From 7a287f53fad655f150ed0c59f992b752dee2697b Mon Sep 17 00:00:00 2001 From: Christopher Birnie-Browne <153604499+Git-Hub-Chris@users.noreply.github.com> Date: Sun, 14 Sep 2025 23:34:53 -0600 Subject: [PATCH 01/50] Potential fix for code scanning alert no. 59: Inefficient regular expression Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> Signed-off-by: Christopher Birnie-Browne <153604499+Git-Hub-Chris@users.noreply.github.com> --- extensions/git/src/gitEditor.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/extensions/git/src/gitEditor.ts b/extensions/git/src/gitEditor.ts index 6291e5152a72..7d59cd6591df 100644 --- a/extensions/git/src/gitEditor.ts +++ b/extensions/git/src/gitEditor.ts @@ -67,7 +67,7 @@ export class GitEditor implements IIPCHandler, ITerminalEnvironmentProvider { } export class GitEditorDocumentLinkProvider implements DocumentLinkProvider { - private readonly _regex = /^#\s+(modified|new file|deleted|renamed|copied|type change):\s+(?.*?)(?:\s+->\s+(?.*))*$/gm; + private readonly _regex = /^#\s+(modified|new file|deleted|renamed|copied|type change):\s+(?[^\r\n]+?)(?:\s+->\s+(?[^\r\n]+?))*$/gm; constructor(private readonly _model: Model) { } From e0a3ead4fb1394d5e8c9346c6ac9b4986fed44ca Mon Sep 17 00:00:00 2001 From: Christopher Birnie-Browne <153604499+Git-Hub-Chris@users.noreply.github.com> Date: Mon, 15 Sep 2025 19:12:39 -0600 Subject: [PATCH 02/50] Potential fix for code scanning alert no. 60: Inefficient regular expression Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> Signed-off-by: Christopher Birnie-Browne <153604499+Git-Hub-Chris@users.noreply.github.com> --- extensions/git/src/gitEditor.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/extensions/git/src/gitEditor.ts b/extensions/git/src/gitEditor.ts index 6291e5152a72..27a42af4b820 100644 --- a/extensions/git/src/gitEditor.ts +++ b/extensions/git/src/gitEditor.ts @@ -67,7 +67,7 @@ export class GitEditor implements IIPCHandler, ITerminalEnvironmentProvider { } export class GitEditorDocumentLinkProvider implements DocumentLinkProvider { - private readonly _regex = /^#\s+(modified|new file|deleted|renamed|copied|type change):\s+(?.*?)(?:\s+->\s+(?.*))*$/gm; + private readonly _regex = /^#\s+(modified|new file|deleted|renamed|copied|type change):\s+(?[^\n]*?)(?:\s+->\s+(?[^\n]*))*$/gm; constructor(private readonly _model: Model) { } From cfbc58176278a9ba6dc01a4261b5f25e2145b9e2 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 18 Sep 2025 01:38:58 +0000 Subject: [PATCH 03/50] Bump the npm_and_yarn group across 1 directory with 2 updates Bumps the npm_and_yarn group with 2 updates in the / directory: [postcss](https://github.com/postcss/postcss) and [xml2js](https://github.com/Leonidas-from-XIV/node-xml2js). Updates `postcss` from 8.4.40 to 8.4.41 - [Release notes](https://github.com/postcss/postcss/releases) - [Changelog](https://github.com/postcss/postcss/blob/main/CHANGELOG.md) - [Commits](https://github.com/postcss/postcss/compare/8.4.40...8.4.41) Updates `xml2js` from 0.6.1 to 0.6.2 - [Commits](https://github.com/Leonidas-from-XIV/node-xml2js/compare/0.6.1...0.6.2) --- updated-dependencies: - dependency-name: postcss dependency-version: 8.4.41 dependency-type: direct:development dependency-group: npm_and_yarn - dependency-name: xml2js dependency-version: 0.6.2 dependency-type: direct:development dependency-group: npm_and_yarn ... Signed-off-by: dependabot[bot] --- package-lock.json | 16 ++++++++-------- package.json | 4 ++-- 2 files changed, 10 insertions(+), 10 deletions(-) diff --git a/package-lock.json b/package-lock.json index 88661ae94230..b2db188dac76 100644 --- a/package-lock.json +++ b/package-lock.json @@ -140,7 +140,7 @@ "os-browserify": "^0.3.0", "p-all": "^1.0.0", "path-browserify": "^1.0.1", - "postcss": "^8.4.40", + "postcss": "^8.4.41", "postcss-nesting": "^12.0.2", "pump": "^1.0.1", "rcedit": "^1.1.0", @@ -160,7 +160,7 @@ "webpack": "^5.94.0", "webpack-cli": "^5.1.4", "webpack-stream": "^7.0.0", - "xml2js": "^0.6.1", + "xml2js": "^0.6.2", "yaserver": "^0.4.0" }, "optionalDependencies": { @@ -12545,9 +12545,9 @@ } }, "node_modules/postcss": { - "version": "8.4.40", - "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.4.40.tgz", - "integrity": "sha512-YF2kKIUzAofPMpfH6hOi2cGnv/HrUlfucspc7pDyvv7kGdqXrfj8SCl/t8owkEgKEuu8ZcRjSOxFxVLqwChZ2Q==", + "version": "8.4.41", + "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.4.41.tgz", + "integrity": "sha512-TesUflQ0WKZqAvg52PWL6kHgLKP6xB6heTOdoYM0Wt2UHyxNa4K25EZZMgKns3BH1RLVbZCREPpLY0rhnNoHVQ==", "dev": true, "funding": [ { @@ -16659,9 +16659,9 @@ "dev": true }, "node_modules/xml2js": { - "version": "0.6.1", - "resolved": "https://registry.npmjs.org/xml2js/-/xml2js-0.6.1.tgz", - "integrity": "sha512-wksiZCYEDvrdwNhv1OIp0IALJdxWF9/ykG85DRkTLjqLIkcadRZxY05dwOX+zTM9aK+7rmtbNRnf3nC7MEqcvQ==", + "version": "0.6.2", + "resolved": "https://registry.npmjs.org/xml2js/-/xml2js-0.6.2.tgz", + "integrity": "sha512-T4rieHaC1EXcES0Kxxj4JWgaUQHDk+qwHcYOCFHfiwKz7tOVPLq7Hjq9dM1WCMhylqMEfP7hMcOIChvotiZegA==", "dev": true, "license": "MIT", "dependencies": { diff --git a/package.json b/package.json index 960c0f093be6..759cfc08d246 100644 --- a/package.json +++ b/package.json @@ -199,7 +199,7 @@ "os-browserify": "^0.3.0", "p-all": "^1.0.0", "path-browserify": "^1.0.1", - "postcss": "^8.4.40", + "postcss": "^8.4.41", "postcss-nesting": "^12.0.2", "pump": "^1.0.1", "rcedit": "^1.1.0", @@ -219,7 +219,7 @@ "webpack": "^5.94.0", "webpack-cli": "^5.1.4", "webpack-stream": "^7.0.0", - "xml2js": "^0.6.1", + "xml2js": "^0.6.2", "yaserver": "^0.4.0" }, "overrides": { From 764761de094e0087c008a9bb82e72a741bdf2af8 Mon Sep 17 00:00:00 2001 From: Christopher Birnie-Browne <153604499+Git-Hub-Chris@users.noreply.github.com> Date: Wed, 17 Sep 2025 19:41:36 -0600 Subject: [PATCH 04/50] Potential fix for code scanning alert no. 49: Client-side cross-site scripting Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> Signed-off-by: Christopher Birnie-Browne <153604499+Git-Hub-Chris@users.noreply.github.com> --- extensions/markdown-language-features/preview-src/index.ts | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/extensions/markdown-language-features/preview-src/index.ts b/extensions/markdown-language-features/preview-src/index.ts index 7e5aee5e277e..8153953b606b 100644 --- a/extensions/markdown-language-features/preview-src/index.ts +++ b/extensions/markdown-language-features/preview-src/index.ts @@ -10,6 +10,7 @@ import { getEditorLineNumberForPageOffset, scrollToRevealSourceLine, getLineElem import { SettingsManager, getData, getRawData } from './settings'; import throttle = require('lodash.throttle'); import morphdom from 'morphdom'; +import DOMPurify from 'dompurify'; import type { ToWebviewMessage } from '../types/previewMessaging'; import { isOfScheme, Schemes } from '../src/util/schemes'; @@ -206,7 +207,8 @@ window.addEventListener('message', async event => { const root = document.querySelector('.markdown-body')!; const parser = new DOMParser(); - const newContent = parser.parseFromString(data.content, 'text/html'); // CodeQL [SM03712] This renderers content from the workspace into the Markdown preview. Webviews (and the markdown preview) have many other security measures in place to make this safe + const sanitizedContent = DOMPurify.sanitize(data.content); + const newContent = parser.parseFromString(sanitizedContent, 'text/html'); // CodeQL [SM03712] This renderers content from the workspace into the Markdown preview. Webviews (and the markdown preview) have many other security measures in place to make this safe // Strip out meta http-equiv tags for (const metaElement of Array.from(newContent.querySelectorAll('meta'))) { From aee9e03db34281d35db462f2f5636c7559c362e6 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 21 Sep 2025 01:38:05 +0000 Subject: [PATCH 05/50] Bump postcss in the npm_and_yarn group across 1 directory Bumps the npm_and_yarn group with 1 update in the / directory: [postcss](https://github.com/postcss/postcss). Updates `postcss` from 8.4.41 to 8.4.42 - [Release notes](https://github.com/postcss/postcss/releases) - [Changelog](https://github.com/postcss/postcss/blob/main/CHANGELOG.md) - [Commits](https://github.com/postcss/postcss/compare/8.4.41...8.4.42) --- updated-dependencies: - dependency-name: postcss dependency-version: 8.4.42 dependency-type: direct:development dependency-group: npm_and_yarn ... Signed-off-by: dependabot[bot] --- package-lock.json | 8 ++++---- package.json | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/package-lock.json b/package-lock.json index b2db188dac76..d9daf596c1df 100644 --- a/package-lock.json +++ b/package-lock.json @@ -140,7 +140,7 @@ "os-browserify": "^0.3.0", "p-all": "^1.0.0", "path-browserify": "^1.0.1", - "postcss": "^8.4.41", + "postcss": "^8.4.42", "postcss-nesting": "^12.0.2", "pump": "^1.0.1", "rcedit": "^1.1.0", @@ -12545,9 +12545,9 @@ } }, "node_modules/postcss": { - "version": "8.4.41", - "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.4.41.tgz", - "integrity": "sha512-TesUflQ0WKZqAvg52PWL6kHgLKP6xB6heTOdoYM0Wt2UHyxNa4K25EZZMgKns3BH1RLVbZCREPpLY0rhnNoHVQ==", + "version": "8.4.42", + "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.4.42.tgz", + "integrity": "sha512-hywKUQB9Ra4dR1mGhldy5Aj1X3MWDSIA1cEi+Uy0CjheLvP6Ual5RlwMCh8i/X121yEDLDIKBsrCQ8ba3FDMfQ==", "dev": true, "funding": [ { diff --git a/package.json b/package.json index 759cfc08d246..44bc3ef89547 100644 --- a/package.json +++ b/package.json @@ -199,7 +199,7 @@ "os-browserify": "^0.3.0", "p-all": "^1.0.0", "path-browserify": "^1.0.1", - "postcss": "^8.4.41", + "postcss": "^8.4.42", "postcss-nesting": "^12.0.2", "pump": "^1.0.1", "rcedit": "^1.1.0", From 932cd98c4a8985cdb6e69c622a2964f04c2de1ae Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 21 Sep 2025 01:46:11 +0000 Subject: [PATCH 06/50] Bump postcss in the npm_and_yarn group across 1 directory Bumps the npm_and_yarn group with 1 update in the / directory: [postcss](https://github.com/postcss/postcss). Updates `postcss` from 8.4.42 to 8.4.43 - [Release notes](https://github.com/postcss/postcss/releases) - [Changelog](https://github.com/postcss/postcss/blob/main/CHANGELOG.md) - [Commits](https://github.com/postcss/postcss/compare/8.4.42...8.4.43) --- updated-dependencies: - dependency-name: postcss dependency-version: 8.4.43 dependency-type: direct:development dependency-group: npm_and_yarn ... Signed-off-by: dependabot[bot] --- package-lock.json | 8 ++++---- package.json | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/package-lock.json b/package-lock.json index d9daf596c1df..fe30a8caa21f 100644 --- a/package-lock.json +++ b/package-lock.json @@ -140,7 +140,7 @@ "os-browserify": "^0.3.0", "p-all": "^1.0.0", "path-browserify": "^1.0.1", - "postcss": "^8.4.42", + "postcss": "^8.4.43", "postcss-nesting": "^12.0.2", "pump": "^1.0.1", "rcedit": "^1.1.0", @@ -12545,9 +12545,9 @@ } }, "node_modules/postcss": { - "version": "8.4.42", - "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.4.42.tgz", - "integrity": "sha512-hywKUQB9Ra4dR1mGhldy5Aj1X3MWDSIA1cEi+Uy0CjheLvP6Ual5RlwMCh8i/X121yEDLDIKBsrCQ8ba3FDMfQ==", + "version": "8.4.43", + "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.4.43.tgz", + "integrity": "sha512-gJAQVYbh5R3gYm33FijzCZj7CHyQ3hWMgJMprLUlIYqCwTeZhBQ19wp0e9mA25BUbEvY5+EXuuaAjqQsrBxQBQ==", "dev": true, "funding": [ { diff --git a/package.json b/package.json index 44bc3ef89547..c17294cb9d88 100644 --- a/package.json +++ b/package.json @@ -199,7 +199,7 @@ "os-browserify": "^0.3.0", "p-all": "^1.0.0", "path-browserify": "^1.0.1", - "postcss": "^8.4.42", + "postcss": "^8.4.43", "postcss-nesting": "^12.0.2", "pump": "^1.0.1", "rcedit": "^1.1.0", From 381e7bea766866d6a43493688b29f9a27780c064 Mon Sep 17 00:00:00 2001 From: Christopher Birnie-Browne <153604499+Git-Hub-Chris@users.noreply.github.com> Date: Sat, 20 Sep 2025 20:55:06 -0600 Subject: [PATCH 07/50] Potential fix for code scanning alert no. 19: Use of a broken or weak cryptographic algorithm Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> Signed-off-by: Christopher Birnie-Browne <153604499+Git-Hub-Chris@users.noreply.github.com> --- src/vs/platform/languagePacks/node/languagePacks.ts | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/vs/platform/languagePacks/node/languagePacks.ts b/src/vs/platform/languagePacks/node/languagePacks.ts index 9527de9f2c3d..f666ed0ddb19 100644 --- a/src/vs/platform/languagePacks/node/languagePacks.ts +++ b/src/vs/platform/languagePacks/node/languagePacks.ts @@ -170,11 +170,11 @@ class LanguagePacksCache extends Disposable { private updateHash(languagePack: ILanguagePack): void { if (languagePack) { - const md5 = createHash('md5'); // CodeQL [SM04514] Used to create an hash for language pack extension version, which is not a security issue + const sha256 = createHash('sha256'); // Secure hash algorithm for language pack extension version for (const extension of languagePack.extensions) { - md5.update(extension.extensionIdentifier.uuid || extension.extensionIdentifier.id).update(extension.version); // CodeQL [SM01510] The extension UUID is not sensitive info and is not manually created by a user + sha256.update(extension.extensionIdentifier.uuid || extension.extensionIdentifier.id).update(extension.version); // Using secure hash for identifier } - languagePack.hash = md5.digest('hex'); + languagePack.hash = sha256.digest('hex'); } } From a94fb6a2815a4c90ae0c4888459703a9f6f6f1c8 Mon Sep 17 00:00:00 2001 From: Christopher Birnie-Browne <153604499+Git-Hub-Chris@users.noreply.github.com> Date: Sat, 20 Sep 2025 21:30:42 -0600 Subject: [PATCH 08/50] Potential fix for code scanning alert no. 41: Useless regular-expression character escape Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> Signed-off-by: Christopher Birnie-Browne <153604499+Git-Hub-Chris@users.noreply.github.com> --- extensions/json/build/update-grammars.