fix(deps): update npm to v4 - - package.json (major)

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
@vitest/coverage-v8 (source)	^3.2.4 → ^4.0.18
env-paths	^3.0.0 → ^4.0.0
vitest (source)	^3.2.4 → ^4.0.18

---

Release Notes

vitest-dev/vitest (@​vitest/coverage-v8)

v4.0.18

Compare Source

   🚀 Experimental Features

• experimental: Add onModuleRunner hook to worker.init  -  by @​sheremet-va in #​9286 (ea837)

   🐞 Bug Fixes

• Use meta.url in createRequire  -  by @​sheremet-va in #​9441 (e0572)
• browser: Hide injected data-testid attributes  -  by @​sheremet-va in #​9503 (f8989)
• ui: Process artifact attachments when generating HTML reporter  -  by @​macarie in #​9472 (22543)

    View changes on GitHub

v4.0.17

Compare Source

   🚀 Experimental Features

• Support openTelemetry for browser mode  -  by @​hi-ogawa in #​9180 (1ec3a)
• Support TRACEPARENT and TRACESTATE environment variables for OpenTelemetry context propagation  -  by @​Copilot, hi-ogawa and @​hi-ogawa in #​9295 (876cb)

   🐞 Bug Fixes

• Improve asymmetric matcher diff readability by unwrapping container matchers  -  by @​Copilot, sheremet-va, hi-ogawa and @​hi-ogawa in #​9330 (b2ec7)
• Improve runner error when importing outside of test context  -  by @​sheremet-va in #​9335 (2dd3d)
• Replace crypto.randomUUID to allow insecure environments (fix #​9…  -  by @​plusgut in #​9339 and #​9 (e6a3f)
• Handle null options in addEventHandler #​9371  -  by @​ThibautMarechal in #​9372 and #​9371 (40841)
• Typo in browser.provider error  -  by @​deammer in #​9394 (4b67f)
• browser:
  • Fix process.env and import.meta.env defines in inline project  -  by @​hi-ogawa in #​9239 (b70c9)
  • Fix upload File instance  -  by @​hi-ogawa in #​9294 (b6778)
  • Fix invalid project token for artifacts assets  -  by @​hi-ogawa in #​9321 (caa7d)
  • Log ErrorEvent.message when unhandled ErrorEvent.error is null  -  by @​hi-ogawa in #​9322 (5d84e)
  • Support fileParallelism on an instance  -  by @​sheremet-va in #​9328 (15006)
• coverage:
  • Remove unnecessary istanbul-lib-source-maps usage  -  by @​AriPerkkio in #​9344 (b0940)
  • Apply patch from istanbuljs/istanbuljs#837  -  by @​AriPerkkio and sapphi-red in #​9413 and #​837 (e05ce)
• fsModuleCache:
  • Don't store importers in cache  -  by @​sheremet-va in #​9422 (75136)
  • Add importers alongside importedModules  -  by @​sheremet-va in #​9423 (59f92)
• mocker:
  • Fix mock transform with class  -  by @​hi-ogawa in #​9421 (d390e)
• pool:
  • Validate environment options when reusing the worker  -  by @​sheremet-va in #​9349 (a8a88)
  • Handle worker start failures gracefully  -  by @​AriPerkkio in #​9337 (200da)
• reporter:
  • Report test module if it failed to run  -  by @​sheremet-va in #​9272 (c7888)
• runner:
  • Respect nested test.only within describe.only  -  by @​Ujjwaljain16 in #​9021 and #​9213 (55d5d)
• typecheck:
  • Improve error message when tsc outputs help text  -  by @​Ujjwaljain16 in #​9214 (7b10a)
• ui:
  • Detect gzip by magic numbers instead of Content-Type header in html reporter  -  by @​Copilot, hi-ogawa and @​hi-ogawa in #​9278 (dd033)
• webdriverio:
  • Fall back to WebDriver Classic #​9244  -  by @​JustasMonkev in #​9373 and #​9244 (c23dd)

