fix(deps): update all major dependencies (major)

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence	Type	Update
@neondatabase/serverless (source)	0.10.4 -> 1.0.2			dependencies	major
@types/node (source)	22.13.4 -> 24.9.2			devDependencies	major
@vitest/coverage-v8 (source)	3.0.5 -> 4.0.5			devDependencies	major
actions/checkout	v4 -> v5			action	major
actions/setup-node	v4 -> v6			action	major
dotenv	16.4.7 -> 17.2.3			devDependencies	major
eslint-import-resolver-typescript	3.8.0 -> 4.4.4			devDependencies	major
vitest (source)	3.0.5 -> 4.0.5			devDependencies	major
wrangler (source)	3.109.1 -> 4.45.2			devDependencies	major
zod (source)	3.24.2 -> 4.1.12			dependencies	major

---

Release Notes

neondatabase/serverless (@​neondatabase/serverless)

v1.0.2

Compare Source

Update neon.tech references to neon.com domain.

v1.0.1

Compare Source

The package now prints a security warning to the console when a connection is made in a web browser. This behaviour can be suppressed with a new configuration option: disableWarningInBrowsers. There are a few other very minor fixes.

v1.0.0

Compare Source

Breaking change: the HTTP query template function can now only be called as a template function, not as a conventional function. This improves safety from accidental SQL-injection vulnerabilities. For example:

import { neon } from '@​neondatabase/serverless';
const sql = neon(process.env.DATABASE_URL);
const id = 1;

// this is safe and convenient, as before
const result = await sql`SELECT * FROM table WHERE id = ${id}`;

// this looks very similar and was previously allowed, but was open to SQL
// injection attacks because it uses ordinary string interpolation -- it's now
// both a TypeScript type error and a runtime error
const throws = await sql(`SELECT * FROM table WHERE id = ${id}`);

To fill the gap left by this change, the template function has two new properties: a query() function that allows manually parameterized queries, and an unsafe() function that lets you interpolate trusted arbitrary string values. For example:

// this was previously allowed, and was safe, but is now also an error so as to
// prevent the vulnerability seen above
const throws = await sql('SELECT * FROM table WHERE id = $1', [id]);

// the `query()` function is the new way to manually specify placeholders and
// values (the same way it's done by `client.query()` and `pool.query()`)
const result = await sql.query('SELECT * FROM table WHERE id = $1', [id]);

// to interpolate strings like column or table names, **only** if you know
// they're safe, use the `unsafe()` function
const table = condition ? 'table1' : 'table2'; // known-safe string values
const result = await sql`SELECT * FROM ${sql.unsafe(table)} WHERE id = ${id}`;

// but in the above case, you might prefer to do this instead
const table = condition ? sql`table1` : sql`table2`;
const result = await sql`SELECT * FROM ${table} WHERE id = ${id}`;

In addition, HTTP template queries are now fully composable, including those with parameters. For example:

const name = 'Olivia';
const limit = 1;
const whereClause = sql`WHERE name = ${name}`;
const limitClause = sql`LIMIT ${limit}`;

// compilation to raw SQL now happens lazily, at query time, so that parameter
// placeholders can be numbered appropriately
const result = await sql`SELECT * FROM table ${whereClause} ${limitClause}`;

The minimum supported version of Node is now v19 (this avoids having to do dynamic crypto imports, which can cause trouble with bundlers).

Lastly: the repository has been rearranged and refactored, .d.ts files are now generated automatically, packages are published via npm version, and comprehensive tests have been put in place. This should ease the way for future enhancements and contributions.

vitest-dev/vitest (@​vitest/coverage-v8)

v4.0.5

Compare Source

   🐞 Bug Fixes

• Respect ssr.noExternal when externalizing dependencies  -  by @​sheremet-va in #​8862 (a4f86)
• Allow module in --config  -  by @​sheremet-va in #​8864 (b9521)
• browser: Allow Locator type in selectOptions element parameter  -  by @​rzzf and @​sheremet-va in #​8848 (7ee28)
• module-runner: Don't return node builtins for getBuiltins unconditionally  -  by @​sapphi-red in #​8863 (0e858)
• pool: Rename groupId to groupOrder in error message  -  by @​Yohannfra in #​8856 (b9aab)

   🏎 Performance

• Pass testfiles at once when --no-isolate --maxWorkers=1  -  by @​AriPerkkio in #​8835 (584aa)
• expect: Optimize checking the input type  -  by @​Connormiha in #​8840 (06968)

