chore(deps): update devdependency vitest to v3 [security]

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
vitest (source)	^0.23.2 → ^3.0.0

---

When Vitest UI server is listening, arbitrary file can be read and executed

CVE-2026-47429 / GHSA-5xrq-8626-4rwp

More information

Details

Summary

Arbitrary file can be read on Windows when Vitest UI server is listening, especially when exposed to the network.

Impact

Only users that match either of the following conditions are affected:

• explicitly exposes the Vitest UI server to the network (using --api.host or api.host config option)
• running the Vitest UI or Browser Mode on Windows

Details

The API handler for /__vitest_attachment__ uses the deprecated isFileServingAllowed incorrectly.
https://github.com/vitest-dev/vitest/blob/eb1abf08573032a532015b999ad3501c5e89e3bb/packages/ui/node/index.ts#L77
The function expects the passed value to use cleanUrl after the check before file system related operation.
Because of this, it is possible to bypass the check by \\?\\..\\. This is not possible on Linux as Linux errors if a directory named ? does not exist.

A similar problem exists in other places as well.

• https://github.com/vitest-dev/vitest/blob/eb1abf08573032a532015b999ad3501c5e89e3bb/packages/vitest/src/api/setup.ts#L103-L105
• https://github.com/vitest-dev/vitest/blob/eb1abf08573032a532015b999ad3501c5e89e3bb/packages/vitest/src/api/setup.ts#L119-L121
• https://github.com/vitest-dev/vitest/blob/eb1abf08573032a532015b999ad3501c5e89e3bb/packages/browser/src/node/commands/fs.ts#L10-L11
• https://github.com/vitest-dev/vitest/blob/eb1abf08573032a532015b999ad3501c5e89e3bb/packages/browser/src/node/plugin.ts#L194-L196
• https://github.com/vitest-dev/vitest/blob/eb1abf08573032a532015b999ad3501c5e89e3bb/packages/browser/src/node/rpc.ts#L115-L121

That said, this isFileServingAllowed check does not actually prevent the API to be abused. Since the API has rerun feature and file write feature, it's possible to run arbitrary script by writing a script as a test file using saveTestFile and running it using rerun. This means exposing the API / Vitest UI is equivalent to giving script execution access.
On the browser mode side, there're readFile / writeFile / saveSnapshotFile. So exposing the browser mode is equivalent to giving file read / write access.

PoC

1. Run Vitest UI
2. Get the API token by curl http://localhost:51204/__vitest__/
3. Run curl "http://localhost:51204/__vitest_attachment__?path=C:\\path\\to\\project\\?\\..\\..\\secret.txt&contentType=text/plain&token=$TOKEN" (TOKEN is the API token)
4. curl shows the content of secret.txt that is outside the project directory

Mitigations

Vitest now ships two configuration flags, allowWrite and allowExec, that gate the privileged operations exploited by this vulnerability. Both are disabled by default whenever the API server is bound to a non-localhost host, ensuring that exposing the server to the network no longer implicitly grants write or execute capabilities to remote clients.

When these flags are disabled, the UI also enters a read-only mode: in-browser code editing and test file execution are turned off, removing the attack surface that allowed remote code execution. Many Browser Mode features are also disabled, like attachments, artifacts or snapshots. See browser.api.

Users who require the full interactive UI on a networked host must explicitly opt in by setting allowWrite and/or allowExec to true.

Severity

• CVSS Score: 9.8 / 10 (Critical)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

