Use Yarn-only restore for VS Code extension

[davidfowl]

Description

Internal AzDO Windows builds were failing during the VS Code extension restore because extension/yarn.lock contained committed registry.npmjs.org tarball URLs. The internal agents block direct public npm access, which surfaced as connect EACCES 192.0.2.14:443 instead of a clear lockfile problem.

This makes Yarn the single authoritative package manager for the extension restore and test paths. Extension.proj now runs yarn install --frozen-lockfile --non-interactive, uses Yarn for version overrides, and fails before restore if yarn.lock contains public npm or Yarn registry URLs. The GitHub extension test workflow now uses the same Yarn-based install/test/version/package commands instead of npm, and the local extension build scripts use frozen non-interactive Yarn installs.

The change also removes the extension package-lock.json and npm overrides, updates extension scripts/docs to use Yarn, and fixes the leaked postcss, uuid, and web-tree-sitter lockfile URLs to use the internal dotnet-public-npm feed.

Validation:

• dotnet msbuild extension/Extension.proj /t:ValidateYarnLockRegistries /v:minimal /nologo
• Synthetic negative lockfile guard test failed with the expected public registry error
• Clean-cache yarn install --frozen-lockfile --non-interactive --ignore-scripts --force with no public registry access observed
• yarn run compile-tests
• yarn run compile
• yarn run lint
• yarn run vsce package --pre-release -o out/aspire-extension.vsix

Fixes # (issue)

Checklist

• Is this feature complete?
  • Yes. Ready to ship.
  • No. Follow-up changes expected.
• Are you including unit tests for the changes and scenario tests if relevant?
  • Yes
  • No
• Did you add public API?
  • Yes
    • If yes, did you have an API Review for it?
      • Yes
      • No
    • Did you add <remarks /> and <code /> elements on your triple slash comments?
      • Yes
      • No
  • No
• Does the change make any security assumptions or guarantees?
  • Yes
    • If yes, have you done a threat model and had a security review?
      • Yes
      • No
  • No

[github-actions]

🚀 Dogfood this PR with:

⚠️ WARNING: Do not do this without first carefully reviewing the code of this PR to satisfy yourself it is safe.

curl -fsSL https://raw.githubusercontent.com/microsoft/aspire/main/eng/scripts/get-aspire-cli-pr.sh | bash -s -- 17474

Or

• Run remotely in PowerShell:

iex "& { $(irm https://raw.githubusercontent.com/microsoft/aspire/main/eng/scripts/get-aspire-cli-pr.ps1) } 17474"

[Copilot]

Pull request overview

This PR makes Yarn the single authoritative package manager for restoring, building, testing, and packaging the VS Code extension, primarily to avoid failures on internal agents that cannot reach public npm registries.

Changes:

• Switches extension build/test/package paths to use yarn install --frozen-lockfile --non-interactive and Yarn-based script invocations.
• Adds MSBuild-time validation to fail fast if extension/yarn.lock contains public npm/Yarn registry URLs.
• Updates the GitHub Actions extension test job to use Yarn and updates docs/scripts accordingly.

Show a summary per file

File	Description
extension/yarn.lock	Rewrites a few resolved tarball URLs to use the internal dotnet-public-npm feed instead of registry.npmjs.org.
extension/package.json	Updates scripts to call through Yarn and removes npm overrides (leaving Yarn resolutions as the pin mechanism).
extension/Extension.proj	Uses Yarn for version override + frozen/non-interactive installs; adds a target to reject public-registry URLs in yarn.lock.
extension/CONTRIBUTING.MD	Updates contributor guidance to reflect Yarn-only restore/pinning and the lockfile registry guard.
extension/build.sh	Removes npm prerequisite checks; switches to frozen/non-interactive Yarn install.
extension/build.ps1	Removes npm prerequisite checks; switches to frozen/non-interactive Yarn install.
.github/workflows/tests.yml	Updates the Windows extension test job to validate the lockfile and run install/test/package via Yarn.

Copilot's findings

• Files reviewed: 6/8 changed files
• Comments generated: 1

[davidfowl]

Regarding the top-level Copilot review summary: thanks, no code action was needed for the summary itself. I handled the actionable inline thread separately.

[github-actions]

❓ CLI E2E Tests unknown — 96 passed, 0 failed, 5 unknown (commit ecba8e7)

