chore(deps): update dependency vitest to v1.6.1

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
vitest (source)	1.0.2 → 1.6.1

---

Release Notes

vitest-dev/vitest (vitest)

v1.6.1

Compare Source

This release includes security patches for:

• Remote Code Execution when accessing a malicious website while Vitest API server is listening | CVE-2025-24964

   🐞 Bug Fixes

• backport #​7317 to v1 - by @​hi-ogawa in #​7319

    View changes on GitHub

v1.6.0

Compare Source

   🚀 Features

• Support standalone mode  -  by @​sheremet-va in #​5565 (bdce0)
• Custom "snapshotEnvironment" option  -  by @​sheremet-va in #​5449 (30f72)
• benchmark: Support comparing benchmark result  -  by @​hi-ogawa and @​sheremet-va in #​5398 (f8d3d)
• browser: Allow injecting scripts  -  by @​sheremet-va in #​5656 (21e58)
• reporter: Support includeConsoleOutput and addFileAttribute in junit  -  by @​hi-ogawa in #​5659 (2f913)
• ui: Sort items by file name  -  by @​btea in #​5652 (1f726)

   🐞 Bug Fixes

• Keep order of arguments for .each in custom task collectors  -  by @​sheremet-va in #​5640 (7d57c)
• Call resolveId('vitest') after buildStart  -  by @​hi-ogawa in #​5646 (f5faf)
• Hash the name of the file when caching  -  by @​sheremet-va in #​5654 (c9e68)
• Don't panic on empty files in node_modules  -  by @​sheremet-va (40c29)
• Use toJSON for error serialization  -  by @​hi-ogawa in #​5526 (19a21)
• coverage:
  • Exclude *.test-d.* by default  -  by @​MindfulPol in #​5634 (bfe8a)
  • Apply vite-node's wrapper only to executed files  -  by @​AriPerkkio in #​5642 (c9883)
• vm:
  • Support network imports  -  by @​sheremet-va in #​5610 (103a6)

   🏎 Performance

• Improve performance of forks pool  -  by @​sheremet-va in #​5592 (d8304)
• Unnecessary rpc call when coverage is disabled  -  by @​AriPerkkio in #​5658 (c5712)

    View changes on GitHub

v1.5.3

Compare Source

   🐞 Bug Fixes

• Use package.json name for a workspace project if not provided  -  by @​sheremet-va in #​5608 (48fba)
• Backport jest iterable equality within object  -  by @​sukovanej in #​5621 (30e5d)
• browser: Support benchmark  -  by @​hi-ogawa in #​5622 (becab)
• reporter: Use default error formatter for JUnit  -  by @​hi-ogawa in #​5629 (20060)

    View changes on GitHub

v1.5.2

Compare Source

   🐞 Bug Fixes

• Check for null before storing in weakmap  -  by @​sheremet-va (ce368)

    View changes on GitHub

v1.5.1

Compare Source

   🚀 Features

• api: startVitest() to accept stdout and stdin  -  by @​AriPerkkio in #​5493 (780b1)
  • This is listed as a feature, but it doesn't increase the minor version because startVitest API is experimental and doesn't follow semver.

   🐞 Bug Fixes

• Close vite servers on all resolved projects  -  by @​surc54 in #​5544 (413ec)
• Fix default import.meta.env.PROD: false  -  by @​hi-ogawa in #​5561 (9c649)
• Resolve cwd correctly when initiating projects  -  by @​sheremet-va in #​5582 (ec9d7)
• Always run onTestFinished in reverse order  -  by @​sheremet-va in #​5598 (23f29)
• browser:
  • Disable fileParallelism by default on browser pool  -  by @​hi-ogawa in #​5528 (5c69f)
  • Dispose tester iframe on done  -  by @​hi-ogawa in #​5595 (b2135)
• coverage:
  • Fix bundling of v8-to-istanbul  -  by @​AriPerkkio in #​5549 (df6a4)
  • Prevent crash when cleanOnRerun is disabled  -  by @​AriPerkkio in #​5540 (ea3c1)
  • thresholds to compare files relative to root  -  by @​AriPerkkio in #​5574 (80265)
• expect:
  • Fix toEqual and toMatchObject with circular references  -  by @​hi-ogawa in #​5535 (9e641)
• vitest:
  • Fix false positive file filter match with leading slash  -  by @​hi-ogawa in #​5578 (316eb)
  • Watch the output directory correctly  -  by @​sheremet-va in #​5584 (e40f9)
  • StubEnv casts boolean on PROD/SSR/DEV  -  by @​sheremet-va in #​5590 (4da88)

