chore(deps): bump vitest 3.2.4 → 4.1.8 (GHSA-5xrq-8626-4rwp, CVSS 9.8)

  The Vitest UI server's /__vitest_attachment__ handler bypasses
  isFileServingAllowed via a path-traversal payload, allowing arbitrary file
  read/execute on the host. Dev-scope only and not exploitable in
  Bambuddy's CI/CLI usage (we don't start the Vitest UI server and
  @vitest/ui is not installed), but bumping clears the Dependabot alert
  and brings us onto the supported 4.x line.

  Bumped:
    vitest                 3.2.4 → 4.1.8
    @vitest/coverage-v8    3.2.4 → 4.1.8

  Migration-required fix:
    StreamOverlayPage.test.tsx mocked `WebSocket` via
    vi.stubGlobal('WebSocket', vi.fn().mockImplementation(() => ({...})))
    and the page does `new WebSocket(url)`. Vitest 4 dropped support for
    arrow-function constructor mocks ("is not a constructor"). Rewrote
    with a plain `function` so `new` resolves correctly.

  All 2043 frontend tests pass; npm run build clean; npm audit shows 0
  vulnerabilities.

frontend/package.json

@@ -56,7 +56,7 @@
     "@types/react": "^19.2.5",
     "@types/react-dom": "^19.2.3",
     "@vitejs/plugin-react": "^5.1.1",
-    "@vitest/coverage-v8": "^3.2.4",
+    "@vitest/coverage-v8": "^4.1.8",
     "autoprefixer": "^10.4.22",
     "baseline-browser-mapping": "^2.9.19",
     "eslint": "^9.39.1",
@@ -70,6 +70,6 @@
     "typescript": "~5.9.3",
     "typescript-eslint": "^8.46.4",
     "vite": "^7.3.2",
-    "vitest": "^3.2.4"
+    "vitest": "^4.1.8"
   }
 }

frontend/src/__tests__/pages/StreamOverlayPage.test.tsx

@@ -76,12 +76,17 @@ describe('StreamOverlayPage', () => {
   const originalTitle = document.title;
 
   beforeEach(() => {
-    // Mock WebSocket
-    vi.stubGlobal('WebSocket', vi.fn().mockImplementation(() => ({
-      close: vi.fn(),
-      onmessage: null,
-      onerror: null,
-    })));
+    // Mock WebSocket. vitest 4 dropped support for arrow-function constructor
+    // mocks (`new (() => ...)` throws "is not a constructor"); use a plain
+    // function so `new WebSocket(...)` resolves correctly.
+    vi.stubGlobal(
+      'WebSocket',
+      vi.fn().mockImplementation(function (this: { close: () => void; onmessage: null; onerror: null }) {
+        this.close = vi.fn();
+        this.onmessage = null;
+        this.onerror = null;
+      }),
+    );
 
     server.use(
       http.get('/api/v1/printers/:id', () => {