    View changes on GitHub

v4.0.4

Compare Source

   🐞 Bug Fixes

• browser:
  • Correct typo  -  by @​benmccann in #​8796 (ede1f)
  • Publish a missing context file for webdriverio  -  by @​sheremet-va in #​8824 (7c7b6)
• mocker:
  • Support mocking builtins without node: prefix  -  by @​sheremet-va in #​8829 (06208)
• pool:
  • Runner's error listener causing MaxListenersExceededWarning  -  by @​AriPerkkio in #​8820 (d1bff)
  • Capture workers stdio to logger  -  by @​AriPerkkio in #​8809 (fb95f)
• spy:
  • Allow classes in vi.mocked utility  -  by @​sheremet-va in #​8839 (f8756)
• worker:
  • Rpc listener leak when isolate: false  -  by @​AriPerkkio in #​8821 (573dc)

   🏎 Performance

• utils: Optimized reducer to avoid creating new objects  -  by @​Connormiha in #​8818 (d19ce)

    View changes on GitHub

v4.0.3

Compare Source

   🐞 Bug Fixes

• Preserve reporter options from config when CLI reporters override them  -  by @​Copilot and sheremet-va in #​8794 (15552)
• browser: More stable in-source testing validation  -  by @​sheremet-va in #​8793 (62297)
• happy-dom: Support fetch globals  -  by @​sheremet-va in #​8791 (0fb74)
• init: Use correct jsx/tsx extension  -  by @​sheremet-va in #​8792 (abc04)

    View changes on GitHub

v4.0.2

Compare Source

   🐞 Bug Fixes

• browser:
  • Don't print the deprecation notice in node_modules  -  by @​sheremet-va in #​8779 (588f7)
• pool:
  • Assign envs before running tests to keep in sync with process.env  -  by @​sheremet-va in #​8769 (26ce8)
• spy:
  • Properly inherit implementation's length  -  by @​sheremet-va in #​8778 (d4c2b)
  • Reset spies if both restoreMocks and mockReset is set in the config  -  by @​sheremet-va in #​8781 (2eedb)

    View changes on GitHub

v4.0.1

Compare Source

   🐞 Bug Fixes

• Move the getBuiltins check  -  by @​sheremet-va in #​8765 (81000)
• pool: Don't teardown the communication channel too soon if something is running after the test  -  by @​sheremet-va in #​8767 (3fae7)

    View changes on GitHub

v4.0.0

Compare Source

   🚨 Breaking Changes

• Remove 'basic' reporter  -  by @​AriPerkkio in #​7884 (82fcf)
• Simplify default exclude pattern  -  by @​sheremet-va in #​6287 (14c50)
• Remove deprecated getSourceMap  -  by @​sheremet-va in #​8194 (ff934)
• Replace deprecated ErrorWithDiff with TestError  -  by @​sheremet-va in #​8195 (da59e)
• Remove UserConfig type in favor of ViteUserConfig  -  by @​sheremet-va in #​8196 (22f7f)
• Remove deprecated coverage options in favor of vitest/node exports  -  by @​sheremet-va in #​8197 (dc848)
• Remove deprecated internal helpers and environment exports  -  by @​sheremet-va in #​8198 (4703c)
• Remove deprecated typecheck and runner types  -  by @​sheremet-va in #​8199 (89a1c)
• Remove Node types from the main entry point, use vitest/node instead  -  by @​sheremet-va in #​8200 (1e60c)
• Remove support for Vite 5  -  by @​sheremet-va in #​8202 (cb8b0)
• Remove deprecated types  -  by @​sheremet-va in #​8203 (66bee)
• Remove deprecated environmentMatchGlobs and poolMatchGlobs  -  by @​sheremet-va in #​8205 (be11d)
• Remove deprecated workspace option in favor of projects  -  by @​sheremet-va in #​8218 (76fb7)
• Ignore --standalone when CLI filename filter is used  -  by @​AriPerkkio in #​8262 (013bf)
• Use module-runner instead of vite-node  -  by @​sheremet-va and @​AriPerkkio in #​8208 (9be01)
• Rewrite spying implementation to make module mocking more intuitive  -  by @​sheremet-va in #​8363 (9e412)
• Remove deprecated APIs  -  by @​sheremet-va in #​8428 (a1cb9)
• Remove minWorkers and set it automatically to 0 in non watch mode  -  by @​sheremet-va in #​8454 (2c2d1)
• Verbose reporter prints tests in a list, introduce tree reporter  -  by @​sheremet-va and @​AriPerkkio in #​8500 (25fd3)
• Include shadow root contents in pretty-format output  -  by @​wkillerud in #​8545 (9e722)
• Remove deprecated order from test() API  -  by @​sheremet-va in #​8594 (4d419)
• Rewrite pools without tinypool  -  by @​AriPerkkio and @​sheremet-va in #​8705 (4822d)
• browser: Require a provider factory instead of a string  -  by @​sheremet-va in #​8445 (606cb)
• expect: Pass current equality testers to asymmetric matcher  -  by @​hi-ogawa in #​6825 (965ce)
• projects: Allow only files that have "vitest.config" or "vite.config" in the name  -  by @​sheremet-va in #​8542 (304bc)
• reporter: Remove deprecated APIs  -  by @​AriPerkkio and @​sheremet-va in #​8223 (149f8)
• runner: Set mode to todo if no function is passed down to test or describe  -  by @​sheremet-va in #​8346 (1a81c)
• snapshot: Fail test with obsolete snapshot on CI  -  by @​hi-ogawa in #​7963 (4d84f)
• spy: Support spying on classes  -  by @​sheremet-va in #​6160 (abc0d)

