Skip to content

chore(deps): bump vitest from 3.2.4 to 4.1.9#120

Merged
caster-Q merged 2 commits into
mainfrom
dependabot/npm_and_yarn/vitest-4.1.9
Jun 29, 2026
Merged

chore(deps): bump vitest from 3.2.4 to 4.1.9#120
caster-Q merged 2 commits into
mainfrom
dependabot/npm_and_yarn/vitest-4.1.9

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 16, 2026

Copy link
Copy Markdown
Contributor

Bumps vitest from 3.2.4 to 4.1.9.

Release notes

Sourced from vitest's releases.

v4.1.9

🐞 Bug Fixes

View changes on GitHub

v4.1.8

   🐞 Bug Fixes

    View changes on GitHub

v4.1.7

   🐞 Bug Fixes

    View changes on GitHub

v4.1.6

   🐞 Bug Fixes

   🏎 Performance

    View changes on GitHub

v4.1.5

   🚀 Experimental Features

   🐞 Bug Fixes

... (truncated)

Commits
  • a7a61e7 chore: release v4.1.9 (#10598)
  • 934b0f5 fix(pool): prevent test run hang on worker crash (#10543) [backport to v4] (#...
  • 7fb2965 fix(browser): wait for orchestrator readiness before resolving browser sessio...
  • a518019 fix: fix importOriginal with optimizer and query import [backport to v4] (#...
  • e61f2dd chore: release v4.1.8
  • e4067b3 fix(browser): disable client cdp API when allowWrite/allowExec: false [ba...
  • a09d472 chore: release v4.1.7
  • a8fd24c chore: release v4.1.6
  • 18af98c fix(browser): simplify orchestrator otel carrier (#10285)
  • 3188260 feat(browser): provide project reference in ToMatchScreenshotResolvePath (#...
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for vitest since your current version.


@dependabot dependabot Bot added the dependencies Pull requests that update a dependency file label Jun 16, 2026
@dependabot
dependabot Bot requested review from caster-Q and yujiawei as code owners June 16, 2026 10:08
@dependabot dependabot Bot added the dependencies Pull requests that update a dependency file label Jun 16, 2026
@github-actions github-actions Bot added size/XS PR size: XS dependencies-changed This PR modifies dependency files labels Jun 16, 2026
@github-actions

Copy link
Copy Markdown
Contributor

Dependency Changes Detected

This PR modifies dependency files. Please review whether these changes are intentional.

Changed files:

  • package.json

Maintainer checklist:

  • Confirm dependency changes are intentional
  • Review package delta if lockfile changed

@lml2468 lml2468 added review:running:qa qa-engineer review in progress review:running:security security-engineer review in progress review:running:code code-reviewer review in progress labels Jun 27, 2026
@lml2468

lml2468 commented Jun 27, 2026

Copy link
Copy Markdown
Contributor

QA-Engineer Verdict: CHANGES_REQUESTED

Test Results (CI)

  • 4 tests FAIL in src/actions.test.ts (154 total, 4 failed)
  • All failures: AssertionError: expected false to be true on expect(result.ok).toBe(true)

Failing Tests

Test Line Area
should skip falsy values in attachments 2191 media URL resolution
should send media from all three sources 2216 three-source merge
should collect args.url 2241 top-level URL collection
(4th test) 2259 top-level fileUrl collection

Root Cause Analysis

Tests rely on vi.mock("./inbound.js", async (importOriginal) => {...}) with dynamic await import() to get mocked modules. Vitest 4.x changed module mocking hoisting and importOriginal behavior (see vitest-dev/vitest#10546, #10548 in the 4.1.9 changelog itself).

The mock for uploadAndSendMedia is not being applied correctly in vitest 4.x — handleOctoMessageAction does not see the mocked version, so the API call fails and result.ok returns false.

