build(deps-dev): Bump vitest from 4.0.7 to 4.0.8

[dependabot]

Bumps vitest from 4.0.7 to 4.0.8.

Release notes

Sourced from vitest's releases.

v4.0.8

   🐞 Bug Fixes

• Workaround noExternal merging bug on Vite 6  -  by @​hi-ogawa in vitest-dev/vitest#8950 (bcb13)
• Missed context.d.ts file  -  by @​termorey in vitest-dev/vitest#8965 (9044d)
• Incorrect error message for non-awaited expect.element()  -  by @​StyleShit in vitest-dev/vitest#8954 (9638d)
• browser: Cleanup frame-ancestors from CSP header at coverage middleware  -  by @​userquin in vitest-dev/vitest#8941 (1f730)
• deps: Update all non-major dependencies  -  by @​sheremet-va in vitest-dev/vitest#8636 (da8b9)
• forks: Do not fail with Windows Defender enabled  -  by @​sheremet-va in vitest-dev/vitest#8967 (c79f4)
• runner: Properly encode Uint8Array body in annotations  -  by @​Livan-pro in vitest-dev/vitest#8951 (997ca)
• spy: Copy static properties if spy is initialised with vi.fn(), fix types for vi.spyOn(obj, class)  -  by @​sheremet-va in vitest-dev/vitest#8956 (75e7f)
• webdriverio: When no argument is passed to the .click interaction command, the webdriver command should also have no argument  -  by @​julienw in vitest-dev/vitest#8937 (069e6)

    View changes on GitHub

Commits

• 46bfd09 chore: release v4.0.8
• c79f47c fix(forks): do not fail with Windows Defender enabled (#8967)
• 7ed99cd chore: remove unnecessery values() call for set (#8964)
• 9a9323b chore(deps): update dependency @​antfu/eslint-config to v6 (#8832)
• 46b3529 chore(deps): update dependency jsdom to v27 (#8700)
• 65292c3 docs: update structure (#8625)
• da8b93a fix(deps): update all non-major dependencies (#8636)
• bcb132f fix: workaround noExternal merging bug on Vite 6 (#8950)
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[cloudflare-workers-and-pages]

Deploying blinklabs-vpn with    Cloudflare Pages

Latest commit:	6080430
Status:	🚫  Build failed.

View logs

[coderabbitai]

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[fossabot]

[fossabot]

✓ Safe to upgrade

I recommend merging this upgrade because this is a minor patch update that includes 14 bug fixes with no breaking changes detected in the codebase. The project's vitest configuration uses standard settings without any deprecated APIs (poolMatchGlobs, deps.external, or browser.testerScripts), and the test suite uses only stable vitest APIs for mocking, assertions, and test lifecycle hooks. While the CVE-2025-24964 security vulnerability affects all vitest versions, it only impacts users who enable the Vitest UI feature and requires an attacker to have network access during test execution - a scenario unlikely in typical CI/CD environments. The project includes a test:ui script but this is intended for local development debugging rather than production use.

What we checked

• Vitest upgraded from ^4.0.7 to ^4.0.8 - patch version update ^[1]
• Vitest configuration uses only stable, non-deprecated settings (globals, environment, setupFiles, css, coverage) - no breaking changes apply ^[2]
• Test files use standard vitest imports (describe, it, expect, beforeEach, vi) that are stable across v4 versions ^[3]
• API tests use vi.fn() and vi.resetAllMocks() - standard vitest mocking APIs with no compatibility issues ^[4]
• test:ui script is available for optional local debugging, but CVE-2025-24964 only affects development usage where attacker network access during testing is highly improbable ^[5]
• Migration guide confirms breaking changes only affect poolMatchGlobs, deps.external, and browser.testerScripts - none of which are used in this project ^[6]

Dependency Usage

Vitest serves as the comprehensive testing framework for this Cardano-based VPN frontend application, providing quality assurance across critical components including wallet integration, API client functionality, and React hooks for reference data management. The framework is deeply integrated into the build toolchain through Vite configuration and TypeScript globals, with test scripts available for development, UI-based testing, and coverage reporting. Test coverage spans three key architectural layers: component testing for the WalletConnection UI, API client testing for backend communication, and custom React hook testing for data fetching patterns.