    View changes on GitHub

v4.0.16

Compare Source

   🐞 Bug Fixes

• Fix browser mode default testTimeout back to 15 seconds  -  by @​hi-ogawa in #​9167 (da0ad)
• Avoid crashing on process.versions stub  -  by @​AriPerkkio in #​9174 (78cfb)
• Reject calling suite function inside test  -  by @​hi-ogawa in #​9198 (1a259)
• Allow inlining fully dynamic import  -  by @​hi-ogawa in #​9137 (56851)
• Fix module graph UI on html reporter with headless browser mode  -  by @​hi-ogawa in #​9219 (60642)
• Log deprecated test.poolOptions if it's set  -  by @​sheremet-va in #​9226 (f7f6a)
• browser:
  • Import recordArtifact from the vitest package  -  by @​macarie in #​9186 (01c56)
  • Fix import.meta.env define  -  by @​hi-ogawa in #​9205 (01a9a)
  • String formatting bug when including placeholders in console.log  -  by @​michael-debs and @​hi-ogawa in #​9030 and #​9131 (84a30)
• coverage:
  • Istanbul untested files source maps are off  -  by @​AriPerkkio in #​9208 (372e8)
• experimental:
  • Export setupEnvironment for custom pools  -  by @​AriPerkkio in #​9187 (5d26b)

    View changes on GitHub

v4.0.15

Compare Source

   🚀 Experimental Features

• cache: Add opt-out on a plugin level, fix internal root cache  -  by @​sheremet-va in #​9154 (a68f7)
• reporters: Print import duration breakdown  -  by @​sheremet-va in #​9105 (122ff)

   🐞 Bug Fixes

• Keep built-in id as is in bun and deno  -  by @​sheremet-va in #​9117 (075ab)
• Use optimizeDeps.rolldownOptions to fix depreated warning + fix ssr.external: true  -  by @​hi-ogawa in #​9121 (fd8bd)
• Fix external behavior with deps.optimizer  -  by @​hi-ogawa in #​9125 (4c754)
• Very minor typo in "Chrome DevTools Protocol"  -  by @​HowToTestFrontend in #​9146 (20997)
• browser: Run toMatchScreenshot only once when used with expect.element  -  by @​macarie in #​9132 (0d2e7)
• coverage: Istanbul provider to not break source maps  -  by @​AriPerkkio in #​9040 (e4ca9)
• deps: Update dependency tinyexec to v1  -  in #​9122 (fd786)
• docs: Remove --browser.provider from docs  -  by @​sheremet-va in #​9115 (120b3)
• expect: Preserve currentTestName in extended matchers  -  by @​macarie in #​9106 (e4345)
• pool: Terminate workers on CTRL+c forceful exits  -  by @​AriPerkkio in #​9140 (d57d8)
• reporters: Show project in github reporter  -  by @​sheremet-va in #​9138 (bb65e)
• spy: Do not mock overriden method, if parent was automocked  -  by @​sheremet-va in #​9116 (1a246)
• web-worker: MessagePort objects passed to Worker.postMessage work when clone === "native"  -  by @​whitphx in #​9118 (deee8)

    View changes on GitHub

v4.0.14

Compare Source

   🚀 Experimental Features

• browser: Expose utils.configurePrettyDOM  -  by @​sheremet-va in #​9103 (2cc34)
• runner: Add full names to tasks  -  by @​macarie in #​9087 (821aa)
• ui: Add tabbed failure view for toMatchScreenshot with comparison slider  -  by @​macarie in #​8813 (c37c2)

   🐞 Bug Fixes

• Externalize before caching  -  by @​sheremet-va in #​9077 (e1b2e)
• Collect the duration of external imports  -  by @​sheremet-va in #​9097 (3326c)
• Rename collect to import, remove prepare  -  by @​sheremet-va in #​9091 (1256b)
• browser:
  • Unsubscribe onCancel on rpc destroy  -  by @​AriPerkkio in #​9088 (f5b72)
  • Revert the viewport scaling in non-ui mode #​9018  -  by @​sheremet-va in #​9072 and #​9018 (64502)
• coverage:
  • Invalidate circular modules correctly on rerun with coverage  -  by @​aicest in #​9096 (6f22c)
• expect:
  • Allow function as standard schema  -  by @​hi-ogawa in #​9099 (ed8a2)
• jsdom:
  • Reuse abort signals if possible  -  by @​sheremet-va in #​9090 (2c468)
• pool:
  • Init VITEST_POOL_ID + VITEST_WORKER_ID before environment setup  -  by @​AriPerkkio in #​9085 (37918)
• web-worker:
  • postMessage to send ports to workers  -  by @​whitphx and @​AriPerkkio in #​9078 (9d176)

