Bump vitest from 3.2.4 to 4.1.0

[dependabot]

Resolves intercom/intercom#517349.

Bumps vitest from 3.2.4 to 4.1.0.

Release notes

Sourced from vitest's releases.

v4.1.0

Vitest 4.1 is out!

This release page lists all changes made to the project during the 4.1 beta. To get a review of all the new features, read our blog post.

   🚀 Features

• Return a disposable from doMock()  -  by @​kirkwaiblinger in vitest-dev/vitest#9332 (e3e65)
• Added chai style assertions  -  by @​ronnakamoto and @​sheremet-va in vitest-dev/vitest#8842 (841df)
• Update to sinon/fake-timers v15 and add setTickMode to timer controls  -  by @​atscott and @​sheremet-va in vitest-dev/vitest#8726 (4b480)
• Expose matcher types  -  by @​sheremet-va in vitest-dev/vitest#9448 (3e4b9)
• Add toTestSpecification to reported tasks  -  by @​sheremet-va in vitest-dev/vitest#9464 (1a470)
• Show a warning if vi.mock or vi.hoisted are declared outside of top level of the module  -  by @​sheremet-va in vitest-dev/vitest#9387 (5db54)
• Track and display expectedly failed tests (.fails) in UI and CLI  -  by @​Copilot, sheremet-va and @​sheremet-va in vitest-dev/vitest#9476 (77d75)
• Support tags  -  by @​sheremet-va in vitest-dev/vitest#9478 (de7c8)
• Implement aroundEach and aroundAll hooks  -  by @​sheremet-va in vitest-dev/vitest#9450 (2a8cb)
• Stabilize experimental features  -  by @​sheremet-va in vitest-dev/vitest#9529 (b5fd2)
• Accept new or all in --update flag  -  by @​sheremet-va in vitest-dev/vitest#9543 (a5acf)
• Support meta in test options  -  by @​sheremet-va in vitest-dev/vitest#9535 (7d622)
• Support type inference with a new test.extend syntax  -  by @​sheremet-va in vitest-dev/vitest#9550 (e5385)
• Support vite 8 beta, fix type issues in the config with different vite versions  -  by @​sheremet-va in vitest-dev/vitest#9587 (99028)
• Add assertion helper to hide internal stack traces  -  by @​hi-ogawa and Claude Opus 4.6 in vitest-dev/vitest#9594 (eeb0a)
• Store failure screenshots using artifacts API  -  by @​macarie in vitest-dev/vitest#9588 (24603)
• Allow vitest list to statically collect tests instead of running files to collect them  -  by @​sheremet-va in vitest-dev/vitest#9630 (7a8e7)
• Add --detect-async-leaks  -  by @​AriPerkkio in vitest-dev/vitest#9528 (c594d)
• Implement mockThrow and mockThrowOnce  -  by @​thor-juhasz and @​sheremet-va in vitest-dev/vitest#9512 (61917)
• Support update: "none" and add docs about snapshots behavior on CI  -  by @​hi-ogawa in vitest-dev/vitest#9700 (05f18)
• Support playwright launchOptions with connectOptions  -  by @​hi-ogawa in vitest-dev/vitest#9702 (f0ff1)
• Add page/locator.mark API to enhance playwright trace  -  by @​hi-ogawa in vitest-dev/vitest#9652 (d0ee5)
• api:
  • Support tests starting or ending with test in experimental_parseSpecification  -  by @​jgillick and Jeremy Gillick in vitest-dev/vitest#9235 (2f367)
  • Add filters to createSpecification  -  by @​sheremet-va in vitest-dev/vitest#9336 (c8e6c)
  • Expose runTestFiles as alternative to runTestSpecifications  -  by @​sheremet-va in vitest-dev/vitest#9443 (43d76)
  • Add allowWrite and allowExec options to api  -  by @​sheremet-va in vitest-dev/vitest#9350 (20e00)
  • Allow passing down test cases to toTestSpecification  -  by @​sheremet-va in vitest-dev/vitest#9627 (6f17d)
• browser:
  • Add userEvent.wheel API  -  by @​macarie in vitest-dev/vitest#9188 (66080)
  • Add filterNode option to prettyDOM for filtering browser assertion error output  -  by @​Copilot, sheremet-va and @​sheremet-va in vitest-dev/vitest#9475 (d3220)
  • Support playwright persistent context  -  by @​hi-ogawa, Claude Opus 4.6 and @​sheremet-va in vitest-dev/vitest#9229 (f865d)
  • Added detailsPanelPosition option and button  -  by @​shairez in vitest-dev/vitest#9525 (c8a31)
  • Use BlazeDiff instead of pixelmatch  -  by @​macarie in vitest-dev/vitest#9514 (30936)
  • Add findElement and enable strict mode in webdriverio and preview  -  by @​sheremet-va in vitest-dev/vitest#9677 (c3f37)
• cli:
  • Add @​bomb.sh/tab completions  -  by @​AmirSa12 and @​sheremet-va in vitest-dev/vitest#8639 (200f3)
• coverage:
  • Support ignore start/stop ignore hints  -  by @​AriPerkkio in vitest-dev/vitest#9204 (e59c9)
  • Add coverage.changed option to report only changed files  -  by @​kykim00 and @​AriPerkkio in vitest-dev/vitest#9521 (1d939)
• experimental:
  • Add onModuleRunner hook to worker.init  -  by @​sheremet-va in vitest-dev/vitest#9286 (e977f)
  • Option to disable the module runner  -  by @​sheremet-va and @​AriPerkkio in vitest-dev/vitest#9210 (9be61)