Verify Completeness

  • CI ran (check job: 4/154 failures)
  • No linked issue to verify against (dependabot PR)
  • Tests do NOT pass on this branch
  • Failures are directly caused by the vitest major version bump

Verdict

CHANGES_REQUESTED — PR author must adapt the mocking pattern for vitest 4.x compatibility before merge. The vi.mock + importOriginal pattern needs updating to match vitest 4.x semantics.

Note: dependency-review and secret-scan failures are pre-existing repo issues (dependency graph not enabled; gitleaks false positives in test files), not caused by this PR.

@lml2468

lml2468 commented Jun 27, 2026

Copy link
Copy Markdown
Contributor

Security-Engineer Verdict: CHANGES_REQUESTED

STRIDE Analysis

  • Spoofing: N/A — no auth/identity changes
  • Tampering: N/A — no data integrity changes
  • Repudiation: N/A — no logging/audit changes
  • Information Disclosure: N/A — no sensitive data handling changes
  • Denial of Service: N/A — no resource management changes
  • Elevation of Privilege: N/A — no permission/access changes

SBOM Diff

  • Before: vitest@3.2.4 (dev dependency)
  • After: vitest@4.1.9 (dev dependency)
  • Impact: Dev-only dependency — no production runtime exposure
  • New transitive deps: @emnapi/core, @emnapi/runtime, @emnapi/wasi-threads, @jridgewell/sourcemap-codec, @napi-rs/wasm-runtime, @oxc-project/types, @rolldown/* (replacing @esbuild/*)

CI Security Checks

  • secret-scan (gitleaks): FAIL — 19 leaks detected, including generic-api-key in src/agent-tools.test.ts:977. However, these are pre-existing (the scan targets files not modified by this PR). Not a blocker for this PR specifically.
  • dependency-review: FAIL — "Dependency review is not supported on this repository" (dependency graph not enabled). Pre-existing repo configuration issue.

Assessment

The vitest upgrade itself is low-risk from a security perspective — it's a dev-only tool. No new attack surface is introduced in production code.

Verdict

CHANGES_REQUESTED — not for security concerns (which are clean), but because CI must pass before merge. The test failures themselves are not security-relevant (they're mocking issues, not logic flaws). Recommend resolving test failures and enabling dependency graph in repo settings.

@lml2468

lml2468 commented Jun 27, 2026

Copy link
Copy Markdown
Contributor

Code-Reviewer Verdict: CHANGES_REQUESTED

Change Summary

  • package.json: "vitest": "^3.0.0""vitest": "^4.1.9" (major version bump)
  • package-lock.json: lockfile regeneration (vitest 4.x deps)

Correctness

❌ Tests fail. 4 of 154 tests in src/actions.test.ts fail after this upgrade.

The failures are all in the handleOctoMessageAction > send test suite, specifically in tests involving media URL handling. The root cause is a breaking change in vitest 4.x module mocking behavior.

The test file uses:

vi.mock("./inbound.js", async (importOriginal) => {
  const actual = await importOriginal<typeof import("./inbound.js")>();
  return { ...actual, uploadAndSendMedia: vi.fn()... };
});

Then individual tests do dynamic await import("./inbound.js") to access the mocked functions. Vitest 4.x changed how vi.mock() hoisting and importOriginal() interact — the mock factory may now return a different module instance than what the dynamic import in the source code resolves to.

Required fix: Adapt the mocking pattern for vitest 4.x. Possible approaches:

  1. Use vi.hoisted() to declare mock references before vi.mock()
  2. Adjust importOriginal usage to match vitest 4.x semantics
  3. Consider using vi.mock with explicit factory that doesn't rely on importOriginal spreading

Readability / Maintainability

  • The package.json change is clear and well-scoped
  • Vitest 4.x is a legitimate upgrade (3.x → 4.x is a major version, appropriate for a chore(deps) bump)
  • No concerns about code quality

Design Fit

  • Dependabot PRs follow standard dependency update patterns
  • The change is appropriately scoped to dev dependencies only

Verdict

CHANGES_REQUESTED — The upgrade is appropriate in principle, but the test suite must be adapted for vitest 4.x compatibility. The 4 failing tests indicate that the mocking pattern used in src/actions.test.ts is incompatible with vitest 4.x and needs updating before this PR can be safely merged.

