Skip to content

build(deps-dev): bump vitest from 4.1.5 to 4.1.10 in /frontend#330

Merged
veverkananobot merged 1 commit into
mainfrom
dependabot/npm_and_yarn/frontend/vitest-4.1.8
Jul 9, 2026
Merged

build(deps-dev): bump vitest from 4.1.5 to 4.1.10 in /frontend#330
veverkananobot merged 1 commit into
mainfrom
dependabot/npm_and_yarn/frontend/vitest-4.1.8

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 7, 2026

Copy link
Copy Markdown
Contributor

Bumps vitest from 4.1.5 to 4.1.10.

Release notes

Sourced from vitest's releases.

v4.1.10

   🐞 Bug Fixes

    View changes on GitHub

v4.1.9

🐞 Bug Fixes

View changes on GitHub

v4.1.8

   🐞 Bug Fixes

    View changes on GitHub

v4.1.7

   🐞 Bug Fixes

    View changes on GitHub

v4.1.6

   🐞 Bug Fixes

   🏎 Performance

    View changes on GitHub
Commits
  • db616d2 chore: release v4.1.10 (#10718)
  • bae52b5 fix(vm): fix external module resolve error with deps optimizer query for enco...
  • a7a61e7 chore: release v4.1.9 (#10598)
  • 934b0f5 fix(pool): prevent test run hang on worker crash (#10543) [backport to v4] (#...
  • 7fb2965 fix(browser): wait for orchestrator readiness before resolving browser sessio...
  • a518019 fix: fix importOriginal with optimizer and query import [backport to v4] (#...
  • e61f2dd chore: release v4.1.8
  • e4067b3 fix(browser): disable client cdp API when allowWrite/allowExec: false [ba...
  • a09d472 chore: release v4.1.7
  • a8fd24c chore: release v4.1.6
  • Additional commits viewable in compare view

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jun 7, 2026
@greptile-apps

greptile-apps Bot commented Jun 7, 2026

Copy link
Copy Markdown
Contributor

PR author is in the excluded authors list.

@veverkananobot

Copy link
Copy Markdown
Contributor

@copilot resolve the merge conflicts in this pull request

Copilot AI commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

@copilot resolve the merge conflicts in this pull request

Resolved and pushed in commit c4c93e3.

@veverkap

veverkap commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

@copilot resolve the merge conflicts in this pull request

Copilot AI commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

@copilot resolve the merge conflicts in this pull request

Resolved and pushed in commit af7e2ee.

Copilot AI requested a review from veverkap July 9, 2026 00:07
@veverkananobot

Copy link
Copy Markdown
Contributor

@dependabot rebase

@dependabot @github

dependabot Bot commented on behalf of github Jul 9, 2026

Copy link
Copy Markdown
Contributor Author

Looks like this PR has been edited by someone other than Dependabot. That means Dependabot can't rebase it - sorry!

If you're happy for Dependabot to recreate it from scratch, overwriting any edits, you can request @dependabot recreate.

@veverkananobot

Copy link
Copy Markdown
Contributor

@dependabot recreate

Bumps [vitest](https://github.com/vitest-dev/vitest/tree/HEAD/packages/vitest) from 4.1.5 to 4.1.10.
- [Release notes](https://github.com/vitest-dev/vitest/releases)
- [Changelog](https://github.com/vitest-dev/vitest/blob/main/docs/releases.md)
- [Commits](https://github.com/vitest-dev/vitest/commits/v4.1.10/packages/vitest)

---
updated-dependencies:
- dependency-name: vitest
  dependency-version: 4.1.8
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot changed the title build(deps-dev): bump vitest from 4.1.5 to 4.1.8 in /frontend build(deps-dev): bump vitest from 4.1.5 to 4.1.10 in /frontend Jul 9, 2026
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/frontend/vitest-4.1.8 branch from af7e2ee to 597a11e Compare July 9, 2026 00:16
@veverkananobot

Copy link
Copy Markdown
Contributor

/grumpy

@veverkananobot veverkananobot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

😾 Grumpy Copilot review via gopr

● Inspect diff file (shell)
│ wc -l /var/folders/_x/b0yz1b7j1wn5sqq5kd4y1td00000gn/T/gopr-diff-2465845518.diff; head -100
│ /var/folders/_x/b0yz1b7j1wn5sqq5kd4y1td00000gn/T/gopr-diff-2465845518.diff
└ 102 lines…

● See remaining diff changes (shell)
│ sed -n 100,516p /var/folders/_x/b0yz1b7j1wn5sqq5kd4y1td00000gn/T/gopr-diff-2465845518.diff |
│ grep -E '^[+-]' | grep -vE 'libc:' | head -80
└ 81 lines…

● Check dependency swaps (shell)
│ grep -E '^[+-]' /var/folders/_x/b0yz1b7j1wn5sqq5kd4y1td00000gn/T/gopr-diff-2465845518.diff |
│ grep -E 'debug|obug|picomatch|tinyglobby|fdir' | sort -u | head -30
└ 15 lines…

Reading complete. Writing the review.


Review: bump vitest 4.1.5 → 4.1.10

Ah yes, another dependabot bump. The robot has spoken, and we shall obey. Fine — approving, mostly. But since you insisted on a human looking at this, here's what the human actually noticed:

1. The libc: field removals in the lockfile are not from this upgrade. Every @rollup/rollup-linux-* entry silently lost its libc: [glibc]/libc: [musl] metadata. That's not vitest — that's the lockfile being regenerated by a different pnpm version than the one your team uses locally. Rollup didn't change (still 4.62.2), yet its entries got rewritten. This means the next developer who runs pnpm install locally may churn all of this right back, and we get to enjoy an eternal lockfile ping-pong in every future PR. Pin the pnpm version (packageManager field in package.json, or engines) so dependabot and humans generate the same lockfile. I've watched this exact movie a dozen times; it doesn't get better in the sequel.

2. This is more than a patch bump of one package, despite what the title implies. Riding along uninvited: es-module-lexer 2.1.0 → 2.3.0 and expect-type 1.3.0 → 1.4.0 (both minor bumps of things that parse your modules and check your types in tests), plus picomatch, tinyglobby, std-env, tinyexec, obug. Is any of it likely to break? Probably not. Did anyone actually run the frontend test suite against this before merging, or are we trusting the green checkmark fairy? If CI runs pnpm test on the frontend, say so and merge. If it doesn't — and I've seen plenty of repos where the frontend tests are decorative — go run them.

3. Five patch releases at once (4.1.5 → 4.1.10). That's not a complaint about this PR — it's a complaint that the last four dependabot PRs apparently sat around unreviewed until they were stale-closed and superseded. Batching patch bumps is fine, but do it on purpose (dependabot groups config), not by neglect. The upside: 4.1.6–4.1.10 are genuinely bug fixes (mocker, runner, snapshot handling), so you actually want these.

4. The good news, grudgingly: package.json and lockfile agree (^4.1.10 / 4.1.10), the caret range already covered this version so no consumer breakage, integrity hashes are present for everything new, and nothing suspicious snuck into the dependency tree — obug is the debug fork vitest actually uses, not typosquatting, yes I checked, because somebody has to.

Verdict: ✅ Approve — after you confirm frontend tests ran, and file a follow-up to pin the pnpm version before this lockfile churn becomes a lifestyle.

@veverkananobot veverkananobot merged commit d087a2d into main Jul 9, 2026
6 checks passed
@veverkananobot veverkananobot deleted the dependabot/npm_and_yarn/frontend/vitest-4.1.8 branch July 9, 2026 00:22
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants