fix(ci): bump vitest →4.1.x to clear critical security advisory (audit green)#43
Merged
Conversation
…dvisory GHSA-5xrq-8626-4rwp (Vitest UI arbitrary file read/exec, <4.1.0) tripped `pnpm audit --audit-level=critical` on every PR. Force vitest >=4.1.0 via root pnpm.overrides (covers vendored + core/paperclip + transitive), bump the 7 @wavex-os/* declared ranges to match, and add vite ^6 as a root devDep so vitest 4's vite peer (^6||^7||^8) resolves for the test packages without disturbing onboarding-ui's own vite 5 app build. Audit now exits 0 (no criticals; moderates 7->1). All @wavex-os + vendored suites pass on vitest 4 (auth-shim, composio-shim, db, inference-adapter, shared, paperclip-plugin-wavex, flywheel-kernel, tier-router, onboarding).
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Phase 1 — clear the critical security advisory (CI audit → green)
pnpm audit --audit-level=critical(CITestjob, stepSecurity audit, added in #35) has been failing on every PR and onmaindue to GHSA-5xrq-8626-4rwp — the Vitest UI server arbitrary file read/exec advisory affectingvitest <4.1.0, transitive across ~23 packages.Fix (one logical change):
pnpm.overrides.vitest = ^4.1.0— forces every instance (incl. vendored +paperclip/core + transitive) to ≥4.1.0.@wavex-os/*declared ranges^2.1.8 → ^4.1.0to match.vite ^6so vitest 4's vite peer (^6||^7||^8) resolves for the test packages without disturbingonboarding-ui's own vite 5 app build.Verified locally:
pnpm audit --audit-level=critical→ exit 0 (criticals 3→0; moderates 7→1).@wavex-os/*+ vendored suites pass on vitest 4 (auth-shim, composio-shim, db, inference-adapter, shared, paperclip-plugin-wavex, flywheel-kernel, tier-router, onboarding) — 132 passed.e2e-onboarding.test.tsis pre-existing brokenWhile verifying, I found the 12
e2e-onboardingfailures are not the "environmental pglite" issue I previously reported — I was wrong. The real cause: the pillar walk times out (30s), so pillar 3 never persistskpi_snapshot_initial, and finalize's Monte Carlo throwskpi_snapshot_initial missing from pillar_3→ 500. There's also connector-matrix drift (supabaseabsent from recommendations). This reproduces on cleanmainunder both vitest 2 and 4 — it's been invisible because the failing audit step short-circuits the job beforeRun testsruns.The failing path runs through frozen
vendor/wavex-os/**(finalize/mc-invocation.ts,assemble.ts, the connector decision-matrix), so perCLAUDE.mdI'm not modifying it without sign-off. This PR does not touch that suite — it only clears the audit. See the PR discussion for the decision needed (fix vendor vs quarantine the suite vs track separately).🤖 Generated with Claude Code