Skip to content

Upgrade vitest v2 → v3 and regenerate the lockfile#17

Merged
jhamon merged 1 commit into
deps/remove-danfojsfrom
deps/upgrade-vitest
Jul 9, 2026
Merged

Upgrade vitest v2 → v3 and regenerate the lockfile#17
jhamon merged 1 commit into
deps/remove-danfojsfrom
deps/upgrade-vitest

Conversation

@jhamon

@jhamon jhamon commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

Root cause #3 of 3

Stacked on #16 (base = deps/remove-danfojs). Review/merge #16 first; this diff is only the vitest change on top of it.

vitest@2.1.9 has a critical advisory (arbitrary file read/exec via the Vitest UI server, fixed in 3.2.6) and pulled an ancient jsdom@16 as a kept peerOptional. That jsdom was the only remaining source of the form-data critical and the lodash high (which has no npm fix on the 4.x line). Our tests run in the node environment, so jsdom was never actually used.

Changes

  • Bump vitest^3.2.7 — clears the vitest critical and pulls modern vite@7, so the stale vite/rollup/esbuild dev advisories drop out. (Chose v3 over v4 because v4 requires bumping @types/node off 18; v3 keeps the PR minimal.)
  • Regenerate package-lock.json. This is the key insight of the whole effort: most of the alert backlog was lockfile staleness, not version-range blockers. The direct deps' semver ranges already permitted patched transitive versions, so a fresh resolve drops jsdom entirely and refreshes braces, cross-spawn, semver, ws, picomatch, minimatch, tar-fs, flatted, etc. to their fixed versions — no overrides needed. The regen also floats @xenova/transformers 2.2.0 → 2.17.2 within its existing ^2.2.0 range, which clears sharp.

Impact

npm audit: 37 → 7. The remaining 7 are the @xenova/transformers cluster (protobufjs/onnx-proto/onnxruntime-web — root cause #2, next) plus three build-tool moderates (esbuild/tsup/tsx).

Verification

  • npm run build, npm test (23 pass), npm run lint, npm run format:check — all green.
  • Smoke-tested that @xenova/transformers 2.17.2 and the embedder surface still load after the within-range float.

🤖 Generated with Claude Code

vitest 2.1.9 has a critical advisory (arbitrary file read/exec via the
UI server, fixed in 3.2.6) and pulled an ancient jsdom@16 as a kept
peerOptional, which in turn dragged in the only vulnerable copies of
form-data (critical) and lodash (high, no npm fix on the 4.x line) left
in the tree. Our tests use the "node" environment, so jsdom was never
actually used.

- Bump vitest to ^3.2.7 (clears the vitest critical; pulls modern
  vite 7.x, so the old vite/rollup/esbuild dev advisories drop out).
- Regenerate package-lock.json from scratch. Most of the remaining
  alerts were lockfile *staleness*, not version-range blockers: the
  direct deps' semver ranges already permitted patched transitive
  versions, so a fresh resolve drops jsdom entirely and refreshes
  braces, cross-spawn, semver, ws, picomatch, minimatch, tar-fs,
  flatted, etc. to their fixed versions. (This is why overrides were
  the wrong tool here.) The regen also floats @xenova/transformers
  2.2.0 -> 2.17.2 within its existing ^2.2.0 range, which clears sharp.

npm audit: 37 -> 7. The remaining 7 are the @xenova/transformers
cluster (protobufjs / onnx-proto / onnxruntime-web, addressed in the
next PR) plus three build-tool moderates (esbuild / tsup / tsx).

Verified: npm run build, npm test (23 pass), npm run lint,
npm run format:check all green; @xenova/transformers 2.17.2 and the
embedder surface still load.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@jhamon jhamon merged commit 952ea3f into deps/remove-danfojs Jul 9, 2026
1 check passed
jhamon added a commit that referenced this pull request Jul 9, 2026
Re-land vitest upgrade (#17) + transformers migration (#18) onto main
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant