chore: bump up @vitest/browser version to v3.0.4 [SECURITY] (#9937)

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| [@vitest/browser](https://redirect.github.com/vitest-dev/vitest/tree/main/packages/browser#readme) ([source](https://redirect.github.com/vitest-dev/vitest/tree/HEAD/packages/browser)) | [`3.0.2` -> `3.0.4`](https://renovatebot.com/diffs/npm/@vitest%2fbrowser/3.0.2/3.0.4) | [![age](https://developer.mend.io/api/mc/badges/age/npm/@vitest%2fbrowser/3.0.4?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/@vitest%2fbrowser/3.0.4?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/@vitest%2fbrowser/3.0.2/3.0.4?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/@vitest%2fbrowser/3.0.2/3.0.4?slim=true)](https://docs.renovatebot.com/merge-confidence/) |

### GitHub Vulnerability Alerts

#### [CVE-2025-24963](https://redirect.github.com/vitest-dev/vitest/security/advisories/GHSA-8gvc-j273-4wm5)

### Summary
`__screenshot-error` handler on the browser mode HTTP server that responds any file on the file system. Especially if the server is exposed on the network by [`browser.api.host: true`](https://vitest.dev/guide/browser/config.html#browser-api), an attacker can send a request to that handler from remote to get the content of arbitrary files.

### Details
This `__screenshot-error` handler on the browser mode HTTP server responds any file on the file system.
f17918a799/packages/browser/src/node/plugin.ts (L88-L130)

This code was added by 2d62051f13.

### PoC
1. Create a directory and change the current directory to that directory
1. Run `npx vitest init browser`
1. Run `npm run test:browser`
2. Run `curl http://localhost:63315/__screenshot-error?file=/path/to/any/file`

### Impact
Users explicitly exposing the browser mode server to the network by [`browser.api.host: true`](https://vitest.dev/guide/browser/config.html#browser-api) may get any files exposed.

---

### Release Notes

<details>
<summary>vitest-dev/vitest (@&#8203;vitest/browser)</summary>

### [`v3.0.4`](https://redirect.github.com/vitest-dev/vitest/releases/tag/v3.0.4)

[Compare Source](https://redirect.github.com/vitest-dev/vitest/compare/v3.0.3...v3.0.4)

#####    🐞 Bug Fixes

-   Filter projects eagerly during config resolution  -  by [@&#8203;sheremet-va](https://redirect.github.com/sheremet-va) and [@&#8203;AriPerkkio](https://redirect.github.com/AriPerkkio) in [https://github.com/vitest-dev/vitest/issues/7313](https://redirect.github.com/vitest-dev/vitest/issues/7313) [<samp>(dff44)</samp>](https://redirect.github.com/vitest-dev/vitest/commit/dff4406d)
-   Apply `development|production` condition on Vites 6 by [@&#8203;hi-ogawa](https://redirect.github.com/hi-ogawa) and [@&#8203;sheremet-va](https://redirect.github.com/sheremet-va) ([#&#8203;7301](https://redirect.github.com/vitest-dev/vitest/issues/7301)) [<samp>(ef146)</samp>](ef1464fc7b)
-   **browser**: Restrict served files from `/__screenshot-error`  -  by [@&#8203;hi-ogawa](https://redirect.github.com/hi-ogawa) in [https://github.com/vitest-dev/vitest/issues/7340](https://redirect.github.com/vitest-dev/vitest/issues/7340) [<samp>(ed9ae)</samp>](https://redirect.github.com/vitest-dev/vitest/commit/ed9aeba2)
-   **deps**: Update all non-major dependencies  -  by [@&#8203;sheremet-va](https://redirect.github.com/sheremet-va) in [https://github.com/vitest-dev/vitest/issues/7297](https://redirect.github.com/vitest-dev/vitest/issues/7297) [<samp>(38ea8)</samp>](https://redirect.github.com/vitest-dev/vitest/commit/38ea8eae)
-   **runner**: Timeout long sync hook  -  by [@&#8203;hi-ogawa](https://redirect.github.com/hi-ogawa) in [https://github.com/vitest-dev/vitest/issues/7289](https://redirect.github.com/vitest-dev/vitest/issues/7289) [<samp>(c60ee)</samp>](https://redirect.github.com/vitest-dev/vitest/commit/c60ee27c)
-   **typechecking**: Support typechecking parsing with Vite 6  -  by [@&#8203;sheremet-va](https://redirect.github.com/sheremet-va) in [https://github.com/vitest-dev/vitest/issues/7335](https://redirect.github.com/vitest-dev/vitest/issues/7335) [<samp>(bff70)</samp>](https://redirect.github.com/vitest-dev/vitest/commit/bff70be9)
-   **types**: Fix public types  -  by [@&#8203;mrginglymus](https://redirect.github.com/mrginglymus) and [@&#8203;sheremet-va](https://redirect.github.com/sheremet-va) in [https://github.com/vitest-dev/vitest/issues/7328](https://redirect.github.com/vitest-dev/vitest/issues/7328) [<samp>(ce6af)</samp>](https://redirect.github.com/vitest-dev/vitest/commit/ce6af70c)

