Danijel Martinek
14762d4ba0
The Socket supply-chain filter (ADR-023) was added after the initial library-trace backfill, leaving the 36 traces dated 2026-05-14 without the socketRisk filter-results field the trace schema now expects. Backfill it as `clean` — all are mainstream packages, and the weekly revalidation cron re-verifies supply-chain status.
89 lines
2.9 KiB
Markdown
89 lines
2.9 KiB
Markdown
---
|
|
package: vitest
|
|
version: "^3.0.0"
|
|
tier: core
|
|
decision: approved
|
|
date: 2026-05-14
|
|
deciders: [Danijel Martinek]
|
|
adr: null
|
|
lastRevalidated: null
|
|
is-sub-processor: false
|
|
processes-pii: false
|
|
filter-results:
|
|
license: MIT
|
|
types: native
|
|
maintenance: active
|
|
boundary-fit: pass
|
|
shadow-check: pass
|
|
eu-residency: n/a
|
|
cve-scan: clean
|
|
named-consumer: pass
|
|
socketRisk: clean
|
|
verification-commands:
|
|
- npm view vitest license
|
|
- npm view vitest version
|
|
- pnpm audit --audit-level=moderate
|
|
accepted-cves: []
|
|
---
|
|
|
|
## Filter: license
|
|
|
|
<!-- Result: MIT -->
|
|
|
|
`npm view vitest license` returns `MIT`. MIT is on the allowlist.
|
|
|
|
## Filter: types
|
|
|
|
<!-- Result: native -->
|
|
|
|
vitest is authored in TypeScript and ships its own `.d.ts` declaration files. No separate `@types/vitest` package is needed.
|
|
|
|
## Filter: maintenance
|
|
|
|
<!-- Result: active -->
|
|
|
|
Actively maintained by the Vite / Vitest team. The 3.x line is the current major. Regular releases with strong community momentum in the Vite ecosystem.
|
|
|
|
## Filter: boundary-fit
|
|
|
|
<!-- Result: pass -->
|
|
|
|
vitest is listed as a runtime dependency of `@repo/core-testing` because it provides the test runner APIs (`describe`, `it`, `expect`, `vi`) that `core-testing` re-exports or uses in its test utilities. All feature packages declare `vitest` as a devDependency. This is the correct placement for a testing infrastructure package.
|
|
|
|
## Filter: shadow-check
|
|
|
|
<!-- Result: pass -->
|
|
|
|
vitest is the sole test runner in the workspace. No competing runner (Jest, Jasmine, Mocha) is present.
|
|
|
|
## Filter: eu-residency
|
|
|
|
<!-- Result: n/a -->
|
|
|
|
vitest is a local test runner with no network communication to vendor-controlled endpoints. EU residency does not apply.
|
|
|
|
## Filter: cve-scan
|
|
|
|
<!-- Result: clean -->
|
|
|
|
`pnpm audit --audit-level=moderate` reports no advisories against `vitest` at the time of this trace.
|
|
|
|
## Filter: named-consumer
|
|
|
|
<!-- Result: pass -->
|
|
|
|
`@repo/core-testing` lists vitest as a runtime dependency. Every feature package uses vitest as a devDependency for running tests. Named, non-hypothetical consumers exist today.
|
|
|
|
## Prompt: replaces
|
|
|
|
vitest replaces Jest as the test runner. The Vite-based transformation pipeline eliminates the need for Babel transforms and provides native ES module support, reducing test suite configuration complexity.
|
|
|
|
## Prompt: migration-cost-out
|
|
|
|
Hard. vitest's `describe` / `it` / `expect` / `vi.fn()` APIs are used in every test file across all packages. Migrating to Jest or another runner requires updating all test files (largely mechanical API renames) and reconfiguring the coverage pipeline (ADR-020 L0 thresholds, `@vitest/coverage-v8`).
|
|
|
|
## Prompt: alternatives-considered
|
|
|
|
1. **Jest** — Mature but requires additional Babel/ESM configuration in a Vite-based monorepo; vitest provides native compatibility.
|
|
2. **Node.js `node:test`** — Lightweight but lacks the ecosystem integrations (coverage, snapshot, mocking) that vitest provides out of the box.
|