[CI Failure Doctor] Dependabot PR #11024 broke CI: npm peer dependency conflict between vitest@4.0.17 and @vitest/coverage-v8@4.0.10

[github-actions]

Summary

The CI failed on the main branch after merging Dependabot PR #11024. The lint-js job failed during npm ci due to a peer dependency conflict between vitest@4.0.17 and @vitest/coverage-v8@4.0.10.

Failure Details

• Run: 21215242496
• Commit: 5b3163cbe2cfba87d7d57d936aac7dc8c5f8c70c
• Branch: main
• Trigger: push (after merging PR chore(deps-dev): bump vitest from 4.0.10 to 4.0.17 in /actions/setup/js #11024)
• Failed Job: lint-js
• Failed Step: Install npm dependencies

Root Cause Analysis

Dependabot updated only vitest from 4.0.10 to 4.0.17 but did not update the related packages that have peer dependencies on vitest:

{
  "devDependencies": {
    "@vitest/coverage-v8": "^4.0.10",   // ❌ Still pinned to 4.0.10
    "@vitest/ui": "^4.0.10",            // ❌ Still pinned to 4.0.10  
    "vitest": "^4.0.17"                 // ✅ Updated to 4.0.17
  }
}

Error Message

npm error ERESOLVE could not resolve
npm error
npm error While resolving: @vitest/coverage-v8@4.0.10
npm error Found: vitest@4.0.17
npm error
npm error Could not resolve dependency:
npm error peer vitest@"4.0.10" from @vitest/coverage-v8@4.0.10
npm error
npm error Conflicting peer dependency: vitest@4.0.10

The @vitest/coverage-v8@4.0.10 package has a strict peer dependency on vitest@4.0.10, which conflicts with the updated vitest@4.0.17.

Reproduction

cd actions/setup/js
npm ci
# Error: ERESOLVE could not resolve peer dependency

Recommended Actions

Option 1: Update All Vitest Packages Together (Recommended)

Update all vitest-related packages to 4.0.17:

cd actions/setup/js
npm install --save-dev vitest@4.0.17 @vitest/coverage-v8@4.0.17 @vitest/ui@4.0.17

Option 2: Use Caret (^) Version Ranges in package.json

Change from exact versions to caret ranges to allow compatible minor/patch updates:

{
  "devDependencies": {
    "@vitest/coverage-v8": "^4.0.17",
    "@vitest/ui": "^4.0.17",
    "vitest": "^4.0.17"
  }
}

Note: The package.json already uses ^4.0.10 for coverage and ui packages, but the lock file has them pinned. The solution is to update the lock file by running npm install with the updated versions.

Option 3: Configure Dependabot to Update Vitest Packages Together

Add a grouped update configuration in .github/dependabot.yml:

version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/actions/setup/js"
    groups:
      vitest:
        patterns:
          - "vitest"
          - "@vitest/*"

This ensures Dependabot updates all vitest packages in a single PR.

Prevention Strategies

1. Group Vitest Dependencies: Configure Dependabot to update vitest and all @vitest/* packages together
2. Add Pre-merge CI Check: Ensure the lint-js job runs before merging Dependabot PRs
3. Use Renovate Instead: Consider using Renovate which has better peer dependency handling
4. Lock File Validation: Add a CI step to validate that npm ci succeeds before merge

AI Team Self-Improvement

Add this to AGENTS.md for AI coding agents:

### Dependabot PR Review Guidelines

When reviewing Dependabot PRs that update npm packages:

1. **Check for peer dependencies**: If updating packages like `vitest`, ensure all related packages (`@vitest/coverage-v8`, `@vitest/ui`, etc.) are updated in the same PR
2. **Run `npm ci` locally**: Before approving, verify that `npm ci` succeeds in the affected directory
3. **Review package.json and package-lock.json together**: Ensure version ranges (^, ~) are consistent and lock file versions are compatible
4. **Group related updates**: For packages with peer dependencies, configure Dependabot groups or manually update all related packages together

