
fix(security): upgrade vitest to ^4.1.0 and tmp to ^0.2.6 #828

Merged
BYK merged 3 commits into master from fix/security-vitest-tmp on Jun 4, 2026

Conversation

@BYK BYK (Member) commented Jun 4, 2026

Summary

Resolves all 4 open Dependabot alerts on this repository.

Security Fixes

| Package | Severity | CVE | Fix |
|---------|----------|-----|-----|
| vitest | CRITICAL | CVE-2026-47429 | ^3.0.2 -> ^4.1.0 (resolved 4.1.8) |
| tmp | HIGH | CVE-2026-44705 | 0.2.4 -> ^0.2.6 (resolved 0.2.7) |

CVE-2026-47429 (vitest): When Vitest UI server is listening, arbitrary files can be read and executed. Fixed in vitest >= 4.1.0.

CVE-2026-44705 (tmp): Path traversal via unsanitized prefix/postfix enables directory escape. Low practical risk for this codebase since the only usage (src/utils/files.ts:119) uses a hardcoded prefix: 'craft-' — but still important to patch.

Test Fixes for Vitest 4.x Compatibility

Vitest 4 changed how mocks handle constructors — arrow functions can no longer be used with new. Three test files were updated:

  • gcsAPI.test.ts: Replace arrow functions in Storage/Bucket mock constructors with function expressions
  • githubApi.test.ts: Replace arrow function in Octokit mock constructor with function expression
  • awsLambdaLayerManager.test.ts: Replace arrow function in Lambda mock constructor with function expression

E2E Test Reliability Fix

Fixed prepare-dry-run.e2e.test.ts failures in environments with tag.gpgsign=true in global git config (e.g., CI with TERM=dumb):

  • Disable GPG signing (commit.gpgsign, tag.gpgsign) in all test git repos
  • Centralize CLI subprocess environment into a CLI_ENV constant

Verification

  • All 1023 tests pass (1 skipped)
  • Build passes
  • Lint passes (0 errors, 7 pre-existing warnings)

Resolves 4 open Dependabot alerts:

- CVE-2026-47429 (CRITICAL): vitest UI server arbitrary file read/exec
  Upgrade vitest from ^3.0.2 to ^4.1.0 (resolved 4.1.8)

- CVE-2026-44705 (HIGH): tmp path traversal via unsanitized prefix/postfix
  Upgrade tmp from 0.2.4 to ^0.2.6 (resolved 0.2.7)

Test fixes for vitest 4.x compatibility:
- Replace arrow functions with function expressions in vi.mock()
  constructor implementations (gcsAPI, githubApi, awsLambdaLayerManager)
  since vitest 4 requires constructable functions for mocks called with new
- Fix e2e tests: disable GPG signing in test repos and centralize CLI
  environment into CLI_ENV constant to handle non-interactive terminals
- Update obsolete snapshots
- Add explicit Mock type annotations in src/__mocks__/logger.ts to avoid
  TS2742 error (inferred type references internal @vitest/spy package)
- Cast getGitHubClient through unknown in github.test.ts to fix TS2348
  (Mock<Procedure | Constructable> is not directly callable)
@BYK BYK merged commit fa28b71 into master Jun 4, 2026
21 checks passed
@BYK BYK deleted the fix/security-vitest-tmp branch June 4, 2026 20:56
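The mock-constructor change described in this PR, as an added example that is not code from the PR or from vitest: a minimal stand-in for a mock wrapper (an assumption, not vitest's own implementation) that constructs its implementation when called with `new`, alongside a probe for constructability. The `Storage`/`bucket` shape is assumed for illustration.

```javascript
// Added example: why a mock implementation used with `new` must be constructable.
// Arrow functions have no [[Construct]] slot, so `new` on them throws a TypeError.

// Minimal stand-in for a mock wrapper (assumption: not vitest's own code).
// When the mock is called with `new`, it constructs the implementation;
// otherwise it simply calls it.
function makeMock(impl) {
  return function mock(...args) {
    if (new.target) {
      return Reflect.construct(impl, args);
    }
    return impl.apply(this, args);
  };
}

// Returns true if `fn` can be used as a constructor, without invoking it:
// Reflect.construct throws when its newTarget argument is not a constructor.
function isConstructable(fn) {
  try {
    Reflect.construct(function () {}, [], fn);
    return true;
  } catch {
    return false;
  }
}

// Before (breaks under vitest 4): arrow-function implementation, not constructable.
const StorageArrow = makeMock(() => ({ bucket: (name) => ({ name }) }));

// After (the shape this PR moves to): function expression, constructable.
const StorageFn = makeMock(function () {
  this.bucket = (name) => ({ name });
});

// Attempts `new Mock()` the way a class under test would, reporting the outcome.
function tryConstruct(Mock) {
  try {
    const instance = new Mock();
    return { ok: true, bucket: instance.bucket('releases').name };
  } catch (err) {
    return { ok: false, error: err.constructor.name };
  }
}

console.log(isConstructable(() => {}), isConstructable(function () {})); // false true
console.log(tryConstruct(StorageArrow)); // { ok: false, error: 'TypeError' }
console.log(tryConstruct(StorageFn));    // { ok: true, bucket: 'releases' }
```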