• https://github.com/vitest-dev/vitest/security/advisories/GHSA-5xrq-8626-4rwp
• https://github.com/vitest-dev/vitest/blob/eb1abf08573032a532015b999ad3501c5e89e3bb/packages/browser/src/node/commands/fs.ts#L10-L11
• https://github.com/vitest-dev/vitest/blob/eb1abf08573032a532015b999ad3501c5e89e3bb/packages/browser/src/node/plugin.ts#L194-L196
• https://github.com/vitest-dev/vitest/blob/eb1abf08573032a532015b999ad3501c5e89e3bb/packages/browser/src/node/rpc.ts#L115-L121
• https://github.com/vitest-dev/vitest/blob/eb1abf08573032a532015b999ad3501c5e89e3bb/packages/ui/node/index.ts#L77
• https://github.com/vitest-dev/vitest/blob/eb1abf08573032a532015b999ad3501c5e89e3bb/packages/vitest/src/api/setup.ts#L103-L105
• https://github.com/vitest-dev/vitest/blob/eb1abf08573032a532015b999ad3501c5e89e3bb/packages/vitest/src/api/setup.ts#L119-L121
• https://github.com/advisories/GHSA-5xrq-8626-4rwp

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

vitest-dev/vitest (vitest)

v3.2.6

Compare Source

v3.2.5

Compare Source

v3.2.4

Compare Source

   🐞 Bug Fixes

• Use correct path for optimisation of strip-literal  -  by @​mrginglymus in #​8139 (44940)
• Print uint and buffer as a simple string  -  by @​sheremet-va in #​8141 (b86bf)
• browser:
  • Show a helpful error when spying on an export  -  by @​sheremet-va in #​8178 (56007)
• cli:
  • vitest run --watch should be watch-mode  -  by @​AriPerkkio in #​8128 (657e8)
  • Use absolute path environment on Windows  -  by @​colinaaa in #​8105 (85dc0)
  • Throw error when --shard x/<count> exceeds count of test files  -  by @​AriPerkkio in #​8112 (8a18c)
• coverage:
  • Ignore SCSS in browser mode  -  by @​sheremet-va in #​8161 (0c3be)
• deps:
  • Update all non-major dependencies  -  in #​8123 (93f32)
• expect:
  • Handle async errors in expect.soft  -  by @​lzl0304 in #​8145 (68699)
• pool:
  • Auto-adjust minWorkers when only maxWorkers specified  -  by @​AriPerkkio in #​8110 (14dc0)
• reporter:
  • task.meta should be available in custom reporter's errors  -  by @​AriPerkkio in #​8115 (27df6)
• runner:
  • Preserve handler wrapping on extend  -  by @​pengooseDev in #​8153 (a9281)
• ui:
  • Ensure ui config option works correctly  -  by @​lzl0304 in #​8147 (42eeb)

    View changes on GitHub

v3.2.3

Compare Source

   🚀 Features

• browser: Use base url instead of vitest  -  by @​sheremet-va in #​8126 (1d8eb)
• ui: Show test annotations and metadata in the test report tab  -  by @​sheremet-va in #​8093 (c69be)

   🐞 Bug Fixes

• Rerun tests when project's setup file is changed  -  by @​sheremet-va in #​8097 (0f335)
• Revert expect.any return type  -  by @​sheremet-va in #​8129 (47514)
• Run only the name plugin last, not all config plugins  -  by @​sheremet-va in #​8130 (83862)
• pool:
  • Throw if user's tests use process.send()  -  by @​AriPerkkio in #​8125 (dfe81)
• runner:
  • Fast sequential task updates missing  -  by @​AriPerkkio in #​8121 (7bd11)
  • Comments between fixture destructures  -  by @​AriPerkkio in #​8127 (dc469)
• vite-node:
  • Unable to handle errors where sourcemap mapping empty  -  by @​blake-newman and @​hi-ogawa in #​8071 (8aa25)

    View changes on GitHub

v3.2.2

Compare Source

   🚀 Features

• Support rolldown-vite  -  by @​sheremet-va and @​hi-ogawa in #​7509 (c8d62)

   🐞 Bug Fixes

• browser:
  • Calculate prepare time from createTesters call on the main thread  -  by @​sheremet-va in #​8101 (142c7)
  • Optimize build output and always prebundle vitest  -  by @​sheremet-va (00a39)
  • Make custom locators available in vitest-browser-* packages  -  by @​sheremet-va in #​8103 (247ef)
• expect:
  • Ensure we can always self toEqual  -  by @​dubzzz in #​8094 (02ec8)
• reporter:
  • Allow dot reporter to work in non interactive terminals  -  by @​bstephen1 and @​AriPerkkio in #​7994 (6db9f)

    View changes on GitHub

v3.2.1

Compare Source

   🐞 Bug Fixes

• Use sha1 instead of md5 for hashing  -  by @​sheremet-va (e4c73)
• expect:
  • Fix chai import in dts  -  by @​hi-ogawa in #​8077 (a7593)
  • Export DeeplyAllowMatchers  -  by @​sheremet-va in #​8078 (30ab4)

    View changes on GitHub

v3.2.0

Compare Source

   🚀 Features

• Provide ctx.signal  -  by @​sheremet-va in #​7878 (e761f)
• Support custom colors for test.name  -  by @​AriPerkkio in #​7809 (4af5d)
• Add vi.mockObject to automock any object  -  by @​hi-ogawa and @​sheremet-va in #​7761 (465bd)
• Introduce watchTriggerPatterns option  -  by @​sheremet-va in #​7778 (a0675)
• Deprecate workspace in favor of projects  -  by @​sheremet-va and @​AriPerkkio in #​7923 (41beb)
• Explicit Resource Management support in mocked functions  -  by @​EskiMojo14 in #​7927 (b67d3)
• Add sequence.groupOrder option  -  by @​sheremet-va in #​7852 (d1a1d)
• Initial support for Temporal equality  -  by @​dirkluijk in #​8007 (52bd7)
• Support Vite 7  -  by @​sheremet-va in #​8003 (1716b)
• Track module execution totalTime and selfTime  -  by @​abrenneke in #​8027 (95961)
• Annotation API  -  by @​sheremet-va in #​7953 (b03f2)
• browser:
  • Implement connect option for playwright browser provider  -  by @​egfx-notifications and @​sheremet-va in #​7915 (029c0)
  • Add screenshot.save option  -  by @​sheremet-va in #​7777 (d9f51)
  • Custom locators API  -  by @​sheremet-va in #​7993 (e6fbd)
• coverage:
  • V8 experimental AST-aware remapping  -  by @​AriPerkkio in #​7736 (78a3d)
• reporter:
  • Add onWritePath option to github-actions  -  by @​nwalters512 and @​AriPerkkio in #​8015 (abd3b)
• vitest:
  • Allow per-file and per-worker fixtures  -  by @​sheremet-va and @​AriPerkkio in #​7704 (9cbfc)

