chore: bump the vitest group across 1 directory with 2 updates

[dependabot]

Bumps the vitest group with 2 updates in the / directory: @cloudflare/vitest-pool-workers and vitest.

Updates @cloudflare/vitest-pool-workers from 0.10.1 to 0.16.13

Release notes

Sourced from @​cloudflare/vitest-pool-workers's releases.

@​cloudflare/vitest-pool-workers@​0.16.13

Patch Changes

• Updated dependencies [c6c61b5, c6c61b5, a3eea27, 7a6b1a4, 7539a9b, 1fdd8de, 3b8b80a, 0bb2d55, 8400fb9, b502d54, 7949f81, d462013, c2280cd, 3b8b80a, ea12b58, acf7817]:
  • wrangler@4.98.0
  • miniflare@4.20260603.0

@​cloudflare/vitest-pool-workers@​0.16.12

Patch Changes

• #14152 3d7992e Thanks @​petebacondarwin! - Fix module resolution failing when project path contains spaces

  When a project lived under a directory with spaces (e.g. /Users/me/Documents/Master CMS/project), the vitest pool would fail with No such module "threads.js" before any test executed. The module fallback service now uses the rawSpecifier from workerd's fallback request to correctly decode file:// URLs, avoiding the double-encoding of spaces (%20 → %2520) that occurred when workerd resolved these URLs as relative paths.

• #14105 337e912 Thanks @​dario-piotrowicz! - Remove trailing periods from URLs in terminal output

  URLs printed to the terminal with a sentence-ending period (e.g. https://example.com/path.) would include the period when clicked in some terminal emulators, causing 404 errors. This removes trailing periods from all URLs displayed in CLI output across wrangler, miniflare, vitest-pool-workers, and workers-utils.

• #14112 3a746ac Thanks @​penalosa! - Pin non-bundled runtime dependencies to exact versions

  Dependencies that are not bundled into a package's published output are installed directly into consumers' dependency trees, so they are now pinned to exact versions instead of semver ranges. This closes a supply-chain gap where an unpinned external dependency could resolve to a compromised upstream release on a fresh install. A new pnpm check:pinned-deps lint enforces this for all published packages (and for the shared pnpm catalog) going forward.

• #14061 da8e306 Thanks @​Vardiak! - Preserve Durable Object WebSocket handler invocation order

  Durable Object WebSocket events could begin executing out of order in the Workers Vitest integration when several events arrived while the test wrapper was resolving user code.

  Handler invocation now preserves arrival order while still allowing asynchronous handler completion to run concurrently.

• Updated dependencies [b210c5e, aec1bb8, e06cbb7, 9a26191, 5565823, 4ef790b, 890fca7, 6fc9777, 337e912, 8e7b74f, e86489a, 42288d4, 65b5f9e, 3a746ac, 64ef9fd, 94b29f7]:

  • wrangler@4.97.0
  • miniflare@4.20260601.0

@​cloudflare/vitest-pool-workers@​0.16.11

Patch Changes

• #14070 96ae856 Thanks @​dmmulroy! - Fix Durable Object RPC dispatch for constructors that return proxies

  Durable Object RPC methods mediated by a returned Proxy are now resolved through that proxy after validating prototype exposure. This allows wrappers that bind methods to the underlying instance to use private fields and methods in Vitest, while matching workerd's rejection of constructor-assigned RPC overrides.

• Updated dependencies [a2ef1a3, cbb39bd, cbb39bd, 408432a, 1103c07, 7bb5c7a, 5b5cbd3, a2ef1a3, 2c1d8b2, ce4eb20, 5fa3de6, 37176e5, 0ce88ea, 66d86ba, 9dee4cc, 97d7d81, c647ccc, f623ae4, c8c7ec0, 39d8717, ee56ec0, b64b7e4, e4c8fd9, 2dffeeb, 972d13d, 4c0da7b, 13cbadb, 59e43e4]:

  • miniflare@4.20260529.0
  • wrangler@4.96.0

@​cloudflare/vitest-pool-workers@​0.16.10

Patch Changes

• Updated dependencies [ca5b604, c1fd2fd, 49c1a59, fee1ce4, b3962ff, d042705, 420e457, 8b1467e]:
  • wrangler@4.95.0
  • miniflare@4.20260526.0

... (truncated)

Changelog

Sourced from @​cloudflare/vitest-pool-workers's changelog.

