Skip to content

Sync eng/tools/js-sdk-release-tools: bump @azure-tools/js-sdk-release-tools 2.16.10 → 2.16.11#39142

Open
Copilot wants to merge 3 commits into
mainfrom
copilot/sync-js-sdk-release-tools
Open

Sync eng/tools/js-sdk-release-tools: bump @azure-tools/js-sdk-release-tools 2.16.10 → 2.16.11#39142
Copilot wants to merge 3 commits into
mainfrom
copilot/sync-js-sdk-release-tools

Conversation

Copilot AI commented Jun 30, 2026

Copy link
Copy Markdown
Contributor

Syncs eng/tools/js-sdk-release-tools with azure-sdk-tools PR #16224, which released @azure-tools/js-sdk-release-tools@2.16.11.

What's in 2.16.11

  • Security: Upgraded js-yaml 4.1.1 → 4.2.0 to patch CVE-2026-53550 (quadratic-complexity DoS in merge-key handling) (#16148)
  • Feature: Added --report-file CLI option to changelogToolCli for report-only mode — generates a JSON report of SDK changes without modifying CHANGELOG.md or bumping the package version (#16165)

Changes

  • package.json: @azure-tools/js-sdk-release-tools 2.16.102.16.11
  • package-lock.json: regenerated

Packages impacted by this PR

eng/tools/js-sdk-release-tools

Issues associated with this PR

Closes #39141

Describe the problem that is addressed by this PR

eng/tools/js-sdk-release-tools/package.json was pinned to @azure-tools/js-sdk-release-tools@2.16.10; needs to track the latest release (2.16.11).

What are the possible designs available to address the problem? If there are more than one possible design, why was the one in this PR chosen?

N/A — version pin update only.

Are there test cases added in this PR? (If not, why?)

No — dependency version bump; test coverage lives in upstream azure-sdk-tools.

Provide a list of related PRs (if any)

Checklists

  • Added impacted package name to the issue description.
  • Does this PR need any fixes in the SDK Generator?** (If so, create an Issue in the Autorest/typescript repository and link it here.)
  • Added a changelog (if necessary).

…-tools 2.16.10 → 2.16.11

Co-authored-by: skywing918 <41712999+skywing918@users.noreply.github.com>
Copilot AI changed the title [WIP] Sync eng/tools/js-sdk-release-tools with azure-sdk-tools Sync eng/tools/js-sdk-release-tools: bump @azure-tools/js-sdk-release-tools 2.16.10 → 2.16.11 Jun 30, 2026
Copilot AI requested a review from skywing918 June 30, 2026 08:03
@skywing918 skywing918 marked this pull request as ready for review June 30, 2026 10:09
Copilot AI review requested due to automatic review settings June 30, 2026 10:09

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR syncs eng/tools/js-sdk-release-tools with upstream azure-sdk-tools by bumping the pinned @azure-tools/js-sdk-release-tools dependency from 2.16.10 to 2.16.11. Per the PR description, 2.16.11's primary value is a security fix that pulls in js-yaml 4.2.0 (patching CVE-2026-53550) plus a new --report-file CLI option. This is an internal engineering tool used in the SDK release/changelog pipeline.

Changes:

  • Bumped @azure-tools/js-sdk-release-tools 2.16.102.16.11 in package.json.
  • Updated the top-level package entry (version/resolved/integrity) in package-lock.json.

Concern: The lockfile was not fully regenerated — the transitive js-yaml remains pinned at the vulnerable 4.1.1 rather than the 4.2.0 the PR claims to deliver, so the stated security fix is not actually applied.

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated 1 comment.

File Description
eng/tools/js-sdk-release-tools/package.json Bumps the pinned dependency to 2.16.11; correct and complete.
eng/tools/js-sdk-release-tools/package-lock.json Updates only the top-level entry's version/integrity; transitive js-yaml still resolves to vulnerable 4.1.1, so the regeneration appears incomplete.
Files not reviewed (1)
  • eng/tools/js-sdk-release-tools/package-lock.json: Generated file

Comment on lines +12 to +14
"version": "2.16.11",
"resolved": "https://registry.npmjs.org/@azure-tools/js-sdk-release-tools/-/js-sdk-release-tools-2.16.11.tgz",
"integrity": "sha512-F08+KQuw8/7+I83Vp4+bTCQXdOtNUXAiCx8kreKZC5ShbgU8vdbYN72LQYrGjTML+nUPkFU0vpZ8aZMDLlS5DA==",
@skywing918 skywing918 requested a review from lirenhe as a code owner July 1, 2026 03:36
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Sync eng\tools\js-sdk-release-tools directory with azure-sdk-tools for PR 16224

3 participants