fix(patch): cherry-pick 3ff68a9 to release/v0.33.0-preview.14-pr-21884 [CONFLICTS]

[gemini-cli-robot]

This PR automatically cherry-picks commit 3ff68a9 to patch version v0.33.0-preview.14 in the preview release to create version 0.33.0-preview.15.

⚠️ Merge Conflicts Detected

This cherry-pick resulted in merge conflicts that need manual resolution.

🔧 Next Steps:

1. Review the conflicts: Check out this branch and review the conflict markers
2. Resolve conflicts: Edit the affected files to resolve the conflicts
3. Test the changes: Ensure the patch works correctly after resolution
4. Update this PR: Push your conflict resolution

📋 Files with conflicts:

The commit has been created with conflict markers for easier manual resolution.

🚨 Important:

• Do not merge this PR until conflicts are resolved
• The automated patch release will trigger once this PR is merged

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request is an automated cherry-pick aimed at patching a specific release version, primarily addressing a critical gaxios v7 stream corruption bug. It involves significant dependency version adjustments across several packages and introduces a new lockfile validation to enforce the use of compatible gaxios versions. The automated process encountered merge conflicts, necessitating manual intervention to complete the integration of these fixes.

Highlights

• Automated Cherry-Pick with Conflicts: This pull request is an automated cherry-pick of commit 3ff68a9e55fbf45285f206464e9cbb09a73b2a98 to the release/v0.33.0-preview.14-pr-21884 branch, which resulted in merge conflicts requiring manual resolution.
• Gaxios v7 Stream Corruption Bug Mitigation: A new lockfile check was introduced to prevent the use of gaxios versions 7 or higher in node_modules due to a known stream corruption bug, and related dependency adjustments were made.
• Dependency Version Adjustments: The @google/genai dependency was pinned or downgraded to 1.30.0 across multiple packages (a2a-server, cli, core), google-auth-library was updated, and @grpc/grpc-js was added in the core package.
• Removed Image-Related Finish Reasons: Specific IMAGE_RECITATION and IMAGE_OTHER finish reason messages were removed from the useGeminiStream hook in the cli package.
• NOTICES.txt Updates: The NOTICES.txt file in vscode-ide-companion was updated to reflect changes in ajv and hono versions, and removed license texts for safe-buffer and path-to-regexp.

Changelog

• packages/a2a-server/package.json
  • Pinned the @google/genai dependency to version 1.30.0.
• packages/cli/package.json
  • Downgraded the @google/genai dependency from 1.41.0 to 1.30.0.
• packages/cli/src/ui/hooks/useGeminiStream.ts
  • Removed IMAGE_RECITATION and IMAGE_OTHER from the FinishReason message map.
• packages/core/package.json
  • Downgraded the @google/genai dependency from 1.41.0 to 1.30.0.
  • Added the @grpc/grpc-js dependency.
  • Updated the google-auth-library dependency from ^10.5.0 to ^9.11.0.
• packages/vscode-ide-companion/NOTICES.txt
  • Updated the ajv version from 6.14.0 to 6.12.6.
  • Removed the license text for safe-buffer@5.2.1.
  • Removed the license text for path-to-regexp@6.3.0.
  • Updated the hono version from 4.12.2 to 4.11.9.
• scripts/check-lockfile.js
  • Added a new check to detect and flag gaxios versions 7 or higher in node_modules due to a known stream corruption bug.

Activity

• An automated cherry-pick was initiated by gemini-cli-robot to create a patch version.
• The cherry-pick process detected merge conflicts in several files.
• Instructions were provided for manual conflict resolution, testing, and updating the pull request.
• A warning was issued that the PR should not be merged until all conflicts are resolved, as merging will trigger an automated patch release.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request aims to fix a dependency issue by cherry-picking a commit that downgrades @google/genai and related packages. While the intent is correct, there's a critical merge conflict in packages/core/package.json that needs to be resolved. I've also identified a potential logic issue in the new check-lockfile.js script that could undermine its purpose of preventing this dependency problem in the future.

I am having trouble creating individual review comments. Click here to see my feedback.

packages/core/package.json (28-33)

This file contains unresolved merge conflict markers (<<<<<<<, =======, >>>>>>>). These markers must be removed, and the conflict resolved before merging. Based on the PR's intent to fix a dependency issue, you should select the version that downgrades @google/genai and adds @grpc/grpc-js.

    "@google/genai": "1.30.0",
    "@grpc/grpc-js": "^1.14.3",

scripts/check-lockfile.js (83)

This condition !location.includes('@google/genai/node_modules') creates a loophole in the check. The goal is to prevent gaxios@>=7 from being introduced, which is often a transitive dependency of @google/genai. If @google/genai is upgraded and brings in a problematic version of gaxios, this condition will cause the check to ignore it, defeating its purpose. This line should be removed to ensure all instances of gaxios are validated.

[github-actions]

Size Change: -255 kB (-0.98%)

Total Size: 25.6 MB

Filename	Size	Change
./bundle/gemini.js	25.2 MB	-255 kB (-1%)

ℹ️ View Unchanged

Filename	Size
./bundle/node_modules/@google/gemini-cli-devtools/dist/client/main.js	221 kB
./bundle/node_modules/@google/gemini-cli-devtools/dist/src/_client-assets.js	227 kB
./bundle/node_modules/@google/gemini-cli-devtools/dist/src/index.js	11.5 kB
./bundle/node_modules/@google/gemini-cli-devtools/dist/src/types.js	132 B
./bundle/sandbox-macos-permissive-open.sb	890 B
./bundle/sandbox-macos-permissive-proxied.sb	1.31 kB
./bundle/sandbox-macos-restrictive-open.sb	3.36 kB
./bundle/sandbox-macos-restrictive-proxied.sb	3.56 kB
./bundle/sandbox-macos-strict-open.sb	4.82 kB
./bundle/sandbox-macos-strict-proxied.sb	5.02 kB

_{compressed-size-action}