chore(deps): update vitest monorepo to v4.1.0

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
@vitest/coverage-v8 (source)	4.0.18 → 4.1.0
@vitest/ui (source)	4.0.18 → 4.1.0
vitest (source)	4.0.18 → 4.1.0

---

Release Notes

vitest-dev/vitest (@​vitest/coverage-v8)

v4.1.0

Compare Source

Vitest 4.1 is out!

This release page lists all changes made to the project during the 4.1 beta. To get a review of all the new features, read our blog post.

   🚀 Features

• Return a disposable from doMock()  -  by @​kirkwaiblinger in #​9332 (e3e65)
• Added chai style assertions  -  by @​ronnakamoto and @​sheremet-va in #​8842 (841df)
• Update to sinon/fake-timers v15 and add setTickMode to timer controls  -  by @​atscott and @​sheremet-va in #​8726 (4b480)
• Expose matcher types  -  by @​sheremet-va in #​9448 (3e4b9)
• Add toTestSpecification to reported tasks  -  by @​sheremet-va in #​9464 (1a470)
• Show a warning if vi.mock or vi.hoisted are declared outside of top level of the module  -  by @​sheremet-va in #​9387 (5db54)
• Track and display expectedly failed tests (.fails) in UI and CLI  -  by @​Copilot, sheremet-va and @​sheremet-va in #​9476 (77d75)
• Support tags  -  by @​sheremet-va in #​9478 (de7c8)
• Implement aroundEach and aroundAll hooks  -  by @​sheremet-va in #​9450 (2a8cb)
• Stabilize experimental features  -  by @​sheremet-va in #​9529 (b5fd2)
• Accept new or all in --update flag  -  by @​sheremet-va in #​9543 (a5acf)
• Support meta in test options  -  by @​sheremet-va in #​9535 (7d622)
• Support type inference with a new test.extend syntax  -  by @​sheremet-va in #​9550 (e5385)
• Support vite 8 beta, fix type issues in the config with different vite versions  -  by @​sheremet-va in #​9587 (99028)
• Add assertion helper to hide internal stack traces  -  by @​hi-ogawa and Claude Opus 4.6 in #​9594 (eeb0a)
• Store failure screenshots using artifacts API  -  by @​macarie in #​9588 (24603)
• Allow vitest list to statically collect tests instead of running files to collect them  -  by @​sheremet-va in #​9630 (7a8e7)
• Add --detect-async-leaks  -  by @​AriPerkkio in #​9528 (c594d)
• Implement mockThrow and mockThrowOnce  -  by @​thor-juhasz and @​sheremet-va in #​9512 (61917)
• Support update: "none" and add docs about snapshots behavior on CI  -  by @​hi-ogawa in #​9700 (05f18)
• Support playwright launchOptions with connectOptions  -  by @​hi-ogawa in #​9702 (f0ff1)
• Add page/locator.mark API to enhance playwright trace  -  by @​hi-ogawa in #​9652 (d0ee5)
• api:
