-
Notifications
You must be signed in to change notification settings - Fork 83
Automatic Sync: Merge changes from stable/mi to main #2398
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
base: main
Are you sure you want to change the base?
Changes from all commits
71eb7f4
1e0f0a7
61894b2
e8cf688
1df27f2
bc54f45
3997934
09bc3d5
4dcef13
40326fb
70e5fc7
4eddcda
712482c
b5c127e
0e2ac2d
f74f254
13af5ab
ef6c2d6
5d27278
07795c0
15774ff
4d8fc19
df12936
481a4ee
8ef28d2
b48bc91
42de7b6
1a9f1e0
c164ce5
a15c9bd
281e47a
8b62600
e512ed7
c31e025
704e460
c9ce87c
a52ab91
dbe50f6
cc180c8
189e299
1b7f168
65ed5c1
859d8db
9aca2cc
1272213
c761330
5f3e4dd
3515826
4c59180
8cfa84d
700dcda
673a088
e879734
d2c7586
300b333
8e9efb1
9013bb2
9f013d9
4b8673f
0abae08
e69d081
25ec307
e08451d
04a8cb5
c25d64a
8d5966e
f85d211
1f62469
d182f45
2787e39
54c4bfc
82f4d14
a457d92
4a8d2f8
0e54028
725fc2d
c428fe3
a0881ac
246cdc8
23c49d4
bf647a8
2e5e648
2a85d39
eee5178
13e7d3e
4723dfa
b5b63bb
c84e5fd
dc64e8a
84d875c
4014818
0332b9a
e7c1214
15de20a
2b47a48
20415e6
97b5367
465a9b3
694cc1c
1e4290d
dff92ac
3d2dded
be6445a
3bce92c
3259fe1
a773ad8
abd44b4
0863ea5
37a7a01
c93f476
6a340da
177cc00
8b41747
8011f17
2cdf0d6
d5f071b
c3b9553
4a873d2
c74ee87
bd9a45f
cc7c1ad
a048043
25ba353
968e561
eadf15f
4c4ad92
5d7c144
3ee44ab
99a3484
c6788c1
a0a5eeb
6b43802
30e6755
4b268b3
89a7f1a
fb1e3e4
0ea19a4
a60a7e9
ebfd54f
30cb7f3
4c74b7a
f1a0eb4
f1d7641
c5593d1
82f7882
13ee247
912e47f
6e3edf0
f33932e
69426c6
d223431
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.
| Original file line number | Diff line number | Diff line change | ||||
|---|---|---|---|---|---|---|
|
|
@@ -22,46 +22,48 @@ module.exports = { | |||||
| if (deps['xmldom']) deps['xmldom'] = 'npm:@xmldom/xmldom@0.8.10'; | ||||||
| if (deps['braces']) deps['braces'] = '3.0.3'; | ||||||
| if (deps['micromatch']) deps['micromatch'] = '4.0.8'; | ||||||
| if (deps['js-yaml']) deps['js-yaml'] = '4.1.1'; | ||||||
| if (deps['js-yaml']) deps['js-yaml'] = '4.2.0'; | ||||||
| if (deps['diff']) deps['diff'] = '8.0.3'; | ||||||
| if (deps['eslint']) deps['eslint'] = '^9.27.0'; | ||||||
| if (deps['fast-xml-parser']) deps['fast-xml-parser'] = '5.7.0'; | ||||||
| if (deps['esbuild']) deps['esbuild'] = '0.25.12'; | ||||||
| if (deps['lodash']) deps['lodash'] = '4.18.0'; | ||||||
|
Contributor
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. 🔒 Security & Privacy | 🟠 Major | ⚡ Quick win Pin lodash 🛡️ Proposed fix- if (deps['lodash']) deps['lodash'] = '4.18.0';
+ if (deps['lodash']) deps['lodash'] = '4.18.1'; // security fix: prototype pollution in _.unset/_.omit (GHSA-f23m-r3pf-42rh)📝 Committable suggestion
Suggested change
🤖 Prompt for AI Agents |
||||||
| if (deps['qs']) deps['qs'] = '6.15.2'; | ||||||
| if (deps['hono']) deps['hono'] = '4.12.18'; // CVE-2026-44455 (JSX injection), CVE-2026-44456 (bodyLimit bypass) | ||||||
| if (deps['qs']) deps['qs'] = '6.15.2'; // security fix: CVE-2026-8723 | ||||||
| if (deps['hono']) deps['hono'] = '4.12.25'; | ||||||
| if (deps['@hono/node-server']) deps['@hono/node-server'] = '1.19.13'; | ||||||
| if (deps['@tootallnate/once']) deps['@tootallnate/once'] = '3.0.1'; | ||||||
| if (deps['dompurify']) deps['dompurify'] = '3.4.0'; // security fix: XSS vulnerability | ||||||
| if (deps['axios']) deps['axios'] = '1.15.2'; // security fix: SSRF vulnerability | ||||||
| if (deps['dompurify']) deps['dompurify'] = '3.4.11'; | ||||||
| if (deps['axios']) deps['axios'] = '1.16.0'; // security fix | ||||||
| if (deps['http-proxy-middleware']) deps['http-proxy-middleware'] = '3.0.7'; | ||||||
| if (deps['ip-address']) { // security fix: force patch within 10.x range only to avoid breaking consumers on earlier majors | ||||||
| if (/^[\s\^~><=]*10[.\s]/.test(deps['ip-address'])) { | ||||||
| deps['ip-address'] = '10.1.1'; | ||||||
| } | ||||||
| } | ||||||
| if (deps['follow-redirects']) deps['follow-redirects'] = '1.16.0'; // security fix: redirect bypass vulnerability | ||||||
