chore: upgrade vitest from v3 to v4

[fengmk2]

• Update vitest and related packages to 4.0.15
• Migrate workspace config to use projects array (defineWorkspace -> defineConfig with test.projects)
• Remove deprecated coverage.all option
• Migrate poolOptions.forks.singleFork to maxWorkers/isolate options
• Fix incorrect import of afterEach from node:test in utils.spec.ts

🤖 Generated with Claude Code

Summary by CodeRabbit

• Chores
  • Updated Vitest testing framework dependencies to version 4.0.15 across the project.
  • Updated Vitest configuration to use new API patterns and worker/isolation settings.
  • Cleaned up test configuration imports and settings for consistency.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Walkthrough

This PR upgrades Vitest from v3.1.3 to v4.0.15, updates test configuration files to align with Vitest 4's new APIs (replacing poolOptions with maxWorkers/isolate settings, switching from defineWorkspace to defineConfig), removes redundant coverage settings, and consolidates imports.

Changes

Cohort / File(s)	Summary
Vitest dependency upgrade package.json	Updates @vitest/browser, @vitest/coverage-istanbul, @vitest/ui, and vitest from 3.1.3 to 4.0.15 in devDependencies.
Vitest configuration migration vitest.config.ts, vitest.workspace.ts, packages/frontend/apps/electron/vitest.config.ts	Vitest 4.0 API changes: replaces poolOptions.forks.singleFork with maxWorkers/isolate settings; switches workspace config from defineWorkspace() to defineConfig() with nested test.projects structure; removes explicit coverage.all: false setting.
Test file import consolidation packages/frontend/core/src/modules/navigation/__tests__/utils.spec.ts	Merges separate node:test and vitest imports into a single vitest import statement.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20–25 minutes

• Vitest 4.0 configuration API changes: The poolOptions to maxWorkers/isolate migration and defineWorkspace to defineConfig refactor require verification of behavioral equivalence and confirmation that test execution remains correct.
• Coverage configuration removal: Verify that removal of coverage.all: false doesn't alter intended coverage reporting behavior under the new version.
• Test file consolidation: Confirm that the import consolidation doesn't introduce unintended runtime changes (although unlikely for this case).

Poem

🐰 From version three to four we leap,
New configs help the tests run deep,
With workers pooling all our might,
And workspaces configured just right,
Vitest hops toward the light! 🐇✨

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the main change: upgrading Vitest from v3 to v4, which is reflected across all modified files including dependency bumps, config migrations, and API updates.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between bcc892c and fb1155d.

⛔ Files ignored due to path filters (1)

• yarn.lock is excluded by !**/yarn.lock, !**/*.lock

📒 Files selected for processing (5)

• package.json (2 hunks)
• packages/frontend/apps/electron/vitest.config.ts (1 hunks)
• packages/frontend/core/src/modules/navigation/__tests__/utils.spec.ts (1 hunks)
• vitest.config.ts (1 hunks)
• vitest.workspace.ts (1 hunks)

🧰 Additional context used

🧠 Learnings (1)

📚 Learning: 2025-11-27T03:23:11.880Z

Learnt from: CR
Repo: toeverything/AFFiNE PR: 0
File: packages/frontend/apps/ios/AGENTS.md:0-0
Timestamp: 2025-11-27T03:23:11.880Z
Learning: Applies to packages/frontend/apps/ios/**/*.{ts,tsx,js,jsx} : Follow ESLint/Prettier configuration from workspace root

Applied to files:

• vitest.workspace.ts

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (20)

• GitHub Check: Build AFFiNE native (x86_64-unknown-linux-gnu)
• GitHub Check: E2E Mobile Test (1)
• GitHub Check: E2E Mobile Test (4)
• GitHub Check: E2E Test (5)
• GitHub Check: E2E Test (8)
• GitHub Check: E2E Test (4)
• GitHub Check: E2E BlockSuite Cross Browser Test (2, webkit)
• GitHub Check: E2E BlockSuite Cross Browser Test (1, webkit)
• GitHub Check: E2E Test (1)
• GitHub Check: E2E Test (2)
• GitHub Check: E2E BlockSuite Cross Browser Test (2, firefox)
• GitHub Check: Typecheck
• GitHub Check: E2E BlockSuite Cross Browser Test (2, chromium)
• GitHub Check: E2E BlockSuite Cross Browser Test (1, firefox)
• GitHub Check: loom thread test
• GitHub Check: miri code check
• GitHub Check: Lint
• GitHub Check: Analyze (typescript, blocksuite)
• GitHub Check: Analyze (javascript, affine)
• GitHub Check: Analyze (typescript, affine)

🔇 Additional comments (4)

packages/frontend/core/src/modules/navigation/__tests__/utils.spec.ts (1)

4-4: Good fix! Corrected import source for afterEach.