   🏎 Performance

• Replace debug with obug  -  by @​sxzz and @​AriPerkkio in #​9057 (acc51)

    View changes on GitHub

v4.0.13

Compare Source

   🐞 Bug Fixes

• types:
  • Don't use type from Vite 7.1  -  by @​sheremet-va in #​9071 (6356b)
  • Don't import node.js dependent types in vitest/browser  -  by @​sheremet-va in #​9068 (332af)

   🏎 Performance

• Avoid fetchModule roundtrip if the module is cached  -  by @​sheremet-va in #​9075 (b27e0)
• experimental: If fsCacheModule is enabled, read from the memory when possible  -  by @​sheremet-va in #​9076 (6b9a1)

    View changes on GitHub

v4.0.12

Compare Source

   🐞 Bug Fixes

• Inherit fsModuleCachePath by default  -  by @​sheremet-va in #​9063 (9a8bc)
• Don't import from @opentelemetry/api in public types  -  by @​sheremet-va in #​9066 (e944a)

    View changes on GitHub

v4.0.11

Compare Source

   🚀 Experimental Features

• api: Add extensible test artifact API  -  by @​macarie in #​8987 (77292)
  • See more at https://vitest.dev/api/advanced/artifacts
• expect: Provide task in MatchState  -  by @​macarie in #​9022 (afd1f)
• experimental: Support OpenTelemetry traces  -  by @​sheremet-va in #​8994 (d6d33)
  • See more at https://vitest.dev/guide/open-telemetry

   🏎 Performance

• experimental: Add file system cache  -  by @​sheremet-va in #​9026 (1b147)
  • See more at https://vitest.dev/config/experimental#experimental-fsmodulecache

    View changes on GitHub

v4.0.10

Compare Source

   🐞 Bug Fixes

• Remove onCancel when worker is terminated  -  by @​sheremet-va in #​9033 (6d7f0)
• browser:
  • Don't scale the iframe if UI is disabled  -  by @​sheremet-va in #​9018 (5406e)
  • Handle dependency stack traces with external source maps. Resolves: #​9003  -  by @​iclectic in #​9016 and #​9003 (57ae5)
• bun:
  • Parsing of stack trace for bun runtime  -  by @​nazarhussain in #​9032 (f3ec6)
• core:
  • Prevent starting new run when cancelling  -  by @​AriPerkkio in #​8991 (eb98d)
• pool:
  • Prevent writing to closed worker  -  by @​AriPerkkio and @​sheremet-va in #​9023 (042c6)
• reporters:
  • Report correct test run duration at the end  -  by @​sheremet-va in #​8969 (bc3a6)
• ui:
  • Use execution time from ws reporter (onFinished)  -  by @​userquin in #​8975 (f56dc)

    View changes on GitHub

v4.0.9

Compare Source

   🚀 Experimental Features

• expect: Add Set support to toBeOneOf  -  by @​tim-we and @​sheremet-va in #​8906 (a415d)

   🐞 Bug Fixes

• browser: Add favicon icons to the browser mode ui  -  by @​userquin in #​8972 (353ee)
• forks: Increase worker start timeout  -  by @​AriPerkkio in #​9027 (5e750)
• jsdom: Cloned request is an instance of Request  -  by @​sheremet-va in #​8985 (506a9)
• ui: Collect file/suite/test duration correctly  -  by @​userquin in #​8976 (8016d)

