Update @vitest/coverage-v8 4.1.5 → 4.1.6 (patch) by depfu[bot] · Pull Request #123 · guibranco/gstraccini-bot-portal

depfu · 2026-05-12T15:55:32Z

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ @vitest/coverage-v8 (4.1.5 → 4.1.6) · Repo

Release Notes

4.1.6

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 5 commits:

✳️ vite (8.0.9 → 8.0.12) · Repo · Changelog

Release Notes

8.0.12

8.0.11

8.0.10

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 44 commits:

✳️ vitest (4.1.5 → 4.1.6) · Repo

Release Notes

4.1.6

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 5 commits:

↗️ @emnapi/core (indirect, 1.9.2 → 1.10.0) · Repo

Release Notes

1.10.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 10 commits:

↗️ @emnapi/runtime (indirect, 1.9.2 → 1.10.0) · Repo

Release Notes

1.10.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 10 commits:

↗️ @tybys/wasm-util (indirect, 0.10.1 → 0.10.2) · Repo

Sorry, we couldn't find anything useful about this release.

↗️ @vitest/expect (indirect, 4.1.5 → 4.1.6) · Repo

Release Notes

4.1.6

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 5 commits:

↗️ @vitest/mocker (indirect, 4.1.5 → 4.1.6) · Repo

Release Notes

4.1.6

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 5 commits:

↗️ @vitest/pretty-format (indirect, 4.1.5 → 4.1.6) · Repo

Release Notes

4.1.6

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 5 commits:

↗️ @vitest/runner (indirect, 4.1.5 → 4.1.6) · Repo

Release Notes

4.1.6

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 5 commits:

↗️ @vitest/snapshot (indirect, 4.1.5 → 4.1.6) · Repo

Release Notes

4.1.6

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 5 commits:

↗️ @vitest/spy (indirect, 4.1.5 → 4.1.6) · Repo

Release Notes

4.1.6

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 5 commits:

↗️ @vitest/utils (indirect, 4.1.5 → 4.1.6) · Repo

Release Notes

4.1.6

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 5 commits:

↗️ rolldown (indirect, 1.0.0-rc.16 → 1.0.0) · Repo · Changelog

Release Notes

1.0.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

🆕 @esbuild/netbsd-arm64 (added, 0.28.0)

🆕 @esbuild/openbsd-arm64 (added, 0.28.0)

🆕 @esbuild/openharmony-arm64 (added, 0.28.0)

🆕 @esbuild/aix-ppc64 (added, 0.28.0)

🆕 @esbuild/android-arm (added, 0.28.0)

🆕 @esbuild/android-arm64 (added, 0.28.0)

🆕 @esbuild/android-x64 (added, 0.28.0)

🆕 @esbuild/darwin-arm64 (added, 0.28.0)

🆕 @esbuild/darwin-x64 (added, 0.28.0)

🆕 @esbuild/freebsd-arm64 (added, 0.28.0)

🆕 @esbuild/freebsd-x64 (added, 0.28.0)

🆕 @esbuild/linux-arm (added, 0.28.0)

🆕 @esbuild/linux-arm64 (added, 0.28.0)

🆕 @esbuild/linux-ia32 (added, 0.28.0)

🆕 @esbuild/linux-loong64 (added, 0.28.0)

🆕 @esbuild/linux-mips64el (added, 0.28.0)

🆕 @esbuild/linux-ppc64 (added, 0.28.0)

🆕 @esbuild/linux-riscv64 (added, 0.28.0)

🆕 @esbuild/linux-s390x (added, 0.28.0)

🆕 @esbuild/linux-x64 (added, 0.28.0)

🆕 @esbuild/netbsd-x64 (added, 0.28.0)

🆕 @esbuild/openbsd-x64 (added, 0.28.0)

🆕 @esbuild/sunos-x64 (added, 0.28.0)

🆕 @esbuild/win32-arm64 (added, 0.28.0)

🆕 @esbuild/win32-ia32 (added, 0.28.0)

🆕 @esbuild/win32-x64 (added, 0.28.0)

🆕 esbuild (added, 0.28.0)

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

Go to the Depfu Dashboard to see the state of your dependencies and to customize how Depfu works.

github-actions · 2026-05-12T15:56:01Z

Infisical secrets check: ✅ No secrets leaked!

💻 Scan logs

2026-05-12T15:55:59Z INF scanning for exposed secrets...
3:55PM INF 112 commits scanned.
2026-05-12T15:55:59Z INF scan completed in 241ms
2026-05-12T15:55:59Z INF no leaks found

sonarqubecloud · 2026-05-12T15:56:02Z

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

socket-security · 2026-05-12T15:57:00Z

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	vitest@4.1.5 ⏵ 4.1.6	⁺³		⁺¹
	@vitest/coverage-v8@4.1.5 ⏵ 4.1.6

View full report

socket-security · 2026-05-12T15:57:02Z

Caution

Review the following alerts detected in dependencies.

