
NPM upgrade, bump dependencies to reduce vulnerabilities and add lockfile maintenance guide #17741

Open

ndoschek wants to merge 5 commits into master from nd/npm-upgrade

Conversation

ndoschek (Member) commented Jun 30, 2026

What it does

  • chore(deps): NPM upgrade
  • chore(deps): bump deps to address security advisories
    • compression-webpack-plugin 9 to 12, copy-webpack-plugin 8 to 14 (serialize-javascript RCE/XSS/DoS)
    • esbuild 0.24 to 0.28 (dev server CORS)
    • scanoss 0.15 to 0.40 (nested tar advisories)
    • electron-mocha 12 to 13, mocha 10 to 11 (minimatch ReDoS, js-yaml DoS)
    • nyc 17 to 18, dockerode 4 to 5 (uuid bounds check)
  • chore(deps): bump @vscode/vsce to v3
    • bumps @vscode/vsce from ^2.32.0 to ^3.9.1
    • resolves the high-severity linkify-it ReDoS vulnerability that was pulled in transitively
      via markdown-it
    • add generic readme for Theia sample plugins
  • test(filesystem): fix disk-file-system-provider trash test on Linux
    • place temp dir under $HOME so the XDG trash dir is on the same filesystem
    • avoids EACCES when /tmp is on a mount whose root is not user-writable
  • docs: add lockfile maintenance guide
    • Document the Node 22/24 (npm 10/11) optional-dependency divergence and the
      regenerate-on-22-then-restore workflow. Link it from Developing.md and the
      CLAUDE.md read-on-demand list.

How to test

  • npm ci runs cleanly
  • Example applications start up as expected
  • Look out for regressions
  • Run the unit tests also locally
  • MCP integration verified end-to-end with @modelcontextprotocol/inspector against the Theia MCP server: the sample test-tool still executes successfully

Follow-ups

Breaking changes

  • This PR introduces breaking changes and requires careful review. If yes, the breaking changes section in the changelog has been updated.

Attribution

Contributed on behalf of STMicroelectronics


@github-project-automation github-project-automation Bot moved this to Waiting on reviewers in PR Backlog Jun 30, 2026
@ndoschek ndoschek changed the title Nd/npm upgrade NPM upgrade and bump dependencies to reduce vulnerabilities Jun 30, 2026
ndoschek (Member Author) commented Jun 30, 2026

IP review still open:

IP review approved:

ndoschek added 2 commits July 3, 2026 11:05
- ran npm upgrade after 1.73.x
- align dependency ranges with resolved versions in package-lock
- align MCPFrontendContributionManager and MCPTestContribution
- pin yauzl override to ~3.3.2 (was ^3.3.1) to block the 3.4.0 bump that re-introduces the extract-zip race on Node 24 (GH-17570)
- keep mermaid at 11.15.0 temporarily as the IP check for mermaid-js-parser will probably not be completed in time

Contributed on behalf of STMicroelectronics
- compression-webpack-plugin 9 to 12, copy-webpack-plugin 8 to 14 (serialize-javascript RCE/XSS/DoS)
- esbuild 0.24 to 0.28 (dev server CORS)
  - add esbuild to root devDependencies so it hoists to the repo root
- scanoss 0.15 to 0.40 (nested tar advisories)
- electron-mocha 12 to 13, mocha 10 to 11 (minimatch ReDoS, js-yaml DoS)
- nyc 17 to 18, dockerode 4 to 5 (uuid bounds check)

Contributed on behalf of STMicroelectronics
ndoschek (Member Author) commented Jul 3, 2026

As it does not look like we will get https://gitlab.eclipse.org/eclipsefdn/emo-team/iplab/-/work_items/29406 approved soon, I just kept the previous mermaid version and will make sure to update mermaid once the IP check has been approved.
Mainly to get this merged a little earlier, as it is quite prone to conflicts.

@ndoschek ndoschek marked this pull request as ready for review July 3, 2026 10:56
@ndoschek ndoschek requested a review from jfaltermeier July 3, 2026 11:07
@ndoschek ndoschek mentioned this pull request Jul 3, 2026

jfaltermeier (Contributor) left a comment

I've added two comments about VSCode types/engines, besides that it looks good.

},
"engines": {
"vscode": "^1.51.0"
"vscode": "^1.120.0"
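Review bot: the engines.vscode floor jumps from ^1.51.0 straight to ^1.120.0 in this hunk, and since this range is what decides whether a host may install the sample plugin at all, every host older than 1.120 is dropped for these samples in one step; that is acceptable for samples, but the floor must then be kept in lock-step with the @types/vscode version the samples compile against, otherwise the declared minimum host and the API surface actually used diverge, and the breaking-changes section of the PR should say the samples now require 1.120 or newer.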

jfaltermeier (Contributor):

I know this was broken before, but the sample plugins do not build. I think we need to align the engine with the types below.

ndoschek (Member Author):

Ah, definitely, thanks for catching that, Johannes!
I had that vsce update prepared but overlooked aligning the engines; I updated them now to match the types and they should build again 👍

"devDependencies": {
"@theia/api-provider-sample": "1.73.0"
"@theia/api-provider-sample": "1.73.0",
"@types/vscode": "^1.120.0"
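Review bot: `"@types/vscode": "^1.120.0"` is a caret range, so a later `npm update` or a lockfile regeneration can resolve a newer 1.x typings package than the `engines.vscode` floor in the same manifest, and vsce's package validation rejects an @types/vscode version that is higher than the engines.vscode minimum, which is exactly the "sample plugins do not build" failure raised above; pin the typings to one exact version, or bump engines and types together in the same commit (as the question about 125 implies), so the two cannot drift apart between releases.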

jfaltermeier (Contributor):

Should we use 125 here as well?

ndoschek added 2 commits July 3, 2026 16:13
- bumps @vscode/vsce from ^2.32.0 to ^3.9.2
- resolves the high-severity linkify-it ReDoS vulnerability that was pulled in transitively
via markdown-it
- add generic readme for Theia sample plugins
- update vscode engines for all sample plugins to align with the @types/vscode version

Contributed on behalf of STMicroelectronics
- place temp dir under $HOME so the XDG trash dir is on the same filesystem
- avoids EACCES when /tmp is on a mount whose root is not user-writable

Contributed on behalf of STMicroelectronics
@ndoschek ndoschek requested a review from jfaltermeier July 3, 2026 14:15
@ndoschek ndoschek changed the title NPM upgrade and bump dependencies to reduce vulnerabilities NPM upgrade, bump dependencies to reduce vulnerabilities and add lockfile maintenance guide Jul 3, 2026
- add scripts/npm-install-with-platforms.js: runs npm install --include=optional and restores platform-specific optional-dep entries and libc fields that npm strips based on host platform
- add scripts/verify-lockfile-platforms.js: asserts known libc-bearing entries and platform-specific optional-dep families are present in the lockfile
- wire the verifier into the ci-cd lint job, gated on package-lock.json changes for PRs, always run on push and manual dispatch as a canary
- extend scripts/check_git_status.sh with a lockfile-specific hint pointing at the regen script when the lockfile drifts after install
- add doc/lockfile-maintenance.md describing the problem, the snapshot-and-restore workflow, and the CI guard, linked from Developing.md and the CLAUDE.md read-on-demand list

Contributed on behalf of STMicroelectronics
ndoschek (Member Author) commented Jul 3, 2026

I also updated the last commit to already add a helper for the lockfile maintenance instead of only documenting. Could you have another look there as well? TIA
