[Snyk] Upgrade vitest from 3.1.2 to 4.0.6

[danielmason89]

Snyk has created this PR to upgrade vitest from 3.1.2 to 4.0.6.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

---

• The recommended version is 36 versions ahead of your current version.

• The recommended version was released 24 days ago.

⚠️ Warning: This PR contains major version upgrade(s), and may be a breaking change.

Issues fixed by the recommended upgrade:

	Issue	Score	Exploit Maturity
	Prototype Pollution SNYK-JS-JSYAML-13961110	222	No Known Exploit
	Directory Traversal SNYK-JS-VITE-13644406	222	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-BRACEEXPANSION-9789073	222	Proof of Concept
	Relative Path Traversal SNYK-JS-VITE-12558116	222	Proof of Concept

Release notes

Package name: vitest

• 4.0.6 - 2025-10-31
  

     🐞 Bug Fixes

  • Don't merge errors with different diffs for reporting  -  by @ hi-ogawa in #8871 (3e19f)
  • Do not throw when importing a type from an external package  -  by @ sheremet-va in #8875 (7e6c3)
  • Improve spying types  -  by @ sheremet-va in #8878 (ca041)
  • Reuse the same environment when isolate and fileParallelism are false  -  by @ sheremet-va in #8889 (31706)
  • browser:
    • Support module tracking  -  by @ sheremet-va in #8877 (9e24a)
    • Ensure setup files are re-evaluated on each test run  -  by @ yjaaidi in #8883 and #8884 (f50ea)
  • coverage:
    • Prevent filtering out virtual files before remapping to sources  -  by @ AriPerkkio in #8860 (e3b77)
  • happy-dom:
    • Properly teardown additional keys  -  by @ sheremet-va in #8888 (10a06)
  • jsdom:
    • Pass down Node.js FormData to Request  -  by @ sheremet-va in #8880 (197ca)

      View changes on GitHub

• 4.0.5 - 2025-10-29
  

     🐞 Bug Fixes

  • Respect ssr.noExternal when externalizing dependencies, fix Svelte and Astro  -  by @ sheremet-va in #8862 (a4f86)
  • Allow module in --config  -  by @ sheremet-va in #8864 (b9521)
  • browser: Allow Locator type in selectOptions element parameter  -  by @ rzzf and @ sheremet-va in #8848 (7ee28)
  • module-runner: Don't return node builtins for getBuiltins unconditionally  -  by @ sapphi-red in #8863 (0e858)
  • pool: Rename groupId to groupOrder in error message  -  by @ Yohannfra in #8856 (b9aab)

     🏎 Performance

  • Pass testfiles at once when --no-isolate --maxWorkers=1  -  by @ AriPerkkio in #8835 (584aa)
  • expect: Optimize checking the input type  -  by @ Connormiha in #8840 (06968)

      View changes on GitHub

• 4.0.4 - 2025-10-27
  

     🐞 Bug Fixes

  • browser:
    • Correct typo  -  by @ benmccann in #8796 (ede1f)
    • Publish a missing context file for webdriverio  -  by @ sheremet-va in #8824 (7c7b6)
  • mocker:
    • Support mocking builtins without node: prefix  -  by @ sheremet-va in #8829 (06208)
  • pool:
    • Runner's error listener causing MaxListenersExceededWarning  -  by @ AriPerkkio in #8820 (d1bff)
    • Capture workers stdio to logger  -  by @ AriPerkkio in #8809 (fb95f)
  • spy:
    • Allow classes in vi.mocked utility  -  by @ sheremet-va in #8839 (f8756)
  • worker:
    • Rpc listener leak when isolate: false  -  by @ AriPerkkio in #8821 (573dc)

     🏎 Performance

  • utils: Optimized reducer to avoid creating new objects  -  by @ Connormiha in #8818 (d19ce)

      View changes on GitHub

• 4.0.3 - 2025-10-24
  

     🐞 Bug Fixes

  • Preserve reporter options from config when CLI reporters override them  -  by @ Copilot and sheremet-va in #8794 (15552)
  • browser: More stable in-source testing validation  -  by @ sheremet-va in #8793 (62297)
  • happy-dom: Support fetch globals  -  by @ sheremet-va in #8791 (0fb74)
  • init: Use correct jsx/tsx extension  -  by @ sheremet-va in #8792 (abc04)

      View changes on GitHub

• 4.0.2 - 2025-10-23
  

     🐞 Bug Fixes

  • browser:
    • Don't print the deprecation notice in node_modules  -  by @ sheremet-va in #8779 (588f7)
  • pool:
    • Assign envs before running tests to keep in sync with process.env  -  by @ sheremet-va in #8769 (26ce8)
  • spy:
    • Properly inherit implementation's length  -  by @ sheremet-va in #8778 (d4c2b)
    • Reset spies if both restoreMocks and mockReset are set in the config  -  by @ sheremet-va in #8781 (2eedb)

      View changes on GitHub

• 4.0.1 - 2025-10-22
  

     🐞 Bug Fixes

  • Move the getBuiltins check  -  by @ sheremet-va in #8765 (81000)
  • pool: Don't teardown the communication channel too soon if something is running after the test  -  by @ sheremet-va in #8767 (3fae7)

      View changes on GitHub

• 4.0.0 - 2025-10-22
  

  Vitest 4.0 is out!