... (truncated)

Commits

• 4150b91 chore: release v4.1.0
• 1de0aa2 fix: correctly identify concurrent test during static analysis (#9846)
• c3cac1c fix: use isAgent check, not just TTY, for watch mode (#9841)
• eab68ba chore(deps): update all non-major dependencies (#9824)
• 031f02a fix: allow catch/finally for async assertion (#9827)
• 3e9e096 feat(reporters): add agent reporter to reduce ai agent token usage (#9779)
• 0c2c013 chore: release v4.1.0-beta.6
• 8181e06 fix: hideSkippedTests should not hide test.todo (fix #9562) (#9781)
• a8216b0 fix: manual and redirect mock shouldn't load or transform original module...
• 689a22a fix(browser): types of getCDPSession and cdp() (#9716)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for vitest since your current version.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[ems-pr-review]

It looks like you are reviewing a Dependabot upgrade PR! 🛠️
That’s great! Keeping our packages up to date to fix security issues in our stack is super important. Team Application Security wants to help make this process as easy and low friction as possible while still moving at pace.

We aim to merge Dependabot PRs within the below timeframes. The objectives are based on the severity of the security vulnerability we are mitigating with the upgrade:

Severity	Target Merge (days)
CRITICAL	7 days
HIGH	14 days
MEDIUM	30 days
LOW	90 days

🎯 Target merge date for this PR: 08/06/2026 🎯

FAQ

What if we aren’t vulnerable to this particular CVE? Do we still have to upgrade the package?

It’s still a good idea to upgrade the package if we can. With new code patterns and paths being introduced every day, we have no guarantee that we won’t later make ourselves vulnerable. Keeping packages up to date as a matter of due course is also good hygiene.

What if we’re not vulnerable and upgrading is going to be a lot of work?

In these cases it’s a good idea to list out the steps you took to confirm we are not vulnerable in this PR. The PR can then be closed and the corresponding Dependabot Alert should be dismissed with the triage steps included as a comment. Please get in touch with Team Application Security via #ask-security before dismissing any CRITICAL alerts.

This is a major version upgrade that requires substantial code refactoring. What should I do?

If the upgrade requires substantial refactoring then it is possible that we will miss the objectives we have outlined above. In these cases, you should add the dependabot-refactor-required label to this PR and ping #ask-security for further advice.

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	npm/​vitest@​4.1.0

View full report

[socket-security]

Caution

Review the following alerts detected in dependencies.