0.16.13

Patch Changes

• Updated dependencies [c6c61b5, c6c61b5, a3eea27, 7a6b1a4, 7539a9b, 1fdd8de, 3b8b80a, 0bb2d55, 8400fb9, b502d54, 7949f81, d462013, c2280cd, 3b8b80a, ea12b58, acf7817]:
  • wrangler@4.98.0
  • miniflare@4.20260603.0

0.16.12

Patch Changes

• #14152 3d7992e Thanks @​petebacondarwin! - Fix module resolution failing when project path contains spaces

  When a project lived under a directory with spaces (e.g. /Users/me/Documents/Master CMS/project), the vitest pool would fail with No such module "threads.js" before any test executed. The module fallback service now uses the rawSpecifier from workerd's fallback request to correctly decode file:// URLs, avoiding the double-encoding of spaces (%20 → %2520) that occurred when workerd resolved these URLs as relative paths.

• #14105 337e912 Thanks @​dario-piotrowicz! - Remove trailing periods from URLs in terminal output

  URLs printed to the terminal with a sentence-ending period (e.g. https://example.com/path.) would include the period when clicked in some terminal emulators, causing 404 errors. This removes trailing periods from all URLs displayed in CLI output across wrangler, miniflare, vitest-pool-workers, and workers-utils.

• #14112 3a746ac Thanks @​penalosa! - Pin non-bundled runtime dependencies to exact versions

  Dependencies that are not bundled into a package's published output are installed directly into consumers' dependency trees, so they are now pinned to exact versions instead of semver ranges. This closes a supply-chain gap where an unpinned external dependency could resolve to a compromised upstream release on a fresh install. A new pnpm check:pinned-deps lint enforces this for all published packages (and for the shared pnpm catalog) going forward.

• #14061 da8e306 Thanks @​Vardiak! - Preserve Durable Object WebSocket handler invocation order

  Durable Object WebSocket events could begin executing out of order in the Workers Vitest integration when several events arrived while the test wrapper was resolving user code.

  Handler invocation now preserves arrival order while still allowing asynchronous handler completion to run concurrently.

• Updated dependencies [b210c5e, aec1bb8, e06cbb7, 9a26191, 5565823, 4ef790b, 890fca7, 6fc9777, 337e912, 8e7b74f, e86489a, 42288d4, 65b5f9e, 3a746ac, 64ef9fd, 94b29f7]:

  • wrangler@4.97.0
  • miniflare@4.20260601.0

0.16.11

Patch Changes

• #14087 e3c862a Thanks @​edmundhung! - Fix Durable Object RPC dispatch for constructors that return proxies

  Durable Object RPC methods mediated by a returned Proxy are now resolved through that proxy after validating prototype exposure. This allows wrappers that bind methods to the underlying instance to use private fields and methods in Vitest, while matching workerd's rejection of constructor-assigned RPC overrides.

• Updated dependencies [e3c862a, cbb39bd, cbb39bd, 408432a, 1103c07, 7bb5c7a, 5b5cbd3, e3c862a, e3c862a, 97d7d81, c647ccc, e3c862a, e3c862a, e3c862a, e3c862a, e3c862a, b64b7e4, e3c862a, e3c862a, e4c8fd9, 2dffeeb, e3c862a, e3c862a, 4c0da7b, 972d13d, 13cbadb, 59e43e4]:

  • miniflare@4.20260529.0
  • wrangler@4.96.0

0.16.10

Patch Changes

... (truncated)

Commits

• c8c366e Version Packages (#14159)
• 0b60424 Version Packages (#14142)
• 3d7992e [vitest-pool-workers] Fix module resolution for paths with spaces (#14152)
• da8e306 [vitest-pool-workers] Preserve Durable Object handler order (for hibernated D...
• 0998725 Set disallowTypeAnnotations to false in `@typescript-eslint/consistent-ty...
• 3a746ac [tools] Lint that all non-bundled deps of published packages are pinned (#14112)
• 337e912 Remove trailing periods from URLs in terminal output (#14105)
• 50ef724 Version Packages (#14082)
• e3c862a Revert "Version Packages" (#14087)
• 689f381 Version Packages (#14048)
• Additional commits viewable in compare view

Updates vitest from 3.2.4 to 4.1.8

Release notes

Sourced from vitest's releases.

v4.1.8

   🐞 Bug Fixes

• browser:
  • Disable client cdp API when allowWrite/allowExec: false [backport to v4]  -  by @​hi-ogawa and Codex in vitest-dev/vitest#10450 (e4067)
  • Remove orphaned Playwright route when same module is mocked via multiple ids [backport to v4]  -  by @​toxik and @​Zelys-DFKH in vitest-dev/vitest#10474 (675b4)

    View changes on GitHub

v4.1.7

   🐞 Bug Fixes

• runner: Limit concurrency per task branch in addition to per leaf callbacks (backport)  -  by @​hi-ogawa in vitest-dev/vitest#10384 (4f0f2)

