
chore(deps-dev): bump vitest from 4.1.0 to 4.1.2#224

Merged
urugus merged 1 commit into main from dependabot/npm_and_yarn/vitest-4.1.2
Mar 31, 2026
Conversation


@dependabot dependabot bot commented on behalf of github Mar 30, 2026

Bumps vitest from 4.1.0 to 4.1.2.

Release notes

Sourced from vitest's releases.

v4.1.2

This release bumps Vitest's flatted version and removes version pinning to resolve flatted's CVE related issues (vitest-dev/vitest#9975).

🐞 Bug Fixes

v4.1.1

🚀 Features

🐞 Bug Fixes

Commits
  • fc6f482 chore: release v4.1.2
  • 6f97b55 feat: disable colors if agent is detected (#9851)
  • b3c992c fix(coverage): correct coverageConfigDefaults values and types (#9940)
  • 7c06598 fix: ensure sequential mock/unmock resolution (#9830)
  • f54abad chore: add typo-checker skill and fix typos (#9963)
  • 7aa9377 fix: don't resolve setupFiles from parent directory (#9960)
  • 1f2d318 chore: release v4.1.1
  • ebfde79 refactor: rename matchesTagsFilter to matchesTags (#9956)
  • 5611500 feat(experimental): introduce experimental.vcsProvider (#9928)
  • eec53d9 feat(experimental): expose matchesTagsFilter to test if the current filter ...
  • Additional commits viewable in compare view


dependabot bot commented on behalf of github Mar 30, 2026

Labels

The following labels could not be found: dependencies, npm. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

Bumps [vitest](https://github.com/vitest-dev/vitest/tree/HEAD/packages/vitest) from 4.1.0 to 4.1.2.
- [Release notes](https://github.com/vitest-dev/vitest/releases)
- [Commits](https://github.com/vitest-dev/vitest/commits/v4.1.2/packages/vitest)

---
updated-dependencies:
- dependency-name: vitest
  dependency-version: 4.1.2
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

urugus commented Mar 31, 2026

vitest 4.1.0 → 4.1.2 investigation report

Changes

v4.1.1

  • (experimental) addition of the matchesTags API and experimental.vcsProvider
  • many bug fixes, including a fix for the vi.mocked() type regression, soft assertion fixes, and sinon-chai API fixes

v4.1.2

  • CVE response: version bump of the dependency package flatted
    • CVE-2026-32141 (DoS): stack overflow via unbounded recursion in parse()
    • CVE-2026-33228 (prototype pollution): possible pollution of Array.prototype
  • fix for setupFiles resolution path, guaranteed mock/unmock ordering, coverageConfigDefaults fix

Security

  • Upgrade recommended, since it includes the fixes for flatted's two CVEs
  • Since vitest is a development dependency, the direct risk to production is low, but the upgrade contributes to improving the security of the test environment

Breaking changes

  • None (patch release)

CI status

Conclusion

The package itself is safe. Merge together with PR #225.

@urugus urugus merged commit f49d064 into main Mar 31, 2026
1 of 4 checks passed
@urugus urugus deleted the dependabot/npm_and_yarn/vitest-4.1.2 branch March 31, 2026 21:31