According to your organization's Security Policy, you must resolve all "Block" alerts before proceeding. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Block		Recently published: npm @rollup/rollup-android-arm-eabi published 16 hours ago Location: Package overview From: pnpm-lock.yaml → npm/vitest@4.1.0 → npm/@rollup/rollup-android-arm-eabi@4.61.0 ℹ Read more on: This package | This alert | What are recently published artifacts? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should either be allowlisted to allow recently-published versions, or an older version should be used instead. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@rollup/rollup-android-arm-eabi@4.61.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Recently published: npm @rollup/rollup-android-arm64 published 16 hours ago Location: Package overview From: pnpm-lock.yaml → npm/vitest@4.1.0 → npm/@rollup/rollup-android-arm64@4.61.0 ℹ Read more on: This package | This alert | What are recently published artifacts? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should either be allowlisted to allow recently-published versions, or an older version should be used instead. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@rollup/rollup-android-arm64@4.61.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Recently published: npm @rollup/rollup-darwin-arm64 published 16 hours ago Location: Package overview From: pnpm-lock.yaml → npm/vitest@4.1.0 → npm/@rollup/rollup-darwin-arm64@4.61.0 ℹ Read more on: This package | This alert | What are recently published artifacts? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should either be allowlisted to allow recently-published versions, or an older version should be used instead. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@rollup/rollup-darwin-arm64@4.61.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Recently published: npm @rollup/rollup-darwin-x64 published 16 hours ago Location: Package overview From: pnpm-lock.yaml → npm/vitest@4.1.0 → npm/@rollup/rollup-darwin-x64@4.61.0 ℹ Read more on: This package | This alert | What are recently published artifacts? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should either be allowlisted to allow recently-published versions, or an older version should be used instead. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@rollup/rollup-darwin-x64@4.61.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Recently published: npm @rollup/rollup-freebsd-arm64 published 16 hours ago Location: Package overview From: pnpm-lock.yaml → npm/vitest@4.1.0 → npm/@rollup/rollup-freebsd-arm64@4.61.0 ℹ Read more on: This package | This alert | What are recently published artifacts? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should either be allowlisted to allow recently-published versions, or an older version should be used instead. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@rollup/rollup-freebsd-arm64@4.61.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Recently published: npm @rollup/rollup-freebsd-x64 published 16 hours ago Location: Package overview From: pnpm-lock.yaml → npm/vitest@4.1.0 → npm/@rollup/rollup-freebsd-x64@4.61.0 ℹ Read more on: This package | This alert | What are recently published artifacts? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should either be allowlisted to allow recently-published versions, or an older version should be used instead. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@rollup/rollup-freebsd-x64@4.61.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Recently published: npm @rollup/rollup-linux-arm-gnueabihf published 16 hours ago Location: Package overview From: pnpm-lock.yaml → npm/vitest@4.1.0 → npm/@rollup/rollup-linux-arm-gnueabihf@4.61.0 ℹ Read more on: This package | This alert | What are recently published artifacts? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should either be allowlisted to allow recently-published versions, or an older version should be used instead. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@rollup/rollup-linux-arm-gnueabihf@4.61.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Recently published: npm @rollup/rollup-linux-arm-musleabihf published 16 hours ago Location: Package overview From: pnpm-lock.yaml → npm/vitest@4.1.0 → npm/@rollup/rollup-linux-arm-musleabihf@4.61.0 ℹ Read more on: This package | This alert | What are recently published artifacts? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should either be allowlisted to allow recently-published versions, or an older version should be used instead. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@rollup/rollup-linux-arm-musleabihf@4.61.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Recently published: npm @rollup/rollup-linux-arm64-gnu published 16 hours ago Location: Package overview From: pnpm-lock.yaml → npm/vitest@4.1.0 → npm/@rollup/rollup-linux-arm64-gnu@4.61.0 ℹ Read more on: This package | This alert | What are recently published artifacts? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should either be allowlisted to allow recently-published versions, or an older version should be used instead. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@rollup/rollup-linux-arm64-gnu@4.61.