chore(build): Bump vite 5→6, vitest 1→2, vite-plugin-dts 3→4 (#273)

Bump the core build/test tooling across all workspace packages:

- **vite** ^5.2.8 → ^6.4.1
- **vitest** ^1.4.0 → ^2.1.9
- **vite-plugin-dts** ^3.8.1 → ^4.5.4
- **rollup-plugin-terser** (deprecated) → **@rollup/plugin-terser** in
rrweb-worker

Added `cssFileName: 'style'` to the shared vite config to preserve the
`style.css` output filename (Vite 6 changed the default to
package-name-based).

### Dependabot alerts resolved

**Fully resolved** (vulnerable version completely removed from
lockfile):

| Alert | Severity | Package | Summary |
|-------|----------|---------|---------|
| #113 | CRITICAL | `vitest` | Remote Code Execution when accessing a
malicious website while Vitest API server is listening |
| #203 | HIGH | `rollup` | Rollup 4 has Arbitrary File Write via Path
Traversal |
| #110 | MEDIUM | `vue-template-compiler` | Client-side XSS (no fix
available — removed by vite-plugin-dts v4 dropping the dependency) |

**Partially resolved** (some vulnerable entries removed, but package
still exists via other dependency chains):

| Alert | Severity | Package | Remaining source |
|-------|----------|---------|-----------------|
| #154, #146, #145, #141, #140, #139, #138, #126, #111 | MEDIUM/LOW |
`vite` | `@sveltejs/vite-plugin-svelte@3` still pulls in vite@5 (needs
Svelte 5 upgrade) |
| #114 | MEDIUM | `esbuild` | `esbuild-plugin-umd-wrapper` still uses
esbuild@0.18 |
| #214 | HIGH | `serialize-javascript` | webpack (via `@size-limit`)
still pulls in v6 |
| #105, #104 | MEDIUM | `nanoid` | postcss (via vite internally) still
uses nanoid@3 |
| #165, #155 | HIGH/MEDIUM | `validator` | `@microsoft/api-extractor`
(via vite-plugin-dts) — needs further investigation |

The partially resolved alerts will be addressed in later phases (Svelte
5 upgrade, @size-limit bump, mop-up).

closes
https://linear.app/getsentry/issue/SDK-1095/bump-vitest-vite-56-1-critical-7-alerts

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-authored-by: chargome <chargome@users.noreply.github.com>

Author: chargome

.github/workflows/ci-cd.yml

@@ -21,14 +21,15 @@ jobs:
           # This makes Actions fetch all Git history so that Changesets can generate changelogs with the correct commits
           fetch-depth: 0
 
-      - name: Setup Node.js lts/*
-        uses: actions/setup-node@v3
+      - name: Setup Node.js 20
+        uses: actions/setup-node@v4
         with:
-          node-version: lts/*
+          node-version: 20
           cache: 'yarn'
 
       - name: Install Dependencies
-        run: yarn install --frozen-lockfile
+        run: yarn install --frozen-lockfile --network-timeout 300000
+        timeout-minutes: 10
 
       - name: Build Project
         run: NODE_OPTIONS='--max-old-space-size=4096' yarn build:all
@@ -58,14 +59,15 @@ jobs:
       - name: Checkout Repo
         uses: actions/checkout@v3
 
-      - name: Setup Node.js lts/*
-        uses: actions/setup-node@v3
+      - name: Setup Node.js 20
+        uses: actions/setup-node@v4
         with:
-          node-version: lts/*
+          node-version: 20
           cache: 'yarn'
 
       - name: Install Dependencies
-        run: yarn install --frozen-lockfile
+        run: yarn install --frozen-lockfile --network-timeout 300000
+        timeout-minutes: 10
 
       - name: Build Project
         run: NODE_OPTIONS='--max-old-space-size=4096' yarn build:all

.gitignore

@@ -39,3 +39,6 @@ dist-ts3.8
 # for vite
 vite.config.js.timestamp-*
 vite.config.ts.timestamp-*
+
+# rrvideo temp output
+__rrvideo__temp__

packages/all/package.json

@@ -51,9 +51,9 @@
   "devDependencies": {
     "puppeteer": "^20.9.0",
     "typescript": "^4.7.3",
-    "vite": "^5.2.8",
-    "vite-plugin-dts": "^3.8.1",
-    "vitest": "^1.4.0"
+    "vite": "^6.4.1",
+    "vite-plugin-dts": "^4.5.4",
+    "vitest": "^2.1.9"
   },
   "dependencies": {
     "@sentry-internal/rrweb": "2.41.0",

