fix(vscode): resolve 14 dependency security vulnerabilities (8 high, 4 medium, 2 low)#414
Open
vicperdana wants to merge 3 commits into
Conversation
…4 medium, 2 low)

Fix all open Dependabot alerts in packages/vscode-extension/package-lock.json by cherry-picking security-relevant changes from upstream microsoft/PSDocs-vscode and adding version-scoped npm overrides. Local subtree divergence (eslint flat-config, monorepo URLs, engines-aligned @types/vscode) is preserved.

Direct dependency changes (package.json):
- Replace deprecated vscode-test ^1.6.1 with @vscode/test-electron ^2.5.2 (eliminates the @tootallnate/once + http-proxy-agent vulnerable chain)
- Bump @vscode/vsce ^3.3.2 -> ^3.7.1 (cascades fresh transitives)

Source change (src/test/runTest.ts):
- Update import: vscode-test -> @vscode/test-electron (identical runTests API)

New top-level overrides block (npm 9+ version-scoped syntax to surgically patch transitives without breaking same-tree consumers of other majors):
- serialize-javascript ^7.0.5
- flatted ^3.4.2
- markdown-it ^14.1.1
- qs ^6.14.2
- underscore ^1.13.8
- diff ^8.0.3
- ajv@<6.14.0 -> ^6.14.0
- picomatch@<2.3.2 -> ^2.3.2
- brace-expansion@<1.1.13 -> ^1.1.13
- brace-expansion@>=2.0.0 <2.0.3 -> ^2.0.3
- minimatch@<3.1.4 -> ^3.1.4
- minimatch@>=5.0.0 <5.1.8 -> ^5.1.8
- minimatch@>=9.0.0 <9.0.7 -> ^9.0.7

Alerts addressed:
- GHSA-qj8w-gfj5-8c6v / CVE-2026-34043 serialize-javascript DoS (medium) #34
- GHSA-5c6j-r48x-rmvq serialize-javascript RCE (high) #25
- GHSA-f886-m6hf-6m8v / CVE-2026-33750 brace-expansion v1 hang (medium) #33
- GHSA-3v7f-55p6-f55p / CVE-2026-33672 picomatch method injection (medium) #31
- GHSA-rf6f-7fwh-wjgh / CVE-2026-33228 flatted prototype pollution (high) #29
- GHSA-vpq2-c234-7xj6 / CVE-2026-3449 @tootallnate/once control-flow (low) #27
- GHSA-qpx9-hpmf-5gmw / CVE-2026-27601 underscore unlimited recursion (high) #26
- GHSA-7r86-cg39-jmmj / CVE-2026-27903 minimatch v3/v5/v9 ReDoS (high) #22, #23, #24
- GHSA-23c5-xmqv-rm74 / CVE-2026-27904 minimatch ReDoS via extglobs (high) #20
- GHSA-3ppc-4f35-3m26 / CVE-2026-26996 minimatch wildcard ReDoS (high) #16
- GHSA-38c4-r59v-3vqw / CVE-2026-2327 markdown-it ReDoS (medium) #11
- GHSA-w7fw-mjwx-w883 / CVE-2026-2391 qs arrayLimit DoS (low) #10

Validation:
- npm audit reports 0 vulnerabilities
- All 14 alerts cross-checked against resolved lockfile versions
- npm run compile, lint, pack all clean (2 pre-existing ESLint warnings in src/extension.ts, unrelated)
- Dropped from node_modules: @tootallnate/once, vscode-test

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Pull request overview
Note
Copilot was unable to run its full agentic suite in this review.
Updates the VS Code extension’s dependencies and test runner to eliminate known vulnerable transitive chains and clear Dependabot/npm-audit security alerts while preserving the local subtree divergence.
Changes:
- Swaps the VS Code integration test runner from `vscode-test` to `@vscode/test-electron`.
- Updates `@vscode/vsce` and adds `overrides` to pin/patch vulnerable transitives.
Reviewed changes
Copilot reviewed 2 out of 3 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| packages/vscode-extension/src/test/runTest.ts | Migrates the test runner import to @vscode/test-electron. |
| packages/vscode-extension/package.json | Replaces deprecated test dependency, bumps vsce, and adds npm overrides for vulnerable transitives. |
Address all 4 review comments on PR #414:
- Convert previously-unscoped overrides (serialize-javascript, flatted, markdown-it, qs, underscore, diff) to version-scoped form. Each now only applies to versions in the vulnerable range, eliminating the risk of forcing major-version upgrades on out-of-scope consumers.
- Bump brace-expansion v1 override target from ^1.1.13 -> ^1.1.14 (and trigger range to <1.1.14) so the override deterministically lands on the version the lockfile already resolved.
- Bump minimatch v3 override target from ^3.1.4 -> ^3.1.5 (and trigger range to <3.1.5) for the same deterministic-resolution reason.
- Replace blanket diff ^8.0.3 with two scoped ranges:
  - diff@>=5.0.0 <5.2.2 -> ^5.2.2 (patches v5 line in place)
  - diff@>=6.0.0 <8.0.3 -> ^8.0.3 (patches v6/v7 line, matches what mocha 11.7.5 already pulls in)

Validation:
- npm audit reports 0 vulnerabilities
- All 14 originally-flagged alerts remain resolved
- npm run compile, lint, pack all clean

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
The version-scoped `diff@>=6.0.0 <8.0.3 -> ^8.0.3` override caused `npm ci` to fail under npm 10.8.2 (used by CI) with:

```
npm error EUSAGE
npm error `npm ci` can only install packages when your package.json
npm error and package-lock.json or npm-shrinkwrap.json are in sync.
npm error Missing: diff@7.0.0 from lock file
```

This is an npm 10 limitation: its `npm ci` lockfile validator does not fully consult version-scoped overrides when determining whether the lockfile satisfies a consumer's declared range (mocha 11.7.5 declares `diff: ^7.0.0` but the override redirects to 8.0.4).

Switching to a nested override under mocha — matching upstream PR microsoft/PSDocs-vscode#539 — is npm-10-compatible AND even more narrowly scoped than the version-range form (only mocha's diff consumer is affected). The v5 diff CVE range is no longer in the tree (mocha now uses ^7.0.0, not ^5.0.0), so a separate v5 patch is unnecessary.

Also regenerated the lockfile with npm 10.8.2 to ensure parity with the CI runtime.

Validation:
- npm install (npm 10.8.2) -> 0 vulnerabilities
- npm ci (npm 10.8.2) -> succeeds, 0 vulnerabilities
- npm run compile, lint, pack all clean
- diff still resolves to 8.0.4 (patched)
- All 14 originally-flagged alerts remain resolved

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Summary

Closes all 14 open Dependabot alerts in `packages/vscode-extension/package-lock.json` on `main`.

The vscode-extension subtree (originally imported from `microsoft/PSDocs-vscode` per `MONOREPO_MIGRATION.md`) has diverged from upstream — local migrations include ESLint 9 flat-config, monorepo URLs, and `@types/vscode ~1.89.0` aligned with `engines.vscode`. This PR cherry-picks the security-relevant changes from upstream rather than doing a full subtree pull, preserving all local divergence. (The eventual de-subtreeing of `packages/vscode-extension/` is a separate, future change.)

Direct dependency changes (`packages/vscode-extension/package.json`)

- `vscode-test ^1.6.1` → `@vscode/test-electron ^2.5.2` — eliminates the entire `@tootallnate/once` + `http-proxy-agent` vulnerable chain (fixes #27)
- `@vscode/vsce ^3.3.2` → `^3.7.1` — cascades fresh transitives

Source change (`src/test/runTest.ts`)

One-line import update for the test runner (identical `runTests` API, mirrors upstream PR microsoft/PSDocs-vscode#539).

New `overrides` block

Uses npm 9+ version-scoped syntax to surgically patch transitives without breaking same-tree consumers of other majors:

- `serialize-javascript ^7.0.5`, `flatted ^3.4.2`, `markdown-it ^14.1.1`, `qs ^6.14.2`, `underscore ^1.13.8`, `diff ^8.0.3`
- `ajv@<6.14.0 → ^6.14.0` (preserves coexisting `ajv@8.x` consumers)
- `picomatch@<2.3.2 → ^2.3.2` (preserves `tinyglobby`'s `picomatch@4.x`)
- `brace-expansion@<1.1.13 → ^1.1.13` and `brace-expansion@>=2.0.0 <2.0.3 → ^2.0.3`
- `minimatch` patched per-major: `<3.1.4 → ^3.1.4`, `>=5.0.0 <5.1.8 → ^5.1.8`, `>=9.0.0 <9.0.7 → ^9.0.7` (4 majors coexist)

Alerts addressed

Bonus: also resolves three additional findings surfaced during install — `ajv <6.14.0`, `brace-expansion 2.0.0–2.0.2`, and `diff 5.x` — bringing the post-merge `npm audit` count to 0.

Validation

- `cd packages/vscode-extension && npm install` — clean install
- `npm audit` → 0 vulnerabilities (info/low/moderate/high/critical all 0)
- `npm run compile` — clean (TypeScript build succeeds)
- `npm run lint` — 0 errors (2 pre-existing warnings in `src/extension.ts`, unrelated to this PR)
- `npm run pack` — produces 6046-file VSIX successfully
- Dropped from `node_modules/`: `@tootallnate/once`, `vscode-test`

Out of scope

- Full subtree pull from `microsoft/PSDocs-vscode` (preserves local divergence)
- `eslint.config.mjs`, monorepo repo URLs, or `@types/vscode` pinning
- `.github/workflows/vscode-ci.yml` (CI runs `npm ci` against the regenerated lockfile and will pick up the fixes automatically)
- De-subtreeing of `packages/vscode-extension/` is acknowledged but deferred
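The cross-check that the commit messages and the Validation section describe ("All 14 alerts cross-checked against resolved lockfile versions"), written out as an added example; this is not code from the PR, from its author, or from microsoft/PSDocs-vscode. It walks a lockfile's `packages` map and collects every resolved version of a package (nested `node_modules/` paths are how minimatch 3.x, 5.x and 9.x coexist in one tree), flags any resolution still inside an advisory range, and checks that each version-scoped override's target lands outside its own trigger range, which is the property the second commit relied on when it moved the minimatch and brace-expansion targets to ^3.1.5 and ^1.1.14. It assumes lockfileVersion 2 or 3; the two lockfiles, the advisory list (whose ranges are copied from the PR's override trigger ranges, not from the advisories' own text, which the page does not quote) and the overrides object are constructed for the example.

```javascript
// Added example (not code from this PR or from microsoft/PSDocs-vscode).
// Cross-checks every version resolved in a package-lock.json against advisory
// ranges, and sanity-checks version-scoped npm overrides. The lockfiles,
// advisory ranges and overrides below are constructed samples.

// Minimal semver, enough for the comparator forms the PR's overrides use
// (prerelease tags are not handled).
function parseVersion(text) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(text.trim());
  if (!m) throw new Error(`unparseable version: ${text}`);
  return { major: +m[1], minor: +m[2], patch: +m[3] };
}

function compareVersions(a, b) {
  for (const k of ['major', 'minor', 'patch']) if (a[k] !== b[k]) return a[k] < b[k] ? -1 : 1;
  return 0;
}

// "^x.y.z" -> the [>=, <) pair npm uses; a caret on 0.x only pins the minor (0.0.x the patch).
function caretBounds(v) {
  const upper = v.major > 0 ? { major: v.major + 1, minor: 0, patch: 0 }
    : v.minor > 0 ? { major: 0, minor: v.minor + 1, patch: 0 } : { major: 0, minor: 0, patch: v.patch + 1 };
  return [['>=', v], ['<', upper]];
}

// Parses a space-separated comparator set: ">=5.0.0 <5.1.8", "<3.1.5", "^8.0.3".
function parseRange(range) {
  return range.trim().split(/\s+/).flatMap((tok) => {
    const m = /^(>=|<=|>|<|\^|=)?(.+)$/.exec(tok);
    const v = parseVersion(m[2]);
    return m[1] === '^' ? caretBounds(v) : [[m[1] || '=', v]];
  });
}

function satisfies(version, range) {
  const v = parseVersion(version);
  return parseRange(range).every(([op, bound]) => {
    const c = compareVersions(v, bound);
    return { '<': c < 0, '<=': c <= 0, '>': c > 0, '>=': c >= 0, '=': c === 0 }[op];
  });
}

// Lockfile side (lockfileVersion 2/3 "packages" map). Keys are install paths; nested
// node_modules/ segments are how several majors of one package coexist, so one
// name can map to several resolved versions.
function resolvedVersions(lock) {
  const byName = new Map();
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const i = path.lastIndexOf('node_modules/');
    if (i < 0 || !entry.version) continue; // "" is the root project itself
    const name = path.slice(i + 'node_modules/'.length);
    if (!byName.has(name)) byName.set(name, new Set());
    byName.get(name).add(entry.version);
  }
  return byName;
}

// Every (advisory, resolved version) pair still inside a vulnerable range.
function findVulnerable(lock, advisories) {
  const resolved = resolvedVersions(lock);
  return advisories.flatMap((adv) => [...(resolved.get(adv.name) || [])]
    .filter((version) => adv.vulnerable.some((r) => satisfies(version, r)))
    .map((version) => ({ id: adv.id, name: adv.name, version })));
}

// Overrides side. A version-scoped entry "name@<trigger>": "<target>" must resolve
// outside its own trigger range, or it re-triggers on its own result.
// Nested object-valued entries (mocha: { diff: "^8.0.3" }) are left alone.
function checkOverrides(overrides) {
  const problems = [];
  for (const [key, target] of Object.entries(overrides)) {
    const at = key.lastIndexOf('@'); // scoped names start with '@', so take the last one
    if (typeof target !== 'string' || at <= 0) continue;
    const floor = parseRange(target).find(([op]) => op === '>=' || op === '=');
    if (!floor) continue; // upper-bound-only target: no definite floor to check
    const f = floor[1];
    if (satisfies(`${f.major}.${f.minor}.${f.patch}`, key.slice(at + 1))) {
      problems.push(`${key}: target ${target} is still inside its trigger range`);
    }
  }
  return problems;
}

// Constructed samples. Vulnerable ranges mirror the PR's override trigger ranges,
// not the advisories' own affected-range text, which the PR does not quote.
const ADVISORIES = [
  { id: 'GHSA-7r86-cg39-jmmj', name: 'minimatch', vulnerable: ['<3.1.5', '>=5.0.0 <5.1.8', '>=9.0.0 <9.0.7'] },
  { id: 'GHSA-f886-m6hf-6m8v', name: 'brace-expansion', vulnerable: ['<1.1.14', '>=2.0.0 <2.0.3'] },
  { id: 'GHSA-3v7f-55p6-f55p', name: 'picomatch', vulnerable: ['<2.3.2'] },
];
const sampleLock = (versions) => ({ lockfileVersion: 3,
  packages: Object.fromEntries(Object.entries(versions).map(([p, version]) => [p, { version }])) });
const LOCK_BEFORE = sampleLock({ 'node_modules/minimatch': '3.1.2', 'node_modules/brace-expansion': '1.1.11',
  'node_modules/mocha/node_modules/minimatch': '5.1.6', 'node_modules/picomatch': '2.3.1',
  'node_modules/tinyglobby/node_modules/picomatch': '4.0.2' });
const LOCK_AFTER = sampleLock({ 'node_modules/minimatch': '3.1.5', 'node_modules/brace-expansion': '1.1.14',
  'node_modules/mocha/node_modules/minimatch': '5.1.8', 'node_modules/picomatch': '2.3.2',
  'node_modules/tinyglobby/node_modules/picomatch': '4.0.2' });
const OVERRIDES = {
  'minimatch@<3.1.5': '^3.1.5', 'minimatch@>=5.0.0 <5.1.8': '^5.1.8', 'minimatch@>=9.0.0 <9.0.7': '^9.0.7',
  'brace-expansion@<1.1.14': '^1.1.14', 'brace-expansion@>=2.0.0 <2.0.3': '^2.0.3',
  'picomatch@<2.3.2': '^2.3.2',
  mocha: { diff: '^8.0.3' }, // nested form the third commit moved to for npm 10's `npm ci`
};
```

To run it against a real tree, pass `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` as `lock` to `findVulnerable`; on the constructed samples it flags four resolutions in `LOCK_BEFORE` (including the nested `minimatch` 5.1.6 under mocha and excluding `tinyglobby`'s `picomatch` 4.x) and none in `LOCK_AFTER`. `checkOverrides` deliberately skips the nested `mocha: { diff }` form, since that override only shows up in what the lockfile resolves, which `findVulnerable` already covers.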