According to your organization's Security Policy, you must resolve all "Block" alerts before proceeding. Learn more about Socket for GitHub.

Action	Severity	Alert (click "▶" to expand/collapse)
Block		Potential code anomaly (AI signal): npm `@emnapi/core` is 100.0% likely to have a medium risk anomaly Notes: No explicit evidence of overt malware (network exfiltration, credential theft, backdoors, or filesystem/process activity) appears in this fragment. However, the module contains high-sensitivity dynamic execution capabilities: napi_run_script performs eval-like execution of a JavaScript string obtained from WebAssembly, and emnapiCreateFunction can use the Function constructor for wrapper generation. Combined with wasm-driven indirect callback dispatch and reflective object mutation, this runtime is security-sensitive and should only be used with fully trusted WebAssembly and tightly controlled inputs. Confidence: 1.00 Severity: 0.60 From: package-lock.json → `npm/vitest@4.1.6` → `npm/@emnapi/core@1.10.0` ℹ Read more on: This package \| This alert \| What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/@emnapi/core@1.10.0`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm `@emnapi/core` is 100.0% likely to have a medium risk anomaly Notes: Primary concern is direct dynamic code execution. `napi_run_script` uses eval() on a string originating from wasm-provided input, and `ee` uses new Function(...) to construct wrapper functions. If the wasm module or its inputs are attacker-controlled, this provides JavaScript code execution in the host context. Aside from these dynamic execution sinks, the remaining code mainly performs wasm memory/table management and worker async orchestration typical of such runtimes, with no clear hardcoded exfiltration or backdoor behavior in this fragment. Confidence: 1.00 Severity: 0.60 From: package-lock.json → `npm/vitest@4.1.6` → `npm/@emnapi/core@1.10.0` ℹ Read more on: This package \| This alert \| What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/@emnapi/core@1.10.0`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm `@emnapi/core` is 100.0% likely to have a medium risk anomaly Notes: This module appears to be a legitimate wasm-to-JS/Node-API bridge/runtime, but it contains high-impact dynamic execution capabilities: napi_run_script uses eval() on a string originating from the WASM/handle side, and the binding layer can generate functions via new Function(). It also performs indirect host callback invocation based on runtime handles selected by worker/work-queue control. No explicit exfiltration/backdoor behavior is visible in the provided fragment, so malware likelihood is low, but security risk is moderate-to-high due to host-context code execution if the WASM module or its inputs are not fully trusted. Confidence: 1.00 Severity: 0.60 From: package-lock.json → `npm/vitest@4.1.6` → `npm/@emnapi/core@1.10.0` ℹ Read more on: This package \| This alert \| What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/@emnapi/core@1.10.0`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm `@rolldown/binding-wasm32-wasi` is 100.0% likely to have a medium risk anomaly Notes: A JS loader bootstraps a WASI-enabled WebAssembly module and forwards the full host process.env into the WASI environment and worker contexts while preopening the host filesystem root. This design enables an untrusted or tampered WASM binary to read environment variables and access numerous files, potentially exfiltrating data through any available host or network channel. Treat the module as high-risk unless the WASM artifact is from a trusted source; mitigate by restricting preopens to specific directories, avoiding full process.env exposure, and validating the integrity of the WASM binary. Confidence: 1.00 Severity: 0.60 From: package-lock.json → `npm/vitest@4.1.6` → `npm/@rolldown/binding-wasm32-wasi@1.0.0` ℹ Read more on: This package \| This alert \| What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/@rolldown/binding-wasm32-wasi@1.0.0`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm `@rolldown/binding-wasm32-wasi` is 100.0% likely to have a medium risk anomaly Notes: This loader establishes a Node.js WASI/worker environment that: 1) passes the entire host process.env into the WASI instance (exposing all environment variables, including secrets, to loaded modules); 2) preopens the filesystem root (granting broad file read/write access under the host’s root directory); and 3) implements importScripts via synchronous fs.readFileSync + eval (allowing any local JS file to be executed in the loader context). If an untrusted or compromised WASM module or script is provided, it can read sensitive environment variables, access or modify arbitrary files, and execute arbitrary JavaScript—posing a moderate security risk. Recommended mitigations: restrict WASI preopens to a minimal directory, limit or sanitize environment variables passed into WASI, and replace or sandbox the eval-based importScripts mechanism. Confidence: 1.00 Severity: 0.60 From: package-lock.json → `npm/vitest@4.1.6` → `npm/@rolldown/binding-wasm32-wasi@1.0.0` ℹ Read more on: This package \| This alert \| What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/@rolldown/binding-wasm32-wasi@1.0.0`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Embedded URLs or IPs: npm `@vitest/mocker` URLs: https://github.com/stacktracejs/error-stack-parser, https://vitest.dev/guide/mocking/modules#how-it-works, https://vitest.dev/api/vi.html#vi-mock Location: Package overview From: package-lock.json → `npm/vitest@4.1.6` → `npm/@vitest/mocker@4.1.6` ℹ Read more on: This package \| This alert \| What are URL strings? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/@vitest/mocker@4.1.6`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm `esbuild` is 100.0% likely to have a medium risk anomaly Notes: This package runs a local install.js during postinstall, which is typical for esbuild to download/verify platform binaries. The presence of binary hash fingerprints is a positive signal (integrity checks). Still, executing a postinstall script is an elevated action: you should inspect install.js before trusting the package in high-security environments to ensure it only downloads the declared binaries, verifies hashes, and does not perform unexpected actions (exfiltration, arbitrary command execution, persistence, or telemetry). Overall this looks like a standard esbuild installer rather than blatant malware, but it carries a moderate security risk until install.js is reviewed or run in a controlled environment. Confidence: 1.00 Severity: 0.60 From: package-lock.json → `npm/vitest@4.1.6` → `npm/esbuild@0.28.0` ℹ Read more on: This package \| This alert \| What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/esbuild@0.28.0`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Embedded URLs or IPs: npm `esbuild` URLs: https://stackoverflow.com/questions/49580725, https://esbuild.github.io/api/#build, https://esbuild.github.io/api/#transform, https://esbuild.github.io/api/#analyze, https://esbuild.github.io/api/#browser, https://yarnpkg.com/configuration/yarnrc/#supportedArchitectures, https://nodejs.org/en/download/., https://nodejs.org/api/worker_threads.html, https://snapcraft.io/, https://nodejs.org/dist/, https://github.com/evanw/esbuild/issues/1711#issuecomment-1027554035, https://registry.npmjs.org/ Location: Package overview From: package-lock.json → `npm/vitest@4.1.6` → `npm/esbuild@0.28.0` ℹ Read more on: This package \| This alert \| What are URL strings? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/esbuild@0.28.0`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm `rolldown` is 100.0% likely to have a medium risk anomaly Notes: No direct indicators of overt malware (e.g., exfiltration or credential theft) are present in this loader snippet. The primary security concerns are supply-chain and execution-surface risks: (1) an environment variable is used directly as a require() path (dangerous if env can be influenced), and (2) the WebContainer fallback may run `pnpm i` at runtime and then load the installed binding from /tmp. These behaviors warrant review/monitoring in hardened or untrusted/CI environments. Confidence: 1.00 Severity: 0.60 From: package-lock.json → `npm/vitest@4.1.6` → `npm/rolldown@1.0.0` ℹ Read more on: This package \| This alert \| What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/rolldown@1.0.0`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Embedded URLs or IPs: npm `rolldown` URLs: https://github.com/streamich/memfs, https://developer.mozilla.org/en-US/docs/Glossary/IIFE, https://github.com/umdjs/umd, https://github.com/tc39/ecma426/blob/main/proposals/debug-id.md, https://cdn.jsdelivr.net/npm/d3@7, comments.legal, https://rolldown.rs/in-depth/directives, https://rolldown.rs/guide/troubleshooting#avoiding-direct-eval, https://rolldown.rs/reference/OutputOptions.globals, https://rolldown.rs/reference/OutputOptions.name, https://rolldown.rs/reference/OutputOptions.exports, https://rolldown.rs/in-depth/non-esm-output-formats#import-meta, https://rolldown.rs/reference/OutputOptions.cleanDir, https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Operators/Property_accessors, output.name, https://oxc.rs/docs/guide/usage/transformer/global-variable-replacement.html#inject, https://rolldown.rs/apis/plugin-api/hook-filters, https://rolldown.rs/apis/plugin-api/inter-plugin-communication#custom-resolver-options, https://oxc.rs/docs/guide/usage/minifier/dead-code-elimination#define-pure-functions, https://oxc.rs/docs/guide/usage/minifier/dead-code-elimination#ignoring-global-variable-access-side-effects