Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
151 commits
Select commit Hold shift + click to select a range
71eb7f4
Switch agent file tools to a binary deny-list
IsuruMaduranga May 26, 2026
1e0f0a7
Fix PR review comments on binary deny-list changes
IsuruMaduranga May 27, 2026
61894b2
Improve the build and run flow
ChinthakaJ98 May 27, 2026
e8cf688
Update dependencies
ChinthakaJ98 May 27, 2026
1df27f2
Fix issues in the MI Extension
ChinthakaJ98 May 28, 2026
bc54f45
Add AGENTS.md support for project-level agent instructions
IsuruMaduranga May 28, 2026
3997934
Address AGENTS.md review feedback
IsuruMaduranga May 28, 2026
09bc3d5
Support the startOnLoad attribute for tasks in MI 4.1.0
ChinthakaJ98 May 29, 2026
4dcef13
Fix trivy detected vulnerabilities
ChinthakaJ98 May 29, 2026
40326fb
Merge pull request #2305 from ChinthakaJ98/trivy-fix-06
ChinthakaJ98 May 29, 2026
70e5fc7
Merge remote-tracking branch 'upstream/release/mi-4.1.0' into task-st…
ChinthakaJ98 May 29, 2026
4eddcda
Merge remote-tracking branch 'upstream/release/mi-4.1.0' into mi-fixe…
ChinthakaJ98 May 29, 2026
712482c
Merge pull request #2304 from ChinthakaJ98/task-startOnLoad
ChinthakaJ98 May 29, 2026
b5c127e
Fix copilot-created class mediators not packed in CApp
IsuruMaduranga May 29, 2026
0e2ac2d
Inject pom.xml reminder when agent writes/edits a class mediator
IsuruMaduranga May 29, 2026
f74f254
Only nag about pom.xml packaging when it is not already jar
IsuruMaduranga May 29, 2026
13af5ab
Fix trivy detected vulnerabilities
ChinthakaJ98 May 29, 2026
ef6c2d6
Update CHANGELOG
ChinthakaJ98 May 29, 2026
5d27278
Merge pull request #2311 from ChinthakaJ98/release/mi-4.0.2
ChinthakaJ98 May 29, 2026
07795c0
Merge pull request #2309 from IsuruMaduranga/fix/class-mediator-packa…
IsuruMaduranga May 29, 2026
15774ff
Address AGENTS.md review feedback
IsuruMaduranga May 29, 2026
4d8fc19
Enforce binary deny-list on PowerShell mutation paths
IsuruMaduranga May 29, 2026
df12936
Update CHANGELOG
ChinthakaJ98 May 29, 2026
481a4ee
Merge pull request #2307 from IsuruMaduranga/agents-md
ChinthakaJ98 May 29, 2026
8ef28d2
Merge pull request #2308 from IsuruMaduranga/issue#1474
ChinthakaJ98 May 29, 2026
b48bc91
Update version to micro-integrator-4.0.2
choreo-cicd May 29, 2026
42de7b6
Fix trivy detected vulnerabilities
ChinthakaJ98 Jun 1, 2026
1a9f1e0
Merge pull request #2313 from ChinthakaJ98/trivy-fix-07
ChinthakaJ98 Jun 1, 2026
c164ce5
Merge pull request #2314 from wso2/release/mi-4.0.2
ChinthakaJ98 Jun 1, 2026
a15c9bd
Merge pull request #2312 from wso2/micro-integrator-4.0.2
ChinthakaJ98 Jun 1, 2026
281e47a
Upgrade axios and related dependencies
ChinthakaJ98 Jun 1, 2026
8b62600
Merge pull request #2316 from wso2/stable/mi
ChinthakaJ98 Jun 2, 2026
e512ed7
Fix file attachment failures in MI Copilot
IsuruMaduranga Jun 4, 2026
c31e025
Address PR review feedback on file attachments
IsuruMaduranga Jun 4, 2026
704e460
Append read-error to upload status instead of overwriting
IsuruMaduranga Jun 4, 2026
c9ce87c
Implementing mcp feature for micro integrator
Dulavinya May 4, 2026
a52ab91
Updated fill with AI implementation for mcp server creation
Dulavinya May 4, 2026
dbe50f6
Display MCP server label in hierarchical navigation path
Dulavinya May 4, 2026
cc180c8
Simplify MCP server display in project explorer
Dulavinya May 4, 2026
189e299
Exclude MCP config files from source navigation
Dulavinya May 4, 2026
1b7f168
Fix MCP tool navigation to open the correct resource.
Dulavinya May 4, 2026
65ed5c1
Implemented delete functionality for mcp servers
Dulavinya May 5, 2026
859d8db
Hide MCP server commands from Command Palette
Dulavinya May 6, 2026
9aca2cc
Fix MCP server deletion
Dulavinya May 6, 2026
1272213
Fixed the MCP server generation to skip any servers without a valid p…
Dulavinya May 6, 2026
c761330
Replace forward-slash path check with a cross-platform-aware alternat…
Dulavinya May 6, 2026
5f3e4dd
Disable create until port scan completes to prevent conflicts when cr…
Dulavinya May 6, 2026
3515826
Fixed the API lookup to use stable identifiers
