fix(deps): upgrade vitest to ^4.1.0 to patch critical Vitest UI advisory (GHSA-5xrq-8626-4rwp)

- Bump vitest and @vitest/coverage-v8 to ^4.1.0 across all workspaces (only patched release for the critical 'Vitest UI server arbitrary file read/execute' advisory; no 3.x backport exists)
- Widen @sim/testing peer range to ^3.0.0 || ^4.0.0
- Migrate constructor mocks to class expressions: vitest 4 uses Reflect.construct for mocks invoked with new, and arrow/function implementations are not constructable (function expressions also get reverted to arrows by biome's useArrowFunction)
- Remove deprecated test.poolOptions from apps/sim/vitest.config.ts (options are now top-level in vitest 4)

Author: waleedlatif1

apps/realtime/package.json

@@ -43,6 +43,6 @@
     "@types/node": "24.2.1",
     "socket.io-client": "4.8.1",
     "typescript": "^5.7.3",
-    "vitest": "^3.0.8"
+    "vitest": "^4.1.0"
   }
 }

apps/sim/app/api/copilot/checkpoints/revert/route.test.ts

@@ -94,16 +94,23 @@ describe('Copilot Checkpoints Revert API Route', () => {
     vi.spyOn(Date, 'now').mockReturnValue(1640995200000)
 
     const originalDate = Date
-    vi.spyOn(global, 'Date').mockImplementation(((...args: any[]) => {
+    const buildDate = (args: any[]): Date => {
       if (args.length === 0) {
-        const mockDate = new originalDate('2024-01-01T00:00:00.000Z')
-        return mockDate
+        return new originalDate('2024-01-01T00:00:00.000Z')
       }
       if (args.length === 1) {
         return new originalDate(args[0])
       }
       return new originalDate(args[0], args[1], args[2], args[3], args[4], args[5], args[6])
-    }) as any)
+    }
+    vi.spyOn(global, 'Date').mockImplementation(
+      class {
+        constructor(...args: any[]) {
+          // biome-ignore lint/correctness/noConstructorReturn: vitest 4 constructs mocks via Reflect.construct; returning a real Date overrides the instance so `new Date(...)` yields a genuine Date the route can call .toISOString()/.getTime() on
+          return buildDate(args)
+        }
+      } as any
+    )
   })
 
   afterEach(() => {

apps/sim/lib/copilot/request/lifecycle/start.test.ts

@@ -65,31 +65,33 @@ vi.mock('@/lib/copilot/request/session', () => ({
   startAbortPoller: vi.fn().mockReturnValue(setInterval(() => {}, 999999)),
   isExplicitStopReason: vi.fn().mockReturnValue(false),
   SSE_RESPONSE_HEADERS: {},
-  StreamWriter: vi.fn().mockImplementation(() => ({
-    attach: vi.fn().mockImplementation((ctrl: ReadableStreamDefaultController) => {
-      mockPublisherController = ctrl
-    }),
-    startKeepalive: vi.fn(),
-    stopKeepalive: vi.fn(),
-    flush: vi.fn(),
-    close: vi.fn().mockImplementation(() => {
-      try {
-        mockPublisherController?.close()
-      } catch {
-        // already closed
+  StreamWriter: vi.fn().mockImplementation(
+    class {
+      attach = vi.fn().mockImplementation((ctrl: ReadableStreamDefaultController) => {
+        mockPublisherController = ctrl
+      })
+      startKeepalive = vi.fn()
+      stopKeepalive = vi.fn()
+      flush = vi.fn()
+      close = vi.fn().mockImplementation(() => {
+        try {
+          mockPublisherController?.close()
+        } catch {
+          // already closed
+        }
+      })
+      markDisconnected = vi.fn()
+      publish = vi.fn().mockImplementation(async (event: Record<string, unknown>) => {
+        appendEvent(event)
+      })
+      get clientDisconnected() {
+        return false
+      }
+      get sawComplete() {
+        return false
       }
-    }),
-    markDisconnected: vi.fn(),
-    publish: vi.fn().mockImplementation(async (event: Record<string, unknown>) => {
-      appendEvent(event)
-    }),
-    get clientDisconnected() {
-      return false
-    },
-    get sawComplete() {
-      return false
-    },
-  })),
+    }
+  ),
 }))
 vi.mock('@/lib/copilot/request/session/sse', () => ({
   SSE_RESPONSE_HEADERS: {},