, https://oxc.rs/docs/guide/usage/minifier/dead-code-elimination#ignoring-invalid-import-statement-side-effects, exports.property, https://rolldown.rs/apis/plugin-api, https://api.example.com, https://esbuild.github.io/api/#loader, https://rolldown.rs/in-depth/module-types, https://github.com/rolldown/rolldown/issues/7258, https://github.com/rolldown/rolldown/tree/main/examples/native-magic-string, https://rolldown.rs/in-depth/lazy-barrel-optimization, Function.prototype.name, Class.prototype.name, https://github.com/webpack/enhanced-resolve#resolver-options, https://webpack.js.org/configuration/resolve/, https://github.com/defunctzombie/package-browser-field-spec, https://github.com/webpack/enhanced-resolve/pull/285, https://webpack.js.org/configuration/module/#resolvefullyspecified, https://nodejs.org/api/module.html#modulebuiltinmodules, https://github.com/vitejs/vite/pull/20252, https://github.com/nodejs/node/issues/58827, https://nodejs.org/docs/latest/api/esm.html#resolution-algorithm-specification, https://github.com/dividab/tsconfig-paths-webpack-plugin#options, https://www.typescriptlang.org/tsconfig/#experimentalDecorators, https://www.typescriptlang.org/tsconfig/#emitDecoratorMetadata, https://www.typescriptlang.org/tsconfig/#stripInternal, https://oxc.rs/docs/guide/usage/transformer/jsx, https://github.com/facebook/react/tree/v18.3.1/packages/react-refresh, https://oxc.rs/docs/guide/usage/transformer/plugins#styled-components, https://oxc.rs/docs/guide/usage/transformer/typescript, https://oxc.rs/docs/guide/usage/transformer/lowering#target, https://oxc.rs/docs/guide/usage/transformer/global-variable-replacement#define, https://oxc.rs/docs/guide/usage/transformer/global-variable-replacement#inject, https://oxc.rs/docs/guide/usage/transformer/plugins, https://www.typescriptlang.org/docs/handbook/release-notes/typescript-5-5.html#isolated-declarations, https://www.typescriptlang.org/tsconfig/#declaration, https://rolldown.rs/., https://rollupjs.org/plugin-development/#generatebundle:~:text=DANGER,this.emitFile., https://github.com/npm/cli/issues/4828 Location: Package overview From: package-lock.json → `npm/vitest@4.1.6` → `npm/rolldown@1.0.0` ℹ Read more on: This package \| This alert \| What are URL strings? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/rolldown@1.0.0`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm `vite` is 62.0% likely to have a medium risk anomaly Notes: No clear indicators of covert malware (exfiltration/backdoor/persistence) are visible in this fragment. However, it performs high-impact dynamic code execution of transport-fetched module code (AsyncFunction) and dynamically loads externalized modules (import). It also supports resolver hook registration and processes untrusted HMR/RPC messages. The security posture therefore heavily depends on strict transport authentication/authorization and ensuring only trusted code can reach the evaluator. Review and enforce trust boundaries around transport responses, module specifiers, and any hook-registration mechanism. Confidence: 0.62 Severity: 0.69 From: package-lock.json → `npm/vitest@4.1.6` → `npm/vite@8.0.12` ℹ Read more on: This package \| This alert \| What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/vite@8.0.12`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Embedded URLs or IPs: npm `vite` URLs: https://github.com/rollup/plugins/tree/master/packages/alias#entries, https://github.com/micromatch/anymatch, https://nodejs.org/api/fs.html#fs_class_fs_stats, example.com, foo.example.com, foo.bar.example.com, http://jsonplaceholder.typicode.com, https://github.com/SuperchupuDev/tinyglobby, https://esbuild.github.io/api/#target, https://esbuild.github.io/content-types/#javascript, license.md, https://rollupjs.org/configuration-options/#watch, http://127.0.0.1:8080, config.server.watch, server.environments.client.hot, import.meta.hot, https://vite.dev/config/server-options.html#server-hmr, http://vite.dev, https://example.com, https://en.wikipedia.org/wiki/Combining_Diacritical_Marks, https://en.wikipedia.org/wiki/Combining_Diacritical_Marks_for_Symbols, https://mathiasbynens.be/notes/javascript-unicode, http://eev.ee/blog/2015/09/12/dark-corners-of-unicode/, https://en.wikipedia.org/wiki/CamelCase, https://en.wikipedia.org/wiki/Latin-1_Supplement_, https://en.wikipedia.org/wiki/Latin_Extended-A, _.map, 127.0.0.1, 0.0.0.0, https://html.spec.whatwg.org/multipage/parsing.html#named-character-reference-state, http://www.w3.org/1999/xhtml, http://www.w3.org/1998/Math/MathML, http://www.w3.org/2000/svg, http://www.w3.org/1999/xlink, http://www.w3.org/XML/1998/namespace, http://www.w3.org/2000/xmlns/, https://dom.spec.whatwg.org/#concept-document-limited-quirks, http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd Location: Package overview From: package-lock.json → `npm/vitest@4.1.6` → `npm/vite@8.0.12` ℹ Read more on: This package \| This alert \| What are URL strings? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/vite@8.0.12`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Embedded URLs or IPs: npm `vitest` URLs: https://bugzilla.mozilla.org/show_bug.cgi?id=745678, http://en.wikipedia.org/wiki/Operator-precedence_parser, https://github.com/acornjs/acorn/issues/575, https://www.ecma-international.org/ecma-262/8.0/#prod-Pattern, https://www.ecma-international.org/ecma-262/8.0/#prod-Disjunction, https://www.ecma-international.org/ecma-262/8.0/#prod-Alternative, https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-Term, https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-Assertion, https://www.ecma-international.org/ecma-262/8.0/#prod-Quantifier, https://www.ecma-international.org/ecma-262/8.0/#prod-QuantifierPrefix, https://www.ecma-international.org/ecma-262/8.0/#sec-term, https://www.ecma-international.org/ecma-262/8.0/#prod-Atom, https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-ExtendedAtom, https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-InvalidBracedQuantifier, https://www.ecma-international.org/ecma-262/8.0/#prod-SyntaxCharacter, https://www.ecma-international.org/ecma-262/8.0/#prod-PatternCharacter, https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-ExtendedPatternCharacter, https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-AtomEscape, https://www.ecma-international.org/ecma-262/8.0/#sec-atomescape, https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-CharacterEscape, https://www.ecma-international.org/ecma-262/8.0/#prod-ControlEscape, https://www.ecma-international.org/ecma-262/8.0/#prod-ControlLetter, https://www.ecma-international.org/ecma-262/8.0/#prod-RegExpUnicodeEscapeSequence, https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-IdentityEscape, https://www.ecma-international.org/ecma-262/8.0/#prod-DecimalEscape, https://www.ecma-international.org/ecma-262/8.0/#prod-CharacterClassEscape, https://www.ecma-international.org/ecma-262/8.0/#prod-CharacterClass, https://tc39.es/ecma262/#prod-ClassContents, https://www.ecma-international.org/ecma-262/8.0/#prod-ClassRanges, https://www.ecma-international.org/ecma-262/8.0/#prod-NonemptyClassRanges, https://www.ecma-international.org/ecma-262/8.0/#prod-NonemptyClassRangesNoDash, https://www.ecma-international.org/ecma-262/8.0/#prod-ClassAtom, https://www.ecma-international.org/ecma-262/8.0/#prod-ClassAtomNoDash, https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-ClassEscape, https://tc39.es/ecma262/#prod-ClassSetExpression, https://tc39.es/ecma262/#prod-ClassUnion, https://tc39.es/ecma262/#prod-ClassIntersection, https://tc39.es/ecma262/#prod-ClassSubtraction, https://tc39.es/ecma262/#prod-ClassSetRange, https://tc39.es/ecma262/#prod-ClassSetOperand, https://tc39.es/ecma262/#prod-NestedClass, https://tc39.es/ecma262/#prod-ClassStringDisjunction, https://tc39.es/ecma262/#prod-ClassStringDisjunctionContents, https://tc39.es/ecma262/#prod-ClassString, https://tc39.es/ecma262/#prod-NonEmptyClassString, https://tc39.es/ecma262/#prod-ClassSetCharacter, https://tc39.es/ecma262/#prod-ClassSetReservedDoublePunctuator, https://tc39.es/ecma262/#prod-ClassSetSyntaxCharacter, https://tc39.es/ecma262/#prod-ClassSetReservedPunctuator, https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-ClassControlLetter, https://www.ecma-international.org/ecma-262/8.0/#prod-HexEscapeSequence, https://www.ecma-international.org/ecma-262/8.0/#prod-DecimalDigits, https://www.ecma-international.org/ecma-262/8.0/#prod-HexDigits, https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-LegacyOctalEscapeSequence, https://www.ecma-international.org/ecma-262/8.0/#prod-OctalDigit, https://www.ecma-international.org/ecma-262/8.0/#prod-Hex4Digits, https://www.ecma-international.org/ecma-262/8.0/#prod-HexDigit, https://github.com/estree/estree/blob/a27003adf4fd7bfad44de9cef372a2eacd527b1c/es5.md#regexpliteral, http://marijnhaverbeke.nl/git/acorn, https://github.com/acornjs/acorn.git, https://github.com/acornjs/acorn/issues, vitest.runtime.run, vitest.worker.id, https://vitest.dev/guide/open-telemetry, https://github.com/open-telemetry/opentelemetry-specification/blob/main/specification/context/env-carriers.md, builder.io/qwik, https://playwright.dev, https://webdriver.io, builder.io/qwik/optimizer, qwik.dev/core, https://vitest.dev/config/browser/playwright, https://vitest.dev/config/browser/webdriverio, vitest.module.id, https://nodejs.org/api/modules.html#built-in-modules-with-mandatory-node-prefix, vitest.mock.id, https://github.com/nodejs/node/blob/7c3dce0/lib/internal/modules/package_json_reader.js, https://vitest.dev/guide/snapshot.html, 