    View changes on GitHub

v4.0.8

Compare Source

   🐞 Bug Fixes

• Workaround noExternal merging bug on Vite 6  -  by @​hi-ogawa in #​8950 (bcb13)
• Missed context.d.ts file  -  by @​termorey in #​8965 (9044d)
• Incorrect error message for non-awaited expect.element()  -  by @​StyleShit in #​8954 (9638d)
• browser: Cleanup frame-ancestors from CSP header at coverage middleware  -  by @​userquin in #​8941 (1f730)
• deps: Update all non-major dependencies  -  by @​sheremet-va in #​8636 (da8b9)
• forks: Do not fail with Windows Defender enabled  -  by @​sheremet-va in #​8967 (c79f4)
• runner: Properly encode Uint8Array body in annotations  -  by @​Livan-pro in #​8951 (997ca)
• spy: Copy static properties if spy is initialised with vi.fn(), fix types for vi.spyOn(obj, class)  -  by @​sheremet-va in #​8956 (75e7f)
• webdriverio: When no argument is passed to the .click interaction command, the webdriver command should also have no argument  -  by @​julienw in #​8937 (069e6)

    View changes on GitHub

v4.0.7

Compare Source

   🐞 Bug Fixes

• Bind process in case global is overwritten  -  by @​AriPerkkio in #​8916 (6240d)
• Create environment once per worker with isolate: false  -  by @​sheremet-va in #​8915 (c9078)
• Add Locator as a possible element type in toContainElement() matcher  -  by @​vitalybaev in #​8910 and #​8927 (35a27)
• browser: Inherit isolate option, deprecate browser.isolate/browser.fileParallelism  -  by @​sheremet-va in #​8890 (9d2b4)
• cli: Parse --execArgv as array  -  by @​AriPerkkio in #​8924 (751c3)
• jsdom: Support URL.createObjectURL, FormData.set(prop, blob)  -  by @​sheremet-va in #​8935 (a1b73)
• pool: Avoid --require argument when running in deno  -  by @​pi0 in #​8897 (d41fa)
• typecheck: Handle re-runs outside tsc  -  by @​AriPerkkio in #​8920 (fdb2e)

   🏎 Performance

• pool:
  • Sort test files by project by default  -  by @​AriPerkkio in #​8914 (680a6)
• reporters:
  • Optimize getting the tests stats  -  by @​Connormiha in #​8908 (06d62)
  • Remove unnecessary Array.from call  -  by @​Connormiha in #​8907 (b6014)

    View changes on GitHub

v4.0.6

Compare Source

   🐞 Bug Fixes

• Don't merge errors with different diffs for reporting  -  by @​hi-ogawa in #​8871 (3e19f)
• Do not throw when importing a type from an external package  -  by @​sheremet-va in #​8875 (7e6c3)
• Improve spying types  -  by @​sheremet-va in #​8878 (ca041)
• Reuse the same environment when isolate and fileParallelism are false  -  by @​sheremet-va in #​8889 (31706)
• browser:
  • Support module tracking  -  by @​sheremet-va in #​8877 (9e24a)
  • Ensure setup files are re-evaluated on each test run  -  by @​yjaaidi in #​8883 and #​8884 (f50ea)
• coverage:
  • Prevent filtering out virtual files before remapping to sources  -  by @​AriPerkkio in #​8860 (e3b77)
• happy-dom:
  • Properly teardown additional keys  -  by @​sheremet-va in #​8888 (10a06)
• jsdom:
  • Pass down Node.js FormData to Request  -  by @​sheremet-va in #​8880 (197ca)

    View changes on GitHub

v4.0.5

Compare Source

   🐞 Bug Fixes

• Respect ssr.noExternal when externalizing dependencies  -  by @​sheremet-va in #​8862 (a4f86)
• Allow module in --config  -  by @​sheremet-va in #​8864 (b9521)
• browser: Allow Locator type in selectOptions element parameter  -  by @​rzzf and @​sheremet-va in #​8848 (7ee28)
• module-runner: Don't return node builtins for getBuiltins unconditionally  -  by @​sapphi-red in #​8863 (0e858)
• pool: Rename groupId to groupOrder in error message  -  by @​Yohannfra in #​8856 (b9aab)

   🏎 Performance

• Pass testfiles at once when --no-isolate --maxWorkers=1  -  by @​AriPerkkio in #​8835 (584aa)
• expect: Optimize checking the input type  -  by @​Connormiha in #​8840 (06968)