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Recently published: npm @rollup/rollup-linux-arm64-musl published 16 hours ago Location: Package overview From: pnpm-lock.yaml → npm/vitest@4.1.0 → npm/@rollup/rollup-linux-arm64-musl@4.61.0 ℹ Read more on: This package | This alert | What are recently published artifacts? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should either be allowlisted to allow recently-published versions, or an older version should be used instead. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@rollup/rollup-linux-arm64-musl@4.61.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Recently published: npm @rollup/rollup-linux-loong64-gnu published 16 hours ago Location: Package overview From: pnpm-lock.yaml → npm/vitest@4.1.0 → npm/@rollup/rollup-linux-loong64-gnu@4.61.0 ℹ Read more on: This package | This alert | What are recently published artifacts? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should either be allowlisted to allow recently-published versions, or an older version should be used instead. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@rollup/rollup-linux-loong64-gnu@4.61.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Recently published: npm @rollup/rollup-linux-loong64-musl published 16 hours ago Location: Package overview From: pnpm-lock.yaml → npm/vitest@4.1.0 → npm/@rollup/rollup-linux-loong64-musl@4.61.0 ℹ Read more on: This package | This alert | What are recently published artifacts? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should either be allowlisted to allow recently-published versions, or an older version should be used instead. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@rollup/rollup-linux-loong64-musl@4.61.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Recently published: npm @rollup/rollup-linux-ppc64-gnu published 16 hours ago Location: Package overview From: pnpm-lock.yaml → npm/vitest@4.1.0 → npm/@rollup/rollup-linux-ppc64-gnu@4.61.0 ℹ Read more on: This package | This alert | What are recently published artifacts? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should either be allowlisted to allow recently-published versions, or an older version should be used instead. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@rollup/rollup-linux-ppc64-gnu@4.61.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Recently published: npm @rollup/rollup-linux-ppc64-musl published 16 hours ago Location: Package overview From: pnpm-lock.yaml → npm/vitest@4.1.0 → npm/@rollup/rollup-linux-ppc64-musl@4.61.0 ℹ Read more on: This package | This alert | What are recently published artifacts? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should either be allowlisted to allow recently-published versions, or an older version should be used instead. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@rollup/rollup-linux-ppc64-musl@4.61.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Recently published: npm @rollup/rollup-linux-riscv64-gnu published 16 hours ago Location: Package overview From: pnpm-lock.yaml → npm/vitest@4.1.0 → npm/@rollup/rollup-linux-riscv64-gnu@4.61.0 ℹ Read more on: This package | This alert | What are recently published artifacts? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should either be allowlisted to allow recently-published versions, or an older version should be used instead. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@rollup/rollup-linux-riscv64-gnu@4.61.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Recently published: npm @rollup/rollup-linux-riscv64-musl published 16 hours ago Location: Package overview From: pnpm-lock.yaml → npm/vitest@4.1.0 → npm/@rollup/rollup-linux-riscv64-musl@4.61.0 ℹ Read more on: This package | This alert | What are recently published artifacts? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should either be allowlisted to allow recently-published versions, or an older version should be used instead. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@rollup/rollup-linux-riscv64-musl@4.61.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Recently published: npm @rollup/rollup-linux-s390x-gnu published 16 hours ago Location: Package overview From: pnpm-lock.yaml → npm/vitest@4.1.0 → npm/@rollup/rollup-linux-s390x-gnu@4.61.0 ℹ Read more on: This package | This alert | What are recently published artifacts? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should either be allowlisted to allow recently-published versions, or an older version should be used instead. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@rollup/rollup-linux-s390x-gnu@4.61.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Recently published: npm @rollup/rollup-linux-x64-gnu published 16 hours ago Location: Package overview From: pnpm-lock.yaml → npm/vitest@4.1.0 → npm/@rollup/rollup-linux-x64-gnu@4.61.0 ℹ Read more on: This package | This alert | What are recently published artifacts? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should either be allowlisted to allow recently-published versions, or an older version should be used instead. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@rollup/rollup-linux-x64-gnu@4.61.