  • Support tests starting or ending with test in experimental_parseSpecification  -  by @​jgillick and Jeremy Gillick in #​9235 (2f367)
  • Add filters to createSpecification  -  by @​sheremet-va in #​9336 (c8e6c)
  • Expose runTestFiles as alternative to runTestSpecifications  -  by @​sheremet-va in #​9443 (43d76)
  • Add allowWrite and allowExec options to api  -  by @​sheremet-va in #​9350 (20e00)
  • Allow passing down test cases to toTestSpecification  -  by @​sheremet-va in #​9627 (6f17d)
• browser:
  • Add userEvent.wheel API  -  by @​macarie in #​9188 (66080)
  • Add filterNode option to prettyDOM for filtering browser assertion error output  -  by @​Copilot, sheremet-va and @​sheremet-va in #​9475 (d3220)
  • Support playwright persistent context  -  by @​hi-ogawa, Claude Opus 4.6 and @​sheremet-va in #​9229 (f865d)
  • Added detailsPanelPosition option and button  -  by @​shairez in #​9525 (c8a31)
  • Use BlazeDiff instead of pixelmatch  -  by @​macarie in #​9514 (30936)
  • Add findElement and enable strict mode in webdriverio and preview  -  by @​sheremet-va in #​9677 (c3f37)
• cli:
  • Add @​bomb.sh/tab completions  -  by @​AmirSa12 and @​sheremet-va in #​8639 (200f3)
• coverage:
  • Support ignore start/stop ignore hints  -  by @​AriPerkkio in #​9204 (e59c9)
  • Add coverage.changed option to report only changed files  -  by @​kykim00 and @​AriPerkkio in #​9521 (1d939)
• experimental:
  • Add onModuleRunner hook to worker.init  -  by @​sheremet-va in #​9286 (e977f)
  • Option to disable the module runner  -  by @​sheremet-va and @​AriPerkkio in #​9210 (9be61)
  • Add importDurations: { limit, print } options  -  by @​hi-ogawa, Claude Opus 4.6 and @​sheremet-va in #​9401 (7e10f)
  • Add print and fail thresholds for importDurations  -  by @​hi-ogawa and Claude Opus 4.6 in #​9533 (3f7a5)
• fixtures:
  • Pass down file context to beforeAll/afterAll  -  by @​sheremet-va in #​9572 (c8339)
• reporters:
  • Add agent reporter to reduce ai agent token usage  -  by @​cpojer in #​9779 (3e9e0)
• runner:
  • Enhance retry options  -  by @​MazenSamehR, Matan Shavit, @​AriPerkkio and @​sheremet-va in #​9370 (9e4cf)
• ui:
  • Allow run individual test/suites  -  by @​userquin in #​9465 (73b10)
  • Add project filter/sort support  -  by @​userquin in #​8689 (0c7ea)
  • Add duration sorting to explorer  -  by @​julianhahn and @​cursoragent in #​9603 (209b1)
  • Implement filter for slow tests  -  by @​DerYeger and @​userquin in #​9705 (8880c)
• vitest:
  • Add run summary in GitHub Actions Reporter  -  by @​macarie and jhnance in #​9579 (96bfc)

