chore: Resolve audit vulnerabilities by updating the vitest toolchain #1
The vite/ws/postcss vulnerabilities were transitive dependencies pulled in via vitest and vitest-pool-workers, so they are resolved by updating the direct dependencies. The pool-workers 0.14→0.16 bump is treated as a breaking change, but it satisfies the peer requirement vitest ^4.1.0 and all tests pass. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Code Review
This pull request updates several development dependencies, including @cloudflare/vitest-pool-workers, vitest, and wrangler. Feedback on the changes highlights that these dependency updates raise the required Node.js version to >=22.0.0 in the lockfile, which conflicts with the "engines": { "node": ">=18" } configuration currently specified in package.json. It is recommended to update the Node.js engine requirement in package.json to >=22 to maintain consistency and prevent installation or runtime issues in older Node.js environments.
Pull request overview
This PR updates the Vitest + Cloudflare Workers testing toolchain dependencies to eliminate transitive npm audit vulnerabilities reported via vitest / @cloudflare/vitest-pool-workers (and related packages like wrangler, miniflare, vite, ws, postcss).
Changes:
- Bump vitest from ^4.1.2 to ^4.1.8.
- Bump @cloudflare/vitest-pool-workers from ^0.14.1 to ^0.16.13.
- Bump wrangler from ^4.80.0 to ^4.98.0 and refresh the lockfile accordingly.
Reviewed changes
Copilot reviewed 1 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| package.json | Updates direct devDependencies for Vitest + Workers test tooling. |
| package-lock.json | Updates the resolved dependency graph to match the new toolchain versions and remove audited vulnerabilities. |
Node 18 is EOL and Node 20 has also reached the end of maintenance, so the oldest LTS currently maintained is v22. The devDeps (wrangler/miniflare/kv-asset-handler) also require node>=22, so the supported Node version is aligned with reality. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
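Overview
Resolves the 6 vulnerabilities reported by npm audit (vite path traversal / ws memory disclosure / postcss XSS). All of them were transitive dependencies via vitest and @cloudflare/vitest-pool-workers, so they were addressed by updating the direct dependencies.
Changes
The @cloudflare/vitest-pool-workers 0.14→0.16 bump is treated as a breaking change, but it satisfies the peer requirement vitest ^4.1.0.
Verification
- npm audit: 0 vulnerabilities
- npm run test:node: 11 passed
- npm run test:workers: 4 passed

🤖 Generated with Claude Code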
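
The engines mismatch raised in the code review above (lockfile entries requiring Node >=22 while package.json declared >=18) can be checked mechanically after a dependency bump. The following is an added example, not part of this PR or the project's code: `minMajor` and `findEngineConflicts` are hypothetical helpers, the lockfile fragment is constructed, `example-lib` is a made-up package, and ranges are compared by major version only.

```javascript
// Added example: detect lockfile packages whose engines.node floor is higher
// than the floor the project itself declares in package.json.

// Lowest Node major admitted by a simple range such as ">=22.0.0" or
// "^20.19.0 || >=22.12.0". Returns null when no version number is present.
function minMajor(range) {
  const majors = String(range).split("||")
    .map((part) => part.trim().match(/^(?:>=|\^|~|=)?\s*v?(\d+)/))
    .filter(Boolean)
    .map((m) => Number(m[1]));
  return majors.length ? Math.min(...majors) : null;
}

// pkg: parsed package.json; lock: parsed package-lock.json (lockfileVersion 2 or 3).
function findEngineConflicts(pkg, lock) {
  // A project with no declared floor is treated as claiming support from 0.
  const declared = minMajor(pkg.engines?.node ?? "*") ?? 0;
  const conflicts = [];
  for (const [path, meta] of Object.entries(lock.packages ?? {})) {
    if (path === "" || !meta.engines?.node) continue; // root entry or no constraint
    const required = minMajor(meta.engines.node);
    if (required !== null && required > declared) {
      const name = path.replace(/^.*node_modules\//, "");
      conflicts.push({ name, required: meta.engines.node });
    }
  }
  return conflicts;
}

// Constructed lockfile fragment (versions omitted on purpose).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-project" },
    "node_modules/wrangler": { engines: { node: ">=22.0.0" } },
    "node_modules/miniflare": { engines: { node: ">=22.0.0" } },
    "node_modules/@cloudflare/kv-asset-handler": { engines: { node: ">=22.0.0" } },
    "node_modules/example-lib": { engines: { node: ">=18" } },
  },
};

const beforeFix = { engines: { node: ">=18" } }; // declared floor flagged in review
const afterFix = { engines: { node: ">=22" } };  // declared floor after the follow-up commit

console.log(findEngineConflicts(beforeFix, sampleLock));
console.log(findEngineConflicts(afterFix, sampleLock));
```

Running a check like this in CI next to npm audit catches a security bump that silently raises the runtime floor.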