packages/packer/package.json

@@ -73,9 +73,9 @@
   ],
   "devDependencies": {
     "typescript": "^4.7.3",
-    "vite": "^5.2.8",
-    "vite-plugin-dts": "^3.8.1",
-    "vitest": "^1.4.0"
+    "vite": "^6.4.1",
+    "vite-plugin-dts": "^4.5.4",
+    "vitest": "^2.1.9"
   },
   "dependencies": {
     "@sentry-internal/rrweb-types": "2.41.0",

packages/packer/test/packer.test.ts

@@ -30,7 +30,7 @@ describe('unpack', () => {
   it('stop on unknown data format', () => {
     const consoleSpy = vi.spyOn(console, 'error').mockImplementation(() => {});
 
-    expect(() => unpack('[""]')).toThrow('');
+    expect(() => unpack('[""]')).toThrow();
 
     expect(consoleSpy).toHaveBeenCalled();
     vi.resetAllMocks();

packages/plugins/rrweb-plugin-canvas-webrtc-record/package.json

@@ -45,8 +45,8 @@
   "devDependencies": {
     "@sentry-internal/rrweb": "2.41.0",
     "typescript": "^4.7.3",
-    "vite": "^5.2.8",
-    "vite-plugin-dts": "^3.8.1"
+    "vite": "^6.4.1",
+    "vite-plugin-dts": "^4.5.4"
   },
   "peerDependencies": {
     "@sentry-internal/rrweb": "^2.0.0-alpha.14"

packages/plugins/rrweb-plugin-canvas-webrtc-replay/package.json

@@ -45,8 +45,8 @@
   "devDependencies": {
     "@sentry-internal/rrweb": "2.41.0",
     "typescript": "^4.7.3",
-    "vite": "^5.2.8",
-    "vite-plugin-dts": "^3.8.1"
+    "vite": "^6.4.1",
+    "vite-plugin-dts": "^4.5.4"
   },
   "peerDependencies": {
     "@sentry-internal/rrweb": "^2.0.0-alpha.14"

packages/plugins/rrweb-plugin-console-record/package.json

@@ -48,9 +48,9 @@
     "@sentry-internal/rrweb": "2.41.0",
     "puppeteer": "^20.9.0",
     "typescript": "^4.7.3",
-    "vite": "^5.2.8",
-    "vite-plugin-dts": "^3.8.1",
-    "vitest": "^1.4.0"
+    "vite": "^6.4.1",
+    "vite-plugin-dts": "^4.5.4",
+    "vitest": "^2.1.9"
   },
   "peerDependencies": {
     "@sentry-internal/rrweb": "^2.0.0-alpha.14"

packages/plugins/rrweb-plugin-console-record/test/index.test.ts

@@ -19,9 +19,25 @@ export async function launchPuppeteer(
   });
 }
 
+/**
+ * Filter out console events originating from Vite's injected client script.
+ * Vite 6 logs messages like "[vite] connected" or "[vite] failed to connect"
+ * that pollute our snapshots.
+ */
+function filterViteClientEvents(snapshots: eventWithTime[]): eventWithTime[] {
+  return snapshots.filter((event) => {
+    if (event.type !== 6) return true;
+    const trace = (event.data as any)?.payload?.trace;
+    if (!Array.isArray(trace)) return true;
+    return !trace.some((t: string) => t.includes('@vite/client'));
+  });
+}
+
 export function assertSnapshot(snapshots: eventWithTime[]) {
   expect(snapshots).toBeDefined();
-  expect(stringifySnapshots(snapshots)).toMatchSnapshot();
+  expect(
+    stringifySnapshots(filterViteClientEvents(snapshots)),
+  ).toMatchSnapshot();
 }
 
 describe('rrweb-plugin-console-record', () => {
@@ -35,8 +51,6 @@ describe('rrweb-plugin-console-record', () => {
     server = await createServer({
       preview: { port: 3000 },
       mode: 'test',
-      // hmr calls `console.debug('[vite] connected')` and messes up our snapshots
-      // so we disable it
       server: { hmr: false },
     });
     await server.listen();

packages/plugins/rrweb-plugin-console-replay/package.json

@@ -46,8 +46,8 @@
     "@rrweb/rrweb-plugin-console-record": "2.41.0",
     "@sentry-internal/rrweb": "2.41.0",
     "typescript": "^4.7.3",
-    "vite": "^5.2.8",
-    "vite-plugin-dts": "^3.8.1"
+    "vite": "^6.4.1",
+    "vite-plugin-dts": "^4.5.4"
   },
   "peerDependencies": {
     "@sentry-internal/rrweb": "^2.0.0-alpha.14"