   🐞 Bug Fixes

• Replace micromatch with picomatch  -  by @​sapphi-red in #​7951 (df076)
• Try to catch unhandled error outside of a test  -  by @​sheremet-va in #​7968 (46421)
• Generate a separate config for "vitest init browser" instead of a workspace file  -  by @​sheremet-va in #​7934 (e84e2)
• Switch ExpectStatic any types to AsymmetricMatcher<unknown>, with DeeplyAllowMatchers<T>  -  by @​JoshuaKGoldberg in #​7016 (8ec44)
• Remove unused exports  -  by @​sheremet-va in #​7618 (33d05)
• Throw an error if typechecker failed to spawn  -  by @​sheremet-va in #​7990 (0e960)
• Ignore non-string stack properties  -  by @​sheremet-va in #​7995 (330f9)
• Apply browser CLI options only if the project has the browser set in the config already  -  by @​sheremet-va in #​7984 (70358)
• Ensure errors keep their message and stack after toJSON serialisation  -  by @​sheremet-va in #​8053 (3bdf0)
• browser:
  • Resolve FS commands relative to the project root  -  by @​sheremet-va in #​7896 (69ac9)
  • Run tests serially if provider doesn't provide a mocker  -  by @​sheremet-va in #​8032 (227a9)
  • Resolve upload files relative to the project root  -  by @​sheremet-va in #​8042 (b9a31)
  • Await mocker invalidation to avoid race condition with "mock wasn't registered"  -  by @​sheremet-va in #​8021 (b34ff)
  • Share vite cache with the project cache  -  by @​sheremet-va in #​8049 (0cbad)
  • Add this type to locators.extend  -  by @​sheremet-va in #​8069 (70fb0)
• cache:
  • Preserve test results from previous runs  -  by @​macko911 in #​8043 (d6ef0)
• cli:
  • Add built-in reporters list to --help output  -  by @​pengooseDev in #​7955 (ef6ef)
  • Parse --silent values properly  -  by @​AriPerkkio in #​8055 (8fad7)
• coverage:
  • Istanbul provider to not use Vite preserved query params  -  by @​AriPerkkio in #​7939 (a05d4)
  • Browser + v8 in source tests missing  -  by @​AriPerkkio in #​7946 (51cd8)
  • In-source test cases excluded  -  by @​AriPerkkio in #​7985 (407c0)
• dev:
  • Fix relay of custom equality testers  -  by @​StefanLiebscher in #​6140 (6dc1d)
• expect:
  • Unbundle @types/chai  -  by @​hi-ogawa in #​7937 (525f5)
  • Support type-safe declaration of custom matchers  -  by @​kettanaito and @​sheremet-va in #​7656 (e996b)
• reporters:
  • Check the test result again when tests are rerunning  -  by @​sheremet-va in #​8063 (35e31)
• spy:
  • Copy over static properties from the function  -  by @​sheremet-va in #​7780 (9b9f0)
• typecheck:
  • Don't panic during vitest list command  -  by @​sheremet-va in #​7933 (ba6da)
  • Avoid creating a temporary tsconfig file when typechecking  -  by @​sheremet-va in #​7967 (34f43)
• vite-node:
  • Add __vite_ssr_exportName__  -  by @​hi-ogawa in #​7925 (76091)
• vitest:
  • Adjust getWorkerMemoryLimit priority for vmForks  -  by @​pengooseDev in #​7960 (5a91e)
• wdio:
  • Don't scale browser in headless mode  -  by @​sheremet-va in #​8033 (c23b0)

    View changes on GitHub

v3.1.4

Compare Source

   🐞 Bug Fixes

• Apply browser CLI options only if the project has the browser set in the config already  -  by @​sheremet-va in #​8002 (64f2b)

    View changes on GitHub

v3.1.3

Compare Source

   🐞 Bug Fixes

• Correctly resolve vitest import if inline: true is set  -  by @​sheremet-va in #​7856 (a83f3)
• Fix fixture parsing with lowered async with esbuild 0.25.3  -  by @​hi-ogawa in #​7921 (c5c85)
• Remove event-catcher code  -  by @​sheremet-va in #​7898 (deb1b)
• Reset mocks on test retry/repeat  -  by @​sheremet-va in #​7897 (2fa76)
• Ignore failures on writeToCache  -  by @​orgads in #​7893 (8c7f7)
• browser: Correctly inherit CLI options  -  by @​sheremet-va in #​7858 (03660)
• deps: Update all non-major dependencies  -  in #​7867 (67ef7)
• reporters: --merge-reports to show each total run times  -  by @​AriPerkkio in #​7877 (d613b)

