chore(deps-dev): bump vitest from 1.6.1 to 3.2.6 #29
Bumps [vitest](https://github.com/vitest-dev/vitest/tree/HEAD/packages/vitest) from 1.6.1 to 3.2.6.
- [Release notes](https://github.com/vitest-dev/vitest/releases)
- [Changelog](https://github.com/vitest-dev/vitest/blob/main/docs/releases.md)
- [Commits](https://github.com/vitest-dev/vitest/commits/v3.2.6/packages/vitest)

---
updated-dependencies:
- dependency-name: vitest
  dependency-version: 3.2.6
  dependency-type: direct:development
...

Signed-off-by: dependabot[bot] <support@github.com>
🤖 AI Code Reviewer
Reviewed by 2 agents | Quality score: 55% | Review time: 55.3s
🟡 1 warnings, 💡 1 suggestions. See inline comments.
🤖 Generated by AI Code Reviewer | Review ID: review-d502ca7d
| "typescript": "^5.3.0", | ||
| "vite": "^5.4.21", | ||
| "vitest": "^1.0.0" | ||
| "vitest": "^3.2.6" |
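Review bot: The unchanged context line `"vite": "^5.4.21"` stays on Vite 5 while the line below it moves `"vitest"` from `^1.0.0` to `^3.2.6`, and nothing in this hunk shows that the two still satisfy each other's peer ranges. Check the install output for peer-dependency warnings between vite and vitest after this change, and if vite has to move as well, do it in this PR so the test toolchain is reviewed as one unit. The old specifier floored at the start of its major (`^1.0.0`) and the new one floors at `3.2.6`; if that higher floor is intentional, say why in the PR description so the next reviewer does not loosen it.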
🟡 Major version bump (v1 → v3) without explicit compatibility verification
The vitest dependency is being bumped from ^1.0.0 (resolved to 1.6.1) to ^3.2.6 — a two-major-version jump. Vitest v2 and v3 introduced breaking changes (e.g., new pool defaults, changed snapshot serialization, updated expect API, new @vitest/mocker package, removal of local-pkg, acorn-walk, execa from the dependency tree, and changed node engine requirements from ^18.0.0 || >=20.0.0 to ^18.0.0 || ^20.0.0 || >=22.0.0). There is no evidence in the diff of any test suite updates, vitest config changes, or CI verification that existing tests still pass under v3. The PR description is purely a Dependabot bump with no mention of test results.
Suggested fix:
Before merging, run `pnpm test` locally and in CI to confirm all tests pass. Review the vitest v2 and v3 migration guides for breaking changes. Check `vitest.config.*` (not present in the diff) for any options that were renamed or removed. Verify the node engine constraint change (>=22.0.0 now supported) aligns with your CI matrix.
| "typescript": "^5.3.0", | ||
| "vite": "^5.4.21", | ||
| "vitest": "^1.0.0" | ||
| "vitest": "^3.2.6" |
💡 Loose semver range allows future breaking upgrades without review
The specifier ^3.2.6 allows automatic upgrades to any 3.x release. Given that vitest has historically introduced subtle breaking changes within minor versions (e.g., snapshot format changes, reporter API changes), a loose caret range means future pnpm install or lockfile refreshes could silently pull in a breaking minor. The lockfile pins the exact version today, but any lockfile refresh will pick up the latest 3.x.
Suggested fix:
Consider pinning to an exact version (`"vitest": "3.2.6"`) or a tighter range (`"vitest": "~3.2.6"`) for a dev-only test framework where you want explicit control over upgrades. Alternatively, keep `^3.2.6` but ensure CI runs `pnpm install --frozen-lockfile` to prevent unintended upgrades.
Documentation Review
The following documentation may need updates based on the changes in this PR:
Bumps vitest from 1.6.1 to 3.2.6.
Release notes
Sourced from vitest's releases.
... (truncated)
Commits
- b6d56f8 chore: release v3.2.6
- 16f120d fix: pin last supported vite-node version
- 2cbad0a chore: release v3.2.5
- 385a1ae fix(browser): disable client `cdp` API when `allowWrite/allowExec: false` [ba...
- af88b1f feat(api): add `allowWrite` and `allowExec` options to `api` [backport to v3]...
- c666d14 chore: release v3.2.4
- 8a18c8e fix(cli): throw error when `--shard x/<count>` exceeds count of test files (#...
- 8abd7cc chore(deps): update `tinypool` (#8174)
- 93f3200 fix(deps): update all non-major dependencies (#8123)
- 0c3be6f fix(coverage): ignore SCSS in browser mode (#8161)

Maintainer changes
This version was pushed to npm by GitHub Actions, a new releaser for vitest since your current version.
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

You can disable automated security fix PRs for this repo from the Security Alerts page.
Note
Medium Risk
Major-version test tooling jump may break tests or require config tweaks; runtime library surface is unchanged.
Overview
Upgrades the dev test runner Vitest from 1.6.1 to 3.2.6 in `package.json`, with `pnpm-lock.yaml` refreshed for the new `@vitest/*` stack (e.g. chai 5, vite-node 3.2.4, tinypool 1.x) and removal of Vitest 1–era transitive packages.

No application source or Vitest config files are changed; `test`/`test:watch` still invoke `vitest` as before. Reviewers should confirm `pnpm test` (and CI) pass under the major bump, since Vitest 3 can differ in APIs and defaults from v1.

Reviewed by Cursor Bugbot for commit ea2a3a7. Bugbot is set up for automated code reviews on this repo.