
Use updated dependency name, vsce -> @vscode/vsce #122

Closed
muzimuzhi wants to merge 1 commit into github:main from muzimuzhi:rename-vsce

Conversation

@muzimuzhi (Contributor) commented Apr 15, 2023

Currently `npm install` reports two high severity vulnerabilities (which are also reported in the recent build workflow run, step "Run npm ci"):

```
# npm audit report

xml2js  <0.5.0
Severity: high
xml2js is vulnerable to prototype pollution  - https://github.com/advisories/GHSA-776f-qx25-q3cc
fix available via `npm audit fix --force`
Will install vsce@1.97.0, which is a breaking change
node_modules/xml2js
  vsce  >=1.98.0-alpha.0
  Depends on vulnerable versions of xml2js
  node_modules/vsce

2 high severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force
```

The root cause is that the dependency vsce has been renamed to @vscode/vsce since v2.16.0 (see compare/v2.15.0...v2.16.0 or the specific commit microsoft/vscode-vsce@0383324), which seems to make the version range requirement for vsce disabled:

```
"vsce": "^2.11.0",
```

With this PR, `npm audit` reports

```
found 0 vulnerabilities
```
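The situation the PR description reports, a dependency still listed under a name the upstream project has abandoned while the actual vulnerability is pulled in transitively, can be checked mechanically. The Node.js script below is an added example, not code from this PR or from the project's repository. The rename table, the sample package.json and the audit object it parses are constructed for the example; the audit object follows the general shape of npm's JSON audit report (`npm audit --json`, report version 2) but is not a captured report, and `RENAMED_PACKAGES` is a hypothetical table seeded only with the vsce rename discussed here.

```javascript
// Added example (not the PR's or the project's code): flag dependencies that
// still use a superseded package name, rewrite them, and summarize an
// `npm audit --json`-shaped report so the chain "direct dep -> transitive
// vulnerable dep" is visible. All sample data below is constructed.

// Hypothetical rename table: old name -> new (scoped) name.
const RENAMED_PACKAGES = { vsce: "@vscode/vsce" };

// Constructed package.json mirroring the dependency line quoted in the PR.
const SAMPLE_PACKAGE_JSON = {
  name: "example-extension",
  devDependencies: { vsce: "^2.11.0", typescript: "^4.9.0" },
};

// Constructed audit report in the general shape of npm's v2 audit JSON.
const SAMPLE_AUDIT = {
  auditReportVersion: 2,
  vulnerabilities: {
    xml2js: {
      name: "xml2js", severity: "high", isDirect: false,
      via: [{ name: "xml2js", title: "prototype pollution",
              url: "https://github.com/advisories/GHSA-776f-qx25-q3cc",
              severity: "high", range: "<0.5.0" }],
      effects: ["vsce"], range: "<0.5.0",
      fixAvailable: { name: "vsce", version: "1.97.0", isSemVerMajor: true },
    },
    vsce: {
      name: "vsce", severity: "high", isDirect: true,
      via: ["xml2js"], effects: [], range: ">=1.98.0-alpha.0",
      fixAvailable: { name: "vsce", version: "1.97.0", isSemVerMajor: true },
    },
  },
};

const DEP_FIELDS = ["dependencies", "devDependencies", "optionalDependencies", "peerDependencies"];

// Returns [{ field, oldName, newName, range }] for each dependency whose
// name appears in the rename table.
function findRenamedDependencies(pkg, renames = RENAMED_PACKAGES) {
  const hits = [];
  for (const field of DEP_FIELDS) {
    for (const [name, range] of Object.entries(pkg[field] || {})) {
      if (Object.prototype.hasOwnProperty.call(renames, name)) {
        hits.push({ field, oldName: name, newName: renames[name], range });
      }
    }
  }
  return hits;
}

// Returns a copy of package.json with renamed dependencies replaced. The
// caller supplies rangeFor(oldName, oldRange) because the old range may not
// exist under the new name (the thread notes 2.11.0 is not published as
// @vscode/vsce), so the new range is a deliberate choice, not a copy.
function applyRenames(pkg, rangeFor, renames = RENAMED_PACKAGES) {
  const out = JSON.parse(JSON.stringify(pkg));
  for (const { field, oldName, newName, range } of findRenamedDependencies(pkg, renames)) {
    delete out[field][oldName];
    out[field][newName] = rangeFor(oldName, range);
  }
  return out;
}

// For each vulnerable package: is it direct, which direct dependencies pull
// it in (walking `effects` upward), which advisories apply, and whether the
// offered fix is a semver-major (breaking) change.
function summarizeAudit(audit) {
  const vulns = audit.vulnerabilities || {};
  const rootsOf = (name, seen = new Set()) => {
    const v = vulns[name];
    if (!v || seen.has(name)) return [];
    seen.add(name);
    if (v.isDirect) return [name];
    return v.effects.flatMap((e) => rootsOf(e, seen));
  };
  return Object.values(vulns).map((v) => ({
    name: v.name,
    severity: v.severity,
    isDirect: v.isDirect,
    advisories: v.via.filter((x) => typeof x === "object").map((x) => x.url),
    reachedVia: [...new Set(rootsOf(v.name))],
    fixIsBreaking: Boolean(v.fixAvailable && v.fixAvailable.isSemVerMajor),
  }));
}

// Stand-alone run: show the flagged entry, the rewritten manifest, and the summary.
console.log(findRenamedDependencies(SAMPLE_PACKAGE_JSON));
console.log(JSON.stringify(applyRenames(SAMPLE_PACKAGE_JSON, () => "^2.19.0"), null, 2));
console.log(summarizeAudit(SAMPLE_AUDIT));
```

On a real repository you would read `package.json` from disk and feed `summarizeAudit` the parsed output of `npm audit --json`; the `reachedVia` field is what tells you that the `xml2js` finding is reachable only through the stale `vsce` entry, so renaming that one dependency (and choosing a current range for it) removes both findings, which matches what the PR reports.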

@KetchupOnMyKetchup (Contributor)

Hi, thank you a ton for bringing this up and for the contribution!

I hope you don't mind, I'd like to go ahead and upgrade it to the latest version 2.19.0. Also I don't see 2.11.0 as an option in the versions list for the new package (though it may be able to pull from the old vsce package, I'm not sure if it is set up to do this if set to 2.11.0).

I started a new PR and referenced this original PR and really appreciate the help!
#140

If it's okay with you, could I go ahead and close this PR and move forward with the new PR using 2.19.0?

@KetchupOnMyKetchup (Contributor)

Closing this PR and merged code from #140. Thank you again, we really appreciate the help and for bringing up the package rename from vsce -> @vscode/vsce!

@KetchupOnMyKetchup (Contributor) commented Apr 25, 2023

Just as a note, I added your GitHub handle to my PR title so that we recognize you for the contribution and so that your name will show up in our Changelog on our next release (we have been copying the PR titles to our Changelog)!

@muzimuzhi (Contributor, Author)

> I hope you don't mind, I'd like to go ahead and upgrade it to the latest version 2.19.0. Also I don't see 2.11.0 as an option in the versions list for the new package (though it may be able to pull from the old vsce package, I'm not sure if it is set up to do this if set to 2.11.0).

Sure! After all, I am still a novice in the node ecosystem.

> Just as a note, I added your GitHub handle to my PR title so that we recognize you for the contribution and so that your name will show up in our Changelog on our next release (we have been copying the PR titles to our Changelog)!

Great and many thanks!

@muzimuzhi muzimuzhi deleted the rename-vsce branch August 9, 2024 13:14