassAtomNoDash, https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-ClassEscape, https://tc39.es/ecma262/#prod-ClassSetExpression, https://tc39.es/ecma262/#prod-ClassUnion, https://tc39.es/ecma262/#prod-ClassIntersection, https://tc39.es/ecma262/#prod-ClassSubtraction, https://tc39.es/ecma262/#prod-ClassSetRange, https://tc39.es/ecma262/#prod-ClassSetOperand, https://tc39.es/ecma262/#prod-NestedClass, https://tc39.es/ecma262/#prod-ClassStringDisjunction, https://tc39.es/ecma262/#prod-ClassStringDisjunctionContents, https://tc39.es/ecma262/#prod-ClassString, https://tc39.es/ecma262/#prod-NonEmptyClassString, https://tc39.es/ecma262/#prod-ClassSetCharacter, https://tc39.es/ecma262/#prod-ClassSetReservedDoublePunctuator, https://tc39.es/ecma262/#prod-ClassSetSyntaxCharacter, https://tc39.es/ecma262/#prod-ClassSetReservedPunctuator, https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-ClassControlLetter, https://www.ecma-international.org/ecma-262/8.0/#prod-HexEscapeSequence, https://www.ecma-international.org/ecma-262/8.0/#prod-DecimalDigits, https://www.ecma-international.org/ecma-262/8.0/#prod-HexDigits, https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-LegacyOctalEscapeSequence, https://www.ecma-international.org/ecma-262/8.0/#prod-OctalDigit, https://www.ecma-international.org/ecma-262/8.0/#prod-Hex4Digits, https://www.ecma-international.org/ecma-262/8.0/#prod-HexDigit, https://github.com/estree/estree/blob/a27003adf4fd7bfad44de9cef372a2eacd527b1c/es5.md#regexpliteral, http://marijnhaverbeke.nl/git/acorn, https://github.com/acornjs/acorn.git, https://github.com/acornjs/acorn/issues, 127.0.0.1, https://vitest.dev/config/browser/api, https://vitest.dev/guide/migration#pool-rework, browser.name, https://vitest.dev/config/browser/provider, https://github.com/vitejs/vite/pull/21585, http://foo.com, http://foo.com/, https://github.com/vitejs/vite/blob/95020ab49e12d143262859e095025cf02423c1d9/packages/vite/src/node/server/middlewares/error.ts#L25-L36, https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions#setting-an-error-message, https://github.com/actions/toolkit/blob/f1d9b4b985e6f0f728b4b766db73498403fd5ca3/packages/core/src/command.ts#L80-L85, https://github.com/, https://github.com/vitest-dev/vitest/issues, https://gist.github.com/john-doherty/b9195065884cdbfd2017a4756e6409cc, vitest.runtime.run, vitest.worker.id, vitest.fetched_module.id, https://github.com/vitejs/vite/issues/15438,, https://nodejs.org/api/process.html#signal-events, https://github.com/vitest-dev/vitest/issues/7871, vitest.worker.name, https://github.com/jestjs/jest/blob/25a8785584c9d54a05887001ee7f498d489a5441/packages/jest-worker/src/workers/ChildProcessWorker.ts#L463-L477, https://github.com/tinylibs/tinypool/blob/40b4b3eb926dabfbfd3d0a7e3d1222d4dd1c0d2d/src/runtime/process-worker.ts#L56, https://github.com/vitejs/vite/blob/af2aa09575229462635b7cbb6d248ca853057ba2/packages/vite/src/node/plugins/resolve.ts#L1056-L1080, https://github.com/STRML/async-limiter, https://github.com/nodejs/node/issues/8871#issuecomment-250915913, https://github.com/websockets/ws/issues/1202, https://www.cl.cam.ac.uk/%7Emgk25/ucs/utf8_check.c, https://tools.ietf.org/html/rfc6455#section-9.1, https://github.com/websockets/ws/issues/1869., https://github.com/websockets/ws/issues/1940., https://github.com/vitejs/vite/issues/14328, https://github.com/vitejs/vite/blob/main/packages/vite/src/node/logger.ts?rgh-link-date=2024-10-16T23%3A29%3A19Z, https://github.com/vitejs/vite/pull/15184, https://github.com/unjs/mlly/blob/c5bcca0cda175921344fd6de1bc0c499e73e5dac/src/syntax.ts#L51-L98, https://github.com/broofa/mime/blob/main/README.md#custom-mime-instances, https://vitest.dev/guide/projects, https://vitest.dev/guide/reporters.html#hanging-