Suggested approach: Use vi.hoisted() pattern (new in vitest 2.x, stabilized in 4.x) to declare mock function references before vi.mock(), avoiding the importOriginal spread pattern that changed behavior.

@lml2468 lml2468 added review:done:qa:changes qa-engineer FAIL review:done:security:changes security-engineer BLOCKED review:done:code:changes code-reviewer REQUEST_CHANGES and removed review:running:qa qa-engineer review in progress review:running:security security-engineer review in progress review:running:code code-reviewer review in progress labels Jun 27, 2026
@lml2468

lml2468 commented Jun 27, 2026

Copy link
Copy Markdown
Contributor

Aggregate Verdict: CHANGES_REQUESTED

All 3 reviewers completed review. Summary:

Role Verdict Key Finding
QA Engineer CHANGES_REQUESTED 4/154 tests fail due to vitest 4.x breaking changes in vi.mock/importOriginal behavior
Security Engineer CHANGES_REQUESTED No security concerns, but CI must pass. Pre-existing dependency-review and secret-scan failures also noted.
Code Reviewer CHANGES_REQUESTED Vitest 4.x mocking pattern incompatible with current test setup in src/actions.test.ts

Root Cause

Vitest 3.x → 4.x is a major version bump with breaking changes to module mocking. The vi.mock("./inbound.js", async (importOriginal) => {...}) pattern used in src/actions.test.ts no longer correctly propagates mocks to dynamically imported modules.

Required Actions

  1. Fix test mocking — Adapt vi.mock usage in src/actions.test.ts for vitest 4.x. Recommended: use vi.hoisted() to declare mock references.
  2. Enable dependency graph in repo settings (Settings > Security > Dependency graph) to fix dependency-review check.
  3. Address gitleaks findings — Add false positives to .gitleaksignore if appropriate.

Next step: Engineer must revise and push updated commits.

@lml2468 lml2468 added the review:complete 3 verdicts aggregated, awaiting human merge label Jun 27, 2026

@lml2468 lml2468 left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Automated review by review-lead agent. 3/3 reviewers request changes. See aggregate verdict comment for details.

@lml2468 lml2468 added needs-human-review and removed review:complete 3 verdicts aggregated, awaiting human merge labels Jun 29, 2026
Bumps [vitest](https://github.com/vitest-dev/vitest/tree/HEAD/packages/vitest) from 3.2.4 to 4.1.9.
- [Release notes](https://github.com/vitest-dev/vitest/releases)
- [Changelog](https://github.com/vitest-dev/vitest/blob/main/docs/releases.md)
- [Commits](https://github.com/vitest-dev/vitest/commits/v4.1.9/packages/vitest)

---
updated-dependencies:
- dependency-name: vitest
  dependency-version: 4.1.9
  dependency-type: direct:development
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot
dependabot Bot force-pushed the dependabot/npm_and_yarn/vitest-4.1.9 branch from 74ebe9c to dbaa234 Compare June 29, 2026 09:51
vitest 4 changed restoreAllMocks to no longer reset automock state — it
only restores spies created via vi.spyOn. The suite relied on the old
behavior to wipe per-test mock implementations, so a persistent
mockRejectedValue set by the "all uploads fail" cases leaked into later
media-collection tests and made uploadAndSendMedia reject there too.
Re-seed the ./inbound.js automocks to their factory defaults in
beforeEach so each test starts from a clean implementation.
@github-actions github-actions Bot added size/S PR size: S and removed size/XS PR size: XS labels Jun 29, 2026

@OctoBoooot OctoBoooot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Review: chore(deps): bump vitest from 3.2.4 to 4.1.9 (#120)

Verdict: Comment

Dependabot major-version bump (vitest 3 → 4, a dev-only test dependency). The prior CR at 74ebe9c (lml2468) is now addressed by the follow-up commit. CI: check (22) build/test is green on vitest 4 — the decisive signal for a test-framework major bump. The two red checks (dependency-review, secret-scan) are the standing repo-level conditions, unrelated to this diff.