    View changes on GitHub

v4.1.6

   🐞 Bug Fixes

• browser: Provide project reference in ToMatchScreenshotResolvePath  -  by @​macarie and @​sheremet-va in vitest-dev/vitest#10138 (31882)
• Global sequence.concurrent: true with top-level test(..., { concurrent: false }) + depreacte sequential test API and options  -  by @​hi-ogawa, Codex and @​sheremet-va in vitest-dev/vitest#10196 (2847d)
• browser: Simplify orchestrator otel carrier  -  by @​hi-ogawa in vitest-dev/vitest#10285 (18af9)

   🏎 Performance

• Stringify diff objects only once  -  by @​sheremet-va in vitest-dev/vitest#10276 (9f7b1)

    View changes on GitHub

v4.1.5

   🚀 Experimental Features

• coverage: Istanbul to support instrumenter option  -  by @​BartWaardenburg and @​AriPerkkio in vitest-dev/vitest#10119 (0e0ff)

   🐞 Bug Fixes

• --project negation excludes browser instances  -  by @​felamaslen in vitest-dev/vitest#10131 (9423d)
• Project color label on html reporter  -  by @​hi-ogawa in vitest-dev/vitest#10142 (596f7)
• Fix vi.defineHelper called as object method  -  by @​hi-ogawa in vitest-dev/vitest#10163 (122c2)
• Alias agent reporter to minimal  -  by @​sheremet-va in vitest-dev/vitest#10157 (663b9)
• Respect diff config options in soft assertions  -  by @​Copilot, sheremet-va and @​sheremet-va in vitest-dev/vitest#8696 (9787d)
• Respect diff config options in soft assertions "  -  by @​sheremet-va in vitest-dev/vitest#8696 (7dc6d)
• ast-collect: Recognize _vi_import prefix in static test discovery  -  by @​Yejneshwar in vitest-dev/vitest#10129 (32546)
• coverage: Descriptive error message when reports directory is removed during test run  -  by @​DaveT1991 and @​AriPerkkio in vitest-dev/vitest#10117 (14133)
• snapshot: Increase default snapshot max output length  -  by @​hi-ogawa and Codex in vitest-dev/vitest#10150 (21e66)
• ui: Fix jsx/tsx syntax highlight  -  by @​hi-ogawa in vitest-dev/vitest#10152 (f1b1f)
• web-worker: Support MessagePort objects referenced inside postMessage data  -  by @​whitphx and Claude Opus 4.6 (1M context) in vitest-dev/vitest#9927 and vitest-dev/vitest#10124 (7ad7d)
• api: Make test-specification options writable  -  by @​sheremet-va in vitest-dev/vitest#10154 (6abd5)

    View changes on GitHub

... (truncated)

Commits

• e61f2dd chore: release v4.1.8
• e4067b3 fix(browser): disable client cdp API when allowWrite/allowExec: false [ba...
• a09d472 chore: release v4.1.7
• a8fd24c chore: release v4.1.6
• 18af98c fix(browser): simplify orchestrator otel carrier (#10285)
• 3188260 feat(browser): provide project reference in ToMatchScreenshotResolvePath (#...
• e399846 chore: release v4.1.5
• 7dc6d54 Revert "fix: respect diff config options in soft assertions (#8696)"
• 9787ded fix: respect diff config options in soft assertions (#8696)
• 325463a fix(ast-collect): recognize _vi_import prefix in static test discovery (#10...
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for vitest since your current version.

Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.

[sentry]

Bug: The update to vitest ^4.0.18 violates the peer dependency of @cloudflare/vitest-pool-workers, which only supports vitest up to version 3.2.x, causing test failures.
_{Severity: CRITICAL}

Suggested Fix

Downgrade vitest to a version compatible with @cloudflare/vitest-pool-workers (e.g., ~3.2.4). Alternatively, find and upgrade to a newer version of @cloudflare/vitest-pool-workers that officially supports vitest 4.x, if one is available.

Prompt for AI Agent

Review the code at the location below. A potential bug has been identified by an AI
agent.
Verify if this is a real issue. If it is, propose a fix; if not, explain why it's not
valid.

Location: package.json#L38-L39

Potential issue: The pull request upgrades `vitest` to `^4.0.18`, but the
`@cloudflare/vitest-pool-workers` package at version `0.12.9` explicitly declares a peer
dependency on `vitest` versions `2.0.x - 3.2.x`. This version mismatch constitutes a
peer dependency violation that will lead to runtime failures. When tests are run, the
pool worker initialization will fail because its code is incompatible with the breaking
API changes in `vitest` 4.x. This will break the test suite and block the CI/CD
pipeline.

[flakey5]

tests failing