View all recordings

Status	Test	Recording
✅	AddPackageInteractiveWhileAppHostRunningDetached	✅ ▶️ View recording
✅	AddPackageWhileAppHostRunningDetached	✅ ▶️ View recording
✅	AgentCommands_AllHelpOutputs_AreCorrect	✅ ▶️ View recording
✅	AgentInitCommand_DefaultSelection_InstallsDefaultSkills	✅ ▶️ View recording
✅	AgentInitCommand_MigratesDeprecatedConfig	✅ ▶️ View recording
❔	AgentMcpListStructuredLogsFromStarterAppCore	❔ ▶️ View recording
✅	AllPublishMethodsBuildDockerImages	✅ ▶️ View recording
✅	AspireAddPackageVersionToDirectoryPackagesProps	✅ ▶️ View recording
✅	AspireInitSingleFileAppHostRunsViaDotnetRunAppHost	✅ ▶️ View recording
✅	AspireInitWithExistingAppHostDirRecreatesMissingNuGetConfigAndPreservesFiles	✅ ▶️ View recording
❔	AspireInitWithSolutionFileGeneratesAppHostThatBuildsAgainstChannelHive	❔ ▶️ View recording
✅	AspireStartUpdatesStaleTypeScriptAppHostPath	✅ ▶️ View recording
✅	AspireUpdateRemovesAppHostPackageVersionFromDirectoryPackagesProps	✅ ▶️ View recording
✅	AspireUpdateRemovesOrphanAppHostPackageVersionWhenSdkAlreadyCurrent	✅ ▶️ View recording
✅	Banner_DisplayedOnFirstRun	✅ ▶️ View recording
✅	Banner_DisplayedWithExplicitFlag	✅ ▶️ View recording
✅	Banner_NotDisplayedWithNoLogoFlag	✅ ▶️ View recording
✅	CertificatesClean_RemovesCertificates	✅ ▶️ View recording
✅	CertificatesTrust_WithNoCert_CreatesAndTrustsCertificate	✅ ▶️ View recording
✅	CertificatesTrust_WithUntrustedCert_TrustsCertificate	✅ ▶️ View recording
✅	ConfigSetGet_CreatesNestedJsonFormat	✅ ▶️ View recording
✅	CreateAndRunAspireStarterProject	✅ ▶️ View recording
✅	CreateAndRunAspireStarterProjectWithBundle	✅ ▶️ View recording
✅	CreateAndRunEmptyAppHostProject	✅ ▶️ View recording
✅	CreateAndRunJavaEmptyAppHostProject	✅ ▶️ View recording
✅	CreateAndRunJsReactProject	✅ ▶️ View recording
✅	CreateAndRunPythonReactProject	✅ ▶️ View recording
✅	CreateAndRunTypeScriptEmptyAppHostProject	✅ ▶️ View recording
✅	CreateAndRunTypeScriptStarterProject	✅ ▶️ View recording
✅	CreateJavaAppHostWithViteApp	✅ ▶️ View recording
✅	CreateTypeScriptAppHostWithViteApp_UsesConfiguredToolchain	✅ ▶️ View recording
❔	DashboardRunWithAgentMcpCore	❔ ▶️ View recording
❔	DashboardRunWithOtelTracesReturnsNoTracesCore	❔ ▶️ View recording
✅	DeployK8sBasicApiService	✅ ▶️ View recording
✅	DeployK8sWithExternalHelmChart	✅ ▶️ View recording
✅	DeployK8sWithGarnet	✅ ▶️ View recording
✅	DeployK8sWithMongoDB	✅ ▶️ View recording
✅	DeployK8sWithMySql	✅ ▶️ View recording
✅	DeployK8sWithPostgres	✅ ▶️ View recording
✅	DeployK8sWithRabbitMQ	✅ ▶️ View recording
✅	DeployK8sWithRedis	✅ ▶️ View recording
✅	DeployK8sWithSqlServer	✅ ▶️ View recording
✅	DeployK8sWithValkey	✅ ▶️ View recording
✅	DeployTypeScriptAppToKubernetes	✅ ▶️ View recording
✅	DescribeCommandResolvesReplicaNames	✅ ▶️ View recording
✅	DescribeCommandShowsRunningResources	✅ ▶️ View recording
✅	DetachFormatJsonProducesValidJson	✅ ▶️ View recording
✅	DetachFormatJsonProducesValidJsonWhenRestartingExistingInstance	✅ ▶️ View recording
✅	DoListStepsShowsPipelineSteps	✅ ▶️ View recording
✅	DocsCommand_RendersInteractiveMarkdownFromLocalSource	✅ ▶️ View recording
✅	DoctorCommand_DetectsDeprecatedAgentConfig	✅ ▶️ View recording
✅	DoctorCommand_TypeScriptAppHostReportsMissingConfiguredToolchain	✅ ▶️ View recording
✅	DoctorCommand_WithSslCertDir_ShowsTrusted	✅ ▶️ View recording
✅	DoctorCommand_WithoutSslCertDir_ShowsPartiallyTrusted	✅ ▶️ View recording
✅	GeneratedAspireDevScript_StartsWatchMode_WithConfiguredToolchain	✅ ▶️ View recording
✅	GlobalMigration_HandlesCommentsAndTrailingCommas	✅ ▶️ View recording
✅	GlobalMigration_HandlesMalformedLegacyJson	✅ ▶️ View recording
✅	GlobalMigration_PreservesAllValueTypes	✅ ▶️ View recording
✅	GlobalMigration_SkipsWhenNewConfigExists	✅ ▶️ View recording
✅	GlobalSettings_MigratedFromLegacyFormat	✅ ▶️ View recording
✅	InitTypeScriptAppHost_AugmentsExistingViteRepoAtRoot	✅ ▶️ View recording
✅	InteractiveCSharpInitCreatesExpectedFiles	✅ ▶️ View recording