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Recently published: npm @rollup/rollup-linux-x64-musl published 16 hours ago Location: Package overview From: pnpm-lock.yaml → npm/vitest@4.1.0 → npm/@rollup/rollup-linux-x64-musl@4.61.0 ℹ Read more on: This package | This alert | What are recently published artifacts? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should either be allowlisted to allow recently-published versions, or an older version should be used instead. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@rollup/rollup-linux-x64-musl@4.61.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Recently published: npm @rollup/rollup-openbsd-x64 published 16 hours ago Location: Package overview From: pnpm-lock.yaml → npm/vitest@4.1.0 → npm/@rollup/rollup-openbsd-x64@4.61.0 ℹ Read more on: This package | This alert | What are recently published artifacts? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should either be allowlisted to allow recently-published versions, or an older version should be used instead. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@rollup/rollup-openbsd-x64@4.61.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Recently published: npm @rollup/rollup-openharmony-arm64 published 16 hours ago Location: Package overview From: pnpm-lock.yaml → npm/vitest@4.1.0 → npm/@rollup/rollup-openharmony-arm64@4.61.0 ℹ Read more on: This package | This alert | What are recently published artifacts? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should either be allowlisted to allow recently-published versions, or an older version should be used instead. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@rollup/rollup-openharmony-arm64@4.61.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Recently published: npm @rollup/rollup-win32-arm64-msvc published 16 hours ago Location: Package overview From: pnpm-lock.yaml → npm/vitest@4.1.0 → npm/@rollup/rollup-win32-arm64-msvc@4.61.0 ℹ Read more on: This package | This alert | What are recently published artifacts? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should either be allowlisted to allow recently-published versions, or an older version should be used instead. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@rollup/rollup-win32-arm64-msvc@4.61.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Recently published: npm @rollup/rollup-win32-ia32-msvc published 16 hours ago Location: Package overview From: pnpm-lock.yaml → npm/vitest@4.1.0 → npm/@rollup/rollup-win32-ia32-msvc@4.61.0 ℹ Read more on: This package | This alert | What are recently published artifacts? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should either be allowlisted to allow recently-published versions, or an older version should be used instead. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@rollup/rollup-win32-ia32-msvc@4.61.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Recently published: npm @rollup/rollup-win32-x64-gnu published 16 hours ago Location: Package overview From: pnpm-lock.yaml → npm/vitest@4.1.0 → npm/@rollup/rollup-win32-x64-gnu@4.61.0 ℹ Read more on: This package | This alert | What are recently published artifacts? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should either be allowlisted to allow recently-published versions, or an older version should be used instead. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@rollup/rollup-win32-x64-gnu@4.61.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Recently published: npm @rollup/rollup-win32-x64-msvc published 16 hours ago Location: Package overview From: pnpm-lock.yaml → npm/vitest@4.1.0 → npm/@rollup/rollup-win32-x64-msvc@4.61.0 ℹ Read more on: This package | This alert | What are recently published artifacts? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should either be allowlisted to allow recently-published versions, or an older version should be used instead. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@rollup/rollup-win32-x64-msvc@4.61.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Recently published: npm rollup published 16 hours ago Location: Package overview From: pnpm-lock.yaml → npm/vitest@4.1.0 → npm/rollup@4.61.0 ℹ Read more on: This package | This alert | What are recently published artifacts? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should either be allowlisted to allow recently-published versions, or an older version should be used instead. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/rollup@4.61.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

[ems-security-compliance]

@dependabot rebase

[dependabot]

Sorry, only users with push access can use that command.

[ems-security-compliance]

@dependabot rebase

[dependabot]

Sorry, only users with push access can use that command.

[ems-security-compliance]

@dependabot rebase

[dependabot]

Sorry, only users with push access can use that command.

[ems-security-compliance]

@dependabot rebase

[dependabot]

Sorry, only users with push access can use that command.

[ems-security-compliance]

@dependabot rebase

[dependabot]

Sorry, only users with push access can use that command.

[ems-security-compliance]

@dependabot rebase

[dependabot]

Sorry, only users with push access can use that command.

[ems-security-compliance]

@dependabot rebase

[dependabot]

Sorry, only users with push access can use that command.