Dulavinya May 6, 2026
4c59180
Updated the schema validation path for inline sequence edits.
Dulavinya May 6, 2026
8cfa84d
Fixed schema re-derivation when editing mcp servers
Dulavinya May 7, 2026
700dcda
Normalize MCP server paths before opening the tools form.
Dulavinya May 7, 2026
673a088
Fix MCP server command ID mismatch
Dulavinya May 7, 2026
e879734
Fixed issue in mcp server creation commands
Dulavinya May 7, 2026
d2c7586
Fix Windows path handling for MCP endpoint derivation.
Dulavinya May 7, 2026
300b333
Fixed issue in consecutive saves of tools in MCPServerToolsForm.
Dulavinya May 7, 2026
8e9efb1
Fixed parseToolsFromXML function
Dulavinya May 7, 2026
9013bb2
Pre-validate the derived tool name when creating a new mcp tool.
Dulavinya May 7, 2026
9f013d9
Fix cross-platform path handling for MCP server paths
Dulavinya May 9, 2026
4b8673f
Remove unused MACHINE_VIEW enum values
Dulavinya May 9, 2026
0abae08
Updated copyright year
Dulavinya May 9, 2026
e69d081
Validate both localEntryPath and inboundEndpointPath before deletion
Dulavinya May 9, 2026
25ec307
Added review suggestions
Dulavinya May 9, 2026
e08451d
Added a confirmation dialog when deleting a mcp server
Dulavinya May 9, 2026
04a8cb5
Removed unnecessary console logs
Dulavinya May 9, 2026
c25d64a
Added review suggestions
Dulavinya May 9, 2026
8d5966e
Added review suggestions
Dulavinya May 9, 2026
f85d211
Added review suggestions
Dulavinya May 9, 2026
1f62469
Added review suggestions
Dulavinya May 9, 2026
d182f45
Added review suggestions for MCP Server Tools forms
Dulavinya May 10, 2026
2787e39
Added review suggestions
Dulavinya May 10, 2026
54c4bfc
Refactored MCPServerToolsForm
Dulavinya May 10, 2026
82f4d14
Fixed issue when editing a mcp tool
Dulavinya May 10, 2026
a457d92
Moved MCP utilities from the visualizer to the extension
Dulavinya May 10, 2026
4a8d2f8
Added review suggestions
Dulavinya May 10, 2026
0e54028
Added review suggestions
Dulavinya May 10, 2026
725fc2d
Updated class name in inbound endpoint xml when creating mcp servers
Dulavinya May 10, 2026
c428fe3
Added review suggestions
Dulavinya May 10, 2026
a0881ac
Review suggestions added
Dulavinya May 10, 2026
246cdc8
Added review suggestions
Dulavinya May 11, 2026
23c49d4
Remove unnecessary stylings and reuse common components
arunans23 May 15, 2026
bf647a8
Refactor MCPServer form stylings
arunans23 May 15, 2026
2e5e648
Simplify MCP request types
arunans23 Jun 2, 2026
2a85d39
Improve MCP Server edit experience
arunans23 Jun 2, 2026
eee5178
Cleanup outdated components
arunans23 Jun 2, 2026
13e7d3e
Improve API/Sequence add tool forms
arunans23 Jun 3, 2026
4723dfa
Import mcp schema derivation with references
arunans23 Jun 3, 2026
b5b63bb
Improve MCP server naming for inbound and localentry
arunans23 Jun 4, 2026
c84e5fd
Update mcp server form style
arunans23 Jun 5, 2026
dc64e8a
Improve MCP inbound download logic and refactor
arunans23 Jun 5, 2026
84d875c
Merge pull request #2329 from IsuruMaduranga/release/mi-4.1.0
IsuruMaduranga Jun 5, 2026
4014818
Add labels for mcp form fields
arunans23 Jun 5, 2026
0332b9a
Add code review suggestions
arunans23 Jun 5, 2026
e7c1214
Fix trivy detected vulnerabilities
ChinthakaJ98 Jun 5, 2026
15de20a
Fix issues in the MI Extension
ChinthakaJ98 Jun 5, 2026
2b47a48
Merge pull request #2333 from ChinthakaJ98/mi-fixes-25
ChinthakaJ98 Jun 8, 2026
20415e6
Merge branch 'release/mi-4.1.0' into mi-fixes-24
ChinthakaJ98 Jun 8, 2026
97b5367
Address code review comments
arunans23 Jun 8, 2026
465a9b3
Refactor code
arunans23 Jun 8, 2026
694cc1c
Merge remote-tracking branch 'origin/release/mi-4.1.0' into feature/m…
arunans23 Jun 8, 2026
1e4290d
Merge pull request #2295 from ChinthakaJ98/mi-fixes-24
ChinthakaJ98 Jun 8, 2026
dff92ac
Merge pull request #2293 from ChinthakaJ98/fix-build-issue
ChinthakaJ98 Jun 8, 2026
3d2dded
Refactor code
arunans23 Jun 8, 2026
be6445a
Fix issues in the MI Extension
ChinthakaJ98 Jun 8, 2026
3bce92c
Use platform specific logic instead regex
arunans23 Jun 9, 2026
3259fe1
