Update vitest npm packages (major)

[hash-worker]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
@vitest/coverage-istanbul (source)	3.2.4 → 4.1.5
vite-plugin-dts (source)	4.5.4 → 5.0.0
vitest (source)	3.2.4 → 4.1.5

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Release Notes

vitest-dev/vitest (@​vitest/coverage-istanbul)

v4.1.5

Compare Source

   🚀 Experimental Features

• coverage: Istanbul to support instrumenter option  -  by @​BartWaardenburg and @​AriPerkkio in #​10119 (0e0ff)

   🐞 Bug Fixes

• --project negation excludes browser instances  -  by @​felamaslen in #​10131 (9423d)
• Project color label on html reporter  -  by @​hi-ogawa in #​10142 (596f7)
• Fix vi.defineHelper called as object method  -  by @​hi-ogawa in #​10163 (122c2)
• Alias agent reporter to minimal  -  by @​sheremet-va in #​10157 (663b9)
• Respect diff config options in soft assertions  -  by @​Copilot, sheremet-va and @​sheremet-va in #​8696 (9787d)
• Respect diff config options in soft assertions "  -  by @​sheremet-va in #​8696 (7dc6d)
• ast-collect: Recognize _vi_import prefix in static test discovery  -  by @​Yejneshwar in #​10129 (32546)
• coverage: Descriptive error message when reports directory is removed during test run  -  by @​DaveT1991 and @​AriPerkkio in #​10117 (14133)
• snapshot: Increase default snapshot max output length  -  by @​hi-ogawa and Codex in #​10150 (21e66)
• ui: Fix jsx/tsx syntax highlight  -  by @​hi-ogawa in #​10152 (f1b1f)
• web-worker: Support MessagePort objects referenced inside postMessage data  -  by @​whitphx and Claude Opus 4.6 (1M context) in #​9927 and #​10124 (7ad7d)
• api: Make test-specification options writable  -  by @​sheremet-va in #​10154 (6abd5)

    View changes on GitHub

v4.1.4

Compare Source

   🚀 Experimental Features

• coverage:
  • Default to text reporter skipFull if agent detected  -  by @​hi-ogawa in #​10018 (53757)
• experimental:
  • Expose assertion as a public field  -  by @​sheremet-va in #​10095 (a120e)
  • Support aria snapshot  -  by @​hi-ogawa, Claude Opus 4.6 (1M context), @​AriPerkkio, Codex and @​sheremet-va in #​9668 (d4fbb)
• reporter:
  • Add filterMeta option to json reporter  -  by @​nami8824 and @​sheremet-va in #​10078 (b77de)

   🐞 Bug Fixes

• Use "black" foreground for labeled terminal message to ensure contrast  -  by @​hi-ogawa in #​10076 (203f0)
• Make expect(..., message) consistent as error message prefix  -  by @​hi-ogawa and Codex in #​10068 (a1b5f)
• Do not hoist imports whose names match class properties .  -  by @​SunsetFi in #​10093 and #​10094 (0fc4b)
• browser: Spread user server options into browser Vite server in project  -  by @​GoldStrikeArch in #​10049 (65c9d)

    View changes on GitHub

v4.1.3

Compare Source

   🚀 Experimental Features

• Add experimental.preParse flag  -  by @​sheremet-va in #​10070 (78273)
• Support browser.locators.exact option  -  by @​sheremet-va in #​10013 (48799)
• Add TestAttachment.bodyEncoding  -  by @​hi-ogawa in #​9969 (89ca0)
• Support custom snapshot matcher  -  by @​hi-ogawa, Claude Sonnet 4.6 and Codex in #​9973 (59b0e)

   🐞 Bug Fixes

• Advance fake timers with expect.poll interval  -  by @​hi-ogawa and Claude Sonnet 4.6 in #​10022 (3f5bf)
• Add @vitest/coverage-v8 and @vitest/coverage-istanbul as optional dependency  -  by @​alan-agius4 in #​10025 (146d4)
• Fix defineHelper for webkit async stack trace + update playwright 1.59.0  -  by @​hi-ogawa in #​10036 (5a5fa)
• Fix suite hook throwing errors for unused auto test-scoped fixture  -  by @​hi-ogawa and Claude Sonnet 4.6 in #​10035 (39865)
• expect:
  • Remove JestExtendError.context from verbose error reporting  -  by @​hi-ogawa in #​9983 (66751)
  • Don't leak "runner" types  -  by @​sheremet-va in #​10004 (ec204)
• snapshot:
  • Fix flagging obsolete snapshots for snapshot properties mismatch  -  by @​hi-ogawa and Claude Sonnet 4.6 in #​9986 (6b869)
  • Export custom snapshot matcher helper from vitest  -  by @​hi-ogawa and Codex in #​10042 (691d3)
• ui:
  • Don't leak vite types  -  by @​sheremet-va in #​10005 (fdff1)
• vm:
  • Fix external module resolve error with deps optimizer query  -  by @​hi-ogawa and Claude Sonnet 4.6 in #​10024 (9dbf4)

    View changes on GitHub

v4.1.2

Compare Source

This release bumps Vitest's flatted version and removes version pinning to resolve flatted's CVE related issues (#​9975).

