Sync eng/tools/js-sdk-release-tools: bump @azure-tools/js-sdk-release-tools 2.16.10 → 2.16.11 #39142
Copilot wants to merge 3 commits into
…-tools 2.16.10 → 2.16.11 Co-authored-by: skywing918 <41712999+skywing918@users.noreply.github.com>
Pull request overview
This PR syncs eng/tools/js-sdk-release-tools with upstream azure-sdk-tools by bumping the pinned @azure-tools/js-sdk-release-tools dependency from 2.16.10 to 2.16.11. Per the PR description, 2.16.11's primary value is a security fix that pulls in js-yaml 4.2.0 (patching CVE-2026-53550) plus a new --report-file CLI option. This is an internal engineering tool used in the SDK release/changelog pipeline.
Changes:
- Bumped @azure-tools/js-sdk-release-tools 2.16.10 → 2.16.11 in package.json.
- Updated the top-level package entry (version/resolved/integrity) in package-lock.json.
Concern: The lockfile was not fully regenerated — the transitive js-yaml remains pinned at the vulnerable 4.1.1 rather than the 4.2.0 the PR claims to deliver, so the stated security fix is not actually applied.
Reviewed changes
Copilot reviewed 1 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| eng/tools/js-sdk-release-tools/package.json | Bumps the pinned dependency to 2.16.11; correct and complete. |
| eng/tools/js-sdk-release-tools/package-lock.json | Updates only the top-level entry's version/integrity; transitive js-yaml still resolves to vulnerable 4.1.1, so the regeneration appears incomplete. |
Files not reviewed (1)
- eng/tools/js-sdk-release-tools/package-lock.json: Generated file
| "version": "2.16.11", | ||
| "resolved": "https://registry.npmjs.org/@azure-tools/js-sdk-release-tools/-/js-sdk-release-tools-2.16.11.tgz", | ||
| "integrity": "sha512-F08+KQuw8/7+I83Vp4+bTCQXdOtNUXAiCx8kreKZC5ShbgU8vdbYN72LQYrGjTML+nUPkFU0vpZ8aZMDLlS5DA==", |
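Review bot: this hunk touches only the top-level @azure-tools/js-sdk-release-tools entry (version, resolved, integrity), yet the PR description states package-lock.json was regenerated and that 2.16.11's point is js-yaml 4.1.1 → 4.2.0 for CVE-2026-53550; the review above finds the transitive js-yaml still resolving to 4.1.1. Since `npm ci` installs exactly what the lockfile records, the advertised fix is not installed until the lockfile is regenerated and the nested js-yaml entry moves to 4.2.0. Suggest regenerating the lockfile with the current npm and confirming the js-yaml entry in the updated diff before merging.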
Syncs eng/tools/js-sdk-release-tools with azure-sdk-tools PR #16224, which released @azure-tools/js-sdk-release-tools@2.16.11.

What's in 2.16.11
- js-yaml 4.1.1 → 4.2.0 to patch CVE-2026-53550 (quadratic-complexity DoS in merge-key handling) (#16148)
- --report-file CLI option to changelogToolCli for report-only mode — generates a JSON report of SDK changes without modifying CHANGELOG.md or bumping the package version (#16165)

Changes
- package.json: @azure-tools/js-sdk-release-tools 2.16.10 → 2.16.11
- package-lock.json: regenerated

Packages impacted by this PR
- eng/tools/js-sdk-release-tools

Issues associated with this PR
Closes #39141

Describe the problem that is addressed by this PR
eng/tools/js-sdk-release-tools/package.json was pinned to @azure-tools/js-sdk-release-tools@2.16.10; needs to track the latest release (2.16.11).

What are the possible designs available to address the problem? If there are more than one possible design, why was the one in this PR chosen?
N/A — version pin update only.

Are there test cases added in this PR? (If not, why?)
No — dependency version bump; test coverage lives in upstream azure-sdk-tools.

Provide a list of related PRs (if any)

Checklists
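A check for the concern raised in the review above (top-level entry bumped while a nested js-yaml copy stays at 4.1.1), as an added Python example that is not code from this repository or from @azure-tools/js-sdk-release-tools. It walks a package-lock.json, covering both the v2/v3 flat `packages` map and the v1 nested `dependencies` tree, and lists every installed copy of a named package below a minimum version. The two lockfiles embedded in it are constructed to mirror the PR's situation, not the repository's real lockfile, and the function names are this example's own.

```python
"""List copies of a package in package-lock.json that are below a minimum version.

Added example for this PR page; not part of azure-sdk-for-js or
@azure-tools/js-sdk-release-tools. Lockfile contents below are constructed.
"""
import json
import re
from typing import Dict, Iterator, List, Tuple

# Constructed lockfileVersion 3 sample: the top-level entry was bumped to
# 2.16.11, but a nested js-yaml copy was left at 4.1.1 (integrity omitted).
SAMPLE_LOCK_V3 = json.dumps({
    "name": "js-sdk-release-tools",
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"@azure-tools/js-sdk-release-tools": "2.16.11"}},
        "node_modules/@azure-tools/js-sdk-release-tools": {
            "version": "2.16.11",
            "dependencies": {"js-yaml": "^4.2.0"},
        },
        # Stale nested copy: editing the top-level entry alone never touches this.
        "node_modules/@azure-tools/js-sdk-release-tools/node_modules/js-yaml": {
            "version": "4.1.1",
        },
        "node_modules/js-yaml": {"version": "4.2.0"},
    },
})

# Constructed lockfileVersion 1 sample (older nested "dependencies" layout).
SAMPLE_LOCK_V1 = json.dumps({
    "lockfileVersion": 1,
    "dependencies": {
        "@azure-tools/js-sdk-release-tools": {
            "version": "2.16.11",
            "dependencies": {"js-yaml": {"version": "4.1.1"}},
        },
        "js-yaml": {"version": "4.2.0"},
    },
})


def parse_version(text: str) -> Tuple[int, ...]:
    """Return (major, minor, patch) as ints; pre-release/build suffixes are ignored."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(x) for x in m.groups())


def iter_installed(lock: Dict) -> Iterator[Tuple[str, str, str]]:
    """Yield (lockfile path, package name, version) for every installed package."""
    packages = lock.get("packages")
    if isinstance(packages, dict):
        # v2/v3: flat map keyed by install path; "" is the root project itself.
        for path, meta in packages.items():
            if not path or "version" not in meta:
                continue
            # The name is whatever follows the last "node_modules/", which keeps
            # scoped names such as @azure-tools/... intact.
            name = path.rsplit("node_modules/", 1)[-1]
            yield path, name, meta["version"]
        return

    # v1: nested tree; rebuild the same install paths the v3 layout uses.
    def walk(deps: Dict, prefix: str) -> Iterator[Tuple[str, str, str]]:
        for name, meta in deps.items():
            path = f"{prefix}node_modules/{name}"
            if "version" in meta:
                yield path, name, meta["version"]
            yield from walk(meta.get("dependencies", {}), path + "/")

    yield from walk(lock.get("dependencies", {}), "")


def find_below(lock: Dict, name: str, minimum: str) -> List[Tuple[str, str]]:
    """Return (path, version) for each installed copy of `name` older than `minimum`."""
    floor = parse_version(minimum)
    return [
        (path, version)
        for path, pkg, version in iter_installed(lock)
        if pkg == name and parse_version(version) < floor
    ]


def check_lockfile_text(text: str, name: str, minimum: str) -> List[Tuple[str, str]]:
    """Same check, taking the raw lockfile contents as a string."""
    return find_below(json.loads(text), name, minimum)


if __name__ == "__main__":
    # Any stale copy means the fix the bump advertises is not what npm ci installs.
    for path, version in check_lockfile_text(SAMPLE_LOCK_V3, "js-yaml", "4.2.0"):
        print(f"js-yaml {version} still pinned at {path}")
```

Against a real lockfile, pass `open("package-lock.json").read()` to `check_lockfile_text` and fail the CI step if the result is non-empty. Reading the lockfile directly, rather than running `npm ls` after an install, means the gate runs on the diff itself and catches a partially edited lockfile like the one in this PR.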