| if (deps['form-data']) { | ||||||
| if (/^[\s\^~><=]*4[.\s]/.test(deps['form-data'])) { | ||||||
| deps['form-data'] = '4.0.6'; | ||||||
| } | ||||||
| } | ||||||
| if (deps['express-rate-limit']) deps['express-rate-limit'] = '8.2.2'; // security fix | ||||||
| if (deps['file-type']) deps['file-type'] = '21.3.2'; // security fix | ||||||
| if (deps['immutable']) deps['immutable'] = '3.8.3'; // security fix | ||||||
| if (deps['serialize-javascript']) deps['serialize-javascript'] = '7.0.5'; // security fix: XSS/code injection | ||||||
| if (deps['shell-quote']) deps['shell-quote'] = '1.8.4'; | ||||||
| if (deps['flatted']) deps['flatted'] = '3.4.2'; // security fix | ||||||
| if (deps['handlebars']) deps['handlebars'] = '4.7.9'; // security fix: prototype pollution | ||||||
| if (deps['tmp']) deps['tmp'] = '0.2.4'; // security fix | ||||||
| if (deps['undici']) deps['undici'] = '7.24.0'; // security fix: header injection | ||||||
| if (deps['tmp']) deps['tmp'] = '0.2.7'; // security fix | ||||||
| if (deps['undici']) deps['undici'] = '7.28.0'; // security fix: header injection | ||||||
| if (deps['uuid']) deps['uuid'] = '14.0.0'; // security fix | ||||||
| if (deps['@nevware21/ts-utils']) deps['@nevware21/ts-utils'] = '0.14.0'; // security fix: CVE-2026-46681 (prototype pollution) | ||||||
| if (deps['webpack-dev-server']) deps['webpack-dev-server'] = '5.2.4'; // security fix: CVE-2026-6402 (info disclosure) | ||||||
| if (deps['ws']) { | ||||||
| if (/^[\s\^~><=]*8[.\s]/.test(deps['ws'])) { | ||||||
| deps['ws'] = '8.20.1'; // security fix: CVE-2026-45736 | ||||||
| } | ||||||
| } | ||||||
| if (deps['@opentelemetry/core']) deps['@opentelemetry/core'] = '2.8.0'; | ||||||
| if (deps['protobufjs']) { | ||||||
| const currentVersion = deps['protobufjs']; | ||||||
| if (currentVersion.startsWith('^8') || currentVersion.startsWith('8')) { | ||||||
| deps['protobufjs'] = '8.2.0'; // security fix: CVE-2026-45740 (DoS via recursive JSON descriptor expansion) | ||||||
| deps['protobufjs'] = '8.6.0'; | ||||||
| } else { | ||||||
| deps['protobufjs'] = '7.5.8'; // security fix: CVE-2026-45740 (DoS via recursive JSON descriptor expansion) | ||||||
| deps['protobufjs'] = '7.6.3'; // security fix: CVE-2026-45740 (DoS via recursive JSON descriptor expansion) | ||||||
| } | ||||||
| } | ||||||
| if (deps['vite']) deps['vite'] = '6.0.14'; | ||||||
|
|
||||||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -90,7 +90,7 @@ | |
| */ | ||
| "globalOverrides": { | ||
| "lodash": ">=4.18.0", | ||
| "hono": "4.12.18" | ||
| "hono": "4.12.25" | ||
| }, | ||
|
|
||
| /** | ||
|
|
||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
🩺 Stability & Availability | 🟠 Major | ⚡ Quick win
🧩 Analysis chain
🌐 Web query:
undici 7 minimum supported Node.js version💡 Result:
The minimum supported Node.js version for the Undici 7.x release line is Node.js 20.18.1 [1][2][3]. The Undici project maintains an LTS-aligned support schedule for its major versions, and the 7.x branch explicitly requires Node.js ≥20.18.1 [1][2][3]. This requirement is documented in the project's official README and is enforced via the engines field in the package's configuration, which may cause installation warnings or errors in environments using older Node.js versions [2][4]. As of June 30, 2026, the 7.x series remains a supported maintenance line [5]. It is tested against Node.js versions 20, 22, and 24 [1][2][3].
Citations:
🏁 Script executed:
Repository: wso2/vscode-extensions
Length of output: 3253
🏁 Script executed:
Repository: wso2/vscode-extensions
Length of output: 846
🏁 Script executed:
Repository: wso2/vscode-extensions
Length of output: 13786
Keep
undici6.x or raise the Node floorundici7.x requires Node>=20.18.1, but this repo still supports>=20.6.0 <23.0.0, so the autoinstaller can break on supported 20.6–20.18 installs. Either bump the repo’s Node range or stay on 6.x.🤖 Prompt for AI Agents