   🐞 Bug Fixes

• Don't resolve setupFiles from parent directory  -  by @​hi-ogawa in #​9960 (7aa93)
• Ensure sequential mock/unmock resolution  -  by @​hi-ogawa and Claude Opus 4.6 in #​9830 (7c065)
• browser: Take failure screenshot if toMatchScreenshot can't capture a stable screenshot  -  by @​macarie in #​9847 (faace)
• coverage: Correct coverageConfigDefaults values and types  -  by @​Arthie in #​9940 (b3c99)
• pretty-format: Fix output limit over counting  -  by @​hi-ogawa in #​9965 (d3b7a)
• Disable colors if agent is detected  -  by @​sheremet-va and @​AriPerkkio in #​9851 (6f97b)

    View changes on GitHub

v4.1.1

Compare Source

   🚀 Features

• experimental:
  • Expose matchesTags to test if the current filter matches tags  -  by @​sheremet-va in #​9913 (eec53)
  • Introduce experimental.vcsProvider  -  by @​sheremet-va in #​9928 (56115)

   🐞 Bug Fixes

• Mark TestProject.testFilesList internal properly  -  by @​sapphi-red in #​9867 (54f26)
• Detect fixture that returns without calling use  -  by @​oilater in #​9831 and #​9861 (633ae)
• Drop vite 8.beta support  -  by @​AriPerkkio in #​9862 (b78f5)
• Type regression in vi.mocked() static class methods  -  by @​purepear and @​hi-ogawa in #​9857 (90926)
• Properly re-evaluate actual modules of mocked external  -  by @​hi-ogawa in #​9898 (ae5ec)
• Preserve coverage report when html reporter overlaps  -  by @​hi-ogawa in #​9889 (2d81a)
• Provide vi.advanceTimers to the preview provider  -  by @​sheremet-va in #​9891 (1bc3e)
• Don't leak event listener in playwright provider  -  by @​sheremet-va in #​9910 (d9355)
• Open browser in --standalone mode without running tests  -  by @​sheremet-va in #​9911 (e78ad)
• Guard disposable and optional body  -  by @​sheremet-va in #​9912 (6fdb2)
• Resolve retry.condition RegExp serialization issue  -  by @​nstepien and @​hi-ogawa in #​9942 (7b605)
• collect:
  • Don't treat extra props on test return as tests  -  by @​sheremet-va in #​9871 (141e7)
• coverage:
  • Simplify provider types  -  by @​AriPerkkio in #​9931 (aaf9f)
  • Load built-in provider without module runner  -  by @​AriPerkkio in #​9939 (bf892)
• expect:
  • Soft assertions continue after .resolves/.rejects promise errors  -  by @​mixelburg, Maks Pikov, Claude Opus 4.6 (1M context) and @​hi-ogawa in #​9843 (6d74b)
  • Fix sinon-chai style API  -  by @​hi-ogawa in #​9943 (0f08d)
• pretty-format:
  • Limit output for large object  -  by @​hi-ogawa and Claude Opus 4.6 (1M context) in #​9949 (0d5f9)

    View changes on GitHub

v4.1.0

Compare Source

Vitest 4.1 is out!

This release page lists all changes made to the project during the 4.1 beta. To get a review of all the new features, read our blog post.

   🚀 Features

• Return a disposable from doMock()  -  by @​kirkwaiblinger in #​9332 (e3e65)
• Added chai style assertions  -  by @​ronnakamoto and @​sheremet-va in #​8842 (841df)
• Update to sinon/fake-timers v15 and add setTickMode to timer controls  -  by @​atscott and @​sheremet-va in #​8726 (4b480)
• Expose matcher types  -  by @​sheremet-va in #​9448 (3e4b9)
• Add toTestSpecification to reported tasks  -  by @​sheremet-va in #​9464 (1a470)
• Show a warning if vi.mock or vi.hoisted are declared outside of top level of the module  -  by @​sheremet-va in #​9387 (5db54)
• Track and display expectedly failed tests (.fails) in UI and CLI  -  by @​Copilot, sheremet-va and @​sheremet-va in #​9476 (77d75)
• Support tags  -  by @​sheremet-va in #​9478 (de7c8)
• Implement aroundEach and aroundAll hooks  -  by @​sheremet-va in #​9450 (2a8cb)
• Stabilize experimental features  -  by @​sheremet-va in #​9529 (b5fd2)
• Accept new or all in --update flag  -  by @​sheremet-va in #​9543 (a5acf)
• Support meta in test options  -  by @​sheremet-va in #​9535 (7d622)
• Support type inference with a new test.extend syntax  -  by @​sheremet-va in #​9550 (e5385)
• Support vite 8 beta, fix type issues in the config with different vite versions  -  by @​sheremet-va in #​9587 (99028)
• Add assertion helper to hide internal stack traces  -  by @​hi-ogawa and Claude Opus 4.6 in #​9594 (eeb0a)
• Store failure screenshots using artifacts API  -  by @​macarie in #​9588 (24603)
• Allow vitest list to statically collect tests instead of running files to collect them  -  by @​sheremet-va in #​9630 (7a8e7)
• Add --detect-async-leaks  -  by @​AriPerkkio in #​9528 (c594d)
• Implement mockThrow and mockThrowOnce  -  by @​thor-juhasz and @​sheremet-va in #​9512 (61917)
• Support update: "none" and add docs about snapshots behavior on CI  -  by @​hi-ogawa in #​9700 (05f18)
• Support playwright launchOptions with connectOptions  -  by @​hi-ogawa in #​9702 (f0ff1)
• Add page/locator.mark API to enhance playwright trace  -  by @​hi-ogawa in #​9652 (d0ee5)
• api:
  • Support tests starting or ending with test in experimental_parseSpecification  -  by @​jgillick and Jeremy Gillick in #​9235 (2f367)
  • Add filters to createSpecification  -  by @​sheremet-va in #​9336 (c8e6c)
  • Expose runTestFiles as alternative to runTestSpecifications  -  by @​sheremet-va in #​9443 (43d76)
  • Add allowWrite and allowExec options to api  -  by @​sheremet-va in #​9350 (20e00)
  • Allow passing down test cases to toTestSpecification  -  by @​sheremet-va in #​9627 (6f17d)
• browser:
  • Add userEvent.wheel API  -  by @​macarie in #​9188 (66080)
  • Add filterNode option to prettyDOM for filtering browser assertion error output  -  by @​Copilot, sheremet-va and @​sheremet-va in #​9475 (d3220)
  • Support playwright persistent context  -  by @​hi-ogawa, Claude Opus 4.6 and @​sheremet-va in #​9229 (f865d)
  • Added detailsPanelPosition option and button  -  by @​shairez in #​9525 (c8a31)
  • Use BlazeDiff instead of pixelmatch  -  by @​macarie in #​9514 (30936)
  • Add findElement and enable strict mode in webdriverio and preview  -  by @​sheremet-va in #​9677 (c3f37)
• cli:
  • Add @​bomb.sh/tab completions  -  by @​AmirSa12 and @​sheremet-va in #​8639 (200f3)
• coverage:
  • Support ignore start/stop ignore hints  -  by @​AriPerkkio in #​9204 (e59c9)
  • Add coverage.changed option to report only changed files  -  by @​kykim00 and @​AriPerkkio in #​9521 (1d939)
• experimental:
  • Add onModuleRunner hook to worker.init  -  by @​sheremet-va in #​9286 (e977f)
  • Option to disable the module runner  -  by @​sheremet-va and @​AriPerkkio in #​9210 (9be61)
  • Add importDurations: { limit, print } options  -  by @​hi-ogawa, Claude Opus 4.6 and @​sheremet-va in #​9401 (7e10f)
  • Add print and fail thresholds for importDurations  -  by @​hi-ogawa and Claude Opus 4.6 in #​9533 (3f7a5)
• fixtures:
  • Pass down file context to beforeAll/afterAll  -  by @​sheremet-va in #​9572 (c8339)
• reporters:
  • Add agent reporter to reduce ai agent token usage  -  by @​cpojer in #​9779 (3e9e0)
• runner:
  • Enhance retry options  -  by @​MazenSamehR, Matan Shavit, @​AriPerkkio and @​sheremet-va in #​9370 (9e4cf)
• ui:
  • Allow run individual test/suites  -  by @​userquin in #​9465 (73b10)
  • Add project filter/sort support  -  by @​userquin in #​8689 (0c7ea)
  • Add duration sorting to explorer  -  by @​julianhahn and @​cursoragent in #​9603 (209b1)
  • Implement filter for slow tests  -  by @​DerYeger and @​userquin in #​9705 (8880c)
• vitest:
  • Add run summary in GitHub Actions Reporter  -  by @​macarie and jhnance in #​9579 (96bfc)