127.0.0.1, https://vitest.dev/config/browser/api, https://vitest.dev/guide/migration#pool-rework, browser.name, https://vitest.dev/config/browser/provider, task.name, https://vitest.dev/guide/coverage.html#including-and-excluding-files-from-coverage-report, https://istanbul.js.org/docs/advanced/alternative-reporters/, https://vitest.dev/api/advanced/vitest#getsourcemodulediagnostic, https://trace.playwright.dev/, https://vitest.dev/api/browser/commands, https://vitest.dev/config/onunhandlederror, https://vitest.dev/config/browser/screenshotdirectory, https://vitest.dev/config/root, https://vitest.dev/api/#test, https://vitest.dev/api/#describe, https://vitest.dev/config/attachmentsdir, https://vitest.dev/api/advanced/test-project, https://superchupu.dev/tinyglobby/comparison, https://vitest.dev/config/include, https://nodejs.org/docs/latest/api/cli.html, https://github.com/nodejs/node/issues/41103, https://vitest.dev/guide/test-tags#syntax, http://foo.com, http://foo.com/, https://github.com/vitejs/vite/blob/95020ab49e12d143262859e095025cf02423c1d9/packages/vite/src/node/server/middlewares/error.ts#L25-L36, https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions#setting-an-error-message, https://github.com/actions/toolkit/blob/f1d9b4b985e6f0f728b4b766db73498403fd5ca3/packages/core/src/command.ts#L80-L85, https://github.com/, https://github.com/vitest-dev/vitest/issues, https://gist.github.com/john-doherty/b9195065884cdbfd2017a4756e6409cc, 0.0.0.0, process.env.CI, https://vitest.dev/config/coverage#coverage-reporter, https://github.com/istanbuljs/nyc#coverage-thresholds, https://github.com/istanbuljs/nyc#ignoring-methods, https://vitest.dev/guide/coverage#custom-coverage-provider, https://en.wikipedia.org/wiki/Random_seed, https://vitest.dev/config/sequence#sequence-hooks, 127.0.0.1:9229, https://github.com/spf13/cobra/issues/1279, https://nodejs.org/api/esm.html#https-and-http-imports, 127.0.0.0, vitest.fetched_module.id, https://github.com/vitejs/vite/issues/15438,, https://nodejs.org/api/process.html#signal-events, https://github.com/vitest-dev/vitest/issues/7871, vitest.worker.name, https://github.com/jestjs/jest/blob/25a8785584c9d54a05887001ee7f498d489a5441/packages/jest-worker/src/workers/ChildProcessWorker.ts#L463-L477, https://github.com/tinylibs/tinypool/blob/40b4b3eb926dabfbfd3d0a7e3d1222d4dd1c0d2d/src/runtime/process-worker.ts#L56, https://github.com/vitejs/vite/blob/af2aa09575229462635b7cbb6d248ca853057ba2/packages/vite/src/node/plugins/resolve.ts#L1056-L1080, https://github.com/STRML/async-limiter, https://github.com/nodejs/node/issues/8871#issuecomment-250915913, https://github.com/websockets/ws/issues/1202, https://www.cl.cam.ac.uk/%7Emgk25/ucs/utf8_check.c, https://tools.ietf.org/html/rfc6455#section-9.1, https://github.com/websockets/ws/issues/1869., https://github.com/websockets/ws/issues/1940., https://github.com/vitejs/vite/issues/14328, https://github.com/vitejs/vite/blob/main/packages/vite/src/node/logger.ts?rgh-link-date=2024-10-16T23%3A29%3A19Z, https://github.com/vitejs/vite/pull/15184, https://github.com/unjs/mlly/blob/c5bcca0cda175921344fd6de1bc0c499e73e5dac/src/syntax.ts#L51-L98, https://github.com/broofa/mime/blob/main/README.md#custom-mime-instances, https://vitest.dev/guide/projects, https://vitest.dev/guide/reporters.html#hanging-process-reporter, https://github.com/vitejs/vite/pull/20449, https://html.spec.whatwg.org/#document, https://www.w3.org/TR/DOM-Level-2-HTML/html.html#ID-26809268, https://html.spec.whatwg.org/multipage/webappapis.html#pluginarray, https://html.spec.whatwg.org/#htmltabledatacellelement, https://www.w3.org/TR/DOM-Level-2-HTML/html.html#ID-82915075, https://html.spec.whatwg.org/#htmltableheadercellelement, http://www.ecma-international.org/ecma-262/6.0/index.html#sec-promise.prototype-@@tostringtag, http://www.ecma-international.org/ecma-262/6.0/index.html#sec-%mapiteratorprototype%-@@tostringtag, http://www.ecma-international.org/ecma-262/6.0/index.html#sec-%arrayiteratorprototype%-@@tostringtag, https://heycam.github.io/webidl/#abstract-opdef-converttoint, https://github.com/sinonjs/sinon/issues/1852#issuecomment-419622780, https://developer.mozilla.org/en-US/docs/Web/API/setTimeout#reasons_for_delays_longer_than_specified, https://stackblitz.com/edit/stackblitz-starters-qtlpcc, https://github.com/sinonjs/fake-timers/issues/250, https://vitest.dev/guide/snapshot.html#custom-snapshot-matchers, https://github.com/vitejs/vite/pull/21585, https://vitest.dev/api/vi#vi-advancetimersbytime, performance.now, Date.now, https://vitest.dev/api/vi#vi-fn, https://vitest.dev/api/mock, https://vitest.dev/api/vi#vi-waitfor, https://vitest.dev/api/vi#vi-mock Location: Package overview From: package-lock.json → `npm/vitest@4.1.6` ℹ Read more on: This package \| This alert \| What are URL strings? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/vitest@4.1.6`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

