vitest is pinned to ^3.1.0 in 4 package.json files (root, understand-anything-plugin, packages/core, packages/dashboard), which is affected by CVE-2026-47429 (Vitest UI-server arbitrary file read/execute — exploitable when vitest --ui is exposed to a network). It's a devDependency only, not shipped as part of the plugin's runtime behavior, so the practical risk to end users is low, but it did trip an automated security scan (SkillSpector) during evaluation for install. Bumping to the patched vitest release would resolve this and remove the false-alarm surface for anyone else running the same kind of pre-install scan.