    View changes on GitHub

v1.5.0

Compare Source

   🚀 Features

• Add configuration for diff truncation  -  by @​willieho in #​5073 and #​5333 (6797b)
• Remove unrelated noise from diff for toMatchObject()  -  by @​geersch in #​5364 (99276)
• Allow custom host for --inspect and --inspect-brk  -  by @​sheremet-va in #​5509 (61572)
• coverage: V8 to ignore empty lines, comments, types  -  by @​AriPerkkio in #​5457 (10b89)

   🐞 Bug Fixes

• describe calls not taking generic type parameters  -  by @​aryaemami59 in #​5415 (16bac)
• Prevent hang when process is mocked  -  by @​AriPerkkio in #​5430 (0ec4d)
• Don't check for "node:internal/console/" in console interceptor in case the environment is not Node.js  -  by @​sheremet-va (87d36)
• The value received by toMatch should be a string  -  by @​btea in #​5428 (67485)
• Increase stack trace limit for location, don't hardcode suite position  -  by @​sheremet-va in #​5518 (04b23)
• benchmark:
  • Run benchmark suites sequentially  -  by @​hi-ogawa in #​5444 (1f548)
  • Fix benchmark summary of single bench suite  -  by @​hi-ogawa in #​5489 (db981)
  • Table reporter for non TTY output  -  by @​hi-ogawa in #​5484 (bea23)
• expect:
  • Fix toHaveBeenNthCalledWith error message when not called  -  by @​hi-ogawa in #​5420 (e5253)
• types:
  • Pass correct type for suite factory  -  by @​sheremet-va in #​5437 (26718)
• utils:
  • Fix object diff with getter only property  -  by @​hi-ogawa in #​5466 (366d9)
• vite-node:
  • Fix isValidNodeImport to check "type": "module" first  -  by @​hi-ogawa in #​5416 (6fb15)
• vitest:
  • Correctly send console events when state changes  -  by @​sheremet-va (3463f)
  • Initiate FakeTimers on demand  -  by @​sheremet-va in #​5450 (e4e93)
  • Check unhighlighted code for code frame line limit  -  by @​hi-ogawa in #​5465 (6ae7e)
  • Correctly filter by parent folder  -  by @​sheremet-va in #​5408 (91b06)
  • Close inspector immediately if run is canceled  -  by @​sheremet-va in #​5519 (b8006)
• workspace:
  • Set CWD to config directory, allow overriding local .env  -  by @​sheremet-va in #​5476 (d4003)

    View changes on GitHub

v1.4.0

Compare Source

   🚀 Features

• Throw error when using snapshot assertion with not  -  by @​fenghan34 in #​5294 (b9d37)
• Add a flag to include test location in tasks  -  by @​sheremet-va in #​5342 (d627e)
• cli:
  • Support wildcards in --project option  -  by @​fenghan34 in #​5295 (201bd)
• config:
  • Add shuffle.files and shuffle.tests options  -  by @​fenghan34 in #​5281 (356db)
  • Deprecate cache.dir option  -  by @​fenghan34 in #​5229 (d7e8b)
• coverage:
  • Support --changed option  -  by @​AriPerkkio in #​5314 (600b4)
• vitest:
  • Support clearScreen cli flag  -  by @​hi-ogawa in #​5241 (e1735)

   🐞 Bug Fixes

• Repeatable --project option  -  by @​fenghan34 in #​5265 (d1a06)
• --inspect-brk to pause before execution  -  by @​AriPerkkio in #​5355 (e77c5)
• Correct locations in test.each tasks  -  by @​sheremet-va (4f6e3)
• api:
  • Use resolvedUrls from devserver  -  by @​saitonakamura and @​hi-ogawa in #​5289 (2fef5)
• browser:
  • Add magic-string to optimizeDeps.include  -  by @​hi-ogawa in #​5278 (8f04e)
• coverage:
  • Expensive regexp hangs v8 report generation  -  by @​AriPerkkio in #​5259 (d68a7)
  • V8 to ignore type-only files  -  by @​AriPerkkio in #​5328 (c3eb8)
  • Respect source maps of pre-transpiled sources  -  by @​AriPerkkio in #​5367 (6eda4)
  • Prevent reportsDirectory from removing user's project  -  by @​AriPerkkio in #​5376 (07ec3)
• expect:
  • Show diff on toContain/toMatch assertion error  -  by @​hi-ogawa in #​5267 (8ee59)
• forks:
  • Wrap defines to support undefined values  -  by @​AriPerkkio in #​5284 (5b58b)
• typecheck:
  • Update get-tsconfig 4.7.3 to fix false circularity error  -  by @​hi-ogawa in #​5384 (bdc37)
• ui:
  • Escape html in error diff  -  by @​hi-ogawa in #​5325 (ab60b)
• vitest:
  • Loosen onConsoleLog return type  -  by @​hi-ogawa in #​5337 (6d1b1)
  • Ensure restoring terminal cursor on close  -  by @​hi-ogawa in #​5292 (0bea2)
  • Ignore timeout on websocket reporter rpc  -  by @​sheremet-va (38119)
  • Correctly override api with --no-api flag  -  by @​sheremet-va in #​5386 (51d1d)
  • Logs in beforeAll and afterAll  -  by @​fenghan34 in #​5288 (ce5ca)
• workspace:
  • Throw error when browser mode and @vitest/coverage-v8 are used  -  by @​AriPerkkio in #​5250 (29f98)