✅	InvalidAppHostPathWithComments_IsHealedOnRun	✅ ▶️ View recording
✅	JavaScriptHostingApisRunFromTypeScriptAppHost	✅ ▶️ View recording
✅	LatestCliCanStartStableChannelAppHost	✅ ▶️ View recording
✅	LatestCliCanStartStableChannelTypeScriptAppHost	✅ ▶️ View recording
✅	LegacySettingsMigration_AdjustsRelativeAppHostPath	✅ ▶️ View recording
✅	LogLevelTrace_ProducesTraceEntriesInCliLogFile	✅ ▶️ View recording
✅	LogsCommandShowsResourceLogs	✅ ▶️ View recording
✅	OtelLogsReturnsStructuredLogsFromStarterApp	✅ ▶️ View recording
✅	OtelLogsReturnsStructuredLogsFromStarterAppIsolated	✅ ▶️ View recording
✅	PsCommandListsRunningAppHost	✅ ▶️ View recording
✅	PsFormatJsonOutputsOnlyJsonToStdout	✅ ▶️ View recording
✅	PublishJavaScriptPatternsGeneratesExpectedDockerComposeArtifacts	✅ ▶️ View recording
✅	PublishWithConfigureEnvFileUpdatesEnvOutput	✅ ▶️ View recording
✅	PublishWithDockerComposeServiceCallbackSucceeds	✅ ▶️ View recording
✅	PublishWithoutOutputPathUsesAppHostDirectoryDefault	✅ ▶️ View recording
✅	ResourceCommand_FailedExecution_DisplaysAppHostLogPathAndLogContainsEntries	✅ ▶️ View recording
✅	ResourceCommand_FailsWhenInteractionServiceIsRequired	✅ ▶️ View recording
✅	ResourceCommand_SetAndDeleteParameterUpdatesDescribeOutput	✅ ▶️ View recording
✅	RestoreGeneratesSdkFiles	✅ ▶️ View recording
✅	RestoreGeneratesSdkFiles_WithConfiguredToolchain	✅ ▶️ View recording
✅	RestoreRefreshesGeneratedSdkAfterAddingIntegration	✅ ▶️ View recording
✅	RestoreSupportsConfigOnlyHelperPackageAndCrossPackageTypes	✅ ▶️ View recording
✅	RunFromParentDirectory_UsesExistingConfigNearAppHost	✅ ▶️ View recording
❔	RunPublishFailureScenarioAsync	❔ ▶️ View recording
✅	RunReportsSyntaxErrorsForDotNetAppHost	✅ ▶️ View recording
✅	RunReportsSyntaxErrorsForTypeScriptAppHost	✅ ▶️ View recording
✅	SecretCrudOnDotNetAppHost	✅ ▶️ View recording
✅	SecretCrudOnTypeScriptAppHost	✅ ▶️ View recording
✅	StagingChannel_ConfigureAndVerifySettings_ThenSwitchChannels	✅ ▶️ View recording
✅	StartAndWaitForTypeScriptSqlServerAppHostWithNativeAssets	✅ ▶️ View recording
✅	StartReportsSyntaxErrorsForDotNetAppHost	✅ ▶️ View recording
✅	StartReportsSyntaxErrorsForTypeScriptAppHost	✅ ▶️ View recording
✅	StopAllAppHostsFromAppHostDirectory	✅ ▶️ View recording
✅	StopJavaPolyglotAppHostUsingApphostDirectory	✅ ▶️ View recording
✅	StopNonInteractiveSingleAppHost	✅ ▶️ View recording
✅	StopTypeScriptPolyglotAppHostUsingApphostDirectory	✅ ▶️ View recording
✅	StopWithNoRunningAppHostExitsSuccessfully	✅ ▶️ View recording
✅	UnAwaitedChainsCompileWithAutoResolvePromises	✅ ▶️ View recording
✅	UpdateProjectChannelToStable_TypeScript_PicksUpStablePackages	✅ ▶️ View recording

---

_{📹 Recordings uploaded automatically from CI run #26418513695}

[aspire-repo-bot]

✅ No documentation update needed.

docs_optional → build_or_ci_only / internal_refactor

Triggered signals (1): pr_body_has_cli_flag_mention

Why this is a false positive: The --frozen-lockfile --non-interactive flags that triggered the signal appear in the PR body as part of internal MSBuild/yarn invocations (e.g., yarn install --frozen-lockfile --non-interactive) used to validate and restore the VS Code extension's dependencies. These are yarn package manager options, not new Aspire CLI flags exposed to users.

All 8 changed files fall into build/CI/internal-contributor categories:

• .github/workflows/tests.yml → CI workflow (build_or_ci_only)
• extension/CONTRIBUTING.MD → contributor guide in source repo (not aspire.dev content)
• extension/Extension.proj, extension/build.ps1, extension/build.sh → internal build scripts
• extension/package-lock.json → removed npm lockfile
• extension/package.json, extension/yarn.lock → Node.js package management files

No user-facing Aspire functionality, public API, CLI command, configuration key, or published documentation was changed. The aspire.dev docs site has no coverage of yarn vs npm for VS Code extension contributor workflows, and none is needed.