    View changes on GitHub

v4.0.4

Compare Source

   🐞 Bug Fixes

• browser:
  • Correct typo  -  by @​benmccann in #​8796 (ede1f)
  • Publish a missing context file for webdriverio  -  by @​sheremet-va in #​8824 (7c7b6)
• mocker:
  • Support mocking builtins without node: prefix  -  by @​sheremet-va in #​8829 (06208)
• pool:
  • Runner's error listener causing MaxListenersExceededWarning  -  by @​AriPerkkio in #​8820 (d1bff)
  • Capture workers stdio to logger  -  by @​AriPerkkio in #​8809 (fb95f)
• spy:
  • Allow classes in vi.mocked utility  -  by @​sheremet-va in #​8839 (f8756)
• worker:
  • Rpc listener leak when isolate: false  -  by @​AriPerkkio in #​8821 (573dc)

   🏎 Performance

• utils: Optimized reducer to avoid creating new objects  -  by @​Connormiha in #​8818 (d19ce)

    View changes on GitHub

v4.0.3

Compare Source

   🐞 Bug Fixes

• Preserve reporter options from config when CLI reporters override them  -  by @​Copilot and sheremet-va in #​8794 (15552)
• browser: More stable in-source testing validation  -  by @​sheremet-va in #​8793 (62297)
• happy-dom: Support fetch globals  -  by @​sheremet-va in #​8791 (0fb74)
• init: Use correct jsx/tsx extension  -  by @​sheremet-va in #​8792 (abc04)

    View changes on GitHub

v4.0.2

Compare Source

   🐞 Bug Fixes

• browser:
  • Don't print the deprecation notice in node_modules  -  by @​sheremet-va in #​8779 (588f7)
• pool:
  • Assign envs before running tests to keep in sync with process.env  -  by @​sheremet-va in #​8769 (26ce8)
• spy:
  • Properly inherit implementation's length  -  by @​sheremet-va in #​8778 (d4c2b)
  • Reset spies if both restoreMocks and mockReset is set in the config  -  by @​sheremet-va in #​8781 (2eedb)

    View changes on GitHub

v4.0.1

Compare Source

   🐞 Bug Fixes

• Move the getBuiltins check  -  by @​sheremet-va in #​8765 (81000)
• pool: Don't teardown the communication channel too soon if something is running after the test  -  by @​sheremet-va in #​8767 (3fae7)

    View changes on GitHub

v4.0.0

Compare Source

   🚨 Breaking Changes

• Remove 'basic' reporter  -  by @​AriPerkkio in #​7884 (82fcf)
• Simplify default exclude pattern  -  by @​sheremet-va in #​6287 (14c50)
• Remove deprecated getSourceMap  -  by @​sheremet-va in #​8194 (ff934)
• Replace deprecated ErrorWithDiff with TestError  -  by @​sheremet-va in #​8195 (da59e)
• Remove UserConfig type in favor of ViteUserConfig  -  by @​sheremet-va in #​8196 (22f7f)
• Remove deprecated coverage options in favor of vitest/node exports  -  by @​sheremet-va in #​8197 (dc848)
• Remove deprecated internal helpers and environment exports  -  by @​sheremet-va in #​8198 (4703c)
• Remove deprecated typecheck and runner types  -  by @​sheremet-va in #​8199 (89a1c)
• Remove Node types from the main entry point, use vitest/node instead  -  by @​sheremet-va in #​8200 (1e60c)
• Remove support for Vite 5  -  by @​sheremet-va in #​8202 (cb8b0)
• Remove deprecated types  -  by @​sheremet-va in #​8203 (66bee)
• Remove deprecated environmentMatchGlobs and poolMatchGlobs  -  by @​sheremet-va in #​8205 (be11d)
• Remove deprecated workspace option in favor of projects  -  by @​sheremet-va in #​8218 (76fb7)
• Ignore --standalone when CLI filename filter is used  -  by @​AriPerkkio in #​8262 (013bf)
• Use module-runner instead of vite-node  -  by @​sheremet-va and @​AriPerkkio in #​8208 (9be01)
• Rewrite spying implementation to make module mocking more intuitive  -  by @​sheremet-va in #​8363 (9e412)
• Remove deprecated APIs  -  by @​sheremet-va in #​8428 (a1cb9)
• Remove minWorkers and set it automatically to 0 in non watch mode  -  by @​sheremet-va in #​8454 (2c2d1)
• Verbose reporter prints tests in a list, introduce tree reporter  -  by @​sheremet-va and @​AriPerkkio in #​8500 (25fd3)
• Include shadow root contents in pretty-format output  -  by [@​wkiller

