build(deps-dev): bump ava from 7.0.0 to 8.0.1

[dependabot]

Bumps ava from 7.0.0 to 8.0.1.

Release notes

Sourced from ava's releases.

v8.0.1

What's Changed

This release officially adds Node.js 26 support, with thanks to @​novemberborn in avajs/ava#3450.

Per our policy, support for Node.js 25 has been removed.

Full Changelog: avajs/ava@v8.0.0...v8.0.1

v8.0.0

Breaking Changes

AVA now expects Node.js 22.20, 24.12 or newer.

Internally AVA is now fully ESM. This is possible now that Node.js supports loading ES modules using require() calls and simplifies AVA's types and internals.

If you use AVA from a CommonJS project you'll have to update your imports:

-const test = require('ava');
+const {default: test} = require('ava');

We expect an increasing number of projects to be ESM only. As per the above, CommonJS is still supported, but we don't expect cjs extensions to be used. The default file extensions are now js and mjs. Specify extensions: ['cjs', 'js', 'mjs'] for AVA to run test files with the cjs extension.

All test files (and those loaded through AVA's require config) are now loaded via import(). Use customization hooks for transpilation. The object form of the extensions configuration is no longer supported.

If you use AVA with @​ava/typescript you must upgrade that package to v7.

New Features

There's two new test modifiers courtesy of @​sindresorhus: test.skipIf() to skip a test based on a runtime condition. test.runIf() is the inverse: the test only runs when the condition is true.

test.skipIf(process.platform === 'win32')('not on Windows', t => {
	t.pass();
});
test.runIf(process.platform === 'linux')('Linux only', t => {
t.pass();
});

These work with other modifiers like .serial and .failing:

test.serial.skipIf(process.platform === 'win32')('serial, not on Windows', t => {
	t.pass();
});
</tr></table>

... (truncated)

Commits

• bbfd946 v8.0.1
• 332fcd7 Pre-release updates (#3451)
• fcaaf43 Add Node.js 26 support; drop 25 (#3450)
• a913804 Test using AVA 8 (#3440)
• fe31286 v8.0.0
• 7bdbabb Improve error when throwsAsync/notThrowsAsync is not awaited (#3436)
• a304990 Full ESM internals; bias away from CJS; require @​ava/typescript@​7
• d012c64 Update release process documentation (#3435)
• 2cea71e CI tweaks (#3438)
• 27e9c84 Remove Node.js 20 support; update dependencies prior to release (#3432)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	ava@​7.0.0 ⏵ 8.0.1				+4

View full report

[socket-security]

Caution

Review the following alerts detected in dependencies.

According to your organization's Security Policy, you must resolve all "Block" alerts before proceeding. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Block		Embedded URLs or IPs: npm ava URLs: https://avajs.dev, https://github.com/nodejs/node/pull/43875, snap.md, https://github.com/nodejs/node/issues/48716., https://github.com/avajs/ava#assertion-planning Location: Package overview From: package-lock.json → npm/ava@8.0.1 ℹ Read more on: This package | This alert | What are URL strings? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/ava@8.0.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm cbor2 is 100.0% likely to have a medium risk anomaly Notes: Overall, the codebase appears to be a robust, feature-rich CBOR serialization library with extensive tag support and defensive input handling. There is no concrete evidence of malicious behavior or data exfiltration within the provided fragment. The main operational risk is inherent to any data-serialization component: untrusted inputs can trigger potentially expensive or error-prone constructions (URL/RegExp/Date) if downstream usage is insecure. The code mitigates this with strict validations and explicit error handling. Confidence: 1.00 Severity: 0.60 From: package-lock.json → npm/ava@8.0.1 → npm/cbor2@2.3.0 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/cbor2@2.3.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Embedded URLs or IPs: npm cbor2 URLs: github.com/hildjj/cbor2/break, github.com/hildjj/cbor2/cbor-encoded, github.com/hildjj/cbor2/length, cto.af/wtf8, f.ONE?t+= Location: Package overview From: package-lock.json → npm/ava@8.0.1 → npm/cbor2@2.3.0 ℹ Read more on: This package | This alert | What are URL strings? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/cbor2@2.3.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Embedded URLs or IPs: npm emittery URLs: https://github.com/sindresorhus/safe-stringify Location: Package overview From: package-lock.json → npm/ava@8.0.1 → npm/emittery@2.0.0 ℹ Read more on: This package | This alert | What are URL strings? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/emittery@2.0.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

[guibranco]

Automatically approved by gstraccini[bot]

[codacy-production]

Up to standards ✅

🟢 Issues 0 issues

Results:
0 new issues

View in Codacy

🟢 Metrics 0 complexity · 0 duplication

Metric	Results
Complexity	0
Duplication	0

View in Codacy

_{NEW Get contextual insights on your PRs based on Codacy's metrics, along with PR and Jira context, without leaving GitHub. Enable AI reviewer
TIP This summary will be updated as you push new changes.}

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud