fix(deps): upgrade vitest to ^4.1.0 to patch critical Vitest UI advisory (GHSA-5xrq-8626-4rwp) (#4837)

* fix(deps): upgrade vitest to ^4.1.0 to patch critical Vitest UI advisory (GHSA-5xrq-8626-4rwp)

- Bump vitest and @vitest/coverage-v8 to ^4.1.0 across all workspaces (only patched release for the critical 'Vitest UI server arbitrary file read/execute' advisory; no 3.x backport exists)
- Widen @sim/testing peer range to ^3.0.0 || ^4.0.0
- Migrate constructor mocks to class expressions: vitest 4 uses Reflect.construct for mocks invoked with new, and arrow/function implementations are not constructable (function expressions also get reverted to arrows by biome's useArrowFunction)
- Remove deprecated test.poolOptions from apps/sim/vitest.config.ts (options are now top-level in vitest 4)

* fix(deps): exclude vulnerable vitest 4.0.x from @sim/testing peer range

Tighten the v4 arm of the peer range to >=4.1.0 <5.0.0 so the peer
requirement cannot be satisfied by the unpatched 4.0.x builds that
GHSA-5xrq-8626-4rwp affects.

* fix(testing): make vitest 4 constructor mocks type-check cleanly

- logging-session & mcp-oauth mocks: a class passed to mockImplementation has
  a construct signature that isn't assignable to its (...args) => any parameter,
  failing tsc. Use named function declarations instead (constructable via
  Reflect.construct, assignable to mockImplementation, and not rewritten to
  arrows by biome's useArrowFunction).
- database.mock.ts: vitest 4's generic vi.fn typings no longer break the
  self-referential cycle on the transaction callback's tx param; loosen tx and
  annotate the callback's return type to resolve the implicit-any errors.

* test(isolated-vm): de-flake queue-capacity scheduler tests

The 'queue is full' and 'per-owner queued limit' tests relied on
'await sleep(1)' to assume the first request had reached the queue before
submitting the overflow request. The first request only enqueues after an
async spawn-failure chain (acquireWorker -> spawn exit -> resolve null ->
enqueue), which isn't guaranteed within 1ms under CI load — the overflow
request then found an empty queue and hit the 200ms queue-wait timeout
instead of the capacity rejection.

Replace the wall-clock barrier with a deterministic, event-driven one: hold
the single global concurrency slot (IVM_MAX_CONCURRENT=1) with an active
worker and await an explicit 'dispatched' signal (fired when the worker
receives its execute message, after the scheduler counts it active). The
follow-up requests then deterministically hit the synchronous enqueue path.
Also drops the queue-wait timeout from 200ms to 50ms, so the tests run faster.

Author: waleedlatif1

apps/realtime/package.json

@@ -43,6 +43,6 @@
     "@types/node": "24.2.1",
     "socket.io-client": "4.8.1",
     "typescript": "^5.7.3",
-    "vitest": "^3.0.8"
+    "vitest": "^4.1.0"
   }
 }

apps/sim/app/api/copilot/checkpoints/revert/route.test.ts

@@ -94,16 +94,23 @@ describe('Copilot Checkpoints Revert API Route', () => {
     vi.spyOn(Date, 'now').mockReturnValue(1640995200000)
 
     const originalDate = Date
-    vi.spyOn(global, 'Date').mockImplementation(((...args: any[]) => {
+    const buildDate = (args: any[]): Date => {
       if (args.length === 0) {
-        const mockDate = new originalDate('2024-01-01T00:00:00.000Z')
-        return mockDate
+        return new originalDate('2024-01-01T00:00:00.000Z')
       }
       if (args.length === 1) {
         return new originalDate(args[0])
       }
       return new originalDate(args[0], args[1], args[2], args[3], args[4], args[5], args[6])
-    }) as any)
+    }
+    vi.spyOn(global, 'Date').mockImplementation(
+      class {
+        constructor(...args: any[]) {
+          // biome-ignore lint/correctness/noConstructorReturn: vitest 4 constructs mocks via Reflect.construct; returning a real Date overrides the instance so `new Date(...)` yields a genuine Date the route can call .toISOString()/.getTime() on
+          return buildDate(args)
+        }
+      } as any
+    )
   })
 
