chore(deps): bump vitest from 3.2.4 to 4.1.9#120
Conversation
Dependency Changes DetectedThis PR modifies dependency files. Please review whether these changes are intentional. Changed files:
Maintainer checklist:
|
QA-Engineer Verdict: CHANGES_REQUESTEDTest Results (CI)
Failing Tests
Root Cause AnalysisTests rely on The mock for Verify Completeness
VerdictCHANGES_REQUESTED — PR author must adapt the mocking pattern for vitest 4.x compatibility before merge. The Note: |
Security-Engineer Verdict: CHANGES_REQUESTEDSTRIDE Analysis
SBOM Diff
CI Security Checks
AssessmentThe vitest upgrade itself is low-risk from a security perspective — it's a dev-only tool. No new attack surface is introduced in production code. VerdictCHANGES_REQUESTED — not for security concerns (which are clean), but because CI must pass before merge. The test failures themselves are not security-relevant (they're mocking issues, not logic flaws). Recommend resolving test failures and enabling dependency graph in repo settings. |
Code-Reviewer Verdict: CHANGES_REQUESTEDChange Summary
Correctness❌ Tests fail. 4 of 154 tests in The failures are all in the The test file uses: vi.mock("./inbound.js", async (importOriginal) => {
const actual = await importOriginal<typeof import("./inbound.js")>();
return { ...actual, uploadAndSendMedia: vi.fn()... };
});Then individual tests do dynamic Required fix: Adapt the mocking pattern for vitest 4.x. Possible approaches:
Readability / Maintainability
Design Fit
VerdictCHANGES_REQUESTED — The upgrade is appropriate in principle, but the test suite must be adapted for vitest 4.x compatibility. The 4 failing tests indicate that the mocking pattern used in Suggested approach: Use |
Aggregate Verdict: CHANGES_REQUESTEDAll 3 reviewers completed review. Summary:
Root CauseVitest 3.x → 4.x is a major version bump with breaking changes to module mocking. The Required Actions
Next step: Engineer must revise and push updated commits. |
lml2468
left a comment
There was a problem hiding this comment.
Automated review by review-lead agent. 3/3 reviewers request changes. See aggregate verdict comment for details.
Bumps [vitest](https://github.com/vitest-dev/vitest/tree/HEAD/packages/vitest) from 3.2.4 to 4.1.9. - [Release notes](https://github.com/vitest-dev/vitest/releases) - [Changelog](https://github.com/vitest-dev/vitest/blob/main/docs/releases.md) - [Commits](https://github.com/vitest-dev/vitest/commits/v4.1.9/packages/vitest) --- updated-dependencies: - dependency-name: vitest dependency-version: 4.1.9 dependency-type: direct:development update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>
74ebe9c to
dbaa234
Compare
vitest 4 changed restoreAllMocks to no longer reset automock state — it only restores spies created via vi.spyOn. The suite relied on the old behavior to wipe per-test mock implementations, so a persistent mockRejectedValue set by the "all uploads fail" cases leaked into later media-collection tests and made uploadAndSendMedia reject there too. Re-seed the ./inbound.js automocks to their factory defaults in beforeEach so each test starts from a clean implementation.
OctoBoooot
left a comment
There was a problem hiding this comment.
Review: chore(deps): bump vitest from 3.2.4 to 4.1.9 (#120)
Verdict: Comment
Dependabot major-version bump (vitest 3 → 4, a dev-only test dependency). The prior CR at 74ebe9c (lml2468) is now addressed by the follow-up commit. CI: check (22) build/test is green on vitest 4 — the decisive signal for a test-framework major bump. The two red checks (dependency-review, secret-scan) are the standing repo-level conditions, unrelated to this diff.
Verified correct
- The suite actually passes on v4.
check (22)= SUCCESS at this head, so the full test run executes under vitest 4 — that's the thing that matters for a major test-tooling bump, and it's confirmed rather than assumed. - The breaking change is handled, not papered over. vitest 4 changed
restoreAllMocksto no longer reset automock state (only manualvi.spyOnspies). The follow-up commit (src/actions.test.ts:27-31, 61-74) re-seeds the./inbound.jsautomocks to their factory defaults inbeforeEach, with a comment naming the exact v4 behavior change. Without this, a persistentmockRejectedValuefrom one test would leak into later ones — a real cross-test-pollution bug the migration would otherwise introduce. This is the correct fix for the named behavior change, and it directly resolves the prior CR. - Scope is contained.
package.json(one line),package-lock.json(lockfile regen), and the one test-file compat fix.vitestis adevDependency— no runtime/production surface, no shipped-artifact change. - Transitive bumps are consistent (chai 5→6, tinyrainbow 2→3, the
@vitest/*family all to 4.1.9) — standard for a vitest major, all dev-tree.
Praise
- The author didn't just bump and hope — they hit the
restoreAllMocksautomock-reset behavior change (a genuinely easy-to-miss v4 breaking change), fixed it at the right place (beforeEachre-seed), and documented why in the comment. That's the difference between a green-by-luck bump and a verified migration.
Out of scope (informational)
dependency-review/secret-scanreds are the standing repo-level conditions seen across every recent PR here; neither is introduced by a dev-dependency bump.