**Example: Vitest ecosystem**
- When updating `vitest`, also update `@vitest/coverage-v8`, `@vitest/ui`, `@vitest/browser`, etc.
- These packages have strict peer dependencies and must stay in sync

Historical Context

This is a new type of failure - the first npm peer dependency conflict from Dependabot in the investigation history. Previous Dependabot-related issues have been about:

• JavaScript test failures ([CI Failure Doctor] JS Test Failures - 46 Tests Failing in CI Environment (Run #29542) #9965, [CI Failure Doctor] JS tests failed after PR #10421 merged - MCP Gateway format change broke tests #10428)
• TypeScript type errors ([CI Failure Doctor] TypeScript type error in handle_agent_failure.cjs - boolean passed to renderTemplate #10427)
• Go lint failures ([CI Failure Doctor] lint-go failure after merge of PR #10756 (compiler test files) #10772)
• Test framework issues ([CI Failure Doctor] CI Failure Doctor: close_older_issues.test.cjs uses Jest instead of Vitest #10895)

Impact

• Severity: HIGH - Blocks all CI runs on main branch
• Affected Jobs: All jobs cancelled after lint-js failure
• Time to Fix: 5-10 minutes (update package.json + run npm install)

Files to Modify

• actions/setup/js/package.json - Update @vitest/* versions
• actions/setup/js/package-lock.json - Will be regenerated by npm install
• .github/dependabot.yml - Add vitest dependency group (optional but recommended)

AI generated by CI Failure Doctor

To add this workflow in your repository, run gh aw add githubnext/agentics/workflows/ci-doctor.md@ea350161ad5dcc9624cf510f134c6a9e39a6f94d. See usage guide.

[github-actions]

Duplicate Failure Detected

Run: 21215434462
Commit: ca21453
Trigger: Dependabot PR #11019 (bump golang.org/x/mod from 0.30.0 to 0.32.0)

This is another CI failure with the exact same root cause - the npm peer dependency conflict between vitest@4.0.17 and @vitest/coverage-v8@4.0.10.

Failed Jobs

• ✅ update - success
• ❌ lint-js - failure (npm ci failed due to peer dependency conflict)
• ❌ build - failure (dependency on lint-js)
• ❌ js - failure (dependency on lint-js)
• ⚪ All other jobs - cancelled

Analysis

This failure occurred on commit ca21453d which merged Dependabot PR #11019. While this PR only updated a Go dependency (golang.org/x/mod), the CI still failed at the lint-js step because the underlying npm peer dependency issue from PR #11024 was never fixed.

The npm package.json still shows:

{
  "devDependencies": {
    "@vitest/coverage-v8": "^4.0.10",  // ❌ Out of sync
    "@vitest/ui": "^4.0.10",           // ❌ Out of sync
    "vitest": "^4.0.17"                // ✅ Updated but incompatible with above
  }
}

Impact

This confirms that:

1. The main branch is currently broken - all new PRs and commits will fail CI at the lint-js step
2. The issue is blocking all development until fixed
3. Multiple Dependabot PRs are now stacking up and cannot be merged

Recommended Immediate Action

Apply the fix from the "Recommended Actions" section of this issue to unblock CI on the main branch.

AI generated by CI Failure Doctor

[github-actions]

Additional CI Failure - Run #21215486139

The same npm peer dependency issue occurred again after merging another Dependabot PR (#11015 - golang.org/x/term update).

Failure Details

• Run: 21215486139
• Commit: d74b4fb6675f9bb46606b4bf052c49316b5621a7
• Trigger: push (after merging PR chore(deps): bump golang.org/x/term from 0.38.0 to 0.39.0 #11015)
• Failed Jobs: lint-js, js
• Failed Step: Install npm dependencies

Root Cause

The npm peer dependency conflict from PR #11024 (vitest update) is still present on the main branch. While PR #11015 updated Go dependencies (golang.org/x/term), it inherited the broken npm dependency state from the previous merge.