#####     [View changes on GitHub](https://redirect.github.com/vitest-dev/vitest/compare/v3.0.3...v3.0.4)

### [`v3.0.3`](https://redirect.github.com/vitest-dev/vitest/releases/tag/v3.0.3)

[Compare Source](https://redirect.github.com/vitest-dev/vitest/compare/v3.0.2...v3.0.3)

#####    🐞 Bug Fixes

-   **browser**:
    -   Don't throw a validation error if v8 coverage is used with filtered instances  -  by [@&#8203;sheremet-va](https://redirect.github.com/sheremet-va) in [https://github.com/vitest-dev/vitest/issues/7306](https://redirect.github.com/vitest-dev/vitest/issues/7306) [<samp>(fa463)</samp>](https://redirect.github.com/vitest-dev/vitest/commit/fa4634b2)
    -   Don't fail when running --browser.headless if the browser projest is part of the workspace  -  by [@&#8203;sheremet-va](https://redirect.github.com/sheremet-va) in [https://github.com/vitest-dev/vitest/issues/7311](https://redirect.github.com/vitest-dev/vitest/issues/7311) [<samp>(e43a8)</samp>](https://redirect.github.com/vitest-dev/vitest/commit/e43a8f56)

#####    🏎 Performance

-   **reporters**: Update summary only when needed  -  by [@&#8203;AriPerkkio](https://redirect.github.com/AriPerkkio) in [https://github.com/vitest-dev/vitest/issues/7291](https://redirect.github.com/vitest-dev/vitest/issues/7291) [<samp>(7f36b)</samp>](https://redirect.github.com/vitest-dev/vitest/commit/7f36b6f9)

#####     [View changes on GitHub](https://redirect.github.com/vitest-dev/vitest/compare/v3.0.2...v3.0.3)

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/toeverything/AFFiNE).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOS4xNDUuMCIsInVwZGF0ZWRJblZlciI6IjM5LjE0NS4wIiwidGFyZ2V0QnJhbmNoIjoiY2FuYXJ5IiwibGFiZWxzIjpbImRlcGVuZGVuY2llcyJdfQ==-->

package.json

@@ -64,7 +64,7 @@
     "@types/node": "^22.0.0",
     "@typescript-eslint/parser": "^8.18.0",
     "@vanilla-extract/vite-plugin": "^5.0.0",
-    "@vitest/browser": "3.0.2",
+    "@vitest/browser": "3.0.4",
     "@vitest/coverage-istanbul": "3.0.2",
     "@vitest/ui": "3.0.2",
     "cross-env": "^7.0.3",

yarn.lock

@@ -671,7 +671,7 @@ __metadata:
     "@types/node": "npm:^22.0.0"
     "@typescript-eslint/parser": "npm:^8.18.0"
     "@vanilla-extract/vite-plugin": "npm:^5.0.0"
-    "@vitest/browser": "npm:3.0.2"
+    "@vitest/browser": "npm:3.0.4"
     "@vitest/coverage-istanbul": "npm:3.0.2"
     "@vitest/ui": "npm:3.0.2"
     cross-env: "npm:^7.0.3"
@@ -14675,12 +14675,12 @@ __metadata:
   languageName: node
   linkType: hard
 
-"@testing-library/user-event@npm:^14.6.0":
-  version: 14.6.0
-  resolution: "@testing-library/user-event@npm:14.6.0"
+"@testing-library/user-event@npm:^14.6.1":
+  version: 14.6.1
+  resolution: "@testing-library/user-event@npm:14.6.1"
   peerDependencies:
     "@testing-library/dom": ">=7.21.4"
-  checksum: 10/01a7481642ceda10324ff5356e3cfd9c6131b0cecbcbdd5938096d4d3f8ce9e548e9b460ef35bad8f3649dc392c808044a5abd78de8218a4bc21c91125be85df
+  checksum: 10/34b74fff56a0447731a94b40d4cf246deb8dbc1c1e3aec93acd1c3377a760bb062e979f1572bb34ec164ad28ee2a391744b42d0d6d6cc16c4ce527e5e09610e1
   languageName: node
   linkType: hard
 
