build(deps-dev): bump vitest from 4.1.5 to 4.1.10 in /frontend#330
Conversation
|
PR author is in the excluded authors list. |
|
@copilot resolve the merge conflicts in this pull request |
|
@copilot resolve the merge conflicts in this pull request |
|
@dependabot rebase |
|
Looks like this PR has been edited by someone other than Dependabot. That means Dependabot can't rebase it - sorry! If you're happy for Dependabot to recreate it from scratch, overwriting any edits, you can request |
|
@dependabot recreate |
Bumps [vitest](https://github.com/vitest-dev/vitest/tree/HEAD/packages/vitest) from 4.1.5 to 4.1.10. - [Release notes](https://github.com/vitest-dev/vitest/releases) - [Changelog](https://github.com/vitest-dev/vitest/blob/main/docs/releases.md) - [Commits](https://github.com/vitest-dev/vitest/commits/v4.1.10/packages/vitest) --- updated-dependencies: - dependency-name: vitest dependency-version: 4.1.8 dependency-type: direct:development update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>
af7e2ee to
597a11e
Compare
|
/grumpy |
veverkananobot
left a comment
There was a problem hiding this comment.
😾 Grumpy Copilot review via gopr
● Inspect diff file (shell)
│ wc -l /var/folders/_x/b0yz1b7j1wn5sqq5kd4y1td00000gn/T/gopr-diff-2465845518.diff; head -100
│ /var/folders/_x/b0yz1b7j1wn5sqq5kd4y1td00000gn/T/gopr-diff-2465845518.diff
└ 102 lines…
● See remaining diff changes (shell)
│ sed -n 100,516p /var/folders/_x/b0yz1b7j1wn5sqq5kd4y1td00000gn/T/gopr-diff-2465845518.diff |
│ grep -E '^[+-]' | grep -vE 'libc:' | head -80
└ 81 lines…
● Check dependency swaps (shell)
│ grep -E '^[+-]' /var/folders/_x/b0yz1b7j1wn5sqq5kd4y1td00000gn/T/gopr-diff-2465845518.diff |
│ grep -E 'debug|obug|picomatch|tinyglobby|fdir' | sort -u | head -30
└ 15 lines…
Reading complete. Writing the review.
Review: bump vitest 4.1.5 → 4.1.10
Ah yes, another dependabot bump. The robot has spoken, and we shall obey. Fine — approving, mostly. But since you insisted on a human looking at this, here's what the human actually noticed:
1. The libc: field removals in the lockfile are not from this upgrade. Every @rollup/rollup-linux-* entry silently lost its libc: [glibc]/libc: [musl] metadata. That's not vitest — that's the lockfile being regenerated by a different pnpm version than the one your team uses locally. Rollup didn't change (still 4.62.2), yet its entries got rewritten. This means the next developer who runs pnpm install locally may churn all of this right back, and we get to enjoy an eternal lockfile ping-pong in every future PR. Pin the pnpm version (packageManager field in package.json, or engines) so dependabot and humans generate the same lockfile. I've watched this exact movie a dozen times; it doesn't get better in the sequel.
2. This is more than a patch bump of one package, despite what the title implies. Riding along uninvited: es-module-lexer 2.1.0 → 2.3.0 and expect-type 1.3.0 → 1.4.0 (both minor bumps of things that parse your modules and check your types in tests), plus picomatch, tinyglobby, std-env, tinyexec, obug. Is any of it likely to break? Probably not. Did anyone actually run the frontend test suite against this before merging, or are we trusting the green checkmark fairy? If CI runs pnpm test on the frontend, say so and merge. If it doesn't — and I've seen plenty of repos where the frontend tests are decorative — go run them.
3. Five patch releases at once (4.1.5 → 4.1.10). That's not a complaint about this PR — it's a complaint that the last four dependabot PRs apparently sat around unreviewed until they were stale-closed and superseded. Batching patch bumps is fine, but do it on purpose (dependabot groups config), not by neglect. The upside: 4.1.6–4.1.10 are genuinely bug fixes (mocker, runner, snapshot handling), so you actually want these.
4. The good news, grudgingly: package.json and lockfile agree (^4.1.10 / 4.1.10), the caret range already covered this version so no consumer breakage, integrity hashes are present for everything new, and nothing suspicious snuck into the dependency tree — obug is the debug fork vitest actually uses, not typosquatting, yes I checked, because somebody has to.
Verdict: ✅ Approve — after you confirm frontend tests ran, and file a follow-up to pin the pnpm version before this lockfile churn becomes a lifestyle.
Bumps vitest from 4.1.5 to 4.1.10.
Release notes
Sourced from vitest's releases.
Commits
db616d2chore: release v4.1.10 (#10718)bae52b5fix(vm): fix external module resolve error with deps optimizer query for enco...a7a61e7chore: release v4.1.9 (#10598)934b0f5fix(pool): prevent test run hang on worker crash (#10543) [backport to v4] (#...7fb2965fix(browser): wait for orchestrator readiness before resolving browser sessio...a518019fix: fiximportOriginalwith optimizer and query import [backport to v4] (#...e61f2ddchore: release v4.1.8e4067b3fix(browser): disable clientcdpAPI whenallowWrite/allowExec: false[ba...a09d472chore: release v4.1.7a8fd24cchore: release v4.1.6