Verified correct

  • The suite actually passes on v4. check (22) = SUCCESS at this head, so the full test run executes under vitest 4 — that's the thing that matters for a major test-tooling bump, and it's confirmed rather than assumed.
  • The breaking change is handled, not papered over. vitest 4 changed restoreAllMocks to no longer reset automock state (only manual vi.spyOn spies). The follow-up commit (src/actions.test.ts:27-31, 61-74) re-seeds the ./inbound.js automocks to their factory defaults in beforeEach, with a comment naming the exact v4 behavior change. Without this, a persistent mockRejectedValue from one test would leak into later ones — a real cross-test-pollution bug the migration would otherwise introduce. This is the correct fix for the named behavior change, and it directly resolves the prior CR.
  • Scope is contained. package.json (one line), package-lock.json (lockfile regen), and the one test-file compat fix. vitest is a devDependency — no runtime/production surface, no shipped-artifact change.
  • Transitive bumps are consistent (chai 5→6, tinyrainbow 2→3, the @vitest/* family all to 4.1.9) — standard for a vitest major, all dev-tree.

Praise

  • The author didn't just bump and hope — they hit the restoreAllMocks automock-reset behavior change (a genuinely easy-to-miss v4 breaking change), fixed it at the right place (beforeEach re-seed), and documented why in the comment. That's the difference between a green-by-luck bump and a verified migration.

Out of scope (informational)

  • dependency-review / secret-scan reds are the standing repo-level conditions seen across every recent PR here; neither is introduced by a dev-dependency bump.

Clean, verified major-version dev-dep migration with the v4 breaking change correctly absorbed. Merge decision is the maintainer's (dependabot PR).

@Jerry-Xin Jerry-Xin left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Summary: The PR is in scope for this repository and the Vitest 4 migration looks correct; no blocking issues found.

💬 Non-blocking

  • 🟡 Warning: package.json:92 still advertises "node": ">=22", while the new locked Vite/Rolldown toolchain requires Node >=22.12.0 in package-lock.json:5425. CI uses node-version: 22, which currently resolves to a compatible latest Node 22, but contributors on Node 22.0-22.11 may hit engine warnings or runtime failures. Consider tightening the dev/runtime guidance to >=22.12.0 if the project intends local test/build support with this lockfile.

✅ Highlights

  • src/actions.test.ts:59 correctly re-seeds the mocked uploadAndSendMedia and uploadMedia exports after vi.restoreAllMocks(), preventing one test’s persistent mock behavior from leaking into later tests under Vitest 4.
  • The dependency bump is limited to test tooling and the adapted test behavior is covered by the existing action test suite.

Verification run:

  • npm ci
  • npm run type-check
  • npx vitest run src/actions.test.ts
  • npm test
  • npm run build

@yujiawei yujiawei left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review — PR #120 (openclaw-channel-octo)

Scope: vitest major bump 3.2.4 → 4.1.9 (devDependency) + one accompanying test adaptation. Reviewed at head SHA 73a0e0b1ef4fc543d16999651ce57203e630c378.

1. Spec compliance

This is a Dependabot major-version bump. The diff is exactly what such a change should contain — nothing missing, nothing out of scope:

  • package.jsonvitest devDep ^3.0.0 → ^4.1.9. ✅
  • package-lock.json — all changes are confined to vitest's transitive tree (esbuild, lightningcss*, loupe, deep-eql, check-error, etc.), all dev-time only. No production dependency (axios, crypto-js, ws, curve25519-js, md5-typescript) is touched. ✅
  • src/actions.test.ts — minimal adaptation to a vitest 4 behavior change (details below). No source/runtime code modified. ✅

No over-build (no extra features/flags), no deviation. Spec: ✅

2. Code quality

The test adaptation is correct and necessary

vitest 4 changed vi.restoreAllMocks() semantics: it now only restores vi.spyOn spies and no longer resets automocked module functions to their factory defaults. In this file, ./inbound.js is automocked via vi.mock(...), and several tests set persistent mock behavior (uploadSpy.mockResolvedValue(...) at L914, mockRejectedValue(...) at L2133/L2154). Under vitest 4 that state would leak into subsequent tests.