apps/sim/lib/core/config/redis.test.ts

@@ -6,7 +6,13 @@ const { MockRedisConstructor } = vi.hoisted(() => ({
 }))
 
 const mockRedisInstance = createMockRedis()
-MockRedisConstructor.mockImplementation(() => mockRedisInstance)
+MockRedisConstructor.mockImplementation(
+  class {
+    constructor() {
+      Object.assign(this, mockRedisInstance)
+    }
+  }
+)
 
 vi.mock('@/lib/core/config/env', () => createEnvMock({ REDIS_URL: 'redis://localhost:6379' }))
 vi.mock('ioredis', () => ({
@@ -26,7 +32,13 @@ describe('redis config', () => {
     vi.clearAllMocks()
     vi.useFakeTimers()
     resetForTesting()
-    MockRedisConstructor.mockImplementation(() => mockRedisInstance)
+    MockRedisConstructor.mockImplementation(
+      class {
+        constructor() {
+          Object.assign(this, mockRedisInstance)
+        }
+      }
+    )
   })
 
   afterEach(() => {
@@ -197,10 +209,14 @@ describe('redis config', () => {
   describe('retryStrategy', () => {
     function captureRetryStrategy(): (times: number) => number {
       let capturedConfig: Record<string, unknown> = {}
-      MockRedisConstructor.mockImplementation((_url: string, config: Record<string, unknown>) => {
-        capturedConfig = config
-        return { ping: vi.fn(), on: vi.fn() }
-      })
+      MockRedisConstructor.mockImplementation(
+        class {
+          constructor(_url: string, config: Record<string, unknown>) {
+            capturedConfig = config
+            Object.assign(this, { ping: vi.fn(), on: vi.fn() })
+          }
+        }
+      )
 
       getRedisClient()
 

apps/sim/lib/core/rate-limiter/storage/factory.test.ts

@@ -19,11 +19,19 @@ vi.mock('@/lib/core/storage', () => ({
 }))
 
 vi.mock('@/lib/core/rate-limiter/storage/db-token-bucket', () => ({
-  DbTokenBucket: vi.fn(() => ({ type: 'db' })),
+  DbTokenBucket: vi.fn().mockImplementation(
+    class {
+      type = 'db'
+    }
+  ),
 }))
 
 vi.mock('@/lib/core/rate-limiter/storage/redis-token-bucket', () => ({
-  RedisTokenBucket: vi.fn(() => ({ type: 'redis' })),
+  RedisTokenBucket: vi.fn().mockImplementation(
+    class {
+      type = 'redis'
+    }
+  ),
 }))
 
 import { createStorageAdapter, resetStorageAdapter } from '@/lib/core/rate-limiter/storage/factory'

apps/sim/lib/data-drains/destinations/azure_blob.test.ts

@@ -12,8 +12,12 @@ const { mockUpload, mockDeleteIfExists, BlobServiceClientCtor, StorageSharedKeyC
     return {
       mockUpload,
       mockDeleteIfExists,
-      BlobServiceClientCtor: vi.fn(() => ({ getContainerClient: vi.fn(() => containerClient) })),
-      StorageSharedKeyCredentialCtor: vi.fn(),
+      BlobServiceClientCtor: vi.fn().mockImplementation(
+        class {
+          getContainerClient = vi.fn(() => containerClient)
+        }
+      ),
+      StorageSharedKeyCredentialCtor: vi.fn().mockImplementation(class {}),
     }
   })
 

apps/sim/lib/data-drains/destinations/bigquery.test.ts

@@ -17,7 +17,11 @@ const { mockGetAccessToken, JWTCtor, loggerInstance } = vi.hoisted(() => {
   }
   return {
     mockGetAccessToken,
-    JWTCtor: vi.fn(() => ({ getAccessToken: mockGetAccessToken })),
+    JWTCtor: vi.fn().mockImplementation(
+      class {
+        getAccessToken = mockGetAccessToken
+      }
+    ),
     loggerInstance,
   }
 })