   🐞 Bug Fixes

• Deprecate several vitest/* entry points  -  by @​sheremet-va in #​9347 (fd459)
• Use meta.url in createRequire  -  by @​sheremet-va in #​9441 (e3422)
• Preact browser mode init example of render function not async  -  by @​WuMingDao in #​9375 (2bea5)
• Deprecate unused types in matcher context  -  by @​sheremet-va in #​9449 (20f87)
• Handle external/noExternal during configEnvironment hook  -  by @​hi-ogawa and Claude Opus 4.6 in #​9508 (59ea2)
• Replace default ssr environment runner with Vitest server module runner  -  by @​hi-ogawa and Claude Opus 4.6 in #​9506 (cd5db)
• Propagate experimental CLI options to child projects  -  by @​hi-ogawa and Claude Opus 4.6 in #​9531 (b624f)
• Show a warning when browser.isolate is used  -  by @​sheremet-va in #​9410 (3d48e)
• Fix vi.mock({ spy: true }) node v8 coverage  -  by @​hi-ogawa, hi-ogawa and Claude Opus 4.6 in #​9541 (687b6)
• Don't show internal ssr handler in errors  -  by @​sheremet-va in #​9547 (76c43)
• Close vitest if it failed to start  -  by @​sheremet-va in #​9573 (728ba)
• Fix ssr environment runner in project  -  by @​hi-ogawa in #​9584 (09006)
• Trim trailing white spaces in code block  -  by @​hi-ogawa in #​9591 (f78be)
• Support inline snapshot inside test.for/each  -  by @​hi-ogawa in #​9590 (615fd)
• Apply source maps for external module stack trace  -  by @​hi-ogawa in #​9152 (79e20)
• Remove the .name from statically collected test  -  by @​sheremet-va in #​9596 (b66ff)
• Don't suppress warnings on pnp  -  by @​sheremet-va in #​9602 (89cbd)
• Support snapshot with expect.soft  -  by @​iumehara, @​hi-ogawa and Claude Opus 4.6 in #​9231 (3eb2c)
• Log seed when only sequence.shuffle.tests is enabled  -  by @​kaigritun, Kai Gritun and @​sheremet-va in #​9576 (8182b)
• Externalize expect/src/utils from vitest  -  by @​hi-ogawa in #​9616 (48739)
• Ignore test.override during static collection  -  by @​sheremet-va in #​9620 (09174)
• Increase stacktrace limit for --detect-async-leaks  -  by @​AriPerkkio in #​9638 (9fd4c)
• Hanging-reporter link in cli  -  by @​flx-sta in #​9649 (7c103)
• Fix teardown timeout of aroundEach/All when inner aroundEach/All throws  -  by @​hi-ogawa in #​9657 (4ec6c)
• Fix ui mode / html reporter and coverage integration  -  by @​hi-ogawa and Claude Opus 4.6 in #​9626 (86fad)
• Don't continue when aroundEach/All setup timed out  -  by @​hi-ogawa in #​9670 (bb013)
• Align VitestRunnerConfig optional fields with SerializedConfig  -  by @​hi-ogawa in #​9661 (79520)
• Handle Symbol values in format utility  -  by @​nami8824 in #​9658 (0583f)
• Deprecate toBe* spy assertions in favor of toHaveBeen* (and toThrowError)  -  by @​sheremet-va in #​9665 (4d390)
• Don't propagate nested aroundEach/All errors but aggregate them on runner  -  by @​hi-ogawa in #​9673 (b6365)
• Show a better error if there is a pending dynamic import  -  by @​sheremet-va in #​9676 (7ef5c)
• Preserve stack trace of resolves/rejects chained assertion error  -  by @​hi-ogawa in #​9679 (c6151)
• Handle module-sync condition in vmThreads/vmForks require  -  by @​lesleh in #​9650 and #​9651 (bb203)
• Hooks should respect maxConcurrency  -  by @​hi-ogawa in #​9653 (16d13)
• Recursively autospy module object  -  by @​hi-ogawa in #​9687 (695a8)
• Remove trailing spaces from diff error log  -  by @​hi-ogawa and @​sheremet-va in #​9680 (395d1)
• Respect project resolve.conditions for externals  -  by @​hi-ogawa in #​9717 (1d498)
• Use object for WeakMap instead of a symbol to support webcontainers  -  by @​sheremet-va in #​9731 (c5225)
• Fix re-mocking virtual module  -  by @​hi-ogawa in #​9748 (3cbbb)
• Cancelling should stop current test immediately  -  by @​AriPerkkio in #​9729 (0cb2f)
• Make mockObject change backwards compatible  -  by @​sheremet-va in #​9744 (84c69)
• Fix URL.name on jsdom  -  by @​hi-ogawa in #​9767 (031f3)
• Save and restore module graph in blob reporter  -  by @​hi-ogawa in #​9740 (84355)