   🐞 Bug Fixes

• Deprecate several vitest/* entry points  -  by @​sheremet-va in #​9347 (fd459)
• Use meta.url in createRequire  -  by @​sheremet-va in #​9441 (e3422)
• Preact browser mode init example of render function not async  -  by @​WuMingDao in #​9375 (2bea5)
• Deprecate unused types in matcher context  -  by @​sheremet-va in #​9449 (20f87)
• Handle external/noExternal during configEnvironment hook  -  by @​hi-ogawa and Claude Opus 4.6 in #​9508 (59ea2)
• Replace default ssr environment runner with Vitest server module runner  -  by @​hi-ogawa and Claude Opus 4.6 in #​9506 (cd5db)
• Propagate experimental CLI options to child projects  -  by @​hi-ogawa and Claude Opus 4.6 in #​9531 (b624f)
• Show a warning when browser.isolate is used  -  by @​sheremet-va in #​9410 (3d48e)
• Fix vi.mock({ spy: true }) node v8 coverage  -  by @​hi-ogawa, hi-ogawa and Claude Opus 4.6 in #​9541 (687b6)
• Don't show internal ssr handler in errors  -  by @​sheremet-va in #​9547 (76c43)
• Close vitest if it failed to start  -  by @​sheremet-va in #​9573 (728ba)
• Fix ssr environment runner in project  -  by @​hi-ogawa in #​9584 (09006)
• Trim trailing white spaces in code block  -  by @​hi-ogawa in #​9591 (f78be)
• Support inline snapshot inside test.for/each  -  by @​hi-ogawa in #​9590 (615fd)
• Apply source maps for external module stack trace  -  by @​hi-ogawa in #​9152 (79e20)
• Remove the .name from statically collected test  -  by @​sheremet-va in #​9596 (b66ff)
• Don't suppress warnings on pnp  -  by @​sheremet-va in #​9602 (89cbd)
• Support snapshot with expect.soft  -  by @​iumehara, @​hi-ogawa and Claude Opus 4.6 in #​9231 (3eb2c)
• Log seed when only sequence.shuffle.tests is enabled  -  by @​kaigritun, Kai Gritun and @​sheremet-va in #​9576 (8182b)
• Externalize expect/src/utils from vitest  -  by @​hi-ogawa in #​9616 (48739)
• Ignore test.override during static collection  -  by @​sheremet-va in #​9620 (09174)
• Increase stacktrace limit for --detect-async-leaks  -  by @​AriPerkkio in #​9638 (9fd4c)
• Hanging-reporter link in cli  -  by @​flx-sta in #​9649 (7c103)
• Fix teardown timeout of aroundEach/All when inner aroundEach/All throws  -  by @​hi-ogawa in #​9657 (4ec6c)
• Fix ui mode / html reporter and coverage integration  -  by @​hi-ogawa and Claude Opus 4.6 in #​9626 (86fad)
• Don't continue when aroundEach/All setup timed out  -  by @​hi-ogawa in #​9670 (bb013)
• Align VitestRunnerConfig optional fields with SerializedConfig  -  by @​hi-ogawa in #​9661 (79520)
• Handle Symbol values in format utility  -  by @​nami8824 in #​9658 (0583f)
• Deprecate toBe* spy assertions in favor of toHaveBeen* (and toThrowError)  -  by @​sheremet-va in #​9665 (4d390)
• Don't propagate nested aroundEach/All errors but aggregate them on runner  -  by @​hi-ogawa in #​9673 (b6365)
• Show a better error if there is a pending dynamic import  -  by @​sheremet-va in #​9676 (7ef5c)
• Preserve stack trace of resolves/rejects chained assertion error  -  by @​hi-ogawa in #​9679 (c6151)
• Handle module-sync condition in vmThreads/vmForks require  -  by @​lesleh in #​9650 and #​9651 (bb203)
• Hooks should respect maxConcurrency  -  by @​hi-ogawa in #​9653 (16d13)
• Recursively autospy module object  -  by @​hi-ogawa in #​9687 (695a8)
• Remove trailing spaces from diff error log  -  by @​hi-ogawa and @​sheremet-va in #​9680 (395d1)
• Respect project resolve.conditions for externals  -  by @​hi-ogawa in #​9717 (1d498)
• Use object for WeakMap instead of a symbol to support webcontainers  -  by @​sheremet-va in #​9731 (c5225)
• Fix re-mocking virtual module  -  by @​hi-ogawa in #​9748 (3cbbb)
• Cancelling should stop current test immediately  -  by @​AriPerkkio in #​9729 (0cb2f)
• Make mockObject change backwards compatible  -  by @​sheremet-va in #​9744 (84c69)
• Fix URL.name on jsdom  -  by @​hi-ogawa in #​9767 (031f3)
• Save and restore module graph in blob reporter  -  by @​hi-ogawa in #​9740 (84355)
• Don't silence reporter errors from test runtime events handler in normal run and --merge-reports  -  by @​hi-ogawa in #​9727 (4072d)
• Fix vi.importActual() for virtual modules  -  by @​hi-ogawa and Claude Opus 4.6 in #​9772 (1e89e)
• Throw FixtureAccessError if suite hook accesses undefined fixture  -  by @​sheremet-va in #​9786 (fc2ce)