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/extensions/json/build/update-grammars.js b/extensions/json/build/update-grammars.js index 2b7f76f8f909..13356a2c4c4e 100644 --- a/extensions/json/build/update-grammars.js +++ b/extensions/json/build/update-grammars.js @@ -9,7 +9,7 @@ var updateGrammar = require('vscode-grammar-updater'); function adaptJSON(grammar, name, replacementScope, replaceeScope = 'json') { grammar.name = name; grammar.scopeName = `source${replacementScope}`; - const regex = new RegExp(`\.${replaceeScope}`, 'g'); + const regex = new RegExp(`\\.${replaceeScope}`, 'g'); var fixScopeNames = function (rule) { if (typeof rule.name === 'string') { rule.name = rule.name.replace(regex, replacementScope); From eb8f8e8149deffdd93fad7ad25fe8aaa1274deb5 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 21 Sep 2025 03:31:09 +0000 Subject: [PATCH 09/50] Bump postcss in the npm_and_yarn group across 1 directory Bumps the npm_and_yarn group with 1 update in the / directory: [postcss](https://github.com/postcss/postcss). Updates `postcss` from 8.4.43 to 8.4.44 - [Release notes](https://github.com/postcss/postcss/releases) - [Changelog](https://github.com/postcss/postcss/blob/main/CHANGELOG.md) - [Commits](https://github.com/postcss/postcss/compare/8.4.43...8.4.44) --- updated-dependencies: - dependency-name: postcss dependency-version: 8.4.44 dependency-type: direct:development dependency-group: npm_and_yarn ... Signed-off-by: dependabot[bot] --- package-lock.json | 8 ++++---- package.json | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/package-lock.json b/package-lock.json index fe30a8caa21f..a6183a0abdbf 100644 --- a/package-lock.json +++ b/package-lock.json @@ -140,7 +140,7 @@ "os-browserify": "^0.3.0", "p-all": "^1.0.0", "path-browserify": "^1.0.1", - "postcss": "^8.4.43", + "postcss": "^8.4.44", "postcss-nesting": "^12.0.2", "pump": "^1.0.1", "rcedit": "^1.1.0", @@ -12545,9 +12545,9 @@ } }, "node_modules/postcss": { - "version": "8.4.43", - "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.4.43.tgz", - "integrity": "sha512-gJAQVYbh5R3gYm33FijzCZj7CHyQ3hWMgJMprLUlIYqCwTeZhBQ19wp0e9mA25BUbEvY5+EXuuaAjqQsrBxQBQ==", + "version": "8.4.44", + "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.4.44.tgz", + "integrity": "sha512-Aweb9unOEpQ3ezu4Q00DPvvM2ZTUitJdNKeP/+uQgr1IBIqu574IaZoURId7BKtWMREwzKa9OgzPzezWGPWFQw==", "dev": true, "funding": [ { diff --git a/package.json b/package.json index c17294cb9d88..a89b49c93c2a 100644 --- a/package.json +++ b/package.json @@ -199,7 +199,7 @@ "os-browserify": "^0.3.0", "p-all": "^1.0.0", "path-browserify": "^1.0.1", - "postcss": "^8.4.43", + "postcss": "^8.4.44", "postcss-nesting": "^12.0.2", "pump": "^1.0.1", "rcedit": "^1.1.0", From ca60cee51f6b751b19d0a24c35b306efa52a3067 Mon Sep 17 00:00:00 2001 From: Christopher Birnie-Browne <153604499+Git-Hub-Chris@users.noreply.github.com> Date: Sun, 21 Sep 2025 00:43:17 -0600 Subject: [PATCH 10/50] Potential fix for code scanning alert no. 1: Bad HTML filtering regexp Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> Signed-off-by: Christopher Birnie-Browne <153604499+Git-Hub-Chris@users.noreply.github.com> --- src/vs/base/common/marked/marked.