    View changes on GitHub

v3.1.2

Compare Source

   🐞 Bug Fixes

• Add global chai variable in vitest/globals (fix: #​7474)  -  by @​Jay-Karia in #​7771 and #​7474 (d9297)
• Prevent modifying test.exclude when same object passed in coverage.exclude  -  by @​AriPerkkio in #​7774 (c3751)
• Fix already hoisted mock  -  by @​hi-ogawa in #​7815 (773b1)
• Fix test.scoped inheritance  -  by @​hi-ogawa in #​7814 (db6c3)
• Remove pointer-events-none after resizing the left panel  -  by @​alexprudhomme in #​7811 (a7e77)
• Default to run mode when stdin is not a TTY  -  by @​kentonv, @​hi-ogawa and @​sheremet-va in #​7673 (6358f)
• Use happy-dom/jsdom types for envionmentOptions  -  by @​hi-ogawa in #​7795 (67430)
• browser:
  • Fix transform error before browser server initialization  -  by @​hi-ogawa in #​7783 (5f762)
  • Fix mocking from outside of root  -  by @​hi-ogawa in #​7789 (03f55)
  • Scale iframe for non ui case  -  by @​hi-ogawa in #​6512 (c3374)
• coverage:
  • await profiler calls  -  by @​AriPerkkio in #​7763 (795a6)
  • Expose profiling timers  -  by @​AriPerkkio in #​7820 (5652b)
• deps:
  • Update all non-major dependencies  -  in #​7765 (7c3df)
  • Update all non-major dependencies  -  in #​7831 (15701)
• runner:
  • Correctly call test hooks and teardown functions  -  by @​sheremet-va in #​7775 (3c00c)
  • Show stacktrace on test timeout error  -  by @​hi-ogawa in #​7799 (df33b)
• ui:
  • Load panel sizes from storage on initial load  -  by @​userquin in #​7265 (6555d)
• vite-node:
  • Named export should overwrite export all  -  by @​hi-ogawa in #​7846 (5ba0d)
  • Add ERR_MODULE_NOT_FOUND code error if module cannot be loaded  -  by @​sheremet-va in #​7776 (f9eac)

   🏎 Performance

• browser: Improve browser parallelisation  -  by @​sheremet-va in #​7665 (816a5)

    View changes on GitHub

v3.1.1

Compare Source

   🐞 Bug Fixes

• reporter:
  • Report tests in correct order  -  by @​sheremet-va in #​7752 (b166e)
  • Print test only once in the verbose mode  -  by @​sheremet-va in #​7738 (69ca4)

    View changes on GitHub

v3.1.0

Compare Source

🚀 Features

• Introduce %$ option to add number of the test to its title - by @​kemuridama in #​7412 (df347)
• Add diff.maxDepth option and set non-Infinity value as a default to reduce crash - by @​hi-ogawa in #​7481 (eacab)
• Allow array element for test.each/for title formatting - by @​hi-ogawa in #​7522 (ea3d6)
• Add "configureVitest" plugin hook - by @​sheremet-va and @​AriPerkkio in #​7349 (20a5d)
• Support --configLoader CLI option - by @​Carnageous and @​hi-ogawa in #​7574 (2a852)
• Added vitest-browser-lit to vitest init browser and docs - by @​EskiMojo14 and @​hi-ogawa in #​7705 (5659a)
• Use providers request interception for module mocking - by @​sheremet-va in #​7576 (7883a)
• browser:
  • Introduce and, or and filter locators - by @​sheremet-va and @​AriPerkkio in #​7463 (63949)
• reporter:
  • Always render test time - by @​AriPerkkio and @​spamshaker in #​7529 (5eba6)
  • --silent=passed-only to log failed tasks only - by @​AriPerkkio in #​7530 (f9e1c)
• runner:
  • Add test.scoped to override test.extend fixtures per-suite - by @​sheremet-va in #​7233 (e5851)
• vitest:
  • Allow conditional context.skip(boolean) - by @​sheremet-va and @​AriPerkkio in #​7659 (6adec)
  • Support rolldown-vite in NormalizeUrlPlugin - by @​sapphi-red and @​sheremet-va in #​7739 (1ef31)

🐞 Bug Fixes

• Update test stats regularly - by @​hi-ogawa in #​7700 (b7953)
• Fix vm tests flakiness - by @​sheremet-va in #​7741 (2702c)
• Set diff.expand: false as default - by @​hi-ogawa in #​7697 (f3420)
• browser:
  • Correctly calculate timeout in hooks when actions are performed - by @​sheremet-va in #​7747 (a5505)
• deps:
  • Update all non-major dependencies - by @​hi-ogawa in #​7600 (7fc5a)
• reporter:
  • --hideSkippedTests should hide suites too - by @​AriPerkkio in #​7695 (ba9b5)
  • Report tests in correct order - by @​sheremet-va in #​7752 (b166e)
  • Print test only once in the verbose mode - by @​sheremet-va in #​7738 (69ca4)
• snapshot:
  • Fix indent normalization - by @​hi-ogawa in #​7400 (82997)
  • This change can cause small amount of very old snapshots to be updated, but there will be no functional change to how they work.