Clean, verified major-version dev-dep migration with the v4 breaking change correctly absorbed. Merge decision is the maintainer's (dependabot PR).
Jerry-Xin
left a comment
There was a problem hiding this comment.
Summary: The PR is in scope for this repository and the Vitest 4 migration looks correct; no blocking issues found.
💬 Non-blocking
- 🟡 Warning:
package.json:92still advertises"node": ">=22", while the new locked Vite/Rolldown toolchain requires Node>=22.12.0inpackage-lock.json:5425. CI usesnode-version: 22, which currently resolves to a compatible latest Node 22, but contributors on Node 22.0-22.11 may hit engine warnings or runtime failures. Consider tightening the dev/runtime guidance to>=22.12.0if the project intends local test/build support with this lockfile.
✅ Highlights
src/actions.test.ts:59correctly re-seeds the mockeduploadAndSendMediaanduploadMediaexports aftervi.restoreAllMocks(), preventing one test’s persistent mock behavior from leaking into later tests under Vitest 4.- The dependency bump is limited to test tooling and the adapted test behavior is covered by the existing action test suite.
Verification run:
npm cinpm run type-checknpx vitest run src/actions.test.tsnpm testnpm run build
yujiawei
left a comment
There was a problem hiding this comment.
Code Review — PR #120 (openclaw-channel-octo)
Scope: vitest major bump 3.2.4 → 4.1.9 (devDependency) + one accompanying test adaptation. Reviewed at head SHA 73a0e0b1ef4fc543d16999651ce57203e630c378.
1. Spec compliance
This is a Dependabot major-version bump. The diff is exactly what such a change should contain — nothing missing, nothing out of scope:
package.json—vitestdevDep^3.0.0 → ^4.1.9. ✅package-lock.json— all changes are confined to vitest's transitive tree (esbuild,lightningcss*,loupe,deep-eql,check-error, etc.), all dev-time only. No production dependency (axios,crypto-js,ws,curve25519-js,md5-typescript) is touched. ✅src/actions.test.ts— minimal adaptation to a vitest 4 behavior change (details below). No source/runtime code modified. ✅
No over-build (no extra features/flags), no deviation. Spec: ✅
2. Code quality
The test adaptation is correct and necessary
vitest 4 changed vi.restoreAllMocks() semantics: it now only restores vi.spyOn spies and no longer resets automocked module functions to their factory defaults. In this file, ./inbound.js is automocked via vi.mock(...), and several tests set persistent mock behavior (uploadSpy.mockResolvedValue(...) at L914, mockRejectedValue(...) at L2133/L2154). Under vitest 4 that state would leak into subsequent tests.
The fix re-seeds both automocks to their factory defaults in beforeEach via mockReset().mockResolvedValue(...), with an added static import of the mocked symbols. This is the idiomatic vitest-4 remedy.
I verified the change is load-bearing, not superfluous: removing the re-seed block and running vitest run src/actions.test.ts under 4.1.9 produces 4 failures (should skip falsy values in attachments, should send media from all three sources, should collect args.url, should collect args.fileUrl) — exactly the cross-test leakage the comment describes. With the block in place, all pass.
Verification performed (clean checkout, npm ci)
npm test→ 35 files, 1300 tests passed on vitest 4.1.9.npm run type-check(tsc --noEmit) → clean.- Lockfile resolves
vitest@4.1.9; bumped packages are all dev-only transitive deps.
Notes (non-blocking)
- Four other test files (
bug-repro,channel,reconnect-fixes,socket) also combinevi.mock(...)withrestoreAllMocks, but the full suite passes — they don't depend on automock state being reset between tests, so they need no change. Worth keeping in mind if their mocks gain persistent return values later. - vitest 4 pulls
lightningcss(browser-mode tooling) into the dev tree; it is unused here and dev-only, so no runtime or supply-chain impact on the published plugin.
Quality: Approved.
3. Verdict
APPROVED. No P0/P1 findings. The bump is scoped to devDependencies, the single test change is the correct and minimal adaptation to vitest 4's restoreAllMocks change, and the entire suite + type-check pass on a clean install.
mochashanyao
left a comment
There was a problem hiding this comment.
[Octo-Q · automated review]
Verdict: Approve — no blocking findings; notes below (data-flow traced).
openclaw-channel-octo PR#120 Review Report
PR: #120
Title: chore(deps): bump vitest from 3.2.4 to 4.1.9
Head SHA: 73a0e0b
Reviewer: Octo-Q (automated review)
1. 验证结论
- ✅ Tests pass: 1300/1300 across 35 test files (
vitest run— 4.13s) - ✅ Type-check passes:
tsc --noEmitclean - ✅ Node engine compatibility: project requires
>=22, vitest 4 requires^20.0.0 || ^22.0.0 || >=24.0.0— compatible - ✅ Test adaptation correctly addresses vitest 4 breaking change
- ✅ No other test files affected by same breaking change (verified via grep)
2. 发现的问题(P0/P1/P2)
No P0/P1 findings.