• Allow hyphens in project config file name pattern  -  by @​Koutaro-Hanabusa and @​hi-ogawa in #​9760 (33e96)
• Manual and redirect mock shouldn't load or transform original module  -  by @​hi-ogawa and Claude Opus 4.6 in #​9774 (a8216)
• hideSkippedTests should not hide test.todo  -  by @​oilater in #​9562 and #​9781 (8181e)
• Allow catch/finally for async assertion  -  by @​hi-ogawa in #​9827 (031f0)
• Resolve fixture overrides from test's suite in beforeEach hooks  -  by @​hi-ogawa and Claude Opus 4.6 in #​9826 (99e52)
• Use isAgent check, not just TTY, for watch mode  -  by @​sheremet-va in #​9841 (c3cac)
• Use performance.now to measure test timeout duration  -  by @​hi-ogawa and Claude Opus 4.6 in #​9795 (f48a6)
• Correctly identify concurrent test during static analysis  -  by @​sheremet-va in #​9846 (1de0a)
• browser:
  • Avoid updating screenshots when toMatchScreenshot passes  -  by @​macarie in #​9289 (46aab)
  • Hide injected data-testid attributes  -  by @​sheremet-va in #​9503 (c8d2c)
  • Throw an error if iframe was reloaded  -  by @​sheremet-va in #​9516 (73a81)
  • Encode projectName in browser client URL  -  by @​dkkim0122 in #​9523 (5b164)
  • Don't take failure screenshot if tests have artifacts created by toMatchScreenshot  -  by @​macarie in #​9552 (83ca0)
  • Remove --remote-debugging-address from chrome args  -  by @​hi-ogawa and @​AriPerkkio in #​9712 (f09bb)
  • Make sure userEvent actions support ensureAwaited  -  by @​sheremet-va in #​9732 (97685)
  • Types of getCDPSession and cdp()  -  by @​AriPerkkio in #​9716 (689a2)
  • Skip esbuild.legalComments when using rolldown-vite  -  by @​Copilot, hi-ogawa and @​hi-ogawa in #​9803 (3505f)
• chai:
  • Don't allow deepEqual in the config because it's not serializable  -  by @​sheremet-va in #​9666 (9ee99)
• coverage:
  • Infer transform mode for uncovered files  -  by @​AriPerkkio in #​9435 (f3967)
  • thresholds.autoUpdate to preserve ending whitespace  -  by @​AriPerkkio in #​9436 (7e534)
• deps:
  • Update all non-major dependencies  -  by @​hi-ogawa in #​9192 [(90c30)](https://redirec

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • "before 4am every weekday,every weekend"
• Automerge
  • "before 4am every weekday,every weekend"

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 62.49%. Comparing base (775f4cc) to head (db2532d).
⚠️ Report is 10 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #8129   +/-   ##
=======================================
  Coverage   62.49%   62.49%           
=======================================
  Files        1318     1320    +2     
  Lines      134235   134276   +41     
  Branches     5521     5511   -10     
=======================================
+ Hits        83894    83921   +27     
- Misses      49426    49440   +14     
  Partials      915      915           

Flag	Coverage Δ
apps.hash-ai-worker-ts	1.40% <ø> (+<0.01%)	⬆️
apps.hash-api	0.00% <ø> (ø)
blockprotocol.type-system	40.84% <ø> (ø)
local.claude-hooks	0.00% <ø> (ø)
local.harpc-client	51.49% <ø> (+0.25%)	⬆️
local.hash-graph-sdk	9.63% <ø> (ø)
local.hash-isomorphic-utils	0.00% <ø> (ø)
rust.antsi	0.00% <ø> (ø)
rust.error-stack	90.87% <ø> (ø)
rust.harpc-codec	84.70% <ø> (ø)
rust.harpc-net	96.19% <ø> (ø)
rust.harpc-tower	67.03% <ø> (ø)
rust.harpc-types	0.00% <ø> (ø)
rust.harpc-wire-protocol	92.23% <ø> (ø)
rust.hash-codec	72.76% <ø> (ø)
rust.hash-graph-api	2.52% <ø> (ø)
rust.hash-graph-authorization	62.34% <ø> (ø)
rust.hash-graph-postgres-store	26.38% <ø> (ø)
rust.hash-graph-store	37.76% <ø> (ø)
rust.hash-graph-temporal-versioning	47.95% <ø> (ø)
rust.hash-graph-types	0.00% <ø> (ø)
rust.hash-graph-validation	83.45% <ø> (ø)
rust.hashql-ast	87.23% <ø> (ø)
rust.hashql-compiletest	29.69% <ø> (ø)
rust.hashql-core	82.29% <ø> (ø)
rust.hashql-diagnostics	72.43% <ø> (ø)
rust.hashql-eval	69.13% <ø> (ø)
rust.hashql-hir	89.06% <ø> (ø)
rust.hashql-mir	92.64% <ø> (ø)
rust.hashql-syntax-jexpr	94.05% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[cursor]

PR Summary

Medium Risk
Major-version upgrade of the unit test runner/coverage tooling across multiple workspaces may break test runs or CI due to config/behavior changes, though production code is untouched.