Merge remote-tracking branch 'origin/release/mi-4.1.0' into feature/m…
arunans23 Jun 9, 2026
a773ad8
Merge pull request #2325 from arunans23/feature/mi-mcp-server
arunans23 Jun 9, 2026
abd44b4
Show lengthy connection types on hover
ChinthakaJ98 Jun 9, 2026
0863ea5
Merge pull request #2338 from ChinthakaJ98/mi-fixes-26
ChinthakaJ98 Jun 9, 2026
37a7a01
Merge pull request #2322 from ChinthakaJ98/connection-hover
ChinthakaJ98 Jun 9, 2026
c93f476
Improve MCP Fill With AI to prompt for login
arunans23 Jun 10, 2026
6a340da
Hide mcp inbound from event integration list
arunans23 Jun 10, 2026
177cc00
Fix trivy detected vulnerabilities
ChinthakaJ98 Jun 10, 2026
8b41747
Fix E2E tests
ChinthakaJ98 Jun 10, 2026
8011f17
Update workspaces/mi/mi-extension/src/rpc-managers/ai-features/rpc-ma…
arunans23 Jun 10, 2026
2cdf0d6
Update CHANGELOG
ChinthakaJ98 Jun 10, 2026
d5f071b
Merge pull request #2346 from ChinthakaJ98/prepare-4.1.0
ChinthakaJ98 Jun 10, 2026
c3b9553
Merge remote-tracking branch 'origin/release/mi-4.1.0' into feature/m…
arunans23 Jun 10, 2026
4a873d2
Merge branch 'feature/mi-mcp-server' of arunans23/vscode-extensions-m…
arunans23 Jun 10, 2026
c74ee87
Merge pull request #2345 from arunans23/feature/mi-mcp-server
arunans23 Jun 10, 2026
bd9a45f
Fix E2E tests
ChinthakaJ98 Jun 11, 2026
cc7c1ad
Merge pull request #2347 from ChinthakaJ98/e2e-fix
ChinthakaJ98 Jun 11, 2026
a048043
Update version to micro-integrator-4.1.0
choreo-cicd Jun 11, 2026
25ba353
Merge pull request #2348 from wso2/micro-integrator-4.1.0
ChinthakaJ98 Jun 11, 2026
968e561
Allow MCP server creation from MI 4.6.0
arunans23 Jun 18, 2026
eadf15f
Merge pull request #2369 from arunans23/fix-mcp-runtime
arunans23 Jun 18, 2026
4c4ad92
Fix trivy detected vulnerabilities
ChinthakaJ98 Jun 18, 2026
5d7c144
Fix E2E tests
ChinthakaJ98 Jun 18, 2026
3ee44ab
Merge pull request #2372 from ChinthakaJ98/trivy-fix-08
ChinthakaJ98 Jun 19, 2026
99a3484
Fix issues in the MI Extension
ChinthakaJ98 Jun 19, 2026
c6788c1
Fix trivy detected vulnerabilities
ChinthakaJ98 Jun 19, 2026
a0a5eeb
Merge remote-tracking branch 'origin/release/mi-4.1.1' into mi-fixes-27
ChinthakaJ98 Jun 19, 2026
6b43802
Fix trivy detected vulnerabilities
ChinthakaJ98 Jun 19, 2026
30e6755
Fix review comments
ChinthakaJ98 Jun 19, 2026
4b268b3
Fix trivy detected vulnerabilities
ChinthakaJ98 Jun 19, 2026
89a7f1a
Fix E2E tests
ChinthakaJ98 Jun 20, 2026
fb1e3e4
Fix trivy detected vulnerabilities
ChinthakaJ98 Jun 20, 2026
0ea19a4
Merge pull request #2376 from ChinthakaJ98/mi-fixes-27
ChinthakaJ98 Jun 22, 2026
a60a7e9
Fix agent-mode codegen guardrails (operator precedence, scope, connec…
IsuruMaduranga Jun 24, 2026
ebfd54f
Add support to the binds-to attribute in APIs
ChinthakaJ98 Jun 25, 2026
30cb7f3
Fix page history stack clearing issue
ChinthakaJ98 Jun 26, 2026
4c74b7a
Merge pull request #2388 from IsuruMaduranga/fix/agent-codegen-guardr…
IsuruMaduranga Jun 28, 2026
f1a0eb4
Lock model switching on WSO2 plan and surface proxy error messages
IsuruMaduranga Jun 28, 2026
f1d7641
Merge pull request #2391 from ChinthakaJ98/binding-inbound
ChinthakaJ98 Jun 29, 2026
c5593d1
Merge pull request #2394 from ChinthakaJ98/mi-fix-28
ChinthakaJ98 Jun 29, 2026
82f7882
Address PR review comments on model-lock/proxy-error fix
IsuruMaduranga Jun 29, 2026
13ee247
Harden BYOK re-gate and reset lock against pending/failed resolution
IsuruMaduranga Jun 29, 2026
912e47f
Update CHANGELOG
ChinthakaJ98 Jun 29, 2026
6e3edf0
Merge pull request #2396 from IsuruMaduranga/fix/wso2-model-lock-prox…
IsuruMaduranga Jun 29, 2026
f33932e
Update extension version
ChinthakaJ98 Jun 29, 2026
69426c6
Update version to micro-integrator-4.1.1
choreo-cicd Jun 29, 2026
d223431
Merge pull request #2397 from wso2/micro-integrator-4.1.1
ChinthakaJ98 Jun 30, 2026
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion common/autoinstallers/rush-plugins/package.json
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@
"fast-xml-parser": "5.7.0",
"minimatch": "3.1.5",
"brace-expansion": "1.1.13",
"undici": "6.24.0"
"undici": "7.28.0"