• Vitest configuration uses only stable, non-deprecated settings (globals, environment, setupFiles, css, coverage) - no breaking changes apply
  

  vpn-frontend/vite.config.ts

  Line 40 in dea8715

  test: {

• Test files use standard vitest imports (describe, it, expect, beforeEach, vi) that are stable across v4 versions
  

  vpn-frontend/src/components/__tests__/WalletConnection.test.tsx

  Line 1 in dea8715

  import { describe, it, expect, beforeEach, vi } from "vitest";

View 1 more usage

• API tests use vi.fn() and vi.resetAllMocks() - standard vitest mocking APIs with no compatibility issues
  

  vpn-frontend/src/api/__tests__/client.test.ts

  Line 1 in dea8715

  import { describe, it, expect, beforeEach, vi } from "vitest";

Less Important Usages (4)

These usages were analyzed but no breaking changes were detected:

vitest

• vpn-frontend/vite.config.ts

  Line 2 in dea8715

  import { defineConfig } from "vitest/config";

• vpn-frontend/src/test/setup.ts

  Line 2 in dea8715

  import { afterEach, vi } from "vitest";

• vpn-frontend/src/test/utils.tsx

  Line 5 in dea8715

  import { vi } from "vitest";

• vpn-frontend/src/api/hooks/__tests__/useRefData.test.tsx

  Line 1 in dea8715

  import { describe, it, expect, beforeEach, vi } from "vitest";

Changes

This vitest update includes 14 bug fixes addressing issues in browser coverage middleware CSP handling, webdriverio click interactions without arguments, Uint8Array body encoding in test annotations, spy static property copying, Windows Defender fork failures, and Vite 6 noExternal merging. The update also adds a missing context.d.ts TypeScript definition file and includes dependency updates for jsdom, happy-dom, magic-string, std-env, birpc, and strip-literal.

• docs: minor improvements for "expect" documentation (#8936) (c322752) (v4.0.8, changelog)
• chore: typo in error (#8939) (1ba8e3c) (v4.0.8, changelog)
• chore: remove unused AI output (#8943) (865073c) (v4.0.8, changelog)