guibranco

Automatically approved by gstraccini[bot]

guibranco · 2026-05-12T15:58:51Z

@depfu merge

Update @vitest/coverage-v8 to version 4.1.6

98bbc2d

depfu Bot added the depfu label May 12, 2026

github-actions Bot added the size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. label May 12, 2026

guibranco enabled auto-merge (squash) May 12, 2026 15:58

gstraccini Bot added the ☑️ auto-merge Automatic merging of pull requests (gstraccini-bot) label May 12, 2026

gstraccini Bot assigned guibranco May 12, 2026

gstraccini Bot approved these changes May 12, 2026

View reviewed changes

guibranco approved these changes May 12, 2026

View reviewed changes

gstraccini Bot added the 🤖 bot Automated processes or integrations label May 12, 2026

guibranco merged commit 20210a2 into main May 12, 2026
15 of 16 checks passed

guibranco deleted the depfu/update/npm/@vitest/coverage-v8-4.1.6 branch May 12, 2026 15:59

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Update @vitest/coverage-v8 4.1.5 → 4.1.6 (patch)#123

Update @vitest/coverage-v8 4.1.5 → 4.1.6 (patch)#123
guibranco merged 1 commit into
mainfrom
depfu/update/npm/@vitest/coverage-v8-4.1.6

depfu Bot commented May 12, 2026

Uh oh!

github-actions Bot commented May 12, 2026

Uh oh!

sonarqubecloud Bot commented May 12, 2026

Uh oh!

socket-security Bot commented May 12, 2026

Uh oh!

socket-security Bot commented May 12, 2026

Uh oh!

guibranco left a comment

Uh oh!

guibranco commented May 12, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Conversation

depfu Bot commented May 12, 2026

What changed?

✳️ @​vitest/coverage-v8 (4.1.5 → 4.1.6) · Repo

🐞 Bug Fixes

🏎 Performance

✳️ vite (8.0.9 → 8.0.12) · Repo · Changelog

✳️ vitest (4.1.5 → 4.1.6) · Repo

🐞 Bug Fixes

🏎 Performance

↗️ @​emnapi/core (indirect, 1.9.2 → 1.10.0) · Repo

What's Changed

↗️ @​emnapi/runtime (indirect, 1.9.2 → 1.10.0) · Repo

What's Changed

↗️ @​tybys/wasm-util (indirect, 0.10.1 → 0.10.2) · Repo

↗️ @​vitest/expect (indirect, 4.1.5 → 4.1.6) · Repo

🐞 Bug Fixes

🏎 Performance

↗️ @​vitest/mocker (indirect, 4.1.5 → 4.1.6) · Repo

🐞 Bug Fixes

🏎 Performance

↗️ @​vitest/pretty-format (indirect, 4.1.5 → 4.1.6) · Repo

🐞 Bug Fixes

🏎 Performance

↗️ @​vitest/runner (indirect, 4.1.5 → 4.1.6) · Repo

🐞 Bug Fixes

🏎 Performance

↗️ @​vitest/snapshot (indirect, 4.1.5 → 4.1.6) · Repo

🐞 Bug Fixes

🏎 Performance

↗️ @​vitest/spy (indirect, 4.1.5 → 4.1.6) · Repo

🐞 Bug Fixes

🏎 Performance

↗️ @​vitest/utils (indirect, 4.1.5 → 4.1.6) · Repo

🐞 Bug Fixes

🏎 Performance

↗️ rolldown (indirect, 1.0.0-rc.16 → 1.0.0) · Repo · Changelog

[1.0.0] - 2026-05-07

🐛 Bug Fixes

🚜 Refactor

📚 Documentation

⚡ Performance

⚙️ Miscellaneous Tasks

🆕 @​esbuild/netbsd-arm64 (added, 0.28.0)

🆕 @​esbuild/openbsd-arm64 (added, 0.28.0)

🆕 @​esbuild/openharmony-arm64 (added, 0.28.0)

🆕 @​esbuild/aix-ppc64 (added, 0.28.0)