    View changes on GitHub

v1.3.1

Compare Source

   🚀 Features

• vitest: Expose parseCLI method  -  by @​sheremet-va in #​5248 (c793a)
  • This feature is not affected by SemVer because it is part of an experimental API.

   🐞 Bug Fixes

• Add task tests iteratively  -  by @​DerYeger in #​5235 (38155)
• coverage: Ignore generated TS decorators  -  by @​AriPerkkio and @​sheremet-va in #​5206 (a2804)
• ui: Auto reload coverage iframe after test run  -  by @​hi-ogawa in #​5242 (5376d)

    View changes on GitHub

v1.3.0

Compare Source

🚀 Features

• Deprecate watchExclude - by @​patak-dev in #​5171 (82885)
• browser:
  • Run test files in isolated iframes - by @​sheremet-va in #​5036 (4f401)
• config:
  • Add snapshotSerializers option - by @​fenghan34 in #​5092 (5b102)
• reporters:
  • Support custom options - by @​AriPerkkio in #​5111 (fec9c)
• runner:
  • Support automatic fixtures - by @​fenghan34 and @​sheremet-va in #​5102 (0441f)
• ui:
  • Save splitpanes size to local storage - by @​posva in #​5166 (c28b4)
• vitest:
  • Add onTestFinished hook - by @​sheremet-va in #​5128 (6f5b4)
  • Add github actions reporter - by @​hi-ogawa in #​5093 (40afb)
  • Expose jsdom global if jsdom environment is enabled - by @​sheremet-va in #​5155 (567d2)
  • Add new CLI options - by @​sheremet-va in #​5163 (4e179)
  • "test" accepts options object as the second parameter - by @​sheremet-va in #​5142 (7d9b1)
• vm:
  • Support wasm module - by @​hi-ogawa in #​5131 (5ed53)

🐞 Bug Fixes

• Fix sourcemap in vm pools - by @​hi-ogawa in #​5063 (81105)
• Don't optimize react/jsx-runtime by default when running in Node - by @​sheremet-va in #​5079 (0d2bf)
• Rpc timeout error messages to include caller - by @​AriPerkkio in #​5103 (a6e04)
• Requires fixed version across the monorepo - by @​antfu in #​5208 (68f51)
• Prevent merging of poolOptions - by @​penalosa in #​5221 (bc5b2)
• browser:
  • Don't exclude node builtins from optimization - by @​sheremet-va in #​5082 (714c9)
  • Support coverage.reportsDirectory with multiple directories - by @​AriPerkkio in #​5056 (ae73f)
• cli:
  • Parse --browser=<name> correctly - by @​AriPerkkio in #​5179 (656e2)
• coverage:
  • .tmp directory conflicts with --shard option - by @​AriPerkkio in #​5184 (5749d)
• deps:
  • Update dependency strip-literal to v2 - by @​renovate[bot] in #​5136 (ef557)
• reporters:
  • Testsuite name should include project root in Junit output - by @​fenghan34 in #​5116 (2494f)
• typecheck:
  • Fix suite collection while-loop - by @​hi-ogawa in #​5065 (35675)
• ui:
  • Fix tests duration time - by @​vovsemenv in #​5219 (58103)
• utils:
  • Fix asymmetric matcher diff inside array - by @​hi-ogawa in #​5189 (3ffcd)
• vitest:
  • Correctly report failed test files as failures in json reporter, export json reporter types - by @​sheremet-va in #​5081 (0417b)
  • Don't run typecheck tests in browser if both are enabled - by @​sheremet-va in #​5080 (1045b)
  • Handle function config inside defineWorkspace - by @​hi-ogawa in #​5089 (0bf52)
  • Remove excessive listeners when running without isolation, don't reset the state - by @​sheremet-va in #​5132 (b607f)
  • Auto-enable "github-actions" only where users didn't configure reporters - by @​hi-ogawa in #​5158 (ef044)
  • Support more array cli options - by @​hi-ogawa in #​5162 (3afe6)
  • Add types for the new global jsdom variable - by @​sheremet-va in #​5164 (0f898)
  • Expose onTestFinished globally - by @​sheremet-va (1304f)
  • Disable optimizer by default until it's stable - by @​sheremet-va in #​5156 (e1bd8)
  • Delegate snapshot options to workspace from root config - by @​hi-ogawa in #​5199 (86297)
  • Fix optimizeDeps.disabled warnings on Vite 5.1 - by @​hi-ogawa in #​5215 (1aecd)
• vm:
  • Handle disableConsoleIntercept config - by @​hi-ogawa in #​5074 (a55ad)
  • Improve error when module is not found - by @​hi-ogawa in #​5053 (79a50)