apps/sim/lib/data-drains/destinations/gcs.test.ts

@@ -7,7 +7,11 @@ const { mockGetAccessToken, JWTCtor } = vi.hoisted(() => {
   const mockGetAccessToken = vi.fn(async () => ({ token: 'fake-access-token' }))
   return {
     mockGetAccessToken,
-    JWTCtor: vi.fn(() => ({ getAccessToken: mockGetAccessToken })),
+    JWTCtor: vi.fn().mockImplementation(
+      class {
+        getAccessToken = mockGetAccessToken
+      }
+    ),
   }
 })
 

apps/sim/lib/data-drains/destinations/s3.test.ts

@@ -10,9 +10,30 @@ const { mockSend, mockDestroy, S3ClientCtor, PutObjectCommandCtor, DeleteObjectC
     return {
       mockSend,
       mockDestroy,
-      S3ClientCtor: vi.fn(() => ({ send: mockSend, destroy: mockDestroy })),
-      PutObjectCommandCtor: vi.fn((args: unknown) => ({ __cmd: 'put', args })),
-      DeleteObjectCommandCtor: vi.fn((args: unknown) => ({ __cmd: 'delete', args })),
+      S3ClientCtor: vi.fn().mockImplementation(
+        class {
+          send = mockSend
+          destroy = mockDestroy
+        }
+      ),
+      PutObjectCommandCtor: vi.fn().mockImplementation(
+        class {
+          __cmd = 'put'
+          args: unknown
+          constructor(args: unknown) {
+            this.args = args
+          }
+        }
+      ),
+      DeleteObjectCommandCtor: vi.fn().mockImplementation(
+        class {
+          __cmd = 'delete'
+          args: unknown
+          constructor(args: unknown) {
+            this.args = args
+          }
+        }
+      ),
     }
   })
 

apps/sim/lib/mcp/client.test.ts

@@ -10,25 +10,33 @@ import { beforeEach, describe, expect, it, vi } from 'vitest'
 let capturedNotificationHandler: (() => Promise<void>) | null = null
 
 vi.mock('@modelcontextprotocol/sdk/client/index.js', () => ({
-  Client: vi.fn().mockImplementation(() => ({
-    connect: vi.fn().mockResolvedValue(undefined),
-    close: vi.fn().mockResolvedValue(undefined),
-    getServerVersion: vi.fn().mockReturnValue('2025-06-18'),
-    getServerCapabilities: vi.fn().mockReturnValue({ tools: { listChanged: true } }),
-    setNotificationHandler: vi
-      .fn()
-      .mockImplementation((_schema: unknown, handler: () => Promise<void>) => {
-        capturedNotificationHandler = handler
-      }),
-    listTools: vi.fn().mockResolvedValue({ tools: [] }),
-  })),
+  Client: vi.fn().mockImplementation(
+    class {
+      constructor() {
+        Object.assign(this, {
+          connect: vi.fn().mockResolvedValue(undefined),
+          close: vi.fn().mockResolvedValue(undefined),
+          getServerVersion: vi.fn().mockReturnValue('2025-06-18'),
+          getServerCapabilities: vi.fn().mockReturnValue({ tools: { listChanged: true } }),
+          setNotificationHandler: vi
+            .fn()
+            .mockImplementation((_schema: unknown, handler: () => Promise<void>) => {
+              capturedNotificationHandler = handler
+            }),
+          listTools: vi.fn().mockResolvedValue({ tools: [] }),
+        })
+      }
+    }
+  ),
 }))
 
 vi.mock('@modelcontextprotocol/sdk/client/streamableHttp.js', () => ({
-  StreamableHTTPClientTransport: vi.fn().mockImplementation(() => ({
-    onclose: null,
-    sessionId: 'test-session',
-  })),
+  StreamableHTTPClientTransport: vi.fn().mockImplementation(
+    class {
+      onclose: null = null
+      sessionId = 'test-session'
+    }
+  ),
 }))
 
 vi.mock('@modelcontextprotocol/sdk/types.js', () => ({