
fix(deps): bump vitest to ^4.1.0 (GHSA-5xrq-8626-4rwp)#85

Merged
educlopez merged 1 commit into
mainfrom
fix/vitest-4-rce
Jun 1, 2026

Conversation


@educlopez educlopez commented Jun 1, 2026

Owner

Resolves Dependabot alerts #156 (direct dep) and #157 (transitive).

Advisory: GHSA-5xrq-8626-4rwp (critical) — when the Vitest UI server is listening, an arbitrary file can be read and executed. Patched in 4.1.0.

We only run vitest run (no UI server), but the vulnerable version is still flagged. Bumping clears both alerts.

Changes

  • packages/smoothui/package.json: vitest ^3.2.1 → ^4.1.0 (resolves to 4.1.7)
  • pnpm-lock.yaml: regenerated

Verification

Major bump 3→4. Config (packages/smoothui/vitest.config.ts) uses jsdom + globals + setup file only — no workspace/coverage config affected by v4 breaking changes. vitest-axe peer is vitest: '>=1', compatible.

Local pnpm test: 106 tests pass across 74 files.

Summary by CodeRabbit

  • Chores
    • Updated development tooling dependency to the latest version.
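A check for the condition this PR description states, as an added example that is not part of the PR or the project: it verifies that the package.json range floor and the lockfile-resolved version both reach the advisory's patched version. The before/after package.json objects and the pre-bump resolved version 3.2.4 are constructed; 4.1.7 is the resolved version the description reports.

```javascript
// Added example (not the project's own code): verify that a dependency's declared
// range and its lockfile-resolved version both meet an advisory's patched floor.
// Sample package.json data below is constructed to mirror this PR.
const PATCHED = { vitest: "4.1.0" }; // GHSA-5xrq-8626-4rwp: fixed in vitest 4.1.0

// "4.1.7" -> [4, 1, 7]; pre-release/build suffixes are ignored on purpose.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Negative, zero or positive like strcmp, comparing major, minor, patch in turn.
function compare(a, b) {
  const [x, y] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
}

// Lowest version a caret, tilde or exact range admits, e.g. "^3.2.1" -> "3.2.1".
// Other range syntax is rejected rather than guessed at.
function rangeFloor(range) {
  const m = /^[\^~]?(\d+\.\d+\.\d+)$/.exec(range.trim());
  if (!m) throw new Error(`unsupported range: ${range}`);
  return m[1];
}

// Both conditions must hold: the range can no longer admit a vulnerable
// version, and the lockfile actually resolves to a patched one.
function auditDependency(name, pkg, lockResolved) {
  const declared = pkg.devDependencies?.[name] ?? pkg.dependencies?.[name];
  if (!declared) return { name, status: "absent" };
  const floorOk = compare(rangeFloor(declared), PATCHED[name]) >= 0;
  const resolvedOk = compare(lockResolved, PATCHED[name]) >= 0;
  return { name, declared, resolved: lockResolved, floorOk, resolvedOk,
           status: floorOk && resolvedOk ? "patched" : "vulnerable" };
}

// Constructed samples: the package.json before and after this PR, with a
// constructed pre-bump resolved version and the PR's stated 4.1.7 afterwards.
const before = { devDependencies: { vitest: "^3.2.1" } };
const after = { devDependencies: { vitest: "^4.1.0" } };

console.log(auditDependency("vitest", before, "3.2.4").status); // vulnerable
console.log(auditDependency("vitest", after, "4.1.7").status);  // patched
console.log(auditDependency("vitest", after, "3.2.4").status);  // vulnerable (stale lockfile)
```

The third case is the one a bump alone does not catch: a widened range with a lockfile that was not regenerated still installs the flagged version, which is why the PR regenerates pnpm-lock.yaml.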


vercel Bot commented Jun 1, 2026

Contributor


Project: smoothui | Deployment: Ready | Actions: Preview, Comment | Updated (UTC): Jun 1, 2026 2:51pm



coderabbitai Bot commented Jun 1, 2026



No actionable comments were generated in the recent review. 🎉


Commits: reviewing files that changed from the base of the PR and between 3f8930f and d466bc5.

Files ignored due to path filters (1):
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml

Files selected for processing (1):
  • packages/smoothui/package.json

Walkthrough

The PR updates the vitest devDependency in the smoothui package from ^3.2.1 to ^4.1.0. This is a minor version bump that allows access to newer vitest releases and their features or fixes.

Changes

Vitest version upgrade

Layer: Vitest devDependency version bump
File(s): packages/smoothui/package.json
Summary: Updates vitest from ^3.2.1 to ^4.1.0 in the devDependencies.

🎯 1 (Trivial) | ⏱️ ~2 minutes

Pre-merge checks: 5 passed
  • Description Check: Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check: Passed. The title clearly and specifically identifies the main change: bumping vitest from ^3.2.1 to ^4.1.0 to address a critical security vulnerability (GHSA-5xrq-8626-4rwp), which aligns perfectly with the changeset.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: Passed. Check skipped because no linked issues were found for this pull request.


@educlopez educlopez merged commit 25eafd3 into main Jun 1, 2026
9 checks passed
@educlopez educlopez deleted the fix/vitest-4-rce branch June 1, 2026 14:52