process-reporter, builder.io/qwik, https://playwright.dev, https://webdriver.io, builder.io/qwik/optimizer, qwik.dev/core, https://vitest.dev/config/browser/playwright, https://vitest.dev/config/browser/webdriverio, task.name, https://vitest.dev/guide/coverage.html#including-and-excluding-files-from-coverage-report, https://istanbul.js.org/docs/advanced/alternative-reporters/, https://vitest.dev/api/advanced/vitest#getsourcemodulediagnostic, https://trace.playwright.dev/, https://vitest.dev/api/browser/commands, https://vitest.dev/config/onunhandlederror, https://vitest.dev/config/browser/screenshotdirectory, https://vitest.dev/config/root, https://vitest.dev/api/#test, https://vitest.dev/api/#describe, https://vitest.dev/config/attachmentsdir, https://vitest.dev/api/advanced/test-project, https://superchupu.dev/tinyglobby/comparison, https://vitest.dev/config/include, https://nodejs.org/docs/latest/api/cli.html, https://github.com/nodejs/node/issues/41103, https://vitest.dev/guide/open-telemetry, https://vitest.dev/guide/test-tags#syntax, https://github.com/open-telemetry/opentelemetry-specification/blob/main/specification/context/env-carriers.md, vitest.module.id, https://nodejs.org/api/modules.html#built-in-modules-with-mandatory-node-prefix, vitest.mock.id, https://vitest.dev/api/vi#vi-advancetimersbytime, performance.now, Date.now, https://vitest.dev/api/vi#vi-fn, https://vitest.dev/api/mock, https://vitest.dev/api/vi#vi-waitfor, https://vitest.dev/api/vi#vi-mock, https://vitest.dev/guide/snapshot.html, https://github.com/vitejs/vite/pull/20449, https://github.com/nodejs/node/blob/7c3dce0/lib/internal/modules/package_json_reader.js, https://nodejs.org/api/esm.html#https-and-http-imports, 127.0.0.0, 0.0.0.0, process.env.CI, https://vitest.dev/config/coverage#coverage-reporter, https://github.com/istanbuljs/nyc#coverage-thresholds, https://github.com/istanbuljs/nyc#ignoring-methods, https://vitest.dev/guide/coverage#custom-coverage-provider, https://en.wikipedia.org/wiki/Random_seed, https://vitest.dev/config/sequence#sequence-hooks, 127.0.0.1:9229, https://github.com/spf13/cobra/issues/1279, https://html.spec.whatwg.org/#document, https://www.w3.org/TR/DOM-Level-2-HTML/html.html#ID-26809268, https://html.spec.whatwg.org/multipage/webappapis.html#pluginarray, https://html.spec.whatwg.org/#htmltabledatacellelement, https://www.w3.org/TR/DOM-Level-2-HTML/html.html#ID-82915075, https://html.spec.whatwg.org/#htmltableheadercellelement, http://www.ecma-international.org/ecma-262/6.0/index.html#sec-promise.prototype-@@tostringtag, http://www.ecma-international.org/ecma-262/6.0/index.html#sec-%mapiteratorprototype%-@@tostringtag, http://www.ecma-international.org/ecma-262/6.0/index.html#sec-%arrayiteratorprototype%-@@tostringtag, https://heycam.github.io/webidl/#abstract-opdef-converttoint, https://github.com/sinonjs/sinon/issues/1852#issuecomment-419622780, https://developer.mozilla.org/en-US/docs/Web/API/setTimeout#reasons_for_delays_longer_than_specified, https://stackblitz.com/edit/stackblitz-starters-qtlpcc, https://github.com/sinonjs/fake-timers/issues/250, https://vitest.dev/guide/snapshot.html#custom-snapshot-matchers Location: Package overview From: package-lock.json → npm/vitest@4.1.6 ℹ Read more on: This package | This alert | What are URL strings? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/vitest@4.1.6. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[github-actions]

Infisical secrets check: ✅ No secrets leaked!

💻 Scan logs

2026-05-13T16:33:20Z INF scanning for exposed secrets...
4:33PM INF 645 commits scanned.
2026-05-13T16:33:21Z INF scan completed in 682ms
2026-05-13T16:33:21Z INF no leaks found

[dependabot]

Looks like @vitest/ui is up-to-date now, so this is no longer needed.