fix(deps): resolve 6 open Dependabot security alerts#8865
Conversation
Patch all 6 open Dependabot vulnerability alerts across the three npm manifests, with no breaking changes (verified via build/lint/tests). - cli/azd/test/eval: override js-yaml ^3.15.0 (GHSA-h67p-54hq-rp68, #393) and @babel/core ^7.29.6 (GHSA-4x5r-pxfx-6jf8, #383). - ext/vscode: override serialize-javascript ^7.0.5, resolving both GHSA-5c6j-r48x-rmvq (#262, high) and GHSA-qj8w-gfj5-8c6v (#368). - ext/azuredevops/setupAzd: bump serialize-javascript override to 7.0.5 (GHSA-qj8w-gfj5-8c6v, #366) and upgrade azure-pipelines-task-lib to ^5.276.0, which drops its transitive uuid@3 dependency (uses crypto.randomUUID), removing GHSA-w5hq-g745-h8pq (#365). A direct uuid major bump was avoided because task-lib uses require('uuid/v4'), a subpath removed in uuid v7+. Verification: - eval: ts-jest/babel toolchain compiles and runs (75 TS tests transpiled). - setupAzd: tsc build + mocha suite (3 passing). - vscode: esbuild + tsc build clean, eslint 0 warnings, mocha parallel mode (the serialize-javascript consumer) passes. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
There was a problem hiding this comment.
Pull request overview
This PR updates npm dependency resolutions across the VS Code extension, Azure DevOps setup task, and the azd eval test harness to clear 6 open Dependabot security alerts.
Changes:
- Added/updated
overridesto moveserialize-javascriptto v7 inext/vscodeandext/azuredevops/setupAzd. - Upgraded
azure-pipelines-task-libinext/azuredevops/setupAzdto remove the vulnerableuuid@3transitive dependency. - Added
overridesincli/azd/test/evalto bumpjs-yamland@babel/corewithin compatible ranges.
Reviewed changes
Copilot reviewed 3 out of 6 changed files in this pull request and generated 2 comments.
Show a summary per file
| File | Description |
|---|---|
| ext/vscode/package.json | Adds an override to resolve serialize-javascript to a patched v7 release. |
| ext/vscode/package-lock.json | Locks serialize-javascript to 7.0.6 (and updates transitive deps accordingly). |
| ext/azuredevops/setupAzd/package.json | Upgrades task-lib and updates/pins serialize-javascript override. |
| ext/azuredevops/setupAzd/package-lock.json | Locks task-lib to 5.276.0 and removes transitive uuid@3. |
| cli/azd/test/eval/package.json | Adds overrides for js-yaml and @babel/core to address advisories. |
| cli/azd/test/eval/package-lock.json | Locks updated transitive dependencies for the eval toolchain. |
Files not reviewed (3)
- cli/azd/test/eval/package-lock.json: Generated file
- ext/azuredevops/setupAzd/package-lock.json: Generated file
- ext/vscode/package-lock.json: Generated file
jongio
left a comment
There was a problem hiding this comment.
The unscoped override pattern the bot flagged on setupAzd also applies to the new overrides block in ext/vscode/package.json. Scoping to "serialize-javascript@<7.0.5": "^7.0.5" would limit the override to only vulnerable resolutions and avoid conflicts if a future transitive dep ships serialize-javascript 8.x.
Minor inconsistency: setupAzd pins to exact 7.0.5 while vscode uses caret ^7.0.5. Caret is better for security overrides since you automatically pick up future patches. Consider aligning setupAzd to use caret as well.
|
Tracking issue: #8870 |
📋 Prioritization NoteThanks for the contribution! The linked issue isn't in the current milestone yet. |
- Scope serialize-javascript overrides to the vulnerable range
("serialize-javascript@<7.0.5": "^7.0.5") in both ext/vscode and
ext/azuredevops/setupAzd so future majors (e.g. v8) aren't pinned back.
- Use caret in both manifests for consistency and automatic patch pickup.
- Update ext/vscode/CONTRIBUTING.md to recommend Node 20 (LTS) or higher,
matching the effective minimum after serialize-javascript v7.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
jongio
left a comment
There was a problem hiding this comment.
The scoping fix looks correct. Both serialize-javascript overrides now use @<7.0.5 version constraints with caret notation, so they'll only apply to vulnerable resolutions and won't interfere with future clean installs. The CONTRIBUTING.md Node 20 update is a good call given serialize-javascript 7.x requires it.
No new issues with the incremental changes.
jongio
left a comment
There was a problem hiding this comment.
The scoping fix looks correct. Both serialize-javascript overrides now use @<7.0.5 version constraints with caret notation, so they'll only apply to vulnerable resolutions and won't interfere with future clean installs. The CONTRIBUTING.md Node 20 update is a good call given serialize-javascript 7.x requires it.
No new issues with the incremental changes.
VSCode Extension Installation Instructions
|
|
/check-enforcer override |
Azure Dev CLI Install InstructionsInstall scriptsMacOS/Linux
bash: pwsh: WindowsPowerShell install MSI install Standalone Binary
MSI
Documentationlearn.microsoft.com documentationtitle: Azure Developer CLI reference
|
Summary
Patches all 6 open Dependabot vulnerability alerts across the three npm manifests in the repo. Each fix was verified to introduce no breaking changes (build/lint/test for every affected package).
Alerts fixed
ext/vscodeext/vscodeext/azuredevops/setupAzdext/azuredevops/setupAzdcli/azd/test/evalcli/azd/test/evalApproach
cli/azd/test/eval— addedoverridesforjs-yaml ^3.15.0and@babel/core ^7.29.6(both within existing transitive semver ranges, so minor/patch-level bumps only).ext/vscode— addedoverridesforserialize-javascript ^7.0.5(resolves to 7.0.6), clearing both the high and moderate advisories. Sole consumer ismocha(dev).ext/azuredevops/setupAzd—serialize-javascriptoverride from7.0.4→7.0.5.azure-pipelines-task-lib^5.2.1→^5.276.0(latest). The new task-lib drops its transitiveuuid@3dependency entirely (it now usescrypto.randomUUID()), removing the alert at the source.Why not just override
uuidto 11.1.1?uuidhas no patched release in the v3 line — the fix only exists in v11.1.1, a major bump.azure-pipelines-task-lib@5.2.ximportsrequire('uuid/v4'), a subpath export that was removed in uuid v7+, so forcing v11 would crash at runtime. Upgrading task-lib (same major, semver-compatible) cleanly removes uuid instead.Verification (no breaking changes)
azdbinary).npm run build(tsc) ✅ andnpm test(mocha) ✅ 3 passing.npm run build(esbuild + tsc) ✅,npm run lint(eslint, 0 warnings) ✅, andmocha --parallelsmoke test ✅ (directly exercises the upgraded serialize-javascript).Out of scope
npm auditstill reports unrelated advisories (brace-expansion,jsdiff) that are not among the 6 Dependabot alerts and are not currently flagged on the default branch; left untouched to keep this PR focused.fix #8870