View changes on GitHub

v1.2.2

Compare Source

   🐞 Bug Fixes

• coverage:
  • Remove coverage/.tmp files after run  -  by @​AriPerkkio in #​5008 (d53b8)
  • Don't crash when re-run removes earlier run's reports  -  by @​AriPerkkio in #​5022 (66898)
• expect:
  • Improve toThrow(asymmetricMatcher) failure message  -  by @​hi-ogawa in #​5000 (a199a)
• forks:
  • Set correct VITEST_POOL_ID  -  by @​AriPerkkio in #​5002 (7d0a4)
• threads:
  • Mention common work-around for the logged error  -  by @​AriPerkkio in #​5024 (915d6)
• typecheck:
  • Fix ignoreSourceErrors in run mode  -  by @​hi-ogawa in #​5044 (6dae3)
• vite-node:
  • Provide import.meta.filename and dirname  -  by @​sheremet-va in #​5011 (73148)
• vitest:
  • Expose getHooks & setHooks  -  by @​adriencaccia in #​5032 (73448)
  • Test deep dependencies change detection  -  by @​blake-newman in #​4934 (9c7c0)
  • Throw an error if vi.mock is exported  -  by @​sheremet-va in #​5034 (253df)
  • Allow useFakeTimers to fake requestIdleCallback on non browser  -  by @​hi-ogawa in #​5028 (a9a48)
  • Support older NodeJS with async import.meta.resolve  -  by @​AriPerkkio in #​5045 (cf564)
  • Don't throw an error if mocked file was already imported  -  by @​sheremet-va in #​5050 (fff1a)

    View changes on GitHub

v1.2.1

Compare Source

   🐞 Bug Fixes

• browser:
  • Apply inlined workspace config to browser mode vite server  -  by @​hi-ogawa in #​4947 (db01f)
  • Fix browser testing url for https  -  by @​hi-ogawa in #​4855 (6c1cc)
  • Don't fail when calling vi.useFakeTimers  -  by @​sheremet-va in #​4992 (6c5fe)
• coverage:
  • thresholds.autoUpdate to work with arrow function configuration files  -  by @​AriPerkkio in #​4959 (4b411)
• expect:
  • Implement chai inspect for AsymmetricMatcher  -  by @​hi-ogawa and @​sheremet-va in #​4942 (06bae)
• vite-node:
  • Externalize network imports  -  by @​hi-ogawa in #​4987 (21f57)
• vitest:
  • Handle single await vi.hoisted  -  by @​hi-ogawa in #​4962 (dcf2e)
  • Simplify hoist transform check regex to avoid expensive regex match  -  by @​hi-ogawa in #​4974 (df0db)
  • Correctly find module if it has a version query  -  by @​sheremet-va in #​4976 (952c3)
  • Check color support for intercepted console logging  -  by @​hi-ogawa in #​4966 (39a71)
  • Use development/production conditions when resolving external modules  -  by @​sheremet-va in #​4980 (8877e)
  • Throw a syntax error if vi.hoisted is directly exported  -  by @​sheremet-va in #​4969 (f8bff)