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

Scorecard details

Package	Version	Score	Details
npm/@standard-schema/spec	1.1.0	Unknown	Unknown
npm/@vitest/coverage-v8	4.0.18	Unknown	Unknown
npm/@vitest/expect	4.0.18	Unknown	Unknown
npm/@vitest/mocker	4.0.18	Unknown	Unknown
npm/@vitest/pretty-format	4.0.18	Unknown	Unknown
npm/@vitest/runner	4.0.18	Unknown	Unknown
npm/@vitest/snapshot	4.0.18	Unknown	Unknown
npm/@vitest/spy	4.0.18	Unknown	Unknown
npm/@vitest/utils	4.0.18	Unknown	Unknown
npm/ast-v8-to-istanbul	0.3.11	Unknown	Unknown
npm/chai	6.2.2	🟢 6.2	Details Check Score Reason Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Code-Review 🟢 8 Found 7/8 approved changesets -- score normalized to 8 Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Maintained 🟢 10 25 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10 Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Pinned-Dependencies 🟢 10 all dependencies are pinned Security-Policy ⚠️ 0 security policy file not detected License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Signed-Releases ⚠️ -1 no releases found Packaging 🟢 10 packaging workflow detected Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Vulnerabilities 🟢 6 4 existing vulnerabilities detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
npm/env-paths	4.0.0	🟢 4.6	Details Check Score Reason Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Maintained 🟢 4 3 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 4 Code-Review ⚠️ 2 Found 7/30 approved changesets -- score normalized to 2 Binary-Artifacts 🟢 10 no binaries found in the repo Packaging ⚠️ -1 packaging workflow not detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Security-Policy 🟢 10 security policy file detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Vulnerabilities 🟢 10 0 existing vulnerabilities detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
npm/is-safe-filename	0.1.1	Unknown	Unknown
npm/js-tokens	10.0.0	🟢 4.1	Details Check Score Reason Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected Binary-Artifacts 🟢 10 no binaries found in the repo Maintained 🟢 6 8 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 6 Code-Review ⚠️ 0 Found 2/23 approved changesets -- score normalized to 0 Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Pinned-Dependencies ⚠️ 2 dependency not pinned by hash detected -- score normalized to 2 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Security-Policy ⚠️ 0 security policy file not detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Vulnerabilities 🟢 10 0 existing vulnerabilities detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
npm/magic-string	0.30.21	🟢 3.3	Details Check Score Reason Code-Review 🟢 3 Found 10/30 approved changesets -- score normalized to 3 Maintained ⚠️ 0 0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0 Binary-Artifacts 🟢 10 no binaries found in the repo Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Security-Policy ⚠️ 0 security policy file not detected License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Vulnerabilities 🟢 6 4 existing vulnerabilities detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
npm/magicast	0.5.2	Unknown	Unknown
npm/obug	2.1.1	Unknown	Unknown
npm/std-env	3.10.0	Unknown	Unknown
npm/tinyexec	1.0.2	Unknown	Unknown
npm/tinyrainbow	3.0.3	Unknown	Unknown
npm/vitest	4.0.18	Unknown	Unknown

Scanned Files

• package-lock.json

[netlify]

✅ Deploy Preview for endearing-brigadeiros-63f9d0 canceled.

Name	Link
🔨 Latest commit	fab2079
🔍 Latest deploy log	https://app.netlify.com/projects/endearing-brigadeiros-63f9d0/deploys/6986a74ff6849c000844a525

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 82.83%. Comparing base (94d807d) to head (b901a71).

Additional details and impacted files

@@           Coverage Diff           @@
##             main     #893   +/-   ##
=======================================
  Coverage   82.83%   82.83%           
=======================================
  Files          66       66           
  Lines        2784     2784           
  Branches      334      334           
=======================================
  Hits         2306     2306           
  Misses        431      431           
  Partials       47       47           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[06kellyjac]

Requires Eslint v9+