   🚀 Features

• Provide entity to onConsoleLog  -  by @​sheremet-va in #​8159 (437d4)
• Add onUnhandledError callback  -  by @​sheremet-va in #​8162 (924cb)
• Add spy option to vi.mockObject  -  by @​rChaoz in #​8285 (81d76)
• Don't use vite-node in coverage packages  -  by @​sheremet-va (ffdb4)
• Clickable dashboard numbers  -  by @​shairez in #​7406 (2344c)
• Display test "path" when filtering  -  by @​userquin in #​8547 (2e491)
• Introduce separate packages for browser mode providers  -  by @​sheremet-va in #​8629 (0dc93)
• Add hooks with type-safe extra context to TestAPI  -  by @​ysfaran in #​8623 (6b21c)
• Support expect.assert for type narrowing  -  by @​sheremet-va in #​8695 (fe589)
• Add displayAnnotations option to github-options  -  by @​sheremet-va in #​8706 (4a66d)
• Add schema validation matchers  -  by @​zirkelc in #​8527 (c0b25)
• Add a way to dump transformed content  -  by @​sheremet-va in #​8711 (931c0)
• api:
  • Expose experimental_parseSpecifications  -  by @​sheremet-va in #​8408 (fdeb2)
  • Expose Vitest watcher  -  by @​sheremet-va in #​8413 (aaa6e)
  • Add enableCoverage and disableCoverage methods  -  by @​sheremet-va and @​AriPerkkio in #​8412 (61eb7)
  • Add getGlobalTestNamePattern method  -  by @​sheremet-va in #​8438 (bdb70)
  • Add relativeModuleId to TestModule  -  by @​sheremet-va in #​8505 (3be09)
  • Add getSeed method  -  by @​sheremet-va in #​8592 (438c4)
• browser:
  • Support toBeInViewport utility method to assert element is in viewport or not  -  by @​Shinyaigeek in #​8234 (ceed5)
  • Add qwik to the vitest init cli command  -  by @​thejackshelton in #​8330 (1638b)
  • Introduce toMatchScreenshot for Visual Regression Testing  -  by @​macarie in #​8041 (d45f9)
  • Add trackUnhandledErrors option  -  by @​sheremet-va in #​8386 (c0ec0)
  • Support iframe locator with playwright provider  -  by @​sheremet-va in #​8016 (57b2c)
  • Add length property to locators, toHaveLength now accepts locators  -  by @​sheremet-va in #​8512 (2308c)
  • Support playwright tracing  -  by @​sheremet-va in #​8584 (1aac5)
  • Expose options on BrowserProviderOption  -  by @​sheremet-va in #​8609 (0d0e5)
  • Support --inspect option in webdriverio  -  by @​sheremet-va in #​8613 (38adc)
  • Support custom screenshot comparison algorithms  -  by @​macarie in #​8687 (e63b1)
• coverage:
  • autoUpdate to support percentage formatting  -  by @​Battjmo and @​AriPerkkio in #​8456 (99e01)
• expect:
  • Support toBeNullable expect function to check provided value is nullish  -  by @​Shinyaigeek and @​sheremet-va in #​8294 (eeec5)
• mocker:
  • Add automocker entry  -  by @​sheremet-va in #​8301 (e9c92)

