fix: upgrade Vitest 3→4 to resolve npm audit vulnerabilities #58

Merged: dean0x merged 2 commits into main from fix/upgrade-vitest-4 on Feb 21, 2026

@dean0x (Owner) commented Feb 21, 2026

Summary

  • Upgrades vitest, @vitest/coverage-v8, and @vitest/ui from ^3.2.4 to ^4.0.18
  • Resolves 4 high-severity npm audit vulnerabilities (minimatch ReDoS via @vitest/coverage-v8 → test-exclude → glob → minimatch)
  • Updates vitest.config.ts for v4 API changes: poolOptions block → top-level maxWorkers + vmMemoryLimit
  • Updates CLAUDE.md references to match new config option names

Closes #51

Config migration

| Old (v3) | New (v4) |
| --- | --- |
| poolOptions.threads.singleThread: true | maxWorkers: 1 |
| poolOptions.threads.maxThreads: 1 | maxWorkers: 1 |
| poolOptions.threads.minThreads: 1 | (removed) |
| poolOptions.threads.memoryLimit: '1024MB' | vmMemoryLimit: '1024MB' |

Test plan

  • npm run build passes
  • npm audit reports 0 vulnerabilities
  • npm run test:core — 275 passed
  • npm run test:handlers — 80 passed
  • npm run test:repositories — 109 passed
  • npm run test:adapters — 40 passed
  • npm run test:implementations — 218 passed, 3 skipped
  • npm run test:cli — 86 passed
  • No "Channel closed" worker crash errors
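
Added example (not part of this PR or the project's code): tracing a transitive advisory in `npm audit --json` output back to the direct dependency that has to be upgraded, as with the minimatch chain named in the summary above. The report is a constructed sample in the audit report version 2 shape; the advisory title is a placeholder, and `traceChains` and `summarize` are hypothetical helper names.

```javascript
// Constructed sample shaped like `npm audit --json` (auditReportVersion 2).
// Package names follow the chain in the PR summary; the advisory title is a placeholder.
const sampleReport = {
  auditReportVersion: 2,
  vulnerabilities: {
    minimatch: {
      name: 'minimatch', severity: 'high', isDirect: false,
      via: [{ name: 'minimatch', title: 'ReDoS (placeholder title)', severity: 'high' }],
      effects: ['glob'],
    },
    glob: { name: 'glob', severity: 'high', isDirect: false, via: ['minimatch'], effects: ['test-exclude'] },
    'test-exclude': { name: 'test-exclude', severity: 'high', isDirect: false, via: ['glob'], effects: ['@vitest/coverage-v8'] },
    '@vitest/coverage-v8': { name: '@vitest/coverage-v8', severity: 'high', isDirect: true, via: ['test-exclude'], effects: [] },
  },
};

// Start at every package whose `via` holds an advisory object (the real source
// of the finding) and follow `effects` edges up to the direct dependencies.
function traceChains(report) {
  const vulns = report.vulnerabilities || {};
  const chains = [];
  const walk = (name, path) => {
    const node = vulns[name];
    if (!node || path.includes(name)) return; // unknown package or dependency cycle
    const next = [name, ...path];             // newest first, so chains read root-first
    if (node.isDirect) chains.push(next);
    for (const parent of node.effects || []) walk(parent, next);
  };
  for (const v of Object.values(vulns)) {
    if ((v.via || []).some((x) => typeof x === 'object')) walk(v.name, []);
  }
  return chains;
}

// Per-severity package counts, the direct dependencies to bump, and readable chains.
function summarize(report) {
  const counts = {};
  for (const v of Object.values(report.vulnerabilities || {})) {
    counts[v.severity] = (counts[v.severity] || 0) + 1;
  }
  const chains = traceChains(report);
  return {
    counts,
    directRoots: [...new Set(chains.map((c) => c[0]))].sort(),
    chains: chains.map((c) => c.join(' -> ')),
  };
}

console.log(JSON.stringify(summarize(sampleReport), null, 2));
```

Against a real project, pass the parsed output of `npm audit --json` instead of `sampleReport`; an empty `chains` array with non-zero counts means the advisories sit on packages the report does not link to a direct dependency.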

@qodo-free-for-open-source-projects

Review Summary by Qodo

Upgrade Vitest 3→4 to resolve npm audit vulnerabilities

🐞 Bug fix ✨ Enhancement

Walkthroughs

Description
• Upgrades Vitest from v3.2.4 to v4.0.18 resolving npm audit vulnerabilities
• Migrates vitest.config.ts to v4 API: poolOptions → maxWorkers and vmMemoryLimit
• Updates documentation references to reflect new configuration option names
• All 808 tests pass with zero npm audit vulnerabilities reported
Diagram
flowchart LR
  A["Vitest v3.2.4<br/>with vulnerabilities"] -- "Upgrade packages" --> B["Vitest v4.0.18<br/>secure versions"]
  B -- "Migrate config API" --> C["poolOptions removed<br/>maxWorkers + vmMemoryLimit"]
  C -- "Update docs" --> D["CLAUDE.md<br/>references updated"]
  D --> E["0 npm audit<br/>vulnerabilities"]

File Changes

1. package.json Dependencies +3/-3

Upgrade Vitest and related packages to v4

• Upgrades vitest from ^3.2.4 to ^4.0.18
• Upgrades @vitest/coverage-v8 from ^3.2.4 to ^4.0.18
• Upgrades @vitest/ui from ^3.2.4 to ^4.0.18

package.json


2. vitest.config.ts ⚙️ Configuration changes +5/-11

Migrate vitest config to v4 API structure

• Replaces poolOptions.threads block with top-level maxWorkers: 1
• Renames memoryLimit to vmMemoryLimit for v4 API compatibility
• Removes deprecated minThreads configuration option
• Updates inline comments to reflect v4 defaults and configuration changes

vitest.config.ts


3. CLAUDE.md 📝 Documentation +3/-3

Update documentation for Vitest v4 config changes

• Updates memory management documentation from memoryLimit to vmMemoryLimit
• Updates test execution documentation from singleThread: true to maxWorkers: 1
• Maintains context about worker memory accumulation and sequential test execution

CLAUDE.md


qodo-free-for-open-source-projects bot commented Feb 21, 2026

Code Review by Qodo

🐞 Bugs (2) 📘 Rule violations (0) 📎 Requirement gaps (0)


Remediation recommended

1. Stale Vitest config in docs 🐞 Bug ⛯ Reliability
Description
After migrating vitest.config.ts to v4-style maxWorkers/vmMemoryLimit, the testing architecture
documentation still shows the old v3 poolOptions config (pool: 'forks'). This mismatch can lead
contributors to copy/paste incorrect settings or debug with the wrong knobs (especially around
worker/memory stability).
Code

vitest.config.ts[R33-37]

+    pool: 'threads', // Explicit: v4 defaults to 'forks'
+    maxWorkers: 1, // CRITICAL: Single worker to prevent resource exhaustion
+    // CRITICAL: Restart workers when they exceed 1GB to prevent memory accumulation
+    // This fixes "Channel closed" errors from worker crashes
+    vmMemoryLimit: '1024MB',
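Review bot: `vmMemoryLimit: '1024MB'` is set alongside `pool: 'threads'`, and the `vm` prefix suggests the limit belongs to the VM-based pools rather than the plain threads pool selected on the first added line. Confirm against the Vitest 4 documentation that the limit is applied when `pool` is `'threads'`; if it is not, the comment saying workers restart above 1GB is misleading and the "Channel closed" mitigation rests on `maxWorkers: 1` alone, so either select a pool that honours the limit or drop the option and reword the comment.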
Evidence
The repo’s current Vitest config uses pool: 'threads' with maxWorkers and vmMemoryLimit, while
the documented example still teaches poolOptions under forks, which no longer matches project
behavior after this PR.

vitest.config.ts[28-47]
tests/TESTING_ARCHITECTURE.md[252-276]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
`tests/TESTING_ARCHITECTURE.md` documents a Vitest configuration example that no longer matches the repo’s actual `vitest.config.ts` after the v4 migration (it references `poolOptions` and `pool: 'forks'`). This documentation drift can cause incorrect future configuration changes and makes memory/worker troubleshooting harder.
### Issue Context
The PR migrated the real config to use `maxWorkers` + `vmMemoryLimit` and removed `poolOptions`.
### Fix Focus Areas
- tests/TESTING_ARCHITECTURE.md[252-276]
- vitest.config.ts[28-47]



Advisory comments

2. Outdated CI workflow comment 🐞 Bug ⛯ Reliability
Description
The CI workflow still contains a commented command using old --poolOptions.forks.singleFork flags.
While not executed, it’s likely incorrect post-migration and could mislead anyone re-enabling or
debugging the skipped worker-handler test.
Code

vitest.config.ts[R33-37]

+    pool: 'threads', // Explicit: v4 defaults to 'forks'
+    maxWorkers: 1, // CRITICAL: Single worker to prevent resource exhaustion
+    // CRITICAL: Restart workers when they exceed 1GB to prevent memory accumulation
+    // This fixes "Channel closed" errors from worker crashes
+    vmMemoryLimit: '1024MB',
Evidence
The workflow guidance explicitly references --poolOptions.forks.singleFork, whereas the repo’s
Vitest configuration (post-change) uses maxWorkers/vmMemoryLimit and no longer configures pools
via poolOptions.

.github/workflows/ci.yml[46-50]
vitest.config.ts[28-47]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
`.github/workflows/ci.yml` contains commented-out guidance using old Vitest CLI flags (`--poolOptions...`) that no longer match the project’s Vitest configuration approach after the v4 migration.
### Issue Context
Even though the lines are commented, they are a common place engineers copy commands from when re-enabling tests.
### Fix Focus Areas
- .github/workflows/ci.yml[46-50]
- vitest.config.ts[28-47]


Replace 6 hand-rolled test:unit invocations with the single test:all
script, which already chains all 10 test groups with correct paths and
memory limits. Removes stale comments about Node 22.x and integration
tests requiring Claude CLI.
@dean0x merged commit 516b7f6 into main Feb 21, 2026
1 check passed
@dean0x deleted the fix/upgrade-vitest-4 branch February 21, 2026 09:57