The fix re-seeds both automocks to their factory defaults in beforeEach via mockReset().mockResolvedValue(...), with an added static import of the mocked symbols. This is the idiomatic vitest-4 remedy.

I verified the change is load-bearing, not superfluous: removing the re-seed block and running vitest run src/actions.test.ts under 4.1.9 produces 4 failures (should skip falsy values in attachments, should send media from all three sources, should collect args.url, should collect args.fileUrl) — exactly the cross-test leakage the comment describes. With the block in place, all pass.

Verification performed (clean checkout, npm ci)

  • npm test35 files, 1300 tests passed on vitest 4.1.9.
  • npm run type-check (tsc --noEmit) → clean.
  • Lockfile resolves vitest@4.1.9; bumped packages are all dev-only transitive deps.

Notes (non-blocking)

  • Four other test files (bug-repro, channel, reconnect-fixes, socket) also combine vi.mock(...) with restoreAllMocks, but the full suite passes — they don't depend on automock state being reset between tests, so they need no change. Worth keeping in mind if their mocks gain persistent return values later.
  • vitest 4 pulls lightningcss (browser-mode tooling) into the dev tree; it is unused here and dev-only, so no runtime or supply-chain impact on the published plugin.

Quality: Approved.

3. Verdict

APPROVED. No P0/P1 findings. The bump is scoped to devDependencies, the single test change is the correct and minimal adaptation to vitest 4's restoreAllMocks change, and the entire suite + type-check pass on a clean install.

@mochashanyao mochashanyao left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[Octo-Q · automated review]

Verdict: Approve — no blocking findings; notes below (data-flow traced).


openclaw-channel-octo PR#120 Review Report

PR: #120
Title: chore(deps): bump vitest from 3.2.4 to 4.1.9
Head SHA: 73a0e0b
Reviewer: Octo-Q (automated review)

1. 验证结论

  • ✅ Tests pass: 1300/1300 across 35 test files (vitest run — 4.13s)
  • ✅ Type-check passes: tsc --noEmit clean
  • ✅ Node engine compatibility: project requires >=22, vitest 4 requires ^20.0.0 || ^22.0.0 || >=24.0.0 — compatible
  • ✅ Test adaptation correctly addresses vitest 4 breaking change
  • ✅ No other test files affected by same breaking change (verified via grep)

2. 发现的问题(P0/P1/P2)

No P0/P1 findings.

P2 — form-data npm audit vulnerability (pre-existing)

  • diff-scope: Pre-existing. form-data@4.0.5 is a transitive dep of axios@1.18.1, not vitest. Not introduced or amplified by this PR.
  • CRLF injection advisory (GHSA-hmw2-7cc7-3qxx). Fixable via npm audit fix.
  • Not blocking — unrelated to this PR's scope.

P2 — hosted-git-info@10.1.1 engine warning (cosmetic)

  • diff-scope: Pre-existing. Requires ^22.22.2, environment has v22.22.0. Not introduced by this PR.
  • No functional impact on tests or build.

3. 建议

No blocking suggestions. Optional improvements:

  • Consider running npm audit fix in a separate PR to address the form-data vulnerability.

4. 额外发现

  • Transitive dep chain impact: vitest 4 pulls in vite 8.1.0 (from 7.3.3), which replaces rollup with rolldown as the internal bundler. Since vite is only a transitive dep (not directly used by the project), this has no production impact.
  • vitest 4 drops Node 18 support (now ^20.0.0 || ^22.0.0 || >=24.0.0). Project already requires >=22 — compatible.
  • New transitive deps added: @emnapi/*, @napi-rs/wasm-runtime, @oxc-project/types, rolldown, obug, tslib. All are dev-only.
  • Removed transitive deps: @esbuild/* platform binaries, rollup + @rollup/*, vite-node, tinypool, tinyspy, strip-literal, pathval, loupe, js-tokens, chai. These are replaced by vitest 4's internal rewrites.