Overview
Updates test tooling across the monorepo by bumping vitest and @vitest/coverage-istanbul from 3.2.4 to 4.1.5 in multiple package.json files (apps, libs, tests, and Claude hooks).

Also bumps vite-plugin-dts from 4.5.4 to 5.0.0 in @hashintel/ds-components.

^{Reviewed by Cursor Bugbot for commit 71b6874. Bugbot is set up for automated code reviews on this repo. Configure here.}

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
ds-theme	Ready	Preview, Comment	May 14, 2026 10:26am
hash	Error		May 14, 2026 10:26am
hashdotdesign	Ready	Preview, Comment	May 14, 2026 10:26am
hashdotdesign-tokens	Error		May 14, 2026 10:26am
petrinaut	Error		May 14, 2026 10:26am

[codspeed-hq]

Merging this PR will not alter performance

✅ 80 untouched benchmarks

---

_{Comparing deps/js/major-vitest-npm-packages (db2532d) with main (775f4cc)¹}

Footnotes

1. No successful run was found on main (6f130ab) during the generation of this report, so 775f4cc was used instead as the comparison base. There might be some changes unrelated to this pull request in this report. ↩

[vercel]

Deployment failed with the following error:

Creating the Deployment Timed Out.

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{Bugbot Autofix is OFF. To automatically fix reported issues with Cloud Agents, enable autofix in the Cursor dashboard.}

[semgrep-code-hashintel]

Risk: Affected versions of vite are vulnerable to Exposure of Sensitive Information to an Unauthorized Actor / Missing Authentication for Critical Function. This occurs because the Vite Dev Server WebSocket improperly exposes the fetchModule method, allowing unauthenticated remote attackers to bypass filesystem restrictions and read arbitrary files from the host machine

Manual Review Advice: A vulnerability from this advisory is reachable if you enable vite dev server using --host flag and websocket is not disabled

Fix: Upgrade this library to at least version 8.0.5 at hash/yarn.lock:45627.

Reference(s): GHSA-p9ff-h696-f583, CVE-2026-39363

🎉 Fixed in commit 3f42185 🎉

[semgrep-code-hashintel]

Risk: Affected versions of vite are vulnerable to Improper Access Control / Incorrect Behavior Order. Vite's dev server can bypass server.fs.deny protections: if the server is exposed to the network and a denied file is within an allowed directory, an attacker can retrieve sensitive files such as .env or certificate files by requesting them with query parameters like ?raw, ?import&raw, or ?import&url&inline.

Manual Review Advice: A vulnerability from this advisory is reachable if you enable vite dev server using --host flag and have sensitive data in deny list

Fix: Upgrade this library to at least version 8.0.5 at hash/yarn.lock:45627.

Reference(s): GHSA-v2wj-q39q-566r, CVE-2026-39364

✨ Fixed in commit 3f42185 ✨

[github-actions]

Benchmark results

@rust/hash-graph-benches – Integrations

policy_resolution_large

Function	Value	Mean	Flame graphs
resolve_policies_for_actor	user: empty, selectivity: high, policies: 2002	$$27.9 \mathrm{ms} \pm 182 \mathrm{μs}\left({\color{gray}1.73 \mathrm{\%}}\right) $$	Flame Graph
resolve_policies_for_actor	user: empty, selectivity: low, policies: 1	$$3.58 \mathrm{ms} \pm 20.0 \mathrm{μs}\left({\color{red}6.22 \mathrm{\%}}\right) $$	Flame Graph
resolve_policies_for_actor	user: empty, selectivity: medium, policies: 1001	$$13.7 \mathrm{ms} \pm 97.5 \mathrm{μs}\left({\color{red}11.2 \mathrm{\%}}\right) $$	Flame Graph
resolve_policies_for_actor	user: seeded, selectivity: high, policies: 3314	$$43.6 \mathrm{ms} \pm 349 \mathrm{μs}\left({\color{gray}2.13 \mathrm{\%}}\right) $$	Flame Graph
resolve_policies_for_actor	user: seeded, selectivity: low, policies: 1	$$16.0 \mathrm{ms} \pm 147 \mathrm{μs}\left({\color{red}14.1 \mathrm{\%}}\right) $$	Flame Graph
resolve_policies_for_actor	user: seeded, selectivity: medium, policies: 1526	$$24.8 \mathrm{ms} \pm 195 \mathrm{μs}\left({\color{gray}3.74 \mathrm{\%}}\right) $$	Flame Graph
resolve_policies_for_actor	user: system, selectivity: high, policies: 2078	$$28.7 \mathrm{ms} \pm 196 \mathrm{μs}\left({\color{gray}2.44 \mathrm{\%}}\right) $$	Flame Graph
resolve_policies_for_actor	user: system, selectivity: low, policies: 1	$$3.94 \mathrm{ms} \pm 28.0 \mathrm{μs}\left({\color{red}7.59 \mathrm{\%}}\right) $$	Flame Graph
resolve_policies_for_actor	user: system, selectivity: medium, policies: 1033	$$14.6 \mathrm{ms} \pm 113 \mathrm{μs}\left({\color{red}9.80 \mathrm{\%}}\right) $$	Flame Graph

