Deps: Bump @vitest/coverage-v8 from 2.1.8 to 3.0.5

[dependabot]

⚠️ Dependabot is rebasing this PR ⚠️

Rebasing might not happen immediately, so don't worry if this takes some time.

Note: if you make any changes to this PR yourself, they will take precedence over the rebase.

---

Bumps @vitest/coverage-v8 from 2.1.8 to 3.0.5.

Release notes

Sourced from @​vitest/coverage-v8's releases.

v3.0.5

This release includes security patches for:

• Remote Code Execution when accessing a malicious website while Vitest API server is listening | CVE-2025-24964

🚀 Features

• ui: Insert message "no tests found" in ui - by @​DevJoaoLopes in vitest-dev/vitest#7366 (92da4)

🐞 Bug Fixes

• Validate websocket request - by @​hi-ogawa and @​AriPerkkio in vitest-dev/vitest#7317 (191ef)
• Don't toggle cli cursor on non-TTY - by @​AriPerkkio in vitest-dev/vitest#7336 (3c805)
• vite-node: Differentiate file url with hash and query - by @​hi-ogawa in vitest-dev/vitest#7365 (926ca)

View changes on GitHub

v3.0.4

This release includes security patches for:

• Browser mode serves arbitrary files | CVE-2025-24963

   🐞 Bug Fixes

• Filter projects eagerly during config resolution  -  by @​sheremet-va and @​AriPerkkio in vitest-dev/vitest#7313 (dff44)
• Apply development|production condition on Vites 6 by @​hi-ogawa and @​sheremet-va (#7301) (ef146)
• browser: Restrict served files from /__screenshot-error  -  by @​hi-ogawa in vitest-dev/vitest#7340 (ed9ae)
• deps: Update all non-major dependencies  -  by @​sheremet-va in vitest-dev/vitest#7297 (38ea8)
• runner: Timeout long sync hook  -  by @​hi-ogawa in vitest-dev/vitest#7289 (c60ee)
• typechecking: Support typechecking parsing with Vite 6  -  by @​sheremet-va in vitest-dev/vitest#7335 (bff70)
• types: Fix public types  -  by @​mrginglymus and @​sheremet-va in vitest-dev/vitest#7328 (ce6af)

    View changes on GitHub

v3.0.3

   🐞 Bug Fixes

• browser:
  • Don't throw a validation error if v8 coverage is used with filtered instances  -  by @​sheremet-va in vitest-dev/vitest#7306 (fa463)
  • Don't fail when running --browser.headless if the browser projest is part of the workspace  -  by @​sheremet-va in vitest-dev/vitest#7311 (e43a8)

   🏎 Performance

• reporters: Update summary only when needed  -  by @​AriPerkkio in vitest-dev/vitest#7291 (7f36b)

    View changes on GitHub

v3.0.2

   🐞 Bug Fixes

... (truncated)

Commits

• 1154662 chore: release v3.0.5
• 9e40437 chore: release v3.0.4
• 38ea8ea fix(deps): update all non-major dependencies (#7297)
• 33ab8a2 chore: release v3.0.3
• f17918a chore: release v3.0.2
• 56c5018 chore: release v3.0.1
• 537fa5e fix(deps): update all non-major dependencies (#7147)
• 01600e0 chore: release v3.0.0
• 8cab960 fix: colors on forks pool (#7090)
• 57b671d chore: release v3.0.0-beta.4
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Snapshot Warnings

⚠️: No snapshots were found for the head SHA cfe5621.

Ensure that dependencies are being submitted on PR branches and consider enabling retry-on-snapshot-warnings. See the documentation for more information and troubleshooting advice.

OpenSSF Scorecard

Package	Version	Score	Details
npm/@bcoe/v8-coverage	1.0.2	Unknown	Unknown
npm/@vitest/coverage-v8	3.0.5	Unknown	Unknown
npm/debug	4.4.0	🟢 4.3	Details Check Score Reason Dangerous-Workflow ⚠️ -1 no workflows found Packaging ⚠️ -1 packaging workflow not detected Maintained 🟢 7 2 commit(s) and 7 issue activity found in the last 90 days -- score normalized to 7 Pinned-Dependencies ⚠️ -1 no dependencies found Code-Review 🟢 3 Found 10/28 approved changesets -- score normalized to 3 Token-Permissions ⚠️ -1 No tokens found Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Security-Policy ⚠️ 0 security policy file not detected Vulnerabilities 🟢 10 0 existing vulnerabilities detected License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Signed-Releases ⚠️ -1 no releases found SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
npm/magic-string	0.30.17	🟢 4.5	Details Check Score Reason Maintained 🟢 10 14 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 10 Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Packaging ⚠️ -1 packaging workflow not detected Code-Review 🟢 3 Found 11/30 approved changesets -- score normalized to 3 Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 10 no binaries found in the repo License 🟢 10 license file detected Security-Policy ⚠️ 0 security policy file not detected Fuzzing ⚠️ 0 project is not fuzzed Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Vulnerabilities 🟢 8 2 existing vulnerabilities detected
npm/tinyrainbow	2.0.0	Unknown	Unknown
npm/@vitest/coverage-v8	^3.0.5	Unknown	Unknown

Scanned Files

• package-lock.json
• package.json

[github-actions]

Conventional Commits Report

Type	Number
Dependencies	1

🚀 Conventional commits found.

[dependabot]

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.