   afterEach(() => {

apps/sim/lib/copilot/request/lifecycle/start.test.ts

@@ -65,31 +65,33 @@ vi.mock('@/lib/copilot/request/session', () => ({
   startAbortPoller: vi.fn().mockReturnValue(setInterval(() => {}, 999999)),
   isExplicitStopReason: vi.fn().mockReturnValue(false),
   SSE_RESPONSE_HEADERS: {},
-  StreamWriter: vi.fn().mockImplementation(() => ({
-    attach: vi.fn().mockImplementation((ctrl: ReadableStreamDefaultController) => {
-      mockPublisherController = ctrl
-    }),
-    startKeepalive: vi.fn(),
-    stopKeepalive: vi.fn(),
-    flush: vi.fn(),
-    close: vi.fn().mockImplementation(() => {
-      try {
-        mockPublisherController?.close()
-      } catch {
-        // already closed
+  StreamWriter: vi.fn().mockImplementation(
+    class {
+      attach = vi.fn().mockImplementation((ctrl: ReadableStreamDefaultController) => {
+        mockPublisherController = ctrl
+      })
+      startKeepalive = vi.fn()
+      stopKeepalive = vi.fn()
+      flush = vi.fn()
+      close = vi.fn().mockImplementation(() => {
+        try {
+          mockPublisherController?.close()
+        } catch {
+          // already closed
+        }
+      })
+      markDisconnected = vi.fn()
+      publish = vi.fn().mockImplementation(async (event: Record<string, unknown>) => {
+        appendEvent(event)
+      })
+      get clientDisconnected() {
+        return false
+      }
+      get sawComplete() {
+        return false
       }
-    }),
-    markDisconnected: vi.fn(),
-    publish: vi.fn().mockImplementation(async (event: Record<string, unknown>) => {
-      appendEvent(event)
-    }),
-    get clientDisconnected() {
-      return false
-    },
-    get sawComplete() {
-      return false
-    },
-  })),
+    }
+  ),
 }))
 vi.mock('@/lib/copilot/request/session/sse', () => ({
   SSE_RESPONSE_HEADERS: {},

apps/sim/lib/core/config/redis.test.ts

@@ -6,7 +6,13 @@ const { MockRedisConstructor } = vi.hoisted(() => ({
 }))
 
 const mockRedisInstance = createMockRedis()
-MockRedisConstructor.mockImplementation(() => mockRedisInstance)
+MockRedisConstructor.mockImplementation(
+  class {
+    constructor() {
+      Object.assign(this, mockRedisInstance)
+    }
+  }
+)
 
 vi.mock('@/lib/core/config/env', () => createEnvMock({ REDIS_URL: 'redis://localhost:6379' }))
 vi.mock('ioredis', () => ({
@@ -26,7 +32,13 @@ describe('redis config', () => {
     vi.clearAllMocks()
     vi.useFakeTimers()
     resetForTesting()
-    MockRedisConstructor.mockImplementation(() => mockRedisInstance)
+    MockRedisConstructor.mockImplementation(
+      class {
+        constructor() {
+          Object.assign(this, mockRedisInstance)
+        }
+      }
+    )
   })
 
   afterEach(() => {
@@ -197,10 +209,14 @@ describe('redis config', () => {
   describe('retryStrategy', () => {
     function captureRetryStrategy(): (times: number) => number {
       let capturedConfig: Record<string, unknown> = {}
-      MockRedisConstructor.mockImplementation((_url: string, config: Record<string, unknown>) => {
-        capturedConfig = config
-        return { ping: vi.fn(), on: vi.fn() }
-      })
+      MockRedisConstructor.mockImplementation(
+        class {
+          constructor(_url: string, config: Record<string, unknown>) {
+            capturedConfig = config
+            Object.assign(this, { ping: vi.fn(), on: vi.fn() })
+          }
+        }
+      )
 