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🩺 Stability & Availability | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🌐 Web query:

undici 7 minimum supported Node.js version

💡 Result:

The minimum supported Node.js version for the Undici 7.x release line is Node.js 20.18.1 [1][2][3]. The Undici project maintains an LTS-aligned support schedule for its major versions, and the 7.x branch explicitly requires Node.js ≥20.18.1 [1][2][3]. This requirement is documented in the project's official README and is enforced via the engines field in the package's configuration, which may cause installation warnings or errors in environments using older Node.js versions [2][4]. As of June 30, 2026, the 7.x series remains a supported maintenance line [5]. It is tested against Node.js versions 20, 22, and 24 [1][2][3].

Citations:


🏁 Script executed:

#!/bin/bash
set -euo pipefail

printf '== package.json ==\n'
sed -n '1,120p' common/autoinstallers/rush-plugins/package.json

printf '\n== node/runtime constraints ==\n'
rg -n --hidden --glob '!**/node_modules/**' '"engines"|nodeVersion|Node\.js|node ' \
  package.json common rush.json rush-*.json .npmrc .nvmrc .node-version .tool-versions 2>/dev/null || true

printf '\n== files mentioning undici ==\n'
rg -n --hidden --glob '!**/node_modules/**' '"undici"|undici@|undici ' common package.json rush.json 2>/dev/null || true

Repository: wso2/vscode-extensions

Length of output: 3253


🏁 Script executed:

#!/bin/bash
set -euo pipefail

printf '== root package.json (engines/volta/packageManager) ==\n'
python3 - <<'PY'
from pathlib import Path
import json
p = Path('package.json')
data = json.loads(p.read_text())
for k in ['engines', 'volta', 'packageManager', 'os', 'cpu']:
    if k in data:
        print(f'{k}: {data[k]}')
PY

printf '\n== rush.json node settings ==\n'
python3 - <<'PY'
from pathlib import Path
import json
p = Path('rush.json')
data = json.loads(p.read_text())
for k in ['nodeSupportedVersionRange', 'nodeSupportedVersionInstructions', 'pnpmVersion', 'rushVersion']:
    if k in data:
        print(f'{k}: {data[k]}')
PY

printf '\n== rush.json excerpt around node-related settings ==\n'
sed -n '1,120p' rush.json

Repository: wso2/vscode-extensions

Length of output: 846


🏁 Script executed:

#!/bin/bash
set -euo pipefail

printf '== rush.json lines 1-120 ==\n'
cat -n rush.json | sed -n '1,120p'

printf '\n== root package.json ==\n'
cat -n package.json | sed -n '1,140p'

printf '\n== CI / workflow node version references ==\n'
rg -n --hidden --glob '!**/node_modules/**' 'node-version|Node\.js|setup-node|actions/setup-node|20\.18|20\.19|22\.|24\.' .github common package.json rush.json 2>/dev/null || true

Repository: wso2/vscode-extensions

Length of output: 13786


Keep undici 6.x or raise the Node floor
undici 7.x requires Node >=20.18.1, but this repo still supports >=20.6.0 <23.0.0, so the autoinstaller can break on supported 20.6–20.18 installs. Either bump the repo’s Node range or stay on 6.x.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@common/autoinstallers/rush-plugins/package.json` at line 11, The rush-plugins
autoinstaller is pinned to undici 7.x even though the repo still supports Node
>=20.6.0, which can break supported installs below 20.18.1. Update the
dependency in package.json for the rush-plugins autoinstaller by either
downgrading undici back to a 6.x release or raising the repository’s Node engine
floor to match undici 7.x, and make sure the chosen option is reflected
consistently where the Node support range is defined.

}
},
"dependencies": {
Expand Down
95 changes: 51 additions & 44 deletions common/autoinstallers/rush-plugins/pnpm-lock.yaml

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

32 changes: 17 additions & 15 deletions common/config/rush/.pnpmfile.cjs
Original file line number Diff line number Diff line change
Expand Up @@ -22,46 +22,48 @@ module.exports = {
if (deps['xmldom']) deps['xmldom'] = 'npm:@xmldom/xmldom@0.8.10';
if (deps['braces']) deps['braces'] = '3.0.3';
if (deps['micromatch']) deps['micromatch'] = '4.0.8';
if (deps['js-yaml']) deps['js-yaml'] = '4.1.1';
if (deps['js-yaml']) deps['js-yaml'] = '4.2.0';
if (deps['diff']) deps['diff'] = '8.0.3';
if (deps['eslint']) deps['eslint'] = '^9.27.0';
if (deps['fast-xml-parser']) deps['fast-xml-parser'] = '5.7.0';
if (deps['esbuild']) deps['esbuild'] = '0.25.12';
if (deps['lodash']) deps['lodash'] = '4.18.0';

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Pin lodash to 4.18.1, not 4.18.0.

lodash 4.18.1 ships a prototype-pollution fix for _.unset/_.omit (constructor/prototype path traversal, GHSA-f23m-r3pf-42rh). Pinning the override to exactly 4.18.0 leaves that hole unpatched, which defeats the security intent of this override block. The same 4.18.0 pin is present in the root package.json pnpm.overrides (line 21); update both.

🛡️ Proposed fix
-        if (deps['lodash']) deps['lodash'] = '4.18.0';
+        if (deps['lodash']) deps['lodash'] = '4.18.1'; // security fix: prototype pollution in _.unset/_.omit (GHSA-f23m-r3pf-42rh)
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
if (deps['lodash']) deps['lodash'] = '4.18.0';
if (deps['lodash']) deps['lodash'] = '4.18.1'; // security fix: prototype pollution in _.unset/_.omit (GHSA-f23m-r3pf-42rh)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@common/config/rush/.pnpmfile.cjs` at line 30, The lodash override is pinned
to the wrong version, leaving the security fix unapplied. Update the lodash
version override in the .pnpmfile.cjs dependency rewrite and the matching
pnpm.overrides entry in package.json so both use 4.18.1 instead of 4.18.0.