   🐞 Bug Fixes

• Allow overriding globals in types  -  by @​sheremet-va in #​8215 (2248b)
• Remove unused dependencies  -  by @​AriPerkkio in #​8184 (feadc)
• Distribute test files to shards more evenly  -  by @​Shinyaigeek and @​AriPerkkio in #​8288 (7b489)
• Use suite's timeout when test.extend  -  by @​AriPerkkio in #​8278 (43977)
• Support snapshot with no object key sorting  -  by @​hi-ogawa and @​sheremet-va in #​8136 (e85e3)
• Annotation location always points to the test file  -  by @​sheremet-va in #​8315 (88071)
• Add --changed flag support to vitest list command  -  by @​haakonjackfloat in #​8270 and #​8272 (e71a5)
• Prevent rpc timeout on slow thread blocking synchronous methods  -  by @​AriPerkkio and @​sheremet-va in #​8297 (bea87)
• Forbid setting environment to browser  -  by @​sheremet-va in #​8334 (0417a)
• Invalidate modules in all module graphs when the file is changed  -  by @​sheremet-va in #​8352 (94ab3)
• Screenshot masks with Playwright provider  -  by @​macarie in #​8357 (459ef)
• Configure oxc instead of esbuild on rolldown-vite  -  by @​hi-ogawa in #​8378 (e922e)
• Make sure test errors always have stacks property in Node.js context  -  by @​sheremet-va in #​8392 (b825e)
• Support import.meta.resolve on Vite 7  -  by @​hi-ogawa in #​8493 (549d3)
• Show the assertion error first when expect.poll assertion fails  -  by @​sheremet-va in #​8483 (fb450)
• Override fake timers when useFakeTimers is called multiple times  -  by @​sheremet-va in #​8504 (ed7e3)
• Custom expect messages for expect.extend matchers  -  by @​lzl0304 in #​8520 (96945)
• Process sourcemaps for stack traces from globalSetup files  -  by @​sheremet-va in #​8534 (8978a)
• Resolve performance issue when throwing errors with stackTraceLimit = 0  -  by @​Copilot, sheremet-va and @​AriPerkkio in #​8531 (6d5b5)
• Avoid recursively applying $ and % formatting to test.for/each title  -  by @​hi-ogawa in #​8557 (ea6d7)
• Replace wildcard exports "./*" with specific files in vitest package  -  by @​hi-ogawa in #​8560 (ce746)
• Don't publish unused d.ts files  -  by @​sheremet-va in #​8562 (42dfd)
• Remove loupe dependencies from optimizeDeps.include for browser mode  -  by @​jake-danton in #​8570 (cdcf7)
• Update engines field to drop Node 18 support  -  by @​sheremet-va in #​8608 (9a0bf)
• Correctly inherit test options on extended tests  -  by @​sheremet-va in #​8618 (15c09)
• Update @​types/node peer deps  -  by @​sheremet-va (ee6b2)
• Re-export CDP Session directly from playwright  -  by @​mrginglymus in #​8702 (9553a)
• Disable trackUnhandledErrors if inspector is enabled  -  by @​sheremet-va in #​8732 (acac7)
• base option doesn't crash vitest  -  by @​sheremet-va in #​8760 (9f0ec)
• browser:
  • Run in-source tests only when the file itsels is a test file  -  by @​sheremet-va in #​8204 (bdd2e)
  • locator.element() returns HTMLElement or SVGElement  -  by @​sheremet-va in #​8440 (c1ac1)
  • Don't import from vite directly  -  by @​sheremet-va in #​8541 (d7fca)
  • Update expect.element type to match the implementation  -  by @​sheremet-va in #​8597 (b2804)
  • Throw an error if iframe is not accessible anymore  -  by @​sheremet-va in #​8601 (6acdc)
  • Stop creating unnecessary directories when taking screenshots  -  by @​macarie in #​8605 (b1c8f)
  • Always define commands  -  by @​sheremet-va in #​8626 (acbe0)
  • Exclude deprecated context import from optimization  -  by @​sheremet-va in #​8658 (a96ea)
  • Allow importing BrowserCommand if no browser package is installed  -  by @​sheremet-va in #​8666 (95c36)
  • Define an export for browser/utils  -  by @​sheremet-va in #​8678 (529ab)
  • Allow service workers to mock the network in chromium without breaking vi.mock  -  by @​Georgegriff and @​sheremet-va in #​8668 (87108)