The import consolidation correctly moves afterEach from node:test to vitest. Previously, mixing Node.js's native test API with Vitest could lead to inconsistent behavior in test hooks.

vitest.config.ts (1)

68-72: LGTM! Correctly removed deprecated coverage.all option.

The removal of the deprecated all: false coverage option aligns with Vitest v4 changes while retaining the necessary Istanbul provider configuration.

packages/frontend/apps/electron/vitest.config.ts (1)

27-28: Migration to Vitest v4 poolOptions is correct.

The configuration correctly translates the old poolOptions.forks.singleFork: true pattern to maxWorkers: 1 and isolate: false according to the official Vitest v4 migration guide. This produces the intended single-worker, non-isolated test execution behavior. Note: if your tests relied on automatic module reset between files, add a setup file that calls vi.resetModules() in a beforeAll hook.

vitest.workspace.ts (1)

1-11: Workspace configuration correctly uses Vitest v4 API.

The migration from defineWorkspace([...]) to defineConfig({ test: { projects: [...] } }) is the correct approach for Vitest v4+. The glob and path-based project entries are properly formatted and will be correctly discovered and executed by Vitest.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🌐 Web query:

Vitest 4.0.15 release version npm registry

💡 Result:

I couldn't find [email protected] on the npm registry. The latest 4.x release I can find is 4.0.14 (per Snyk's package info). [1][2]

Sources:

• Snyk package info showing latest 4.0.14. [1]
• Vitest blog announcing Vitest 4.0. [2]

---

🌐 Web query:

Vitest latest version 2025

💡 Result:

The latest stable Vitest release is 4.0.6 (released Oct 31, 2025). [1][2]

Sources:
[1] Vitest blog — "Vitest 4.0 is out!" (Oct 22, 2025).
[2] Package release info listing vitest 4.0.6 (published Oct 31, 2025).

---

🌐 Web query:

Vitest 4.0.15 security vulnerabilities advisories

💡 Result:

Short answer: There are no security advisories that specifically report a vulnerability in vitest v4.0.15. Two public advisories (CVE-2025-24964 and CVE-2025-24963) were disclosed in Feb 2025 that affected older major versions and were patched in the 1.x/2.x/3.x line — those issues do not list 4.x as vulnerable.

Details and sources:

• CVE-2025-24964 — critical remote code execution via the Vitest API (Cross-site WebSocket hijacking). Patched in 1.6.1, 2.1.9 and 3.0.5. [GitHub advisory / NVD]. [1][2]
• CVE-2025-24963 — browser-mode file-disclosure via __screenshot-error (path-traversal). Patched in 2.1.9 and 3.0.4. [GitHub advisory / GitLab advisory]. [3][4]

If you want, I can:

• check the vitest changelog/commit history for v4.0.15 to confirm fixes referencing these advisories, or
• scan your project's dependency tree to see if any vulnerable subpackages are present.

Sources:
[1] GitHub advisory GHSA-9crc-q9x8-hgqq (CVE-2025-24964).
[2] NVD entry CVE-2025-24964.
[3] GitHub advisory GHSA-8gvc-j273-4wm5 (CVE-2025-24963).
[4] GitLab advisory / CVE-2025-24963 summary.

---

Update Vitest packages to a valid version—4.0.15 does not exist.

Vitest 4.0.15 is not a valid release. The latest 4.0.x version is 4.0.14 (per Snyk), and the latest stable Vitest release overall is 4.0.6. Update the three packages (@vitest/browser, @vitest/coverage-istanbul, @vitest/ui) at lines 67-69 and 93 to an existing version, preferably 4.0.6 or higher (up to 4.0.14).

No security advisories affect Vitest 4.x versions; two historical CVEs (CVE-2025-24964 and CVE-2025-24963) were patched in the 1.x/2.x/3.x lines only.

🤖 Prompt for AI Agents

In package.json around lines 67-69 (and also update the related entry at line
93), the three Vitest packages "@vitest/browser", "@vitest/coverage-istanbul",
and "@vitest/ui" are pinned to a non-existent version 4.0.15; change their
versions to a valid release in the 4.0.x range (e.g., "4.0.14" or "4.0.6") by
replacing "4.0.15" with the chosen valid version in all occurrences, then run
npm/yarn install to verify resolution and update lockfile.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 47.78%. Comparing base (bcc892c) to head (9537b0a).

Additional details and impacted files

@@            Coverage Diff             @@
##           canary   #14045      +/-   ##
==========================================
- Coverage   57.15%   47.78%   -9.38%     
==========================================
  Files        2757     2184     -573     
  Lines      137728   115975   -21753     
  Branches    21155    15466    -5689     
==========================================
- Hits        78724    55420   -23304     
- Misses      56776    59932    +3156     
+ Partials     2228      623    -1605     

Flag	Coverage Δ
server-test	77.29% <ø> (-1.18%)	⬇️
unittest	14.33% <ø> (-17.66%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.