if (deps['qs']) deps['qs'] = '6.15.2';
if (deps['hono']) deps['hono'] = '4.12.18'; // CVE-2026-44455 (JSX injection), CVE-2026-44456 (bodyLimit bypass)
if (deps['qs']) deps['qs'] = '6.15.2'; // security fix: CVE-2026-8723
if (deps['hono']) deps['hono'] = '4.12.25';
if (deps['@hono/node-server']) deps['@hono/node-server'] = '1.19.13';
if (deps['@tootallnate/once']) deps['@tootallnate/once'] = '3.0.1';
if (deps['dompurify']) deps['dompurify'] = '3.4.0'; // security fix: XSS vulnerability
if (deps['axios']) deps['axios'] = '1.15.2'; // security fix: SSRF vulnerability
if (deps['dompurify']) deps['dompurify'] = '3.4.11';
if (deps['axios']) deps['axios'] = '1.16.0'; // security fix
if (deps['http-proxy-middleware']) deps['http-proxy-middleware'] = '3.0.7';
if (deps['ip-address']) { // security fix: force patch within 10.x range only to avoid breaking consumers on earlier majors
if (/^[\s\^~><=]*10[.\s]/.test(deps['ip-address'])) {
deps['ip-address'] = '10.1.1';
}
}
if (deps['follow-redirects']) deps['follow-redirects'] = '1.16.0'; // security fix: redirect bypass vulnerability
if (deps['form-data']) {
if (/^[\s\^~><=]*4[.\s]/.test(deps['form-data'])) {
deps['form-data'] = '4.0.6';
}
}
if (deps['express-rate-limit']) deps['express-rate-limit'] = '8.2.2'; // security fix
if (deps['file-type']) deps['file-type'] = '21.3.2'; // security fix
if (deps['immutable']) deps['immutable'] = '3.8.3'; // security fix
if (deps['serialize-javascript']) deps['serialize-javascript'] = '7.0.5'; // security fix: XSS/code injection
if (deps['shell-quote']) deps['shell-quote'] = '1.8.4';
if (deps['flatted']) deps['flatted'] = '3.4.2'; // security fix
if (deps['handlebars']) deps['handlebars'] = '4.7.9'; // security fix: prototype pollution
if (deps['tmp']) deps['tmp'] = '0.2.4'; // security fix
if (deps['undici']) deps['undici'] = '7.24.0'; // security fix: header injection
if (deps['tmp']) deps['tmp'] = '0.2.7'; // security fix
if (deps['undici']) deps['undici'] = '7.28.0'; // security fix: header injection
if (deps['uuid']) deps['uuid'] = '14.0.0'; // security fix
if (deps['@nevware21/ts-utils']) deps['@nevware21/ts-utils'] = '0.14.0'; // security fix: CVE-2026-46681 (prototype pollution)
if (deps['webpack-dev-server']) deps['webpack-dev-server'] = '5.2.4'; // security fix: CVE-2026-6402 (info disclosure)
if (deps['ws']) {
if (/^[\s\^~><=]*8[.\s]/.test(deps['ws'])) {
deps['ws'] = '8.20.1'; // security fix: CVE-2026-45736
}
}
if (deps['@opentelemetry/core']) deps['@opentelemetry/core'] = '2.8.0';
if (deps['protobufjs']) {
const currentVersion = deps['protobufjs'];
if (currentVersion.startsWith('^8') || currentVersion.startsWith('8')) {
deps['protobufjs'] = '8.2.0'; // security fix: CVE-2026-45740 (DoS via recursive JSON descriptor expansion)
deps['protobufjs'] = '8.6.0';
} else {
deps['protobufjs'] = '7.5.8'; // security fix: CVE-2026-45740 (DoS via recursive JSON descriptor expansion)
deps['protobufjs'] = '7.6.3'; // security fix: CVE-2026-45740 (DoS via recursive JSON descriptor expansion)
}
}
if (deps['vite']) deps['vite'] = '6.0.14';
Expand Down
2 changes: 1 addition & 1 deletion common/config/rush/pnpm-config.json
Original file line number Diff line number Diff line change
Expand Up @@ -90,7 +90,7 @@
*/
"globalOverrides": {
"lodash": ">=4.18.0",
"hono": "4.12.18"
"hono": "4.12.25"
},

/**
Expand Down
Loading