🏎 Performance

• browser: Fork jest-dom instead of bundling it - by @​sheremet-va in #​7605 (12762)

View changes on GitHub

v3.0.9

Compare Source

   🐞 Bug Fixes

• Typings of ctx.skip() as never  -  by @​sirlancelot in #​7608 (09f35)
• Cleanup vitest in public resolveConfig API  -  by @​hi-ogawa in #​7623 (db14a)
• Fix toHaveBeenCalledWith(asymmetricMatcher) with undefined arguments  -  by @​hi-ogawa in #​7624 (0fb21)
• Race condition in RPC filesystem cache.  -  by @​dts in #​7531 (b7f55)
• Fix getState().testPath during collection with no isolation  -  by @​hi-ogawa in #​7640 (3fb3f)
• Support custom toString method in %s format  -  by @​pengooseDev in #​7637 (46d93)
• browser:
  • Fail playwright timeouts earlier than a test timeout  -  by @​sheremet-va and @​hi-ogawa in #​7565 (5eb4c)
  • Remove @​testing-library/dom from dependencies #​7555)"  -  by @​sheremet-va in #​7628 and #​7555 (94b27)
• coverage:
  • Browser mode + coverage.all  -  by @​AriPerkkio in #​7597 (422ba)
• runner:
  • Show stacktrace on hook timeout error  -  by @​hi-ogawa in #​7502 (268a1)
• vite-node:
  • Fix source map of inlined node_modules  -  by @​hi-ogawa in #​7557 (34aa3)
  • Fix missing buildStart  -  by @​hi-ogawa in #​7652 (29f5a)
• web-worker:
  • Ensure removeEventListener is bound to worker  -  by @​joelgallant in #​7631 (ff42b)

    View changes on GitHub

v3.0.8

Compare Source

   🐞 Bug Fixes

• Fix fetch cache multiple writes  -  by @​hi-ogawa in #​7546 (1a8b4)
• Use browser.isolate instead of config.isolate  -  by @​sheremet-va in #​7560 (4b5ed)
• Remove vestigial spy stub, import directly from @vitest/spy  -  by @​mrginglymus in #​7575 (7f7ff)
• Correctly split the argv string  -  by @​btea in #​7533 (4325a)
• browser:
  • Remove @​testing-library/dom from dependencies  -  by @​sheremet-va in #​7555 (5387a)
  • Improve source map handling for bundled files  -  by @​sheremet-va in #​7534 (e2c57)
  • Print related test file and potential test in unhandled errors  -  by @​sheremet-va in #​7564 (fee90)
• runner:
  • Fix beforeEach/All cleanup callback timeout  -  by @​hi-ogawa in #​7500 (0c292)
  • Fix and simplify Task.suite initialization  -  by @​hi-ogawa in #​7414 (ca9ff)
• snapshot:
  • Allow inline snapshot calls on same location with same snapshot  -  by @​jycouet and @​hi-ogawa in #​7464 (d5cb8)
• vite-node:
  • Fix buildStart on Vite 6  -  by @​hi-ogawa in #​7480 (c0f47)

    [View changes on GitHub](http

✂ Note

PR body was truncated to here.