View 40 more changes

• fix(browser): cleanup frame-ancestors from CSP header at coverage middleware (#8941) (1f73037) (v4.0.8, changelog)
• chore: remove unused deps in pnpm-workspace.yaml (#8949) (97aed74) (v4.0.8, changelog)
• fix(webdriverio): When no argument is passed to the .click interaction command, the webdriver command should also have no argument (#8937) (069e6db) (v4.0.8, changelog)
• fix(runner): properly encode Uint8Array body in annotations (#8951) (997ca5a) (v4.0.8, changelog)
• workaround noExternal merging bug on Vite 6 (#8950) (bcb132f) (v4.0.8, changelog)
• fix(spy): copy static properties if spy is initialised with vi.fn(), fix types for vi.spyOn(obj, class) (#8956) (75e7fcc) (v4.0.8, changelog)
• docs: fix server.debug property names (#8930) (a304410) (v4.0.8, changelog)
• chore(deps): update actions/upload-artifact action to v5 (#8831) (f72b50d) (v4.0.8, changelog)
• fix(deps): update all non-major dependencies (#8636) (da8b93a) (v4.0.8, changelog)
• docs: update structure (#8625) (65292c3) (v4.0.8, changelog)
• docs: update comparisons.md (#8763) (f98bfb4) (v4.0.8, changelog)
• chore(deps): update dependency jsdom to v27 (#8700) (46b3529) (v4.0.8, changelog)
• docs: return comparisons (77aa316) (v4.0.8, changelog)
• chore(deps): update dependency @​antfu/eslint-config to v6 (#8832) (9a9323b) (v4.0.8, changelog)
• chore(deps): update dependency splitpanes to v4 (#8701) (c84a396) (v4.0.8, changelog)
• missed context.d.ts file (#8965) (9044d93) (v4.0.8, changelog)
• chore: remove unnecessery values() call for set (#8964) (7ed99cd) (v4.0.8, changelog)
• fix(forks): do not fail with Windows Defender enabled (#8967) (c79f47c) (v4.0.8, changelog)
• docs: Update incorrect export name on the mocking modules page (#8962) (e8b459d) (v4.0.8, changelog)
• incorrect error message for non-awaited expect.element() (#8954) (9638db0) (v4.0.8, changelog)
• chore: release v4.0.8 (46bfd09) (v4.0.8, changelog)
• Workaround noExternal merging bug on Vite 6  -  by @​hi-ogawa in https://redirect.github.com/vitest-dev/vitest/issues/8950 (bcb13) (vv4.0.8, release notes)
• Missed context.d.ts file  -  by @​termorey in https://redirect.github.com/vitest-dev/vitest/issues/8965 (9044d) (vv4.0.8, release notes)
• Incorrect error message for non-awaited expect.element()  -  by @​StyleShit in https://redirect.github.com/vitest-dev/vitest/issues/8954 (9638d) (vv4.0.8, release notes)
• browser: Cleanup frame-ancestors from CSP header at coverage middleware  -  by @​userquin in https://redirect.github.com/vitest-dev/vitest/issues/8941 (1f730) (vv4.0.8, release notes)
• deps: Update all non-major dependencies  -  by @​sheremet-va in https://redirect.github.com/vitest-dev/vitest/issues/8636 (da8b9) (vv4.0.8, release notes)
• forks: Do not fail with Windows Defender enabled  -  by @​sheremet-va in https://redirect.github.com/vitest-dev/vitest/issues/8967 (c79f4) (vv4.0.8, release notes)
• runner: Properly encode Uint8Array body in annotations  -  by @​Livan-pro in https://redirect.github.com/vitest-dev/vitest/issues/8951 (997ca) (vv4.0.8, release notes)
• spy: Copy static properties if spy is initialised with vi.fn(), fix types for vi.spyOn(obj, class)  -  by @​sheremet-va in https://redirect.github.com/vitest-dev/vitest/issues/8956 (75e7f) (vv4.0.8, release notes)
• webdriverio: When no argument is passed to the .click interaction command, the webdriver command should also have no argument  -  by @​julienw in https://redirect.github.com/vitest-dev/vitest/issues/8937 (069e6) (vv4.0.8, release notes)
• Updated magic-string dependency from ^0.30.19 to ^0.30.21 (v4.0.8, other)
• Updated std-env dependency from ^3.9.0 to ^3.10.0 (v4.0.8, other)
• Updated birpc dependency from ^2.5.0 to ^2.7.0 (v4.0.8, other)
• Updated jsdom dependency from ^26.1.0 to ^27.1.0 (v4.0.8, other)
• Updated happy-dom dependency from ^20.0.0 to ^20.0.10 (v4.0.8, other)
• Updated strip-literal dependency from ^3.0.0 to ^3.1.0 (v4.0.8, other)
• Updated all @​vitest/* packages to version 4.0.8 for consistency (v4.0.8, other)
• Reformatted built JavaScript files from minified comma-operator style to more readable standard format (v4.0.8, other)
• Added clarifying comment explaining vi.resetConfig() is called after tests because user might call vi.setConfig() in setupFile (v4.0.8, other)
• Updated birpc repository URL from github.com/antfu/birpc to github.com/antfu-collective/birpc in LICENSE (v4.0.8, other)

References (6)

[1]: Vitest upgraded from ^4.0.7 to ^4.0.8 - patch version update

vpn-frontend/package.json

Line 53 in dea8715

"vitest": "^4.0.8"

[2]: Vitest configuration uses only stable, non-deprecated settings (globals, environment, setupFiles, css, coverage) - no breaking changes apply

vpn-frontend/vite.config.ts

Line 40 in dea8715

test: {

[3]: Test files use standard vitest imports (describe, it, expect, beforeEach, vi) that are stable across v4 versions

vpn-frontend/src/components/__tests__/WalletConnection.test.tsx

Line 1 in dea8715

import { describe, it, expect, beforeEach, vi } from "vitest";

[4]: API tests use vi.fn() and vi.resetAllMocks() - standard vitest mocking APIs with no compatibility issues

vpn-frontend/src/api/__tests__/client.test.ts

Line 1 in dea8715

import { describe, it, expect, beforeEach, vi } from "vitest";

[5]: test:ui script is available for optional local debugging, but CVE-2025-24964 only affects development usage where attacker network access during testing is highly improbable

vpn-frontend/package.json

Line 12 in dea8715

"test:ui": "vitest --ui",

[6]: Migration guide confirms breaking changes only affect poolMatchGlobs, deps.external, and browser.testerScripts - none of which are used in this project (source link)

---

fossabot analyzed this PR using static analysis and dependency research.

[dependabot]

Superseded by #159.