• Don't silence reporter errors from test runtime events handler in normal run and --merge-reports  -  by @​hi-ogawa in #​9727 (4072d)
• Fix vi.importActual() for virtual modules  -  by @​hi-ogawa and Claude Opus 4.6 in #​9772 (1e89e)
• Throw FixtureAccessError if suite hook accesses undefined fixture  -  by @​sheremet-va in #​9786 (fc2ce)
• Allow hyphens in project config file name pattern  -  by @​Koutaro-Hanabusa and @​hi-ogawa in #​9760 (33e96)
• Manual and redirect mock shouldn't load or transform original module  -  by @​hi-ogawa and Claude Opus 4.6 in #​9774 (a8216)
• hideSkippedTests should not hide test.todo  -  by @​oilater in #​9562 and #​9781 (8181e)
• Allow catch/finally for async assertion  -  by @​hi-ogawa in #​9827 (031f0)
• Resolve fixture overrides from test's suite in beforeEach hooks  -  by @​hi-ogawa and Claude Opus 4.6 in #​9826 (99e52)
• Use isAgent check, not just TTY, for watch mode  -  by @​sheremet-va in #​9841 (c3cac)
• Use performance.now to measure test timeout duration  -  by @​hi-ogawa and Claude Opus 4.6 in #​9795 (f48a6)
• Correctly identify concurrent test during static analysis  -  by @​sheremet-va in #​9846 (1de0a)
• browser:
  • Avoid updating screenshots when toMatchScreenshot passes  -  by @​macarie in #​9289 (46aab)
  • Hide injected data-testid attributes  -  by @​sheremet-va in #​9503 (c8d2c)
  • Throw an error if iframe was reloaded  -  by @​sheremet-va in #​9516 (73a81)
  • Encode projectName in browser client URL  -  by @​dkkim0122 in #​9523 (5b164)
  • Don't take failure screenshot if tests have artifacts created by toMatchScreenshot  -  by @​macarie in #​9552 (83ca0)
  • Remove --remote-debugging-address from chrome args  -  by @​hi-ogawa and @​AriPerkkio in #​9712 (f09bb)
  • Make sure userEvent actions support ensureAwaited  -  by @​sheremet-va in #​9732 (97685)
  • Types of getCDPSession and cdp()  -  by @​AriPerkkio in #​9716 (689a2)
  • Skip esbuild.legalComments when using rolldown-vite  -  by @​Copilot, hi-ogawa and @​hi-ogawa in #​9803 (3505f)
• chai:
  • Don't allow deepEqual in the config because it's not serializable  -  by @​sheremet-va in #​9666 (9ee99)
• coverage:
  • Infer transform mode for uncovered files  -  by @​AriPerkkio in #​9435 (f3967)
  • thresholds.autoUpdate to preserve ending whitespace  -  by @​AriPerkkio in #​9436 (7e534)
• deps:
  • Update all non-major dependencies  -  by @​hi-ogawa in #​9192 (90c30)
  • Update all non-major dependencies  -  in #​9485 (c0118)
  • Update all non-major dependencies  -  in #​9567 (13c9e)
• docs:
  • Fix old /config/#option hash links causing hydration errors  -  by @​hi-ogawa, Claude Opus 4.6 and @​sheremet-va in #​9610 (a603c)
• expect:
  • toMatchObject(Map/Set) should expect Map/Set on left hand side  -  by @​hi-ogawa and Claude Opus 4.6 in #​9532 (381da)
  • Fix objectContaining with proxy  -  by @​hi-ogawa and Claude Opus 4.6 in #​9554 (7ce34)
  • Support arbitrary value equality for toThrow and make Error detection robust  -  by @​hi-ogawa and Claude Opus 4.6 in #​9570 (de215)
• mock:
  • Inject helpers after hashbang if present  -  by @​sheremet-va in #​9545 (65432)
• mocker:
  • Update vite's peer dependency range  -  by @​sheremet-va in #​9808 (36f9a)
• reporter:
  • dot reporter leaves pending tests  -  by @​AriPerkkio in #​9684 (4d793)
• runner:
  • Mark repeated tests as finished on last run  -  by @​AriPerkkio in #​9707 (cc735)
• spy:
  • Support deep partial in vi.mocked  -  by @​j2h30728 in #​8152 and #​9493 (71cb5)
  • Fallback to object accessor if descriptor's value is undefined  -  by @​sheremet-va in #​9511 (6f181)
  • Throw correct errors when shorthand methods are used on a class  -  by @​sheremet-va in #​9513 (5d0fd)
• types:
  • bench.reporters no longer gives type errors when passing file name string paths  -  by @​Bertie690 in #​9695 (093c8)
• ui:
  • Process artifact attachments when generating HTML reporter  -  by @​macarie in #​9472 (96eb9)
  • Don't fail if --ui and --root are specified together  -  by @​sheremet-va in #​9536 (d9305)