P2 — form-data npm audit vulnerability (pre-existing)
- diff-scope: Pre-existing.
form-data@4.0.5is a transitive dep ofaxios@1.18.1, not vitest. Not introduced or amplified by this PR. - CRLF injection advisory (GHSA-hmw2-7cc7-3qxx). Fixable via
npm audit fix. - Not blocking — unrelated to this PR's scope.
P2 — hosted-git-info@10.1.1 engine warning (cosmetic)
- diff-scope: Pre-existing. Requires
^22.22.2, environment hasv22.22.0. Not introduced by this PR. - No functional impact on tests or build.
3. 建议
No blocking suggestions. Optional improvements:
- Consider running
npm audit fixin a separate PR to address theform-datavulnerability.
4. 额外发现
- Transitive dep chain impact: vitest 4 pulls in vite 8.1.0 (from 7.3.3), which replaces rollup with rolldown as the internal bundler. Since vite is only a transitive dep (not directly used by the project), this has no production impact.
- vitest 4 drops Node 18 support (now
^20.0.0 || ^22.0.0 || >=24.0.0). Project already requires>=22— compatible. - New transitive deps added:
@emnapi/*,@napi-rs/wasm-runtime,@oxc-project/types,rolldown,obug,tslib. All are dev-only. - Removed transitive deps:
@esbuild/*platform binaries,rollup+@rollup/*,vite-node,tinypool,tinyspy,strip-literal,pathval,loupe,js-tokens,chai. These are replaced by vitest 4's internal rewrites.
5. 数据流回溯
src/actions.test.ts — mock reset in beforeEach:
uploadAndSendMediaanduploadMediaarevi.fn()instances created in thevi.mock("./inbound.js", ...)factory (line 10-22).- In vitest 3,
vi.restoreAllMocks()also reset these factory-created mocks. In vitest 4, it only restoresvi.spyOn()spies. - The fix (lines 64-75) explicitly calls
.mockReset().mockResolvedValue(...)on both mocks, re-seeding them to factory defaults. - Data flow verified:
vi.mocked(uploadAndSendMedia)→ resolves to thevi.fn()created at line 14 →.mockReset()clears call history + return values →.mockResolvedValue(undefined)sets default behavior. Same pattern foruploadMediawith the matching factory-default return object. - Import correctness (lines 26-27): Static
import { uploadAndSendMedia, uploadMedia } from "./inbound.js"resolves to the mocked module becausevi.mock()is hoisted before imports by vitest. Verified: the imported symbols are the samevi.fn()instances created in the factory.
Other test files using vi.restoreAllMocks() + factory mocks:
channel.test.tsalready avoidsvi.restoreAllMocks()(line 678 comment: "do NOT call vi.restoreAllMocks() here") and usesvi.clearAllMocks()instead — unaffected.agent-tools.test.tsusesvi.clearAllMocks()(line 133) — unaffected.- Other files with
vi.restoreAllMocks()either don't usevi.fn()insidevi.mock()factories, or their factory mocks return static objects that aren't modified per-test — unaffected.
6. 盲点 checklist(R5)
- C1 双路径 parity: N/A — no symmetric paths (add/remove, subscribe/unsubscribe) touched.
- C2 control-flow ordering / 嵌套复用: N/A — no shared logic reordered or nested.
- C3 授权边界: N/A — no auth/permission changes.
- C4 授权生命周期 / 容器-成员状态级联: N/A — no auth changes.
- C5 build/note ≠ 运行期: Verified. Vite 8 replaces rollup with rolldown internally, but vite is only a transitive dep of vitest — not directly consumed by the project.
tscbuild andvitest runboth pass. No relative-path/origin concerns (no browser extension, no CLI, no packaging). - C6 治理/策略/安全文档自洽性: N/A — no doc changes.
7. 跨轮 blocker 复检(R6)
N/A — first review.
[Octo-Q] verdict: APPROVE
Clean major-version dependency bump. The vitest 3→4 breaking change (restoreAllMocks() semantics) is correctly addressed in actions.test.ts with explicit mock re-seeding. All 1300 tests pass. Type-check passes. No P0/P1 findings. No production code changes.
Test failures that triggered this review are fixed in 73a0e0b (vitest 4 automock re-seed); check (22) green, 3 fresh approvals. Dismissing stale review.
Bumps vitest from 3.2.4 to 4.1.9.
Release notes
Sourced from vitest's releases.
... (truncated)
Commits
a7a61e7chore: release v4.1.9 (#10598)934b0f5fix(pool): prevent test run hang on worker crash (#10543) [backport to v4] (#...7fb2965fix(browser): wait for orchestrator readiness before resolving browser sessio...a518019fix: fiximportOriginalwith optimizer and query import [backport to v4] (#...e61f2ddchore: release v4.1.8e4067b3fix(browser): disable clientcdpAPI whenallowWrite/allowExec: false[ba...a09d472chore: release v4.1.7a8fd24cchore: release v4.1.618af98cfix(browser): simplify orchestrator otel carrier (#10285)3188260feat(browser): provide project reference inToMatchScreenshotResolvePath(#...Maintainer changes
This version was pushed to npm by GitHub Actions, a new releaser for vitest since your current version.