  To stay updated, read our blog post and check the migration guide.

     🚨 Breaking Changes

  • Remove 'basic' reporter  -  by @ AriPerkkio in #7884 (82fcf)
  • Simplify default exclude pattern  -  by @ sheremet-va in #6287 (14c50)
  • Remove deprecated getSourceMap  -  by @ sheremet-va in #8194 (ff934)
  • Replace deprecated ErrorWithDiff with TestError  -  by @ sheremet-va in #8195 (da59e)
  • Remove UserConfig type in favor of ViteUserConfig  -  by @ sheremet-va in #8196 (22f7f)
  • Remove deprecated coverage options in favor of vitest/node exports  -  by @ sheremet-va in #8197 (dc848)
  • Remove deprecated internal helpers and environment exports  -  by @ sheremet-va in #8198 (4703c)
  • Remove deprecated typecheck and runner types  -  by @ sheremet-va in #8199 (89a1c)
  • Remove Node types from the main entry point, use vitest/node instead  -  by @ sheremet-va in #8200 (1e60c)
  • Remove support for Vite 5  -  by @ sheremet-va in #8202 (cb8b0)
  • Remove deprecated types  -  by @ sheremet-va in #8203 (66bee)
  • Remove deprecated environmentMatchGlobs and poolMatchGlobs  -  by @ sheremet-va in #8205 (be11d)
  • Remove deprecated workspace option in favor of projects  -  by @ sheremet-va in #8218 (76fb7)
  • Ignore --standalone when CLI filename filter is used  -  by @ AriPerkkio in #8262 (013bf)
  • Use module-runner instead of vite-node  -  by @ sheremet-va and @ AriPerkkio in #8208 (9be01)
  • Rewrite spying implementation to make module mocking more intuitive  -  by @ sheremet-va in #8363 (9e412)
  • Remove deprecated APIs  -  by @ sheremet-va in #8428 (a1cb9)
  • Remove minWorkers and set it automatically to 0 in non watch mode  -  by @ sheremet-va in #8454 (2c2d1)
  • Verbose reporter prints tests in a list, introduce tree reporter  -  by @ sheremet-va and @ AriPerkkio in #8500 (25fd3)
  • Include shadow root contents in pretty-format output  -  by @ wkillerud in #8545 (9e722)
  • Remove deprecated order from test() API  -  by @ sheremet-va in #8594 (4d419)
  • Rewrite pools without tinypool  -  by @ AriPerkkio and @ sheremet-va in #8705 (4822d)
  • browser: Require a provider factory instead of a string  -  by @ sheremet-va in #8445 (606cb)
  • expect: Pass current equality testers to asymmetric matcher  -  by @ hi-ogawa in #6825 (965ce)
  • projects: Allow only files that have "vitest.config" or "vite.config" in the name  -  by @ sheremet-va in #8542 (304bc)
  • reporter: Remove deprecated APIs  -  by @ AriPerkkio and @ sheremet-va in #8223 (149f8)
  • runner: Set mode to todo if no function is passed down to test or describe  -  by @ sheremet-va in #8346 (1a81c)
  • snapshot: Fail test with obsolete snapshot on CI  -  by @ hi-ogawa in #7963 (4d84f)
  • spy: Support spying on classes  -  by @ sheremet-va in #6160 (abc0d)

     🚀 Features

  • Provide entity to onConsoleLog  -  by @ sheremet-va in #8159 (437d4)
  • Add onUnhandledError callback  -  by @ sheremet-va in #8162 (924cb)
  • Add spy option to vi.mockObject  -  by @ rChaoz in #8285 (81d76)
  • Don't use vite-node in coverage packages  -  by @ sheremet-va (ffdb4)
  • Clickable dashboard numbers  -  by @ shairez in #7406 (2344c)
  • Display test "path" when filtering  -  by @ userquin in #8547 (2e491)
  • Introduce separate packages for browser mode providers  -  by @ sheremet-va in #8629 (0dc93)
  • Add hooks with type-safe extra context to TestAPI  -  by @ ysfaran in #8623 (6b21c)
  • Support expect.assert for type narrowing  -  by @ sheremet-va in #8695 (fe589)
  • Add displayAnnotations option to github-options  -  by @ sheremet-va in #8706 (4a66d)
  • Add schema validation matchers  -  by @ zirkelc in #8527 (c0b25)
  • Add a way to dump transformed content  -  by @ sheremet-va in #8711 (931c0)
  • api:
    • Expose experimental_parseSpecifications  -  by