   🏎 Performance

• pretty-format: Combine DOMElement plugins  -  by @​sheremet-va in #​9581 (da85a)

    View changes on GitHub

---

Configuration

📅 Schedule: Branch creation - "after 7pm every weekday,before 5am every weekday" in timezone Europe/Madrid, Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

Dependency Review

The following issues were found:

• ❌ 1 vulnerable package(s)
• ✅ 0 package(s) with incompatible licenses
• ✅ 0 package(s) with invalid SPDX license definitions
• ✅ 0 package(s) with unknown licenses.

See the Details below.

Snapshot Warnings

⚠️: No snapshots were found for the head SHA 285cd3c.

Ensure that dependencies are being submitted on PR branches and consider enabling retry-on-snapshot-warnings. See the documentation for more information and troubleshooting advice.

Vulnerabilities

yarn.lock

Name	Version	Vulnerability	Severity
flatted	3.4.0	Prototype Pollution via parse() in NodeJS flatted	high

Only included vulnerabilities with severity moderate or higher.

OpenSSF Scorecard

Scorecard details

Package	Version	Score	Details
npm/flatted	3.4.0	🟢 4.3	Details Check Score Reason Code-Review ⚠️ 0 Found 1/14 approved changesets -- score normalized to 0 Maintained 🟢 10 26 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 10 Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Security-Policy 🟢 4 security policy file detected Binary-Artifacts 🟢 10 no binaries found in the repo Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Pinned-Dependencies ⚠️ 1 dependency not pinned by hash detected -- score normalized to 1 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches SAST ⚠️ 2 SAST tool is not run on all commits -- score normalized to 2
npm/@emnapi/core	1.9.1	🟢 3.8	Details Check Score Reason Code-Review ⚠️ 0 Found 1/30 approved changesets -- score normalized to 0 Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Maintained 🟢 10 17 commit(s) and 3 issue activity found in the last 90 days -- score normalized to 10 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Binary-Artifacts 🟢 10 no binaries found in the repo Security-Policy ⚠️ 0 security policy file not detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. Packaging 🟢 10 packaging workflow detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
npm/@emnapi/runtime	1.9.1	🟢 3.8	Details Check Score Reason Code-Review ⚠️ 0 Found 1/30 approved changesets -- score normalized to 0 Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Maintained 🟢 10 17 commit(s) and 3 issue activity found in the last 90 days -- score normalized to 10 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Binary-Artifacts 🟢 10 no binaries found in the repo Security-Policy ⚠️ 0 security policy file not detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. Packaging 🟢 10 packaging workflow detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
npm/@emnapi/wasi-threads	1.2.0	🟢 3.8	Details Check Score Reason Code-Review ⚠️ 0 Found 1/30 approved changesets -- score normalized to 0 Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Maintained 🟢 10 17 commit(s) and 3 issue activity found in the last 90 days -- score normalized to 10 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Binary-Artifacts 🟢 10 no binaries found in the repo Security-Policy ⚠️ 0 security policy file not detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. Packaging 🟢 10 packaging workflow detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
npm/@napi-rs/wasm-runtime	1.1.1	🟢 5.1	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 9 issue activity found in the last 90 days -- score normalized to 10 Code-Review ⚠️ 1 Found 1/9 approved changesets -- score normalized to 1 Security-Policy 🟢 10 security policy file detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Binary-Artifacts 🟢 10 no binaries found in the repo Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions License 🟢 9 license file detected Fuzzing ⚠️ 0 project is not fuzzed Packaging ⚠️ -1 packaging workflow not detected Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Signed-Releases ⚠️ -1 no releases found Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
npm/@oxc-project/types	0.122.0	Unknown	Unknown