Current State

vitest@4.0.17 ❌ Conflicts with
├── @vitest/coverage-v8@4.0.10 (requires vitest@4.0.10)
└── @vitest/ui@4.0.10 (requires vitest@4.0.10)

Impact Analysis

• Cascading Failures: The vitest peer dependency issue from run #21215242496 continues to block CI
• Multiple PRs Affected: This affects all subsequent merges until the dependency conflict is resolved
• CI Blocked: 2 jobs failed (lint-js, js), 28 other jobs cancelled

Recommended Action

Urgently needed: Apply the fix from the original investigation to resolve the dependency conflict:

cd actions/setup/js
npm install --save-dev vitest@4.0.17 @vitest/coverage-v8@4.0.17 @vitest/ui@4.0.17
git add package.json package-lock.json
git commit -m "fix(deps): align vitest peer dependencies to 4.0.17"
git push

This single fix will unblock all future CI runs on the main branch.

AI generated by CI Failure Doctor

[github-actions]

Additional CI Failure - Run #21215495384

The same npm peer dependency issue continues to block CI after merging yet another Dependabot PR.

Failure Details

• Run: 21215495384
• Commit: d5f1bf9b55406b14f6a859e60d9c0b021e972903
• Trigger: push (after merging PR chore(deps): bump golang.org/x/crypto from 0.45.0 to 0.47.0 #11017 - golang.org/x/crypto bump from 0.45.0 to 0.47.0)
• Failed Jobs: js, build, lint-js
• Failed Steps:
  • js → Install npm dependencies (step Add workflow: githubnext/agentics/weekly-research #5)
  • build → npm ci (step Weekly Research Report: AI Workflow Automation Landscape and Market Opportunities - August 2025 #7)
  • lint-js → Install npm dependencies (step Add workflow: githubnext/agentics/weekly-research #5)

Analysis

This is the fourth consecutive CI failure with the same root cause. The vitest peer dependency conflict from PR #11024 remains unfixed on the main branch, causing every subsequent merge to fail.

Timeline of Failures:

1. ✅ PR chore(deps-dev): bump vitest from 4.0.10 to 4.0.17 in /actions/setup/js #11024 merged → ❌ Run 21215242496 (original failure)
2. ✅ PR chore(deps): bump golang.org/x/mod from 0.30.0 to 0.32.0 #11019 merged → ❌ Run 21215434462 (1st duplicate)
3. ✅ PR chore(deps): bump golang.org/x/term from 0.38.0 to 0.39.0 #11015 merged → ❌ Run 21215486139 (2nd duplicate)
4. ✅ PR chore(deps): bump golang.org/x/crypto from 0.45.0 to 0.47.0 #11017 merged → ❌ Run 21215495384 (3rd duplicate - this run)

Current npm Dependency State

All npm installation steps fail with the same error:

npm error ERESOLVE could not resolve
npm error
npm error While resolving: @vitest/coverage-v8@4.0.10
npm error Found: vitest@4.0.17
npm error
npm error Could not resolve dependency:
npm error peer vitest@"4.0.10" from @vitest/coverage-v8@4.0.10
npm error
npm error Conflicting peer dependency: vitest@4.0.10

Impact

• CI completely blocked since PR chore(deps-dev): bump vitest from 4.0.10 to 4.0.17 in /actions/setup/js #11024 (4 consecutive failures)
• All 3 npm-related jobs failing: js, build, lint-js
• Development halted: No PRs can be merged until this is fixed
• Dependabot PRs stacking up: Multiple Go dependency updates are now blocked

Urgency Level: CRITICAL

This issue needs immediate attention. Every merge to main continues to fail, and the problem compounds with each Dependabot PR that gets merged without fixing the underlying npm dependency conflict.

Recommended Fix (Copy-Paste Ready)

cd actions/setup/js
npm install --save-dev vitest@4.0.17 @vitest/coverage-v8@4.0.17 @vitest/ui@4.0.17
git add package.json package-lock.json
git commit -m "fix(deps): align vitest peer dependencies to 4.0.17"
git push origin main

This single commit will unblock all CI runs.

AI generated by CI Failure Doctor

AI generated by CI Failure Doctor