  • Support sync not.toBeInTheDocument()  -  by @​sheremet-va in #​8751 (f5d06)
• core:
  • Fix objectContaining expect utility to have more compatibility to jest's one  -  by @​Shinyaigeek in #​8241 (480be)
• coverage:
  • Include files based on --project filter  -  by @​gtbuchanan in #​7885 (761be)
  • Prevent encoding filenames of uncovered files  -  by @​AriPerkkio in #​8239 (8a998)
  • Handle query param based transforms correctly  -  by @​AriPerkkio in #​8418 (a400a)
  • Enforce order of vitest:coverage-transform plugin  -  by @​AriPerkkio in #​8477 (ff517)
  • V8 to ignore Vite's generated cjs import helpers  -  by @​mrginglymus and @​AriPerkkio in #​8718 (35816)
  • Keep only strings in coverage.exclude  -  by @​sheremet-va in #​8731 (c9c30)
• deps:
  • Update all non-major dependencies  -  by @​sheremet-va in #​8235 (a1e57)
  • Update all non-major dependencies  -  in #​8328 (aa79e)
  • Update all non-major dependencies  -  in #​8348 (13f94)
  • Update all non-major dependencies  -  by @​sheremet-va in #​8382 (704eb)
  • Update all non-major dependencies  -  in #​8550 (048f7)
• jsdom:
  • Override globals that Fetch API relies on  -  by @​sheremet-va in #​8390 (05b41)
  • Support AbortSignal API  -  by @​sheremet-va in #​8704 (f6690)
• mocker:
  • Fix regexpHoistable to allow whitespace before parentheses  -  by @​cszhjh in #​8231 (a0f9a)
• module-runner:
  • Resolve resolvedSources correctly  -  by @​sheremet-va in #​8736 (8fc52)
  • Support getBuiltins  -  by @​sheremet-va in #​8746 (87bb8)
• pool:
  • Properly reuse the vm pool  -  by @​sheremet-va in #​8758 (08498)
• reporter:
  • Invisible CLI menus when vitest --standalone  -  by @​AriPerkkio in #​8248 (37cc2)
• rolldown-vite:
  • Properly disable minifier in the browser client  -  by @​sheremet-va in #​8306 (f55bb)
• runner:
  • Don't bundle runner with utils  -  by @​sheremet-va in #​8496 (2b4b0)
• spy:
  • Fix spyOn types with optional method  -  by @​sheremet-va in #​8499 (d3afa)
  • Can respy on an exported method  -  by @​sheremet-va in #​8521 (bf450)
  • Don't fail when spying on static getters  -  by @​sheremet-va in #​8589 (ac1d9)
• types:
  • Ensure Chai declaration merge works with TS-Go  -  by @​LukeAbby in #​8188 (5261d)
  • Allow returning a promise from defineConfig  -  by @​sheremet-va in #​8651 (c3474)
• ui:
  • Keep the same tab open when clicking on different tests  -  by @​sheremet-va in #​8599 (3e535)
• utils:
  • Remove ast export  -  by @​bluwy in #​8435 (21622)
• vitest:
  • Override config.include option with config.browser.instances[].include option if it is specified  -  by @​Shinyaigeek in #​8260 (010fc)
• watch:
  • Filename filter runs duplicate tests in workspaces  -  by @​AriPerkkio in #​8250 (932d8)
• wdio:
  • Wait for the driver to be properly closed  -  by @​sheremet-va in #​8305 (c16ab)
  • Properly construct the shadow root selector if there are multiple elements  -  by @​sheremet-va in #​8354 (28765)

   🏎 Performance

• Avoid spawning extra workers if no tests will run there  -  by [@​sheremet-va](https://redirect.git

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 100.00%. Comparing base (988a527) to head (73056b0).

Additional details and impacted files

@@            Coverage Diff            @@
##              main       #18   +/-   ##
=========================================
  Coverage   100.00%   100.00%           
=========================================
  Files            4         4           
  Lines           35         8   -27     
  Branches         2         0    -2     
=========================================
- Hits            35         8   -27     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.