Commit dc3052e

vicperdana and Copilot committed
fix(vscode): resolve 14 dependency security vulnerabilities (8 high, 4 medium, 2 low)

Fix all open Dependabot alerts in packages/vscode-extension/package-lock.json by cherry-picking security-relevant changes from upstream microsoft/PSDocs-vscode and adding version-scoped npm overrides. Local subtree divergence (eslint flat-config, monorepo URLs, engines-aligned @types/vscode) is preserved.

Direct dependency changes (package.json):
- Replace deprecated vscode-test ^1.6.1 with @vscode/test-electron ^2.5.2 (eliminates the @tootallnate/once + http-proxy-agent vulnerable chain)
- Bump @vscode/vsce ^3.3.2 -> ^3.7.1 (cascades fresh transitives)

Source change (src/test/runTest.ts):
- Update import: vscode-test -> @vscode/test-electron (identical runTests API)

New top-level overrides block (npm 9+ version-scoped syntax to surgically patch transitives without breaking same-tree consumers of other majors):
- serialize-javascript ^7.0.5
- flatted ^3.4.2
- markdown-it ^14.1.1
- qs ^6.14.2
- underscore ^1.13.8
- diff ^8.0.3
- ajv@<6.14.0 -> ^6.14.0
- picomatch@<2.3.2 -> ^2.3.2
- brace-expansion@<1.1.13 -> ^1.1.13
- brace-expansion@>=2.0.0 <2.0.3 -> ^2.0.3
- minimatch@<3.1.4 -> ^3.1.4
- minimatch@>=5.0.0 <5.1.8 -> ^5.1.8
- minimatch@>=9.0.0 <9.0.7 -> ^9.0.7

Alerts addressed:
- GHSA-qj8w-gfj5-8c6v / CVE-2026-34043 serialize-javascript DoS (medium) #34
- GHSA-5c6j-r48x-rmvq serialize-javascript RCE (high) #25
- GHSA-f886-m6hf-6m8v / CVE-2026-33750 brace-expansion v1 hang (medium) #33
- GHSA-3v7f-55p6-f55p / CVE-2026-33672 picomatch method injection (medium) #31
- GHSA-rf6f-7fwh-wjgh / CVE-2026-33228 flatted prototype pollution (high) #29
- GHSA-vpq2-c234-7xj6 / CVE-2026-3449 @tootallnate/once control-flow (low) #27
- GHSA-qpx9-hpmf-5gmw / CVE-2026-27601 underscore unlimited recursion (high) #26
- GHSA-7r86-cg39-jmmj / CVE-2026-27903 minimatch v3/v5/v9 ReDoS (high) #22, #23, #24
- GHSA-23c5-xmqv-rm74 / CVE-2026-27904 minimatch ReDoS via extglobs (high) #20
- GHSA-3ppc-4f35-3m26 / CVE-2026-26996 minimatch wildcard ReDoS (high) #16
- GHSA-38c4-r59v-3vqw / CVE-2026-2327 markdown-it ReDoS (medium) #11
- GHSA-w7fw-mjwx-w883 / CVE-2026-2391 qs arrayLimit DoS (low) #10

Validation:
- npm audit reports 0 vulnerabilities
- All 14 alerts cross-checked against resolved lockfile versions
- npm run compile, lint, pack all clean (2 pre-existing ESLint warnings in src/extension.ts, unrelated)
- Dropped from node_modules: @tootallnate/once, vscode-test

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
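The validation step "All 14 alerts cross-checked against resolved lockfile versions" is worth automating, because version-scoped overrides only help if every nested copy of a package (for example a second minimatch under another package's node_modules) actually resolved to a fixed version. The script below is an added example, not code from the PSDocs-vscode repository or from this commit: it reads a lockfileVersion 3 package-lock.json and reports every resolved package whose version still falls inside one of the vulnerable ranges that the overrides target. The range expressions and fixed versions are taken from the override list in the commit message; the lockfile contents, the function names and the simplified range grammar are assumptions made for the example.

```python
"""Cross-check resolved package-lock.json versions against advisory ranges.

Added example (not the project's own code). The sample lockfile is constructed
for illustration; the advisory ranges mirror the version-scoped npm overrides
listed in the commit message (ajv, picomatch, brace-expansion, minimatch).
"""
import json
import re
from typing import Dict, List, Tuple

# Constructed lockfile in the lockfileVersion 3 layout ("packages" keyed by
# install path). Real lockfiles carry many more fields; only "version" matters.
SAMPLE_LOCK = json.dumps({
    "name": "psdocs-vscode",
    "lockfileVersion": 3,
    "packages": {
        "node_modules/minimatch": {"version": "3.1.4"},
        "node_modules/glob/node_modules/minimatch": {"version": "5.1.7"},
        "node_modules/ajv": {"version": "6.14.0"},
        "node_modules/brace-expansion": {"version": "1.1.12"},
        "node_modules/picomatch": {"version": "2.3.2"},
    },
})

# (package, vulnerable range, first fixed version): the version-scoped override
# rules from the commit message written as npm-style comparator ranges.
ADVISORY_RANGES: List[Tuple[str, str, str]] = [
    ("ajv", "<6.14.0", "6.14.0"),
    ("picomatch", "<2.3.2", "2.3.2"),
    ("brace-expansion", "<1.1.13", "1.1.13"),
    ("brace-expansion", ">=2.0.0 <2.0.3", "2.0.3"),
    ("minimatch", "<3.1.4", "3.1.4"),
    ("minimatch", ">=5.0.0 <5.1.8", "5.1.8"),
    ("minimatch", ">=9.0.0 <9.0.7", "9.0.7"),
]

# One comparator: optional operator followed by MAJOR.MINOR.PATCH.
_COMPARATOR = re.compile(r"(<=|>=|<|>|=)?\s*(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'MAJOR.MINOR.PATCH'; any pre-release suffix is ignored (simplification)."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unsupported version string: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def in_range(version: str, range_expr: str) -> bool:
    """True if `version` satisfies every space-separated comparator in `range_expr`."""
    v = parse_version(version)
    for op, *parts in _COMPARATOR.findall(range_expr):
        bound = tuple(int(p) for p in parts)
        satisfied = {
            "<": v < bound, "<=": v <= bound,
            ">": v > bound, ">=": v >= bound,
        }.get(op or "=", v == bound)
        if not satisfied:
            return False
    return True


def package_name(lock_path: str) -> str:
    """'node_modules/glob/node_modules/minimatch' -> 'minimatch' (scoped names kept)."""
    return lock_path.split("node_modules/")[-1]


def find_vulnerable(lock_json: str) -> List[Dict[str, str]]:
    """Return every resolved package whose version still falls in an advisory range."""
    lock = json.loads(lock_json)
    findings: List[Dict[str, str]] = []
    for path, meta in lock.get("packages", {}).items():
        if not path:  # the empty key is the root project itself
            continue
        name, version = package_name(path), meta.get("version")
        if not version:
            continue
        for pkg, vuln_range, fixed in ADVISORY_RANGES:
            if pkg == name and in_range(version, vuln_range):
                findings.append({"path": path, "version": version,
                                 "vulnerable_range": vuln_range, "fixed": fixed})
    return findings


if __name__ == "__main__":
    for f in find_vulnerable(SAMPLE_LOCK):
        print(f"{f['path']} {f['version']} matches {f['vulnerable_range']} "
              f"-> needs >= {f['fixed']}")
```

Run against the constructed lockfile, the check flags the nested minimatch 5.1.7 under glob and brace-expansion 1.1.12 while accepting the top-level minimatch 3.1.4, ajv 6.14.0 and picomatch 2.3.2. The point of doing this in addition to `npm audit` is that it works offline, pins the exact ranges the overrides were meant to close, and catches a nested copy that a top-level override did not reach. The range grammar is deliberately minimal (comparators only, no `^`/`~`/`||`) and pre-release tags are not compared, so treat it as a cross-check, not a replacement for a full semver implementation.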
1 parent 53fc6a2 commit dc3052e

3 files changed

Lines changed: 2731 additions & 1709 deletions

0 commit comments
