Skip to content

v1.0.205

Choose a tag to compare

View all tags
@github-actions github-actions released this 09 May 09:43
· 83 commits to main since this release
v1.0.205
94a957c

🐛 Fix: fresh installs failed to start

@vscode/ripgrep 1.18 split its platform binaries into per-arch packages (@vscode/ripgrep-darwin-arm64/bin/rg etc.) and stopped shipping bin/rg from the main package. Cockpit had hand-built a path off process.cwd() + node_modules/@vscode/ripgrep/bin/rg, which ENOENT'd on any fresh npm i -g that resolved 1.18+:

Error: spawn .../node_modules/@vscode/ripgrep/bin/rg ENOENT

Symptoms in 1.0.204 were "search returns nothing" and "file index never builds" right after install — without obvious crashes. We now resolve via the package's own rgPath export, which handles both 1.17 (binary in main) and 1.18+ (binary in platform sub-package) layouts. @vscode/ripgrep is also added to serverExternalPackages so its internal createRequire(import.meta.url) resolution stays correct under webpack.

If you hit this in 1.0.204, upgrading fixes it — no manual reinstall needed.

✨ New: smarter compact-diff gaps

The ··· lines hidden ··· bar in compact diff mode got a UX rework after user feedback on v1.0.204's bidirectional +N controls.

··· more +20 ···                                   ← click to reveal
47 lines hidden · loginHandler(req, res, next)      ← gap label
··· more +20 ···                                   ← click to reveal
  • Function context — gap label now shows the enclosing function signature, mirroring the chip-view header. Driven by useFileFunctions; read-only, doesn't change expansion behaviour.
  • Three explicit rows — top/bottom expand rows are real <button>s, position implies direction. No more chevron icons that didn't read as clickable.
  • Honest reveal counts··· more +20 ··· clamps to actual remaining lines per side, so the label never overshoots what you'll see.
  • Drift fixed — virtualized rows now self-measure on entry (measureElement + data-index), so cumulative scroll error toward file bottom no longer compounds as you click.
  • No more animation collisionstransition-all was sweeping up the virtualizer's transform: translateY(...) on every state change, briefly overlapping diff rows during reveal. Replaced with transition-colors; transform changes are instant.
  • Focus rings stay inside the button — was painting 2-3 px outside the box, visibly spilling onto the line above.

📦 Misc: security dep refresh

Lockfile refreshed to pull patched transitive deps under @modelcontextprotocol/sdk@1.29.0, closing 8 dependabot alerts:

  • hono 4.12.15 → 4.12.18 — CSS injection in JSX SSR, cache cross-user leak via missing Vary handling, JSX tag HTML injection, bodyLimit bypass on chunked requests, JWT NumericDate validation
  • fast-uri 3.1.0 → 3.1.2 — host confusion, path traversal via percent-encoded segments
  • ip-address 10.1.0 → 10.2.0 — XSS in Address6 HTML-emitting methods (pulled in via express-rate-limit 8.4.1 → 8.5.1)

All bumps stay within caret ranges already declared by MCP SDK; package.json itself unchanged.

Assets 2
Loading