policy_resolution_medium

Function	Value	Mean	Flame graphs
resolve_policies_for_actor	user: empty, selectivity: high, policies: 102	$$3.81 \mathrm{ms} \pm 21.2 \mathrm{μs}\left({\color{gray}1.95 \mathrm{\%}}\right) $$	Flame Graph
resolve_policies_for_actor	user: empty, selectivity: low, policies: 1	$$2.98 \mathrm{ms} \pm 16.1 \mathrm{μs}\left({\color{gray}1.17 \mathrm{\%}}\right) $$	Flame Graph
resolve_policies_for_actor	user: empty, selectivity: medium, policies: 51	$$3.37 \mathrm{ms} \pm 18.3 \mathrm{μs}\left({\color{gray}1.23 \mathrm{\%}}\right) $$	Flame Graph
resolve_policies_for_actor	user: seeded, selectivity: high, policies: 269	$$5.23 \mathrm{ms} \pm 32.0 \mathrm{μs}\left({\color{gray}1.97 \mathrm{\%}}\right) $$	Flame Graph
resolve_policies_for_actor	user: seeded, selectivity: low, policies: 1	$$3.57 \mathrm{ms} \pm 22.0 \mathrm{μs}\left({\color{gray}1.77 \mathrm{\%}}\right) $$	Flame Graph
resolve_policies_for_actor	user: seeded, selectivity: medium, policies: 107	$$4.14 \mathrm{ms} \pm 28.7 \mathrm{μs}\left({\color{gray}1.55 \mathrm{\%}}\right) $$	Flame Graph
resolve_policies_for_actor	user: system, selectivity: high, policies: 133	$$4.43 \mathrm{ms} \pm 27.5 \mathrm{μs}\left({\color{gray}1.28 \mathrm{\%}}\right) $$	Flame Graph
resolve_policies_for_actor	user: system, selectivity: low, policies: 1	$$3.48 \mathrm{ms} \pm 23.0 \mathrm{μs}\left({\color{gray}1.92 \mathrm{\%}}\right) $$	Flame Graph
resolve_policies_for_actor	user: system, selectivity: medium, policies: 63	$$4.16 \mathrm{ms} \pm 32.4 \mathrm{μs}\left({\color{gray}2.87 \mathrm{\%}}\right) $$	Flame Graph

policy_resolution_none

Function	Value	Mean	Flame graphs
resolve_policies_for_actor	user: empty, selectivity: high, policies: 2	$$2.56 \mathrm{ms} \pm 17.1 \mathrm{μs}\left({\color{gray}0.004 \mathrm{\%}}\right) $$	Flame Graph
resolve_policies_for_actor	user: empty, selectivity: low, policies: 1	$$2.47 \mathrm{ms} \pm 12.8 \mathrm{μs}\left({\color{gray}-0.089 \mathrm{\%}}\right) $$	Flame Graph
resolve_policies_for_actor	user: empty, selectivity: medium, policies: 1	$$2.53 \mathrm{ms} \pm 17.5 \mathrm{μs}\left({\color{gray}0.079 \mathrm{\%}}\right) $$	Flame Graph
resolve_policies_for_actor	user: system, selectivity: high, policies: 8	$$2.84 \mathrm{ms} \pm 17.2 \mathrm{μs}\left({\color{gray}0.202 \mathrm{\%}}\right) $$	Flame Graph
resolve_policies_for_actor	user: system, selectivity: low, policies: 1	$$2.63 \mathrm{ms} \pm 23.4 \mathrm{μs}\left({\color{gray}0.448 \mathrm{\%}}\right) $$	Flame Graph
resolve_policies_for_actor	user: system, selectivity: medium, policies: 3	$$2.81 \mathrm{ms} \pm 15.6 \mathrm{μs}\left({\color{gray}-0.396 \mathrm{\%}}\right) $$	Flame Graph

policy_resolution_small

Function	Value	Mean	Flame graphs
resolve_policies_for_actor	user: empty, selectivity: high, policies: 52	$$3.01 \mathrm{ms} \pm 17.9 \mathrm{μs}\left({\color{gray}-0.885 \mathrm{\%}}\right) $$	Flame Graph
resolve_policies_for_actor	user: empty, selectivity: low, policies: 1	$$2.74 \mathrm{ms} \pm 15.1 \mathrm{μs}\left({\color{gray}1.02 \mathrm{\%}}\right) $$	Flame Graph
resolve_policies_for_actor	user: empty, selectivity: medium, policies: 25	$$2.96 \mathrm{ms} \pm 13.2 \mathrm{μs}\left({\color{gray}-0.367 \mathrm{\%}}\right) $$	Flame Graph
resolve_policies_for_actor	user: seeded, selectivity: high, policies: 94	$$3.48 \mathrm{ms} \pm 24.7 \mathrm{μs}\left({\color{gray}2.75 \mathrm{\%}}\right) $$	Flame Graph
resolve_policies_for_actor	user: seeded, selectivity: low, policies: 1	$$2.98 \mathrm{ms} \pm 20.9 \mathrm{μs}\left({\color{gray}2.29 \mathrm{\%}}\right) $$	Flame Graph
resolve_policies_for_actor	user: seeded, selectivity: medium, policies: 26	$$3.34 \mathrm{ms} \pm 20.3 \mathrm{μs}\left({\color{gray}3.66 \mathrm{\%}}\right) $$	Flame Graph
resolve_policies_for_actor	user: system, selectivity: high, policies: 66	$$3.34 \mathrm{ms} \pm 20.6 \mathrm{μs}\left({\color{gray}0.881 \mathrm{\%}}\right) $$	Flame Graph
resolve_policies_for_actor	user: system, selectivity: low, policies: 1	$$2.92 \mathrm{ms} \pm 16.1 \mathrm{μs}\left({\color{gray}0.280 \mathrm{\%}}\right) $$	Flame Graph
resolve_policies_for_actor	user: system, selectivity: medium, policies: 29	$$3.34 \mathrm{ms} \pm 19.5 \mathrm{μs}\left({\color{gray}-0.300 \mathrm{\%}}\right) $$	Flame Graph