       getRedisClient()
 

apps/sim/lib/core/rate-limiter/storage/factory.test.ts

@@ -19,11 +19,19 @@ vi.mock('@/lib/core/storage', () => ({
 }))
 
 vi.mock('@/lib/core/rate-limiter/storage/db-token-bucket', () => ({
-  DbTokenBucket: vi.fn(() => ({ type: 'db' })),
+  DbTokenBucket: vi.fn().mockImplementation(
+    class {
+      type = 'db'
+    }
+  ),
 }))
 
 vi.mock('@/lib/core/rate-limiter/storage/redis-token-bucket', () => ({
-  RedisTokenBucket: vi.fn(() => ({ type: 'redis' })),
+  RedisTokenBucket: vi.fn().mockImplementation(
+    class {
+      type = 'redis'
+    }
+  ),
 }))
 
 import { createStorageAdapter, resetStorageAdapter } from '@/lib/core/rate-limiter/storage/factory'

apps/sim/lib/data-drains/destinations/azure_blob.test.ts

@@ -12,8 +12,12 @@ const { mockUpload, mockDeleteIfExists, BlobServiceClientCtor, StorageSharedKeyC
     return {
       mockUpload,
       mockDeleteIfExists,
-      BlobServiceClientCtor: vi.fn(() => ({ getContainerClient: vi.fn(() => containerClient) })),
-      StorageSharedKeyCredentialCtor: vi.fn(),
+      BlobServiceClientCtor: vi.fn().mockImplementation(
+        class {
+          getContainerClient = vi.fn(() => containerClient)
+        }
+      ),
+      StorageSharedKeyCredentialCtor: vi.fn().mockImplementation(class {}),
     }
   })
 

apps/sim/lib/data-drains/destinations/bigquery.test.ts

@@ -17,7 +17,11 @@ const { mockGetAccessToken, JWTCtor, loggerInstance } = vi.hoisted(() => {
   }
   return {
     mockGetAccessToken,
-    JWTCtor: vi.fn(() => ({ getAccessToken: mockGetAccessToken })),
+    JWTCtor: vi.fn().mockImplementation(
+      class {
+        getAccessToken = mockGetAccessToken
+      }
+    ),
     loggerInstance,
   }
 })

apps/sim/lib/data-drains/destinations/gcs.test.ts

@@ -7,7 +7,11 @@ const { mockGetAccessToken, JWTCtor } = vi.hoisted(() => {
   const mockGetAccessToken = vi.fn(async () => ({ token: 'fake-access-token' }))
   return {
     mockGetAccessToken,
-    JWTCtor: vi.fn(() => ({ getAccessToken: mockGetAccessToken })),
+    JWTCtor: vi.fn().mockImplementation(
+      class {
+        getAccessToken = mockGetAccessToken
+      }
+    ),
   }
 })
 

apps/sim/lib/data-drains/destinations/s3.test.ts

@@ -10,9 +10,30 @@ const { mockSend, mockDestroy, S3ClientCtor, PutObjectCommandCtor, DeleteObjectC
     return {
       mockSend,
       mockDestroy,
-      S3ClientCtor: vi.fn(() => ({ send: mockSend, destroy: mockDestroy })),
-      PutObjectCommandCtor: vi.fn((args: unknown) => ({ __cmd: 'put', args })),
-      DeleteObjectCommandCtor: vi.fn((args: unknown) => ({ __cmd: 'delete', args })),
+      S3ClientCtor: vi.fn().mockImplementation(
+        class {
+          send = mockSend
+          destroy = mockDestroy
+        }
+      ),
+      PutObjectCommandCtor: vi.fn().mockImplementation(
+        class {
+          __cmd = 'put'
+          args: unknown
+          constructor(args: unknown) {
+            this.args = args
+          }
+        }
+      ),
+      DeleteObjectCommandCtor: vi.fn().mockImplementation(
+        class {
+          __cmd = 'delete'
+          args: unknown
+          constructor(args: unknown) {
+            this.args = args
+          }
+        }
+      ),
     }
   })