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: pnpm-lock.yaml

Progress: resolved 1, reused 0, downloaded 0, added 0
Progress: resolved 13, reused 0, downloaded 10, added 0
Progress: resolved 17, reused 0, downloaded 17, added 0
Progress: resolved 18, reused 0, downloaded 17, added 0
Progress: resolved 43, reused 0, downloaded 27, added 0
Progress: resolved 71, reused 0, downloaded 52, added 0
Progress: resolved 88, reused 0, downloaded 65, added 0
Progress: resolved 111, reused 0, downloaded 91, added 0
Progress: resolved 139, reused 0, downloaded 112, added 0
Progress: resolved 160, reused 0, downloaded 137, added 0
Progress: resolved 179, reused 0, downloaded 164, added 0
Progress: resolved 195, reused 0, downloaded 181, added 0
Progress: resolved 220, reused 0, downloaded 205, added 0
Progress: resolved 260, reused 0, downloaded 239, added 0
Progress: resolved 295, reused 0, downloaded 284, added 0
Progress: resolved 333, reused 0, downloaded 297, added 0
 WARN  deprecated uuid@3.4.0: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.
Progress: resolved 388, reused 0, downloaded 348, added 0
Progress: resolved 430, reused 0, downloaded 389, added 0
Progress: resolved 463, reused 0, downloaded 426, added 0
Progress: resolved 523, reused 0, downloaded 481, added 0
Progress: resolved 545, reused 0, downloaded 501, added 0
Progress: resolved 581, reused 0, downloaded 550, added 0
 WARN  deprecated loupe@2.3.4: Please upgrade to 2.3.7 which fixes GHSA-4q6p-r6v2-jvc5
Progress: resolved 646, reused 0, downloaded 555, added 0
Progress: resolved 717, reused 0, downloaded 603, added 0
Progress: resolved 751, reused 0, downloaded 642, added 0
Progress: resolved 795, reused 0, downloaded 650, added 0
Progress: resolved 815, reused 0, downloaded 669, added 0
Progress: resolved 846, reused 0, downloaded 703, added 0
Progress: resolved 888, reused 0, downloaded 748, added 0
Progress: resolved 920, reused 0, downloaded 780, added 0
Progress: resolved 956, reused 0, downloaded 815, added 0
Progress: resolved 1011, reused 0, downloaded 869, added 0
Progress: resolved 1049, reused 0, downloaded 910, added 0
Progress: resolved 1101, reused 0, downloaded 959, added 0
Progress: resolved 1104, reused 0, downloaded 978, added 0
Progress: resolved 1127, reused 0, downloaded 1002, added 0

 ERR_PNPM_PEER_DEP_ISSUES  Unmet peer dependencies

.
├─┬ @ow3/stacks 0.30.4
│ ├─┬ @intlify/vite-plugin-vue-i18n 6.0.1
│ │ └─┬ @intlify/bundle-utils 12.0.0-alpha.3
│ │   └─┬ oxc-transform 0.96.0
│ │     └─┬ @oxc-transform/binding-wasm32-wasi 0.96.0
│ │       └─┬ @napi-rs/wasm-runtime 1.1.4
│ │         ├── ✕ missing peer @emnapi/core@^1.7.1
│ │         └── ✕ missing peer @emnapi/runtime@^1.7.1
│ ├─┬ vitepress 1.0.0-alpha.13
│ │ └─┬ @docsearch/js 3.2.1
│ │   └─┬ @docsearch/react 3.2.1
│ │     └─┬ @algolia/autocomplete-preset-algolia 1.7.1
│ │       └── ✕ missing peer @algolia/client-search@^4.9.1
│ └─┬ commitizen 4.2.5
│   └─┬ cz-conventional-changelog 3.3.0
│     └─┬ @commitlint/load 18.6.1
│       └─┬ cosmiconfig 8.3.6
│         └── ✕ unmet peer typescript@>=4.9.5: found 4.8.3
└─┬ vitest 3.2.6
  └─┬ vite 7.3.5
    └── ✕ unmet peer @types/node@"^20.19.0 || >=22.12.0": found 18.7.17
Peer dependencies that should be installed:
  @algolia/client-search@^4.9.1
  @emnapi/core@^1.7.1
  @emnapi/runtime@^1.7.1

hint: If you want peer dependencies to be automatically installed, add "auto-install-peers=true" to an .npmrc file at the root of your project.
hint: If you don't want pnpm to fail on peer dependency issues, add "strict-peer-dependencies=false" to an .npmrc file at the root of your project.