NPM upgrade, bump dependencies to reduce vulnerabilities and add lockfile maintenance guide #17741
ndoschek wants to merge 5 commits into
Conversation
- ran npm upgrade after 1.73.x
- align dependency ranges with resolved versions in package-lock
- align MCPFrontendContributionManager and MCPTestContribution
- pin yauzl override to ~3.3.2 (was ^3.3.1) to block the 3.4.0 bump that re-introduces the extract-zip race on Node 24 (GH-17570)
- keep mermaid at 11.15.0 temporarily, as the IP check for mermaid-js-parser will probably not be completed in time

Contributed on behalf of STMicroelectronics

- compression-webpack-plugin 9 to 12, copy-webpack-plugin 8 to 14 (serialize-javascript RCE/XSS/DoS)
- esbuild 0.24 to 0.28 (dev server CORS)
- add esbuild to root devDependencies so it hoists to the repo root
- scanoss 0.15 to 0.40 (nested tar advisories)
- electron-mocha 12 to 13, mocha 10 to 11 (minimatch ReDoS, js-yaml DoS)
- nyc 17 to 18, dockerode 4 to 5 (uuid bounds check)

Contributed on behalf of STMicroelectronics
As it does not look like we will get https://gitlab.eclipse.org/eclipsefdn/emo-team/iplab/-/work_items/29406 approved soon, I just kept the previous mermaid version and will make sure to update mermaid once the IP check has been approved.
jfaltermeier left a comment
I've added two comments about VSCode types/engines, besides that it looks good.
| }, | ||
| "engines": { | ||
| "vscode": "^1.51.0" | ||
| "vscode": "^1.120.0" |
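Review bot: the engines.vscode bump from ^1.51.0 to ^1.120.0 only fixes the sample plugin build if the same package's @types/vscode devDependency is at the same 1.120 API level; a types version newer than the engine minimum lets the plugin compile against API that a declared host may not provide, and vsce packaging checks for exactly this mismatch. Suggest changing engines.vscode and @types/vscode in the same hunk for every sample plugin and confirming with the sample plugin build the thread says was failing.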
I know this was broken before, but the sample plugins do not build. I think we need to align the engine with the types below.
Ah definitely, thanks for catching that Johannes!
I had that vsce update prepared but overlooked aligning the engines. I updated them now to match the types and they should build again 👍
| "devDependencies": { | ||
| "@theia/api-provider-sample": "1.73.0" | ||
| "@theia/api-provider-sample": "1.73.0", | ||
| "@types/vscode": "^1.120.0" |
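Review bot: `@types/vscode` is set to ^1.120.0 here while a later comment in the thread asks whether 125 should be used instead; whichever minor is chosen, it must not exceed the minimum declared in this package's engines.vscode range, so the two fields should move together rather than in separate hunks, otherwise the manifest is back in the inconsistent state that broke the build.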
Should we use 125 here as well?
- bumps @vscode/vsce from ^2.32.0 to ^3.9.2
- resolves the high-severity linkify-it ReDoS vulnerability that was pulled in transitively via markdown-it
- add generic readme for Theia sample plugins
- update vscode engines for all sample plugins to align with the @types/vscode version

Contributed on behalf of STMicroelectronics

- place temp dir under $HOME so the XDG trash dir is on the same filesystem
- avoids EACCES when /tmp is on a mount whose root is not user-writable

Contributed on behalf of STMicroelectronics

- add scripts/npm-install-with-platforms.js: runs npm install --include=optional and restores platform-specific optional-dep entries and libc fields that npm strips based on host platform
- add scripts/verify-lockfile-platforms.js: asserts known libc-bearing entries and platform-specific optional-dep families are present in the lockfile
- wire the verifier into the ci-cd lint job, gated on package-lock.json changes for PRs, always run on push and manual dispatch as a canary
- extend scripts/check_git_status.sh with a lockfile-specific hint pointing at the regen script when the lockfile drifts after install
- add doc/lockfile-maintenance.md describing the problem, the snapshot-and-restore workflow, and the CI guard, linked from Developing.md and the CLAUDE.md read-on-demand list

Contributed on behalf of STMicroelectronics
I also updated the last commit to already add a helper for the lockfile maintenance instead of only documenting. Could you have another look there as well? TIA
What it does
- … via markdown-it
- … regenerate-on-22-then-restore workflow. Link it from Developing.md and the CLAUDE.md read-on-demand list.
How to test
- npm ci runs cleanly
- @modelcontextprotocol/inspector against the Theia MCP server: the sample test-tool still executes successfully

Follow-ups
Breaking changes
Attribution
Contributed on behalf of STMicroelectronics