Upgrade vitest + @vitest/coverage-istanbul 3.1.1 → 4.1.8 (major)
Dependabot FlowFuse/flowfuse#7361. Bumps vitest and @vitest/coverage-istanbul together (they must move in lockstep). Major v3 → v4 jump — CI is failing and this needs migration work before it can land.
Triage checks:
Security note: our current 3.1.1 is itself vulnerable to GHSA-5xrq-8626-4rwp (critical, Vitest UI server RCE, fixed in 3.2.6). Target 4.1.8 is patched for both known criticals. So staying on 3.1.1 isn't free — if v4 is deferred, we should at least bump to ≥3.2.6.
Impact: vitest drives the frontend unit tests only — test:unit:frontend / cover:unit:frontend, via config/vitest.config.ts. The forge/system suites use mocha and are unaffected. So the failure surface is the frontend spec suite + coverage.
The work: this is a real migration, not a one-line edit. Follow the vitest v4 migration guide against config/vitest.config.ts and the frontend specs, get UI unit tests green, then confirm Postgres/Trivy failures are addressed (and rule out whether they're transitive fallout from this bump or pre-existing).
Decision: held — major bump with a red suite. Assign an owner familiar with the frontend tests, schedule the v4 migration, and merge once CI is green. If that slips, bump to ≥3.2.6 in the meantime to close the open advisory.
Upgrade vitest + @vitest/coverage-istanbul 3.1.1 → 4.1.8 (major)
Dependabot FlowFuse/flowfuse#7361. Bumps
vitestand@vitest/coverage-istanbultogether (they must move in lockstep). Major v3 → v4 jump — CI is failing and this needs migration work before it can land.Triage checks:
6a8396b: UI unit tests ✗, Postgres tests ✗, Trivy ✗ (Backend, UI OS/EE, TS drift pass)package-lock.jsonwith the other open npm PRs, so@dependabot rebaseafter any of them lands)Security note: our current 3.1.1 is itself vulnerable to GHSA-5xrq-8626-4rwp (critical, Vitest UI server RCE, fixed in 3.2.6). Target 4.1.8 is patched for both known criticals. So staying on 3.1.1 isn't free — if v4 is deferred, we should at least bump to ≥3.2.6.
Impact: vitest drives the frontend unit tests only —
test:unit:frontend/cover:unit:frontend, viaconfig/vitest.config.ts. The forge/system suites use mocha and are unaffected. So the failure surface is the frontend spec suite + coverage.The work: this is a real migration, not a one-line edit. Follow the vitest v4 migration guide against
config/vitest.config.tsand the frontend specs, get UI unit tests green, then confirm Postgres/Trivy failures are addressed (and rule out whether they're transitive fallout from this bump or pre-existing).Decision: held — major bump with a red suite. Assign an owner familiar with the frontend tests, schedule the v4 migration, and merge once CI is green. If that slips, bump to ≥3.2.6 in the meantime to close the open advisory.