@@ -16279,14 +16279,14 @@ __metadata:
   languageName: node
   linkType: hard
 
-"@vitest/browser@npm:3.0.2":
-  version: 3.0.2
-  resolution: "@vitest/browser@npm:3.0.2"
+"@vitest/browser@npm:3.0.4":
+  version: 3.0.4
+  resolution: "@vitest/browser@npm:3.0.4"
   dependencies:
     "@testing-library/dom": "npm:^10.4.0"
-    "@testing-library/user-event": "npm:^14.6.0"
-    "@vitest/mocker": "npm:3.0.2"
-    "@vitest/utils": "npm:3.0.2"
+    "@testing-library/user-event": "npm:^14.6.1"
+    "@vitest/mocker": "npm:3.0.4"
+    "@vitest/utils": "npm:3.0.4"
     magic-string: "npm:^0.30.17"
     msw: "npm:^2.7.0"
     sirv: "npm:^3.0.0"
@@ -16294,7 +16294,7 @@ __metadata:
     ws: "npm:^8.18.0"
   peerDependencies:
     playwright: "*"
-    vitest: 3.0.2
+    vitest: 3.0.4
     webdriverio: "*"
   peerDependenciesMeta:
     playwright:
@@ -16303,7 +16303,7 @@ __metadata:
       optional: true
     webdriverio:
       optional: true
-  checksum: 10/b76a2db98332500c89c03b6ad6f829753b1fc8b39cf4927f314d56d38acd8259a9d8dc02590648011ab33b14b051238279c8adfcfa86a5189949af1b19a10c48
+  checksum: 10/23f7a60b7ea073ad06cf3145a3416e1dd53489f26db2a497ea55d2313943797e99af807c4c077b54baa670d4c87cf028daa334af78d4298d8da9f087505e9138
   languageName: node
   linkType: hard
 
@@ -16351,11 +16351,11 @@ __metadata:
   languageName: node
   linkType: hard
 
-"@vitest/mocker@npm:3.0.2":
-  version: 3.0.2
-  resolution: "@vitest/mocker@npm:3.0.2"
+"@vitest/mocker@npm:3.0.4":
+  version: 3.0.4
+  resolution: "@vitest/mocker@npm:3.0.4"
   dependencies:
-    "@vitest/spy": "npm:3.0.2"
+    "@vitest/spy": "npm:3.0.4"
     estree-walker: "npm:^3.0.3"
     magic-string: "npm:^0.30.17"
   peerDependencies:
@@ -16366,7 +16366,7 @@ __metadata:
       optional: true
     vite:
       optional: true
-  checksum: 10/91f4315d1fec10e670e3cf4165a8b108c651af0f4f2089dc6de8e3f7739f3f3d08335cbec31865ea866a47434e5c879fb6348465efa90e24673197525f6459ce
+  checksum: 10/f6e7a57575271b1f9f4fd8671e0760a035c31620086b694f303815aba353864b2eb3c51f5c4506e5f618ab7584b9260035e0183a4f8d7a9947a30dc7ef91c5b6
   languageName: node
   linkType: hard
 
@@ -16416,6 +16416,15 @@ __metadata:
   languageName: node
   linkType: hard
 
+"@vitest/pretty-format@npm:3.0.4":
+  version: 3.0.4
+  resolution: "@vitest/pretty-format@npm:3.0.4"
+  dependencies:
+    tinyrainbow: "npm:^2.0.0"
+  checksum: 10/8c54fc5df1e73339b5b81ad66d779c98af750a4f1609f47aecabc9af2e11620775d521ab183e9db8acf2cd018d7aa29d5fd9737bf2935369dd6f1306a6487b9f
+  languageName: node
+  linkType: hard
+
 "@vitest/pretty-format@npm:3.0.5, @vitest/pretty-format@npm:^3.0.5":
   version: 3.0.5
   resolution: "@vitest/pretty-format@npm:3.0.5"
@@ -16455,12 +16464,12 @@ __metadata:
   languageName: node
   linkType: hard
 
-"@vitest/spy@npm:3.0.2":
-  version: 3.0.2
-  resolution: "@vitest/spy@npm:3.0.2"
+"@vitest/spy@npm:3.0.4":
+  version: 3.0.4
+  resolution: "@vitest/spy@npm:3.0.4"
   dependencies:
     tinyspy: "npm:^3.0.2"
-  checksum: 10/19fe5b04f58d31074fd19086f239a84db437f3b816c0180bd7584a3ce47a77d2593546d8f2a62b33ba93c5a61045681d60cb2f840f08f0fee192a108e7c33620
+  checksum: 10/a2e03516e7f678120b03b1f1e95b587781e6c6c78781a2b37bd5b7706fb57a99f127d46d337db14477673aa811027730fe5fb5af68f03fde7e65050293810e67
   languageName: node
   linkType: hard
 
@@ -16513,6 +16522,17 @@ __metadata:
   languageName: node
   linkType: hard
 
+"@vitest/utils@npm:3.0.4":
+  version: 3.0.4
+  resolution: "@vitest/utils@npm:3.0.4"
+  dependencies:
+    "@vitest/pretty-format": "npm:3.0.4"
+    loupe: "npm:^3.1.2"
+    tinyrainbow: "npm:^2.0.0"
+  checksum: 10/68132cc059ac0db29e325b3e8a1ac6e0a99ea8a2d6d214bb4dc6399c3de0ffe78c42b13c733cc775a78d7ee1e7e3dcd67f75b7c35e5c28e3825cabf4ec7c50dc
+  languageName: node
+  linkType: hard
+
 "@vitest/utils@npm:3.0.5":
   version: 3.0.5
   resolution: "@vitest/utils@npm:3.0.5"