    View changes on GitHub

v1.2.0

Compare Source

   🚀 Features

• Support case-insensitive path matching in cli  -  by @​tigranmk in #​3567 and #​4911 (1326c)
• Add typeahead search  -  by @​bonyuta0204 and @​sheremet-va in #​4275 and #​4733 (480d8)
• Add syntax highlighting to error messages  -  by @​sheremet-va in #​4813 (8c969)
• Allow extending toEqual  -  by @​tigranmk and @​sheremet-va in #​2875 and #​4880 (463be)
• coverage:
  • Custom reporter support  -  by @​AriPerkkio in #​4828 (96dc6)
• ui:
  • Show unhandled errors on the ui  -  by @​spiroka and @​sheremet-va in #​4380 (7f59a)
• vitest:
  • Add --disable-console-intercept option to allow opting-out from automatic console log interception  -  by @​hi-ogawa in #​4786 (43fa6)
  • Show slow test duration in verbose reporter on CI  -  by @​hi-ogawa in #​4929 (ccb25)
  • Allow overiding package installer with public API  -  by @​sheremet-va in #​4936 (c2cce)

   🐞 Bug Fixes

• browser:
  • Support vite config server.headers  -  by @​hi-ogawa in #​4890 (55f53)
  • Fix testNamePattern config  -  by @​hi-ogawa in #​4909 (4add9)
  • Fix updating snapshot during watch mode  -  by @​hi-ogawa and @​sheremet-va in #​4867 (508fc)
  • Remove redundant test failure logging  -  by @​hi-ogawa in #​4891 (7fd44)
• happy-dom:
  • Window.close() for environment teardown  -  by @​capricorn86 in #​4931 (91719)
• utils:
  • Fix objDisplay default truncate option for test.each title  -  by @​hi-ogawa in #​4917 (9ae9d)
• vitest:
  • Fix tap reporter to handle custom error  -  by @​hi-ogawa in #​4897 (f8ba8)
  • Gracefully exit Vitest if process.exit is called inside the test  -  by @​sheremet-va in #​4903 (8e6c1)
  • Throw "cannot mock" error only in isolated pools  -  by @​sheremet-va in #​4905 (f99cc)
  • Don't throw SyntaxError when "await vi.hoisted" is used  -  by @​sheremet-va in #​4915 (ca62f)
  • Correctly parse --maxWorkers/--minWorkers  -  by @​sheremet-va in #​4924 (0e77e)
  • Show correct error when vi.hoisted is used inside vi.mock and the other way around  -  by @​sheremet-va in #​4916 (c4eac)
  • Call global teardown when using workspaces  -  by @​sheremet-va in #​4935 (528bd)
  • Use file instead of id for HMR  -  by @​sheremet-va in #​4938 (ca76f)
  • Add inlined deps to ssr.noExternal so they are added to the module graph  -  by @​sheremet-va in #​4945 (1663f)
• workspace:
  • Support overring pool and poolOptions on project level  -  by @​AriPerkkio in #​4765 (e9fe4)

    View changes on GitHub

v1.1.3

Compare Source

   🐞 Bug Fixes

• vitest:
  • Vi.mock breaks tests when using imported variables inside the factory  -  by @​sheremet-va and Dunqing in #​4873 (7719e)
  • Apply slowTestThreshold to all reporters  -  by @​hi-ogawa in #​4876 (1769c)

    View changes on GitHub

v1.1.2

Compare Source

   🐞 Bug Fixes

• Remove internal flag from UI option in the config  -  by @​sheremet-va (7b4a2)
• browser:
  • Avoid safaridriver collision  -  by @​mbland in #​4863 (345a2)
  • Resolved failure to find arbitrarily-named snapshot files when using expect(...).toMatchFileSnapshot() matcher.  -  by @​zmullett, *Zac Mullett

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
img-uploader	Error		Mar 5, 2026 8:42pm

[secure-code-warrior-for-github]

Micro-Learning Topic: External entity injection (Detected by phrase)

Matched on "XXE"

What is this? (2min video)

An XML External Entity attack is a type of attack against an application that parses XML input. This attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser. This attack may lead to the disclosure of confidential data, denial of service, server-side request forgery, port scanning from the perspective of the machine where the parser is located, and other system impacts.

Try a challenge in Secure Code Warrior

Helpful references

• OWASP XML External Entity (XXE) Processing - OWASP community page with comprehensive information about XML external entity attacks, and links to various OWASP resources to help detect or prevent it.
• MSDN Security Briefs - XML Denial of Service Attacks and Defenses - An MSDN Magazine article that goes into detail on XML entity attacks and how to defend against them.
• OWASP XML External Entity Prevention Cheat Sheet - This article is focused on providing clear, simple, actionable guidance for preventing XML external entity flaws in your applications.