🆕 @​esbuild/android-arm (added, 0.28.0)

🆕 @​esbuild/android-arm64 (added, 0.28.0)

🆕 @​esbuild/android-x64 (added, 0.28.0)

🆕 @​esbuild/darwin-arm64 (added, 0.28.0)

🆕 @​esbuild/darwin-x64 (added, 0.28.0)

🆕 @​esbuild/freebsd-arm64 (added, 0.28.0)

🆕 @​esbuild/freebsd-x64 (added, 0.28.0)

🆕 @​esbuild/linux-arm (added, 0.28.0)

🆕 @​esbuild/linux-arm64 (added, 0.28.0)

🆕 @​esbuild/linux-ia32 (added, 0.28.0)

🆕 @​esbuild/linux-loong64 (added, 0.28.0)

🆕 @​esbuild/linux-mips64el (added, 0.28.0)

🆕 @​esbuild/linux-ppc64 (added, 0.28.0)

🆕 @​esbuild/linux-riscv64 (added, 0.28.0)

🆕 @​esbuild/linux-s390x (added, 0.28.0)

🆕 @​esbuild/linux-x64 (added, 0.28.0)

🆕 @​esbuild/netbsd-x64 (added, 0.28.0)

🆕 @​esbuild/openbsd-x64 (added, 0.28.0)

🆕 @​esbuild/sunos-x64 (added, 0.28.0)

🆕 @​esbuild/win32-arm64 (added, 0.28.0)

🆕 @​esbuild/win32-ia32 (added, 0.28.0)

🆕 @​esbuild/win32-x64 (added, 0.28.0)

🆕 esbuild (added, 0.28.0)

Uh oh!

github-actions Bot commented May 12, 2026

Uh oh!

sonarqubecloud Bot commented May 12, 2026

Quality Gate passed

Uh oh!

socket-security Bot commented May 12, 2026

Uh oh!

socket-security Bot commented May 12, 2026

Uh oh!

✳️ @vitest/coverage-v8 (4.1.5 → 4.1.6) · Repo

↗️ @emnapi/core (indirect, 1.9.2 → 1.10.0) · Repo

↗️ @emnapi/runtime (indirect, 1.9.2 → 1.10.0) · Repo

↗️ @tybys/wasm-util (indirect, 0.10.1 → 0.10.2) · Repo

↗️ @vitest/expect (indirect, 4.1.5 → 4.1.6) · Repo

↗️ @vitest/mocker (indirect, 4.1.5 → 4.1.6) · Repo

↗️ @vitest/pretty-format (indirect, 4.1.5 → 4.1.6) · Repo

↗️ @vitest/runner (indirect, 4.1.5 → 4.1.6) · Repo

↗️ @vitest/snapshot (indirect, 4.1.5 → 4.1.6) · Repo

↗️ @vitest/spy (indirect, 4.1.5 → 4.1.6) · Repo

↗️ @vitest/utils (indirect, 4.1.5 → 4.1.6) · Repo

🆕 @esbuild/netbsd-arm64 (added, 0.28.0)

🆕 @esbuild/openbsd-arm64 (added, 0.28.0)

🆕 @esbuild/openharmony-arm64 (added, 0.28.0)

🆕 @esbuild/aix-ppc64 (added, 0.28.0)

🆕 @esbuild/android-arm (added, 0.28.0)

🆕 @esbuild/android-arm64 (added, 0.28.0)

🆕 @esbuild/android-x64 (added, 0.28.0)

🆕 @esbuild/darwin-arm64 (added, 0.28.0)

🆕 @esbuild/darwin-x64 (added, 0.28.0)

🆕 @esbuild/freebsd-arm64 (added, 0.28.0)

🆕 @esbuild/freebsd-x64 (added, 0.28.0)

🆕 @esbuild/linux-arm (added, 0.28.0)

🆕 @esbuild/linux-arm64 (added, 0.28.0)

🆕 @esbuild/linux-ia32 (added, 0.28.0)

🆕 @esbuild/linux-loong64 (added, 0.28.0)

🆕 @esbuild/linux-mips64el (added, 0.28.0)

🆕 @esbuild/linux-ppc64 (added, 0.28.0)

🆕 @esbuild/linux-riscv64 (added, 0.28.0)

🆕 @esbuild/linux-s390x (added, 0.28.0)

🆕 @esbuild/linux-x64 (added, 0.28.0)

🆕 @esbuild/netbsd-x64 (added, 0.28.0)

🆕 @esbuild/openbsd-x64 (added, 0.28.0)

🆕 @esbuild/sunos-x64 (added, 0.28.0)

🆕 @esbuild/win32-arm64 (added, 0.28.0)

🆕 @esbuild/win32-ia32 (added, 0.28.0)

🆕 @esbuild/win32-x64 (added, 0.28.0)