npm/@rolldown/binding-android-arm64	1.0.0-rc.11	Unknown	Unknown
npm/@rolldown/binding-darwin-arm64	1.0.0-rc.11	Unknown	Unknown
npm/@rolldown/binding-darwin-x64	1.0.0-rc.11	Unknown	Unknown
npm/@rolldown/binding-freebsd-x64	1.0.0-rc.11	Unknown	Unknown
npm/@rolldown/binding-linux-arm-gnueabihf	1.0.0-rc.11	Unknown	Unknown
npm/@rolldown/binding-linux-arm64-gnu	1.0.0-rc.11	Unknown	Unknown
npm/@rolldown/binding-linux-arm64-musl	1.0.0-rc.11	Unknown	Unknown
npm/@rolldown/binding-linux-ppc64-gnu	1.0.0-rc.11	Unknown	Unknown
npm/@rolldown/binding-linux-s390x-gnu	1.0.0-rc.11	Unknown	Unknown
npm/@rolldown/binding-linux-x64-gnu	1.0.0-rc.11	Unknown	Unknown
npm/@rolldown/binding-linux-x64-musl	1.0.0-rc.11	Unknown	Unknown
npm/@rolldown/binding-openharmony-arm64	1.0.0-rc.11	Unknown	Unknown
npm/@rolldown/binding-wasm32-wasi	1.0.0-rc.11	Unknown	Unknown
npm/@rolldown/binding-win32-arm64-msvc	1.0.0-rc.11	Unknown	Unknown
npm/@rolldown/binding-win32-x64-msvc	1.0.0-rc.11	Unknown	Unknown
npm/@rolldown/pluginutils	1.0.0-rc.11	Unknown	Unknown
npm/@tybys/wasm-util	0.10.1	Unknown	Unknown
npm/@vitest/coverage-v8	4.1.1	Unknown	Unknown
npm/@vitest/expect	4.1.1	Unknown	Unknown
npm/@vitest/mocker	4.1.1	Unknown	Unknown
npm/@vitest/pretty-format	4.1.1	Unknown	Unknown
npm/@vitest/runner	4.1.1	Unknown	Unknown
npm/@vitest/snapshot	4.1.1	Unknown	Unknown
npm/@vitest/spy	4.1.1	Unknown	Unknown
npm/@vitest/ui	4.1.1	Unknown	Unknown
npm/@vitest/utils	4.1.1	Unknown	Unknown
npm/ast-v8-to-istanbul	1.0.0	Unknown	Unknown
npm/convert-source-map	2.0.0	🟢 3.9	Details Check Score Reason Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected Security-Policy 🟢 10 security policy file detected Binary-Artifacts 🟢 10 no binaries found in the repo Code-Review 🟢 4 Found 12/30 approved changesets -- score normalized to 4 Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Maintained ⚠️ 0 0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0 Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
npm/detect-libc	2.1.2	🟢 3.8	Details Check Score Reason Maintained ⚠️ 0 0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0 Packaging ⚠️ -1 packaging workflow not detected Binary-Artifacts 🟢 8 binaries present in source code Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Code-Review ⚠️ 2 Found 7/30 approved changesets -- score normalized to 2 Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Security-Policy ⚠️ 0 security policy file not detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Signed-Releases ⚠️ -1 no releases found SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
npm/lightningcss	1.32.0	Unknown	Unknown
npm/lightningcss-android-arm64	1.32.0	Unknown	Unknown
npm/lightningcss-darwin-arm64	1.32.0	Unknown	Unknown
npm/lightningcss-darwin-x64	1.32.0	Unknown	Unknown
npm/lightningcss-freebsd-x64	1.32.0	Unknown	Unknown
npm/lightningcss-linux-arm-gnueabihf	1.32.0	Unknown	Unknown
npm/lightningcss-linux-arm64-gnu	1.32.0	Unknown	Unknown
npm/lightningcss-linux-arm64-musl	1.32.0	Unknown	Unknown
npm/lightningcss-linux-x64-gnu	1.32.0	Unknown	Unknown
npm/lightningcss-linux-x64-musl	1.32.0	Unknown	Unknown
npm/lightningcss-win32-arm64-msvc	1.32.0	Unknown	Unknown
npm/lightningcss-win32-x64-msvc	1.32.0	Unknown	Unknown
npm/rolldown	1.0.0-rc.11	Unknown	Unknown
npm/std-env	4.0.0	Unknown	Unknown
npm/vite	8.0.2	🟢 6.5	Details Check Score Reason Code-Review 🟢 6 Found 17/25 approved changesets -- score normalized to 6 Maintained 🟢 10 30 commit(s) and 8 issue activity found in the last 90 days -- score normalized to 10 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Packaging ⚠️ -1 packaging workflow not detected Token-Permissions 🟢 6 detected GitHub workflow tokens with excessive permissions License 🟢 10 license file detected Binary-Artifacts 🟢 5 binaries present in source code Pinned-Dependencies 🟢 6 dependency not pinned by hash detected -- score normalized to 6 Signed-Releases ⚠️ -1 no releases found Fuzzing ⚠️ 0 project is not fuzzed Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Security-Policy 🟢 10 security policy file detected SAST 🟢 3 SAST tool is not run on all commits -- score normalized to 3
npm/vitest	4.1.1	Unknown	Unknown

Scanned Files

• yarn.lock