Skip to content

fix(ci): bump vitest →4.1.x to clear critical security advisory (audit green)#43

Merged
aimerdoux merged 1 commit into
mainfrom
fix/ci-vitest4-and-pglite
Jun 2, 2026
Merged

fix(ci): bump vitest →4.1.x to clear critical security advisory (audit green)#43
aimerdoux merged 1 commit into
mainfrom
fix/ci-vitest4-and-pglite

Conversation

@aimerdoux

Copy link
Copy Markdown
Owner

Phase 1 — clear the critical security advisory (CI audit → green)

pnpm audit --audit-level=critical (CI Test job, step Security audit, added in #35) has been failing on every PR and on main due to GHSA-5xrq-8626-4rwp — the Vitest UI server arbitrary file read/exec advisory affecting vitest <4.1.0, transitive across ~23 packages.

Fix (one logical change):

  • Root pnpm.overrides.vitest = ^4.1.0 — forces every instance (incl. vendored + paperclip/core + transitive) to ≥4.1.0.
  • Bumped the 7 @wavex-os/* declared ranges ^2.1.8 → ^4.1.0 to match.
  • Added root devDep vite ^6 so vitest 4's vite peer (^6||^7||^8) resolves for the test packages without disturbing onboarding-ui's own vite 5 app build.

Verified locally:

  • pnpm audit --audit-level=criticalexit 0 (criticals 3→0; moderates 7→1).
  • All @wavex-os/* + vendored suites pass on vitest 4 (auth-shim, composio-shim, db, inference-adapter, shared, paperclip-plugin-wavex, flywheel-kernel, tier-router, onboarding) — 132 passed.

⚠️ Surfaced, NOT fixed here — e2e-onboarding.test.ts is pre-existing broken

While verifying, I found the 12 e2e-onboarding failures are not the "environmental pglite" issue I previously reported — I was wrong. The real cause: the pillar walk times out (30s), so pillar 3 never persists kpi_snapshot_initial, and finalize's Monte Carlo throws kpi_snapshot_initial missing from pillar_3 → 500. There's also connector-matrix drift (supabase absent from recommendations). This reproduces on clean main under both vitest 2 and 4 — it's been invisible because the failing audit step short-circuits the job before Run tests runs.

The failing path runs through frozen vendor/wavex-os/** (finalize/mc-invocation.ts, assemble.ts, the connector decision-matrix), so per CLAUDE.md I'm not modifying it without sign-off. This PR does not touch that suite — it only clears the audit. See the PR discussion for the decision needed (fix vendor vs quarantine the suite vs track separately).

🤖 Generated with Claude Code

…dvisory

GHSA-5xrq-8626-4rwp (Vitest UI arbitrary file read/exec, <4.1.0) tripped
`pnpm audit --audit-level=critical` on every PR. Force vitest >=4.1.0 via root
pnpm.overrides (covers vendored + core/paperclip + transitive), bump the 7
@wavex-os/* declared ranges to match, and add vite ^6 as a root devDep so
vitest 4's vite peer (^6||^7||^8) resolves for the test packages without
disturbing onboarding-ui's own vite 5 app build.

Audit now exits 0 (no criticals; moderates 7->1). All @wavex-os + vendored
suites pass on vitest 4 (auth-shim, composio-shim, db, inference-adapter,
shared, paperclip-plugin-wavex, flywheel-kernel, tier-router, onboarding).
@aimerdoux aimerdoux merged commit e872882 into main Jun 2, 2026
1 check passed
@aimerdoux aimerdoux deleted the fix/ci-vitest4-and-pglite branch June 2, 2026 16:59
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant