Revert "Fix vulnerabilities"#2384

Merged
gigara merged 1 commit into
release/ballerina-5.12.1from
revert-2383-release/ballerina-5.12.1
Jun 23, 2026
Conversation

@gigara gigara commented Jun 23, 2026

Contributor

Reverts #2383

Summary by CodeRabbit

  • Chores
    • Updated package dependency version pinning configuration to enhance stability and consistency
    • Removed upper version constraints on build tools to support broader compatibility with future releases

@gigara gigara requested a review from hevayo as a code owner June 23, 2026 14:49
coderabbitai Bot commented Jun 23, 2026

Contributor

📝 Walkthrough

Two dependency version constraints are updated in the Rush/PNPM configuration. The @ai-sdk/provider-utils override pin is lowered from 3.0.27 to 3.0.25 in .pnpmfile.cjs, and the @babel/core global override in pnpm-config.json has its upper version bound (<8) removed.

Dependency Version Pin Adjustments

Layer: @ai-sdk/provider-utils and @babel/core version constraint updates
File(s): common/config/rush/.pnpmfile.cjs, common/config/rush/pnpm-config.json
Summary: @ai-sdk/provider-utils override pin lowered from 3.0.27 to 3.0.25 in applyOverrides; @babel/core globalOverrides entry broadened by dropping the <8 upper bound.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Possibly related PRs

  • wso2/vscode-extensions#2383: Modifies the same applyOverrides pin for @ai-sdk/provider-utils in .pnpmfile.cjs, adjusting the same 3.x version logic in the opposite direction.

Suggested reviewers

  • hevayo

Poem

🐇 A version bump, then a bump back down,
3.0.25 now wears the crown.
And Babel's ceiling? Lifted away,
No <8 to block a newer day.
Two tiny lines, the configs say —
The bunny hops and calls it a day! 🌟

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (2 warnings)

Description check: ⚠️ Warning. The PR description is minimal and only references the reverted PR number without addressing any template sections like Purpose, Goals, Approach, or other required documentation. Resolution: expand the description to include Purpose (why this revert is necessary), Goals (what issues it resolves), and other relevant sections from the template to provide adequate context for reviewers.
Docstring Coverage: ⚠️ Warning. Docstring coverage is 0.00%, which is insufficient; the required threshold is 80.00%. Resolution: write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (3 passed)

Title check: ✅ Passed. The title clearly indicates this PR reverts PR #2383 and aligns with the actual changes (reverting package override modifications).
Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 Biome (2.5.0)
common/config/rush/pnpm-config.json

File contains syntax errors that prevent linting: Line 1: JSON standard does not allow comments.; Line 5: End of file expected; Line 8: JSON standard does not allow comments.; Line 20: End of file expected; Line 20: End of file expected; Line 20: End of file expected; Line 20: End of file expected; Line 22: JSON standard does not allow comments.; Line 36: JSON standard does not allow comments.; Line 46: JSON standard does not allow comments.; Line 61: JSON standard does not allow comments.; Line 79: JSON standard does not allow comments.; Line 91: End of file expected; Line 91: End of file expected; Line 91: End of file expected; Line 107: End of file expected; Line 109: JSON standard does not allow comments.; Line 121: End of file expected; Line 121: End of file expected; Line 122: Expected a property but instead found '// "ignoreMissing": ["@eslint/*"],'.; Line 121: End of file expected; Line 122: End of file expected; Line 127: JSON standard does not allow comments.; Line 140: End o

... [truncated 346 characters] ...

an object, or a literal but instead found '// "fsevents"'.; Line 167: End of file expected; Line 168: End of file expected; Line 171: JSON standard does not allow comments.; Line 183: End of file expected; Line 183: End of file expected; Line 184: Expected a property but instead found '// "request": "*"'.; Line 183: End of file expected; Line 184: End of file expected; Line 188: JSON standard does not allow comments.; Line 195: End of file expected; Line 195: End of file expected; Line 195: End of file expected; Line 195: End of file expected; Line 197: JSON standard does not allow comments.; Line 209: End of file expected; Line 209: End of file expected; Line 210: Expected a property but instead found '// "dependencies": {'.; Line 209: End of file expected; Line 210: End of file expected


@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@common/config/rush/.pnpmfile.cjs`:
- Line 58: The version pinning for the `@ai-sdk/provider-utils` dependency at Line
58 is set to 3.0.25, which conflicts with the security policy stated at Line 56
that specifies "latest 3.x patch" and represents a regression from the
previously used 3.0.27. Update the version in the deps assignment for
`@ai-sdk/provider-utils` to 3.0.27 (or the appropriate latest 3.x patch version)
to align with the stated mitigation intent and maintain the security posture.

In `@common/config/rush/pnpm-config.json`:
- Line 97: The `@babel/core` version constraint in pnpm-config.json at line 97
currently allows any version >=7.29.6, which includes Babel 8, but the project
is pinned to Babel 7.x across 1588+ references. This inconsistency could cause
future lockfile refreshes to silently pull Babel 8, breaking compatibility with
Babel 7.x plugins and presets. Update the `@babel/core` constraint from ">=7.29.6"
to ">=7.29.6 <8" to add an upper bound that prevents Babel 8 adoption, matching
the pattern used elsewhere in globalOverrides for similar major-version
boundaries like protobufjs.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: b419ad58-ec48-4058-a8ca-8e30559d18f5

📥 Commits

Reviewing files that changed from the base of the PR and between bc10d2e and 58c03a2.

⛔ Files ignored due to path filters (1)
  • common/config/rush/pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (2)
  • common/config/rush/.pnpmfile.cjs
  • common/config/rush/pnpm-config.json

Comment thread common/config/rush/.pnpmfile.cjs
"hono": ">=4.12.21",
"shell-quote": ">=1.8.4",
"@babel/core": ">=7.29.6 <8",
"@babel/core": ">=7.29.6",
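Review bot: the `@babel/core` entry goes from `">=7.29.6 <8"` to `">=7.29.6"`, so the override now has no upper bound and a later lockfile refresh could resolve a Babel 8 release under it; the PR description only says "Reverts #2383" and does not explain why the cap is being dropped, so either keep the `<8` bound or record in the description why it is no longer wanted. The other half of the revert described in the walkthrough, the `@ai-sdk/provider-utils` pin moving from 3.0.27 back to 3.0.25 in `.pnpmfile.cjs`, is not visible in this thread and deserves the same justification, since it steps back to an older patch release.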

🩺 Stability & Availability | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Read-only verification: find Babel packages/ranges that may be incompatible with an unbounded @babel/core major.
# Expected result: if many packages are pinned to 7.x, keep "<8" until coordinated migration.

set -euo pipefail

echo "== Babel-related deps in workspace manifests =="
fd -i 'package.json' . -E node_modules -E common/temp \
  | xargs -I{} sh -c 'jq -r --arg f "{}" "
      [(.dependencies // {}), (.devDependencies // {}), (.peerDependencies // {})]
      | add
      | to_entries[]
      | select(.key | test(\"^@babel/|babel\"; \"i\"))
      | \"\($f)\t\(.key)\t\(.value)\"
    " "{}"' | sort -u

echo
echo "== Current @babel/core overrides in Rush config/lock =="
rg -n --iglob '*pnpm-config.json' --iglob '*pnpm-lock.yaml' '@babel/core|globalOverrides' common/config/rush

Repository: wso2/vscode-extensions

Length of output: 10304


🏁 Script executed:

#!/bin/bash
# Corrected verification script for Babel packages and @babel/core configuration

set -euo pipefail

echo "=== Current pnpm-config.json around line 97 ==="
sed -n '90,105p' common/config/rush/pnpm-config.json

echo
echo "=== Search for @babel/core in pnpm-config.json ==="
rg -n '@babel/core' common/config/rush/pnpm-config.json

echo
echo "=== Find all package.json files (excluding node_modules) ==="
find . -name 'package.json' -not -path '*/node_modules/*' -not -path '*/common/temp/*' -type f | head -20

echo
echo "=== Babel-related dependencies across workspace ==="
# Merge dependencies and devDependencies before filtering; piping one object into
# the other (".dependencies // {} | .devDependencies") would always yield nothing.
find . -name 'package.json' -not -path '*/node_modules/*' -not -path '*/common/temp/*' -type f -exec sh -c '
  result=$(jq -r "(.dependencies // {}) + (.devDependencies // {}) | keys[] | select(startswith(\"@babel\") or startswith(\"babel\"))" "$1" 2>/dev/null | head -1)
  if [ -n "$result" ]; then
    echo "File: $1"
    jq -r "(.dependencies // {}) + (.devDependencies // {}) | to_entries[] | select(.key | startswith(\"@babel\") or startswith(\"babel\")) | \"\(.key): \(.value)\"" "$1" 2>/dev/null
  fi
' _ {} \;

Repository: wso2/vscode-extensions

Length of output: 1997


🏁 Script executed:

#!/bin/bash
# More comprehensive search for Babel packages in lock file and configuration

echo "=== Search in pnpm-lock.yaml for @babel packages ==="
rg -c '@babel' common/config/rush/pnpm-lock.yaml | head -5

echo
echo "=== Sample of @babel entries in pnpm-lock.yaml ==="
rg '@babel/[a-z-]+' common/config/rush/pnpm-lock.yaml | head -20

echo
echo "=== Check what Babel 8 requires ==="
echo "Looking for any explicit Babel 8 references or configuration..."
# ripgrep excludes paths with negated -g globs (-E selects a text encoding).
rg -i 'babel.*8|8.*babel' . --iglob '*.json' --iglob '*.yaml' --iglob '*.md' -g '!node_modules' -g '!.git' | head -10

echo
echo "=== List globalOverrides entries with version constraints ==="
grep -A 100 'globalOverrides' common/config/rush/pnpm-config.json | grep -E '^\s*"[^"]+": "[^"]+"' | head -20

Repository: wso2/vscode-extensions

Length of output: 3931


Add upper bound constraint to prevent unintended Babel 8 adoption.

Line 97 currently allows @babel/core to auto-update to any version >=7.29.6, including Babel 8. The pnpm-lock.yaml shows 1588 references to Babel packages all pinned to 7.x. Without <8, future lockfile refreshes risk silently pulling Babel 8, breaking compatibility with all Babel 7.x plugins and presets currently in use (babel-jest, prettier plugins, etc.). This is inconsistent with the repo's handling of similar major-version boundaries elsewhere in globalOverrides (e.g., protobufjs: ">=7.6.3 <8").

Suggested fix
-      "`@babel/core`": ">=7.29.6",
+      "`@babel/core`": ">=7.29.6 <8",

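The two review findings above (the unbounded `@babel/core` range and the lowered `@ai-sdk/provider-utils` pin) both come down to how an npm-style comparator range resolves and whether a lockfile stays inside the floor a policy sets. The following is an added example, not code from wso2/vscode-extensions and not the repo's own `applyOverrides` hook: a small range evaluator supporting `>=`, `>`, `<` and `=` comparators (carets, tildes, prereleases and `||` are deliberately not handled), a pnpmfile-style override step, and an audit of resolved versions against override ranges. The `enforceOverrides` shape, the `>=3.0.27 <4` floor for `@ai-sdk/provider-utils` and all sample data are constructed for the example.

```javascript
// Added example (not from wso2/vscode-extensions): minimal npm-style range
// evaluation plus an override step and a lockfile audit built on it.
// Supported comparators: >=, >, <, = ; partial versions such as "8" pad to "8.0.0".

function parseVersion(v) {
  const parts = v.split('.').map(Number);
  if (parts.length > 3 || parts.some(n => !Number.isInteger(n) || n < 0)) {
    throw new Error(`unsupported version: ${v}`);
  }
  while (parts.length < 3) parts.push(0);
  return parts;
}

// -1, 0 or 1 for a < b, a == b, a > b (major, then minor, then patch).
function compareVersions(a, b) {
  const x = parseVersion(a), y = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  }
  return 0;
}

// A range is a space-separated comparator set; every comparator must hold (AND).
function satisfies(version, range) {
  return range.trim().split(/\s+/).every(comp => {
    const m = /^(>=|>|<|=)?(\d+(?:\.\d+){0,2})$/.exec(comp);
    if (!m) throw new Error(`unsupported comparator: ${comp}`);
    const op = m[1] || '=';
    const c = compareVersions(version, m[2]);
    return op === '>=' ? c >= 0 : op === '>' ? c > 0 : op === '<' ? c < 0 : c === 0;
  });
}

// Does the range admit the first release of a given major line?
function admitsMajor(range, major) {
  return satisfies(`${major}.0.0`, range);
}

// pnpmfile-style override step (hypothetical shape): rewrite the declared spec
// of each governed dependency so resolution cannot drop below the policy range.
// Returns the rewrites so a CI job can log or assert on them.
function enforceOverrides(deps, overrides) {
  const changes = [];
  for (const [name, range] of Object.entries(overrides)) {
    if (name in deps && deps[name] !== range) {
      changes.push({ name, from: deps[name], to: range });
      deps[name] = range;
    }
  }
  return changes;
}

// Audit resolved (lockfile) versions against override ranges; returns the
// entries whose resolved version falls outside the range that governs them.
function findViolations(resolved, overrides) {
  return Object.entries(resolved)
    .filter(([name, version]) => name in overrides && !satisfies(version, overrides[name]))
    .map(([name, version]) => ({ name, version, range: overrides[name] }));
}

// Constructed sample data modelled on the overrides discussed in the review.
// The @ai-sdk/provider-utils floor is an assumption; the repo assigns an exact pin.
const OVERRIDES_BOUNDED = {
  '@babel/core': '>=7.29.6 <8',
  'hono': '>=4.12.21',
  '@ai-sdk/provider-utils': '>=3.0.27 <4',
};
const OVERRIDES_UNBOUNDED = { ...OVERRIDES_BOUNDED, '@babel/core': '>=7.29.6' };
// Constructed "lockfile" snapshot: a Babel 8 release and the lowered 3.0.25 pin.
const RESOLVED_SAMPLE = {
  '@babel/core': '8.0.0',
  'hono': '4.12.21',
  '@ai-sdk/provider-utils': '3.0.25',
};

function demo() {
  return {
    boundedAdmitsBabel8: admitsMajor(OVERRIDES_BOUNDED['@babel/core'], 8),     // false
    unboundedAdmitsBabel8: admitsMajor(OVERRIDES_UNBOUNDED['@babel/core'], 8), // true
    violationsBounded: findViolations(RESOLVED_SAMPLE, OVERRIDES_BOUNDED),     // babel + provider-utils
    violationsUnbounded: findViolations(RESOLVED_SAMPLE, OVERRIDES_UNBOUNDED), // provider-utils only
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Running `demo()` shows the asymmetry the review points at: the bounded range rejects `8.0.0` while the unbounded one accepts it, and the audit flags `3.0.25` as below the constructed floor either way. Real pnpm hooks receive the manifest in `readPackage(pkg, context)`; `enforceOverrides` only models the rewrite on the `dependencies` object so the check stays runnable without pnpm.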
@gigara gigara merged commit d47e116 into release/ballerina-5.12.1 Jun 23, 2026
8 checks passed
@gigara gigara deleted the revert-2383-release/ballerina-5.12.1 branch June 23, 2026 15:06