read_scaling_complete

Function	Value	Mean	Flame graphs
entity_by_id;one_depth	1 entities	$$53.8 \mathrm{ms} \pm 351 \mathrm{μs}\left({\color{gray}0.324 \mathrm{\%}}\right) $$	Flame Graph
entity_by_id;one_depth	10 entities	$$44.9 \mathrm{ms} \pm 198 \mathrm{μs}\left({\color{gray}-1.389 \mathrm{\%}}\right) $$	Flame Graph
entity_by_id;one_depth	25 entities	$$48.8 \mathrm{ms} \pm 230 \mathrm{μs}\left({\color{gray}-4.055 \mathrm{\%}}\right) $$	Flame Graph
entity_by_id;one_depth	5 entities	$$43.0 \mathrm{ms} \pm 168 \mathrm{μs}\left({\color{gray}-1.297 \mathrm{\%}}\right) $$	Flame Graph
entity_by_id;one_depth	50 entities	$$61.2 \mathrm{ms} \pm 403 \mathrm{μs}\left({\color{gray}-3.797 \mathrm{\%}}\right) $$	Flame Graph
entity_by_id;two_depth	1 entities	$$61.0 \mathrm{ms} \pm 336 \mathrm{μs}\left({\color{gray}-1.803 \mathrm{\%}}\right) $$	Flame Graph
entity_by_id;two_depth	10 entities	$$55.5 \mathrm{ms} \pm 451 \mathrm{μs}\left({\color{gray}-0.439 \mathrm{\%}}\right) $$	Flame Graph
entity_by_id;two_depth	25 entities	$$95.6 \mathrm{ms} \pm 578 \mathrm{μs}\left({\color{lightgreen}-7.102 \mathrm{\%}}\right) $$	Flame Graph
entity_by_id;two_depth	5 entities	$$45.2 \mathrm{ms} \pm 217 \mathrm{μs}\left({\color{gray}-0.741 \mathrm{\%}}\right) $$	Flame Graph
entity_by_id;two_depth	50 entities	$$289 \mathrm{ms} \pm 909 \mathrm{μs}\left({\color{gray}-0.954 \mathrm{\%}}\right) $$	Flame Graph
entity_by_id;zero_depth	1 entities	$$18.9 \mathrm{ms} \pm 81.6 \mathrm{μs}\left({\color{gray}-0.964 \mathrm{\%}}\right) $$	Flame Graph
entity_by_id;zero_depth	10 entities	$$19.4 \mathrm{ms} \pm 102 \mathrm{μs}\left({\color{gray}-0.193 \mathrm{\%}}\right) $$	Flame Graph
entity_by_id;zero_depth	25 entities	$$19.8 \mathrm{ms} \pm 107 \mathrm{μs}\left({\color{gray}-0.547 \mathrm{\%}}\right) $$	Flame Graph
entity_by_id;zero_depth	5 entities	$$19.0 \mathrm{ms} \pm 87.8 \mathrm{μs}\left({\color{gray}1.01 \mathrm{\%}}\right) $$	Flame Graph
entity_by_id;zero_depth	50 entities	$$25.1 \mathrm{ms} \pm 123 \mathrm{μs}\left({\color{gray}-0.623 \mathrm{\%}}\right) $$	Flame Graph

read_scaling_linkless

Function	Value	Mean	Flame graphs
entity_by_id	1 entities	$$19.3 \mathrm{ms} \pm 110 \mathrm{μs}\left({\color{gray}0.898 \mathrm{\%}}\right) $$	Flame Graph
entity_by_id	10 entities	$$18.9 \mathrm{ms} \pm 125 \mathrm{μs}\left({\color{gray}-1.034 \mathrm{\%}}\right) $$	Flame Graph
entity_by_id	100 entities	$$19.0 \mathrm{ms} \pm 99.5 \mathrm{μs}\left({\color{gray}-2.756 \mathrm{\%}}\right) $$	Flame Graph
entity_by_id	1000 entities	$$19.7 \mathrm{ms} \pm 107 \mathrm{μs}\left({\color{gray}-2.168 \mathrm{\%}}\right) $$	Flame Graph
entity_by_id	10000 entities	$$26.8 \mathrm{ms} \pm 239 \mathrm{μs}\left({\color{gray}1.14 \mathrm{\%}}\right) $$	Flame Graph

representative_read_entity

Function	Value	Mean	Flame graphs
entity_by_id	entity type ID: https://blockprotocol.org/@alice/types/entity-type/block/v/1	$$36.8 \mathrm{ms} \pm 359 \mathrm{μs}\left({\color{gray}4.74 \mathrm{\%}}\right) $$	Flame Graph
entity_by_id	entity type ID: https://blockprotocol.org/@alice/types/entity-type/book/v/1	$$34.2 \mathrm{ms} \pm 277 \mathrm{μs}\left({\color{gray}1.61 \mathrm{\%}}\right) $$	Flame Graph
entity_by_id	entity type ID: https://blockprotocol.org/@alice/types/entity-type/building/v/1	$$36.8 \mathrm{ms} \pm 360 \mathrm{μs}\left({\color{gray}3.33 \mathrm{\%}}\right) $$	Flame Graph
entity_by_id	entity type ID: https://blockprotocol.org/@alice/types/entity-type/organization/v/1	$$35.5 \mathrm{ms} \pm 270 \mathrm{μs}\left({\color{gray}1.52 \mathrm{\%}}\right) $$	Flame Graph
entity_by_id	entity type ID: https://blockprotocol.org/@alice/types/entity-type/page/v/2	$$33.8 \mathrm{ms} \pm 254 \mathrm{μs}\left({\color{gray}0.433 \mathrm{\%}}\right) $$	Flame Graph
entity_by_id	entity type ID: https://blockprotocol.org/@alice/types/entity-type/person/v/1	$$34.0 \mathrm{ms} \pm 311 \mathrm{μs}\left({\color{gray}-0.493 \mathrm{\%}}\right) $$	Flame Graph
entity_by_id	entity type ID: https://blockprotocol.org/@alice/types/entity-type/playlist/v/1	$$33.5 \mathrm{ms} \pm 272 \mathrm{μs}\left({\color{gray}-3.946 \mathrm{\%}}\right) $$	Flame Graph
entity_by_id	entity type ID: https://blockprotocol.org/@alice/types/entity-type/song/v/1	$$33.4 \mathrm{ms} \pm 339 \mathrm{μs}\left({\color{gray}-2.020 \mathrm{\%}}\right) $$	Flame Graph
entity_by_id	entity type ID: https://blockprotocol.org/@alice/types/entity-type/uk-address/v/1	$$35.5 \mathrm{ms} \pm 309 \mathrm{μs}\left({\color{gray}-0.566 \mathrm{\%}}\right) $$	Flame Graph

