chore(dev-deps): Bump vite to ^8.0.8 and vitest to ^4.1.4 #305

Merged: Mrtenz merged 3 commits into main from mrtenz/bump-vite on Apr 13, 2026

Conversation

Mrtenz (Member) commented Apr 13, 2026

This bumps vite and vitest to the latest versions to resolve an error in CI, where the latest versions in the previously allowed version range would introduce changes in the LavaMoat allowScripts config.


Note

Medium Risk
Upgrades core build/test tooling (vite major bump and vitest major bump), which can change bundling and test execution behavior and may surface new CI/runtime issues.

Overview
Updates dev tooling by upgrading vite to ^8.0.8 and vitest/@vitest/coverage-istanbul to ^4.1.4, with the corresponding yarn.lock refresh (new/updated transitive deps such as rolldown, lightningcss, updated chai, etc.).

Adjusts the LavaMoat allowScripts configuration by removing the vite>esbuild override, leaving only the eslint-plugin-import-x>unrs-resolver entry.

Reviewed by Cursor Bugbot for commit 7233b34. Bugbot is set up for automated code reviews on this repo.

socket-security bot commented Apr 13, 2026

Review the following changes in direct dependencies.

Diff    | Package                                   | Supply Chain Security | Vulnerability | Quality  | Maintenance | License
Updated | vitest 3.0.7 ⏵ 4.1.4                     | 96 (-1)               | 100           | 79 (+1)  | 99 (+1)     | 100
Updated | @vitest/coverage-istanbul 3.0.7 ⏵ 4.1.4  | 99 (+1)               | 100           | 82 (+15) | 99 (+1)     | 100
Updated | vite 6.4.1 ⏵ 8.0.8                       | 94 (+8)               | 100 (+18)     | 82       | 99 (+1)     | 100

socket-security bot commented Apr 13, 2026

Warning

MetaMask internal reviewing guidelines:

  • Do not ignore-all
  • Each alert has instructions on how to review if you don't know what it means. If lost, ask your Security Liaison or the supply-chain group
  • Copy-paste ignore lines for specific packages or a group of one kind with a note on what research you did to deem it safe.
    @SocketSecurity ignore npm/PACKAGE@VERSION
Alerts (Action / Severity / Alert):

Warn / Low: Potential code anomaly (AI signal): npm @babel/core is 100.0% likely to have a medium risk anomaly

Notes: The examined code is a standard, benign helper for constructing and wrapping configuration items from descriptors within Babel’s tooling. There is no evidence of data leakage, exfiltration, backdoors, or other malicious activity in this fragment. The combination of immutability, brand-based identity, and non-enumerable descriptor storage indicates a well-scoped internal utility rather than anything suspicious.

Confidence: 1.00

Severity: 0.60

From: npm/@vitest/coverage-istanbul@4.1.4 > npm/@babel/core@7.29.0

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@babel/core@7.29.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn / Low: Potential code anomaly (AI signal): npm @babel/helpers is 100.0% likely to have a medium risk anomaly

Notes: The code fragment is a standard Babel decorator runtime helper (applyDecs2203). Its security posture hinges on the trustworthiness of the supplied decorators. If decorators are from untrusted sources, they can execute arbitrary code during decoration or initialization. The library itself does not exhibit malicious behavior, but this pattern introduces a high-risk surface via external inputs. Recommended mitigations include validating decorator outputs, enforcing sandboxing or runner boundaries for decorators, and auditing decorator sources in the application.

Confidence: 1.00

Severity: 0.60

From: npm/@vitest/coverage-istanbul@4.1.4 > npm/@babel/helpers@7.29.2

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@babel/helpers@7.29.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn / Low: Potential code anomaly (AI signal): npm @rolldown/binding-wasm32-wasi is 100.0% likely to have a medium risk anomaly

Notes: This loader establishes a Node.js WASI/worker environment that: 1) passes the entire host process.env into the WASI instance (exposing all environment variables, including secrets, to loaded modules); 2) preopens the filesystem root (granting broad file read/write access under the host’s root directory); and 3) implements importScripts via synchronous fs.readFileSync + eval (allowing any local JS file to be executed in the loader context). If an untrusted or compromised WASM module or script is provided, it can read sensitive environment variables, access or modify arbitrary files, and execute arbitrary JavaScript—posing a moderate security risk. Recommended mitigations: restrict WASI preopens to a minimal directory, limit or sanitize environment variables passed into WASI, and replace or sandbox the eval-based importScripts mechanism.

Confidence: 1.00

Severity: 0.60

From: npm/vite@8.0.8 > npm/@rolldown/binding-wasm32-wasi@1.0.0-rc.15

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@rolldown/binding-wasm32-wasi@1.0.0-rc.15. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn / Low: Potential code anomaly (AI signal): npm @rolldown/binding-wasm32-wasi is 100.0% likely to have a medium risk anomaly

Notes: The JS loader is not itself executing obvious malicious JavaScript (no eval, no external network calls, no hard-coded credentials). However it intentionally grants a WebAssembly module broad privileges: it passes the full process.env into WASI and the worker, and preopens the host filesystem root so the wasm can access the filesystem. It also forwards worker messages into a filesystem proxy function. These design choices make running an untrusted or tampered-with wasm binary dangerous: a malicious wasm could read environment variables, enumerate and modify host files, and exfiltrate data via any network capability inside the wasm or worker. Therefore the module should be treated as high-risk if the wasm artifact (local file or npm package) is not from a trusted source. Recommended mitigations: avoid preopening the root (limit to specific directories), avoid passing full process.env, validate integrity of the wasm binary (signing/checksums), and avoid installing untrusted package replacements.

Confidence: 1.00

Severity: 0.60

From: npm/vite@8.0.8 > npm/@rolldown/binding-wasm32-wasi@1.0.0-rc.15

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@rolldown/binding-wasm32-wasi@1.0.0-rc.15. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn / Low: Potential code anomaly (AI signal): npm @vitest/snapshot is 100.0% likely to have a medium risk anomaly

Notes: No direct evidence of stealthy malware behavior (no network/exfiltration/credential theft/system command execution) is present in this module. The dominant supply-chain risk is that snapshot files are treated as executable JavaScript and are evaluated via new Function('exports', snapshotContents). If an attacker can modify snapshot files (e.g., repo compromise, CI artifact tampering), this becomes a high-impact test-run code execution vector. Inline snapshot rewriting also enables repository/source mutation driven by stack-derived offsets. Overall: security risk is moderate-to-high, primarily due to eval-like snapshot evaluation and artifact write-backs; malware intent beyond test-framework functionality is not indicated by the fragment itself.

Confidence: 1.00

Severity: 0.60

From: npm/vitest@4.1.4 > npm/@vitest/snapshot@4.1.4

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@vitest/snapshot@4.1.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Ignoring alerts on:

  • rolldown@1.0.0-rc.15
  • detect-libc@2.1.2

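The @vitest/snapshot alert above describes snapshot files being evaluated as JavaScript through new Function('exports', snapshotContents). As an added example (not code from this PR, from Vitest or from Socket), the gate below parses a Vitest snapshot file and lists every statement that is not a plain exports[`name`] = `value`; entry, so a tampered or interpolation-bearing file can be rejected before a test run executes it; the sample inputs are constructed.

```javascript
// Added example, not code from this PR or from Vitest: a pre-test gate that
// accepts only plain exports[`name`] = `value`; entries in a snapshot file
// (the layout Vitest writes: one header comment, then entries).
function readTemplate(src, pos) {
  // Index just past the closing backtick of the template literal at pos, or -1
  // if it is unterminated or carries a ${ } interpolation (that is code, not data).
  if (src[pos] !== '`') return -1;
  for (let j = pos + 1; j < src.length; j++) {
    if (src[j] === '\\') { j++; continue; }            // escaped \` \$ \\
    if (src[j] === '$' && src[j + 1] === '{') return -1;
    if (src[j] === '`') return j + 1;
  }
  return -1;
}
function auditSnapshotSource(src) {
  const issues = [];
  let i = 0;
  while (i < src.length) {
    if (/\s/.test(src[i])) { i++; continue; }          // whitespace between entries
    if (src.startsWith('//', i)) {                      // header / line comments
      const nl = src.indexOf('\n', i);
      i = nl === -1 ? src.length : nl;
      continue;
    }
    const start = i;
    let end = -1;
    let ok = src.startsWith('exports[', i);
    if (ok) { end = readTemplate(src, i + 8); ok = end !== -1 && src.startsWith('] = ', end); }
    if (ok) { end = readTemplate(src, end + 4); ok = end !== -1 && src[end] === ';'; }
    if (ok) { i = end + 1; continue; }
    // Anything else is reported; resume at the next line so every issue surfaces.
    const nl = src.indexOf('\n', start);
    i = nl === -1 ? src.length : nl;
    issues.push(src.slice(start, i).trim());
  }
  return issues;
}
// Constructed sample inputs, not real project snapshots.
const SAMPLE_OK = [
  '// Vitest Snapshot v1, https://vitest.dev/guide/snapshot.html', '',
  'exports[`parse > handles \\`empty\\` input 1`] = `', '{', '  "ok": true,', '}', '`;', '',
  'exports[`render 1`] = `<div>\\${x}</div>`;',
].join('\n');
const SAMPLE_TAMPERED = [
  '// Vitest Snapshot v1, https://vitest.dev/guide/snapshot.html',
  'exports[`render 1`] = `ok`;',
  'console.log("not a snapshot entry");',          // arbitrary statement
  'exports[`bad 1`] = `${1 + 1}`;',                // interpolation, not a string
].join('\n');
```

Run auditSnapshotSource over each __snapshots__ file before the test step and fail the job when it returns a non-empty list.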

Mrtenz (Member, Author) commented Apr 13, 2026

@SocketSecurity ignore npm/detect-libc@2.1.2

Shell access expected.

@SocketSecurity ignore npm/rolldown@1.0.0-rc.15

Network access is ok.

@Mrtenz Mrtenz marked this pull request as ready for review April 13, 2026 18:14
@Mrtenz Mrtenz requested a review from a team as a code owner April 13, 2026 18:14
@Mrtenz Mrtenz requested a review from mcmire April 13, 2026 19:01
cursor bot left a comment

Cursor Bugbot has reviewed your changes and found 1 potential issue.

Reviewed by Cursor Bugbot for commit 7233b34.

Comment thread on package.json:

-    "vite": "^6.4.1",
-    "vitest": "^3.0.7"
+    "vite": "^8.0.8",
+    "vitest": "^4.1.4"
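Review bot: this hunk shows only the vite and vitest lines, while the PR description says @vitest/coverage-istanbul also moves to ^4.1.4; the coverage provider has to match the vitest version, so confirm the companion line is part of the same package.json change even though it is not visible in this excerpt. The @types/node ^18.18 range flagged by Bugbot should also be reconciled with the engines field in a follow-up.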

Stale @types/node version incompatible with new tools

Low Severity

Bumping vite to ^8.0.8 and vitest to ^4.1.4 introduces a peer dependency mismatch with @types/node at ^18.18. Previously, vite 6 accepted @types/node ^18.0.0 || ^20.0.0 || >=22.0.0, but vite 8 now requires ^20.19.0 || >=22.12.0 and vitest 4 requires ^20.0.0 || ^22.0.0 || >=24.0.0. While both are optional peer deps, the project's own engines field already targets ^20 || ^22 || >=24, so @types/node at ^18.18 is inconsistent with both the runtime target and the new tooling.


Contributor commented:

Yes, we should probably change the version of @types/node to match node.engines at least. But we can worry about this later.

mcmire (Contributor) left a comment:

LGTM!

@Mrtenz Mrtenz merged commit c576761 into main Apr 13, 2026
26 checks passed
@Mrtenz Mrtenz deleted the mrtenz/bump-vite branch April 13, 2026 20:00