chore: Bump vitest from 3.1.1 to 3.2.6

[dependabot]

Bumps vitest from 3.1.1 to 3.2.6.

Release notes

Sourced from vitest's releases.

v3.2.6

   🐞 Bug Fixes

• Pin last supported vite-node version  -  by @​sheremet-va (16f12)

    View changes on GitHub

v3.2.5

   🚀 Features

• api: Add allowWrite and allowExec options to api [backport to v3]  -  by @​hi-ogawa and Codex in vitest-dev/vitest#10445 (af88b)

   🐞 Bug Fixes

• browser: Disable client cdp API when allowWrite/allowExec: false [backport to v3]  -  by @​hi-ogawa and Codex in vitest-dev/vitest#10456 (385a1)

    View changes on GitHub

v3.2.4

   🐞 Bug Fixes

• Use correct path for optimisation of strip-literal  -  by @​mrginglymus in vitest-dev/vitest#8139 (44940)
• Print uint and buffer as a simple string  -  by @​sheremet-va in vitest-dev/vitest#8141 (b86bf)
• browser:
  • Show a helpful error when spying on an export  -  by @​sheremet-va in vitest-dev/vitest#8178 (56007)
• cli:
  • vitest run --watch should be watch-mode  -  by @​AriPerkkio in vitest-dev/vitest#8128 (657e8)
  • Use absolute path environment on Windows  -  by @​colinaaa in vitest-dev/vitest#8105 (85dc0)
  • Throw error when --shard x/<count> exceeds count of test files  -  by @​AriPerkkio in vitest-dev/vitest#8112 (8a18c)
• coverage:
  • Ignore SCSS in browser mode  -  by @​sheremet-va in vitest-dev/vitest#8161 (0c3be)
• deps:
  • Update all non-major dependencies  -  in vitest-dev/vitest#8123 (93f32)
• expect:
  • Handle async errors in expect.soft  -  by @​lzl0304 in vitest-dev/vitest#8145 (68699)
• pool:
  • Auto-adjust minWorkers when only maxWorkers specified  -  by @​AriPerkkio in vitest-dev/vitest#8110 (14dc0)
• reporter:
  • task.meta should be available in custom reporter's errors  -  by @​AriPerkkio in vitest-dev/vitest#8115 (27df6)
• runner:
  • Preserve handler wrapping on extend  -  by @​pengooseDev in vitest-dev/vitest#8153 (a9281)
• ui:
  • Ensure ui config option works correctly  -  by @​lzl0304 in vitest-dev/vitest#8147 (42eeb)

    View changes on GitHub

v3.2.3

   🚀 Features

• browser: Use base url instead of vitest  -  by @​sheremet-va in vitest-dev/vitest#8126 (1d8eb)

... (truncated)

Commits

• b6d56f8 chore: release v3.2.6
• 16f120d fix: pin last supported vite-node version
• 2cbad0a chore: release v3.2.5
• 385a1ae fix(browser): disable client cdp API when allowWrite/allowExec: false [ba...
• af88b1f feat(api): add allowWrite and allowExec options to api [backport to v3]...
• c666d14 chore: release v3.2.4
• 8a18c8e fix(cli): throw error when --shard x/\<count> exceeds count of test files (#...
• 8abd7cc chore(deps): update tinypool (#8174)
• 93f3200 fix(deps): update all non-major dependencies (#8123)
• 0c3be6f fix(coverage): ignore SCSS in browser mode (#8161)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for vitest since your current version.