representative_read_entity_type

Function	Value	Mean	Flame graphs
get_entity_type_by_id	Account ID: bf5a9ef5-dc3b-43cf-a291-6210c0321eba	$$8.47 \mathrm{ms} \pm 44.1 \mathrm{μs}\left({\color{gray}-0.361 \mathrm{\%}}\right) $$	Flame Graph

representative_read_multiple_entities

Function	Value	Mean	Flame graphs
entity_by_property	traversal_paths=0	0	$$94.9 \mathrm{ms} \pm 650 \mathrm{μs}\left({\color{gray}0.061 \mathrm{\%}}\right) $$
entity_by_property	traversal_paths=255	1,resolve_depths=inherit:1;values:255;properties:255;links:127;link_dests:126;type:true	$$148 \mathrm{ms} \pm 656 \mathrm{μs}\left({\color{gray}-1.127 \mathrm{\%}}\right) $$
entity_by_property	traversal_paths=2	1,resolve_depths=inherit:0;values:0;properties:0;links:0;link_dests:0;type:false	$$103 \mathrm{ms} \pm 671 \mathrm{μs}\left({\color{gray}-0.171 \mathrm{\%}}\right) $$
entity_by_property	traversal_paths=2	1,resolve_depths=inherit:0;values:0;properties:0;links:1;link_dests:0;type:true	$$111 \mathrm{ms} \pm 620 \mathrm{μs}\left({\color{gray}-0.358 \mathrm{\%}}\right) $$
entity_by_property	traversal_paths=2	1,resolve_depths=inherit:0;values:0;properties:2;links:1;link_dests:0;type:true	$$118 \mathrm{ms} \pm 647 \mathrm{μs}\left({\color{gray}-0.986 \mathrm{\%}}\right) $$
entity_by_property	traversal_paths=2	1,resolve_depths=inherit:0;values:2;properties:2;links:1;link_dests:0;type:true	$$128 \mathrm{ms} \pm 679 \mathrm{μs}\left({\color{gray}0.450 \mathrm{\%}}\right) $$
link_by_source_by_property	traversal_paths=0	0	$$104 \mathrm{ms} \pm 472 \mathrm{μs}\left({\color{gray}-0.589 \mathrm{\%}}\right) $$
link_by_source_by_property	traversal_paths=255	1,resolve_depths=inherit:1;values:255;properties:255;links:127;link_dests:126;type:true	$$134 \mathrm{ms} \pm 558 \mathrm{μs}\left({\color{gray}-2.835 \mathrm{\%}}\right) $$
link_by_source_by_property	traversal_paths=2	1,resolve_depths=inherit:0;values:0;properties:0;links:0;link_dests:0;type:false	$$111 \mathrm{ms} \pm 532 \mathrm{μs}\left({\color{gray}-3.836 \mathrm{\%}}\right) $$
link_by_source_by_property	traversal_paths=2	1,resolve_depths=inherit:0;values:0;properties:0;links:1;link_dests:0;type:true	$$121 \mathrm{ms} \pm 600 \mathrm{μs}\left({\color{gray}-4.005 \mathrm{\%}}\right) $$
link_by_source_by_property	traversal_paths=2	1,resolve_depths=inherit:0;values:0;properties:2;links:1;link_dests:0;type:true	$$123 \mathrm{ms} \pm 560 \mathrm{μs}\left({\color{gray}-2.360 \mathrm{\%}}\right) $$
link_by_source_by_property	traversal_paths=2	1,resolve_depths=inherit:0;values:2;properties:2;links:1;link_dests:0;type:true	$$123 \mathrm{ms} \pm 628 \mathrm{μs}\left({\color{gray}-1.366 \mathrm{\%}}\right) $$

scenarios

Function	Value	Mean	Flame graphs
full_test	query-limited	$$156 \mathrm{ms} \pm 2.44 \mathrm{ms}\left({\color{lightgreen}-14.942 \mathrm{\%}}\right) $$	Flame Graph
full_test	query-unlimited	$$149 \mathrm{ms} \pm 560 \mathrm{μs}\left({\color{gray}0.015 \mathrm{\%}}\right) $$	Flame Graph
linked_queries	query-limited	$$41.8 \mathrm{ms} \pm 185 \mathrm{μs}\left({\color{red}5.16 \mathrm{\%}}\right) $$	Flame Graph
linked_queries	query-unlimited	$$537 \mathrm{ms} \pm 1.12 \mathrm{ms}\left({\color{gray}-0.578 \mathrm{\%}}\right) $$	Flame Graph

[hash-worker]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: yarn.lock

error This project's package.json defines "packageManager": "yarn@4.12.0". However the current global version of Yarn is 1.22.22.

Presence of the "packageManager" field indicates that the project is meant to be used with Corepack, a tool included by default with all official Node.js distributions starting from 16.9 and 14.19.
Corepack must currently be enabled by running corepack enable in your terminal. For more information, check out https://yarnpkg.com/corepack.