5. 数据流回溯

src/actions.test.ts — mock reset in beforeEach:

  • uploadAndSendMedia and uploadMedia are vi.fn() instances created in the vi.mock("./inbound.js", ...) factory (line 10-22).
  • In vitest 3, vi.restoreAllMocks() also reset these factory-created mocks. In vitest 4, it only restores vi.spyOn() spies.
  • The fix (lines 64-75) explicitly calls .mockReset().mockResolvedValue(...) on both mocks, re-seeding them to factory defaults.
  • Data flow verified: vi.mocked(uploadAndSendMedia) → resolves to the vi.fn() created at line 14 → .mockReset() clears call history + return values → .mockResolvedValue(undefined) sets default behavior. Same pattern for uploadMedia with the matching factory-default return object.
  • Import correctness (lines 26-27): Static import { uploadAndSendMedia, uploadMedia } from "./inbound.js" resolves to the mocked module because vi.mock() is hoisted before imports by vitest. Verified: the imported symbols are the same vi.fn() instances created in the factory.

Other test files using vi.restoreAllMocks() + factory mocks:

  • channel.test.ts already avoids vi.restoreAllMocks() (line 678 comment: "do NOT call vi.restoreAllMocks() here") and uses vi.clearAllMocks() instead — unaffected.
  • agent-tools.test.ts uses vi.clearAllMocks() (line 133) — unaffected.
  • Other files with vi.restoreAllMocks() either don't use vi.fn() inside vi.mock() factories, or their factory mocks return static objects that aren't modified per-test — unaffected.

6. 盲点 checklist(R5)

  • C1 双路径 parity: N/A — no symmetric paths (add/remove, subscribe/unsubscribe) touched.
  • C2 control-flow ordering / 嵌套复用: N/A — no shared logic reordered or nested.
  • C3 授权边界: N/A — no auth/permission changes.
  • C4 授权生命周期 / 容器-成员状态级联: N/A — no auth changes.
  • C5 build/note ≠ 运行期: Verified. Vite 8 replaces rollup with rolldown internally, but vite is only a transitive dep of vitest — not directly consumed by the project. tsc build and vitest run both pass. No relative-path/origin concerns (no browser extension, no CLI, no packaging).
  • C6 治理/策略/安全文档自洽性: N/A — no doc changes.

7. 跨轮 blocker 复检(R6)

N/A — first review.


[Octo-Q] verdict: APPROVE

Clean major-version dependency bump. The vitest 3→4 breaking change (restoreAllMocks() semantics) is correctly addressed in actions.test.ts with explicit mock re-seeding. All 1300 tests pass. Type-check passes. No P0/P1 findings. No production code changes.

@caster-Q
caster-Q requested a review from lml2468 June 29, 2026 10:04
@caster-Q
caster-Q dismissed lml2468’s stale review June 29, 2026 10:06

Test failures that triggered this review are fixed in 73a0e0b (vitest 4 automock re-seed); check (22) green, 3 fresh approvals. Dismissing stale review.

@caster-Q
caster-Q merged commit 23901d3 into main Jun 29, 2026
7 of 9 checks passed
@dependabot
dependabot Bot deleted the dependabot/npm_and_yarn/vitest-4.1.9 branch June 29, 2026 10:06
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file dependencies-changed This PR modifies dependency files needs-human-review review:done:code:changes code-reviewer REQUEST_CHANGES review:done:qa:changes qa-engineer FAIL review:done:security:changes security-engineer BLOCKED size/S PR size: S

Projects

None yet

Development

Successfully merging this pull request may close these issues.

6 participants