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	vitest@​3.1.1 ⏵ 3.2.6	+11	+75
	nanoid@​3.3.11 ⏵ 3.3.15			-1

View full report

[socket-security]

Warning

MetaMask internal reviewing guidelines:

• Do not ignore-all
• Each alert has instructions on how to review if you don't know what it means. If lost, ask your Security Liaison or the supply-chain group
• Copy-paste ignore lines for specific packages or a group of one kind with a note on what research you did to deem it safe.
  @SocketSecurity ignore npm/PACKAGE@VERSION

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		Potential code anomaly (AI signal): npm es-module-lexer is 60.0% likely to have a medium risk anomaly Notes: This es-module-lexer component appears legitimate in its intended role but contains a significant risk surface: (a) an eval-based sink that can execute code derived from untrusted module input, and (b) an embedded wasm blob loaded at runtime that could be manipulated via supply chain compromise. The combination means using this parser with untrusted code or in an unsafe host environment could enable arbitrary code execution or behavior modification. The code shows no obvious exfiltration or persistence mechanisms, but the eval path is unacceptable in many security models and requires strict sandboxing or replacement with safer parsing patterns. Recommend using only trusted inputs, hardening the eval path (remove or heavily restrict), and validating the wasm blob integrity via checksums/signatures in the build/publish process. Confidence: 0.60 Severity: 0.66 From: ? → npm/vitest@3.2.6 → npm/eslint-plugin-jsdoc@50.6.3 → npm/webpack@5.99.5 → npm/es-module-lexer@1.7.0 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/es-module-lexer@1.7.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Potential code anomaly (AI signal): npm esbuild is 90.0% likely to have a medium risk anomaly Notes: The esbuild package uses a postinstall install.js script to download platform-specific binaries from registry sources and verify them via hashes. While hash verification reduces risk, the elevated postinstall action creates a potential code-execution surface if the script is tampered with. Audit install.js and its endpoints, ensure artifacts are strictly verified against known hashes, and test in controlled environments before deployment. Confidence: 0.90 Severity: 0.60 From: ? → npm/vitest@3.2.6 → npm/esbuild@0.28.1 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/esbuild@0.28.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Potential code anomaly (AI signal): npm rollup is 74.0% likely to have a medium risk anomaly Notes: No direct evidence of hidden malware behavior (no explicit network exfiltration, credential theft, or system command execution is visible). The dominant security concern is that this build tooling intentionally enables arbitrary code execution via new Function() for inline plugin arguments and via dynamic require()/import() of plugins and configs based on runtime-provided strings/paths, plus a stdin-to-module loader and codegen+temp-file+import for transpiled configs. If an attacker can influence CLI/CI inputs (e.g., --plugin, config path, or plugin argument text), the risk is high for build-time arbitrary code execution. Confidence: 0.74 Severity: 0.68 From: ? → npm/vitest@3.2.6 → npm/vite@6.4.3 → npm/rollup@4.62.2 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/rollup@4.62.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Potential code anomaly (AI signal): npm rollup is 70.0% likely to have a medium risk anomaly Notes: No clear malware/backdoor behavior is evident in this fragment. The main security-relevant issue is that watch hooks can execute arbitrary OS commands synchronously via child_process.execSync, with command strings sourced directly from command.watch (and potentially from config-loaded values). This is only acceptable when the watch configuration is fully trusted; otherwise it represents a high-impact arbitrary command execution risk. Signal/exit interception and global emitter usage are unusual but appear aimed at orderly shutdown rather than malicious activity. Confidence: 0.70 Severity: 0.62 From: ? → npm/vitest@3.2.6 → npm/vite@6.4.3 → npm/rollup@4.62.2 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/rollup@4.62.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Potential code anomaly (AI signal): npm vite-node is 65.0% likely to have a medium risk anomaly Notes: The fragment represents a legitimate module runner with sophisticated module resolution, interop, and VM-based execution. No explicit malicious payload is present. However, the combination of dynamic fetching, transformation, and VM execution constitutes a high-risk surface area if untrusted modules are loaded. Strengthening input trust boundaries, restricting the VM context, and limiting error leakage are recommended to mitigate supply-chain and runtime risks. Confidence: 0.65 Severity: 0.60 From: ? → npm/vitest@3.2.6 → npm/vite-node@3.2.4 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/vite-node@3.2.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report