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/vs/base/common/marked/marked.js b/src/vs/base/common/marked/marked.js index b7b6ecccd163..9b3c3630e8f0 100644 --- a/src/vs/base/common/marked/marked.js +++ b/src/vs/base/common/marked/marked.js @@ -1008,7 +1008,7 @@ const html = edit('^ {0,3}(?:' // optional indentation .replace('tag', _tag) .replace('attribute', / +[a-zA-Z:_][\w.:-]*(?: *= *"[^"\n]*"| *= *'[^'\n]*'| *= *[^\s"'=<>`]+)?/) .getRegex(); -const paragraph = edit(_paragraph) +const paragraph = edit(_paragraph, 'i') // <-- add 'i' flag for case-insensitivity .replace('hr', hr) .replace('heading', ' {0,3}#{1,6}(?:\\s|$)') .replace('|lheading', '') // setext headings don't interrupt commonmark paragraphs From d7839ae47010f2e7e55867b1070be4d5d54d7bd2 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 21 Sep 2025 06:45:11 +0000 Subject: [PATCH 11/50] Bump postcss in the npm_and_yarn group across 1 directory Bumps the npm_and_yarn group with 1 update in the / directory: [postcss](https://github.com/postcss/postcss). Updates `postcss` from 8.4.44 to 8.4.45 - [Release notes](https://github.com/postcss/postcss/releases) - [Changelog](https://github.com/postcss/postcss/blob/main/CHANGELOG.md) - [Commits](https://github.com/postcss/postcss/compare/8.4.44...8.4.45) --- updated-dependencies: - dependency-name: postcss dependency-version: 8.4.45 dependency-type: direct:development dependency-group: npm_and_yarn ... Signed-off-by: dependabot[bot] --- package-lock.json | 8 ++++---- package.json | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/package-lock.json b/package-lock.json index a6183a0abdbf..7b9d247a9369 100644 --- a/package-lock.json +++ b/package-lock.json @@ -140,7 +140,7 @@ "os-browserify": "^0.3.0", "p-all": "^1.0.0", "path-browserify": "^1.0.1", - "postcss": "^8.4.44", + "postcss": "^8.4.45", "postcss-nesting": "^12.0.2", "pump": "^1.0.1", "rcedit": "^1.1.0", @@ -12545,9 +12545,9 @@ } }, "node_modules/postcss": { - "version": "8.4.44", - "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.4.44.tgz", - "integrity": "sha512-Aweb9unOEpQ3ezu4Q00DPvvM2ZTUitJdNKeP/+uQgr1IBIqu574IaZoURId7BKtWMREwzKa9OgzPzezWGPWFQw==", + "version": "8.4.45", + "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.4.45.tgz", + "integrity": "sha512-7KTLTdzdZZYscUc65XmjFiB73vBhBfbPztCYdUNvlaso9PrzjzcmjqBPR0lNGkcVlcO4BjiO5rK/qNz+XAen1Q==", "dev": true, "funding": [ { diff --git a/package.json b/package.json index a89b49c93c2a..f01a0466ab40 100644 --- a/package.json +++ b/package.json @@ -199,7 +199,7 @@ "os-browserify": "^0.3.0", "p-all": "^1.0.0", "path-browserify": "^1.0.1", - "postcss": "^8.4.44", + "postcss": "^8.4.45", "postcss-nesting": "^12.0.2", "pump": "^1.0.1", "rcedit": "^1.1.0", From 516f1b32caf8d307197672c4f523653a289118ba Mon Sep 17 00:00:00 2001 From: Christopher Birnie-Browne <153604499+Git-Hub-Chris@users.noreply.github.com> Date: Sun, 21 Sep 2025 00:46:33 -0600 Subject: [PATCH 12/50] Potential fix for code scanning alert no. 9: Incomplete string escaping or encoding Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> Signed-off-by: Christopher Birnie-Browne <153604499+Git-Hub-Chris@users.noreply.github.com> --- src/vs/base/common/htmlContent.ts | 1 + 1 file changed, 1 insertion(+) diff --git a/src/vs/base/common/htmlContent.ts b/src/vs/base/common/htmlContent.ts index 070103b838d2..4fa81895fa27 100644 --- a/src/vs/base/common/htmlContent.ts +++ b/src/vs/base/common/htmlContent.ts @@ -70,6 +70,7 @@ export class MarkdownString implements IMarkdownString { appendText(value: string, newlineStyle: MarkdownStringTextNewlineStyle = MarkdownStringTextNewlineStyle.Paragraph): MarkdownString { this.value += escapeMarkdownSyntaxTokens(this.supportThemeIcons ? escapeIcons(value) : value) // CodeQL [SM02383] The Markdown is fully sanitized after being rendered. + .replace(/\\/g, '\\\\') // Escape backslash characters .replace(/([ \t]+)/g, (_match, g1) => ' '.repeat(g1.length)) // CodeQL [SM02383] The Markdown is fully sanitized after being rendered. .replace(/\>/gm, '\\>') // CodeQL [SM02383] The Markdown is fully sanitized after being rendered. .replace(/\n/g, newlineStyle === MarkdownStringTextNewlineStyle.Break ? '\\\n' : '\n\n'); // CodeQL [SM02383] The Markdown is fully sanitized after being rendered. From 56686c24f0d8c55bb405d02fda359038062f56f5 Mon Sep 17 00:00:00 2001 From: Christopher Birnie-Browne <153604499+Git-Hub-Chris@users.noreply.github.com> Date: Sun, 21 Sep 2025 00:48:36 -0600 Subject: [PATCH 13/50] Potential fix for code scanning alert no. 13: Incomplete string escaping or encoding Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> Signed-off-by: Christopher Birnie-Browne <153604499+Git-Hub-Chris@users.noreply.github.com> --- src/vs/workbench/contrib/debug/node/debugAdapter.ts | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/src/vs/workbench/contrib/debug/node/debugAdapter.ts b/src/vs/workbench/contrib/debug/node/debugAdapter.ts index 4892338a1c1a..c6cdb3c6979e 100644 --- a/src/vs/workbench/contrib/debug/node/debugAdapter.ts +++ b/src/vs/workbench/contrib/debug/node/debugAdapter.ts @@ -240,7 +240,10 @@ export class ExecutableDebugAdapter extends StreamDebugAdapter { spawnOptions.shell = true; spawnCommand = `"${command}"`; spawnArgs = args.map(a => { - a = a.replace(/"/g, '\\"'); // Escape existing double quotes with \ + // Escape backslashes first + a = a.replace(/\\/g, '\\\\'); + // Then escape double quotes + a = a.replace(/"/g, '\\"'); // Wrap in double quotes return `"${a}"`; }); From 6bb4b18dcf37f1532c8e60f3a9bd30bb82941f49 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 21 Sep 2025 23:20:57 +0000 Subject: [PATCH 14/50] Bump postcss in the npm_and_yarn group across 1 directory Bumps the npm_and_yarn group with 1 update in the / directory: [postcss](https://github.com/postcss/postcss). Updates `postcss` from 8.4.45 to 8.4.46 - [Release notes](https://github.com/postcss/postcss/releases) - [Changelog](https://github.com/postcss/postcss/blob/main/CHANGELOG.md) - [Commits](https://github.com/postcss/postcss/compare/8.4.45...8.4.46) --- updated-dependencies: - dependency-name: postcss dependency-version: 8.4.46 dependency-type: direct:development dependency-group: npm_and_yarn ... Signed-off-by: dependabot[bot] --- package-lock.json | 19 ++++++++++--------- package.json | 2 +- 2 files changed, 11 insertions(+), 10 deletions(-) diff --git a/package-lock.json b/package-lock.json index 7b9d247a9369..1836a776d5a5 100644 --- a/package-lock.json +++ b/package-lock.json @@ -140,7 +140,7 @@ "os-browserify": "^0.3.0", "p-all": "^1.0.0", "path-browserify": "^1.0.1", - "postcss": "^8.4.45", + "postcss": "^8.4.46", "postcss-nesting": "^12.0.2", "pump": "^1.0.1", "rcedit": "^1.1.0", @@ -12545,9 +12545,9 @@ } }, "node_modules/postcss": { - "version": "8.4.45", - "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.4.45.tgz", - "integrity": "sha512-7KTLTdzdZZYscUc65XmjFiB73vBhBfbPztCYdUNvlaso9PrzjzcmjqBPR0lNGkcVlcO4BjiO5rK/qNz+XAen1Q==", + "version": "8.4.46", + "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.4.46.tgz", + "integrity": "sha512-73x4XLhY0QNN+87/u6F7TRq+yl3xPAjlbRRvhly1mAKJgNO4q5fiqegez/Yi3u+ez8wbBXXqY9N1+RAJAVCzEw==", "dev": true, "funding": [ { @@ -12566,8 +12566,8 @@ "license": "MIT", "dependencies": { "nanoid": "^3.3.7", - "picocolors": "^1.0.1", - "source-map-js": "^1.2.0" + "picocolors": "^1.1.0", + "source-map-js": "^1.2.1" }, "engines": { "node": "^10 || ^12 || >=14" @@ -14327,10 +14327,11 @@ } }, "node_modules/source-map-js": { - "version": "1.2.0", - "resolved": "https://registry.npmjs.org/source-map-js/-/source-map-js-1.2.0.tgz", - "integrity": "sha512-itJW8lvSA0TXEphiRoawsCksnlf8SyvmFzIhltqAHluXd88pkCd+cXJVHTDwdCr0IzwptSm035IHQktUu1QUMg==", + "version": "1.2.1", + "resolved": "https://registry.npmjs.org/source-map-js/-/source-map-js-1.2.1.tgz", + "integrity": "sha512-UXWMKhLOwVKb728IUtQPXxfYU+usdybtUrK/8uGE8CQMvrhOpwvzDBwj0QhSL7MQc7vIsISBG8VQ8+IDQxpfQA==", "dev": true, + "license": "BSD-3-Clause", "engines": { "node": ">=0.10.0" } diff --git a/package.json b/package.json index f01a0466ab40..64a6a2a3e512 100644 --- a/package.json +++ b/package.json @@ -199,7 +199,7 @@ "os-browserify": "^0.3.0", "p-all": "^1.0.0", "path-browserify": "^1.0.1", - "postcss": "^8.4.45", + "postcss": "^8.4.46", "postcss-nesting": "^12.0.2", "pump": "^1.0.1", "rcedit": "^1.1.0", From b74e1deb365dc9524c7c6501b58640065897b9dc Mon Sep 17 00:00:00 2001 From: Christopher Birnie-Browne <153604499+Git-Hub-Chris@users.noreply.github.com> Date: Sun, 21 Sep 2025 17:21:57 -0600 Subject: [PATCH 15/50] Potential fix for code scanning alert no. 42: Useless regular-expression character escape Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> Signed-off-by: Christopher Birnie-Browne <153604499+Git-Hub-Chris@users.noreply.github.com> --- .../workbench/contrib/replNotebook/browser/replEditorInput.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/vs/workbench/contrib/replNotebook/browser/replEditorInput.ts b/src/vs/workbench/contrib/replNotebook/browser/replEditorInput.ts index 271af8eac541..eb0dc144a1a0 100644 --- a/src/vs/workbench/contrib/replNotebook/browser/replEditorInput.ts +++ b/src/vs/workbench/contrib/replNotebook/browser/replEditorInput.ts @@ -69,7 +69,7 @@ export class ReplEditorInput extends NotebookEditorInput implements ICompositeNo } if (resource.scheme === 'untitled') { - const match = new RegExp('Untitled-(\\d+)\.').exec(resource.path); + const match = new RegExp('Untitled-(\\d+)\\.').exec(resource.path); if (match?.length === 2) { return `REPL - ${match[1]}`; } From adf1228ffa06909eb4acef82e139ba6610d6a613 Mon Sep 17 00:00:00 2001 From: Christopher Birnie-Browne <153604499+Git-Hub-Chris@users.noreply.github.com> Date: Sun, 21 Sep 2025 19:01:20 -0600 Subject: [PATCH 16/50] Potential fix for code scanning alert no. 48: DOM text reinterpreted as HTML Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> Signed-off-by: Christopher Birnie-Browne <153604499+Git-Hub-Chris@users.noreply.github.com> --- .../simple-browser/preview-src/index.ts | 25 +++++++++++++------ 1 file changed, 17 insertions(+), 8 deletions(-) diff --git a/extensions/simple-browser/preview-src/index.ts b/extensions/simple-browser/preview-src/index.ts index 3d804aa60fa4..0e16b0b24695 100644 --- a/extensions/simple-browser/preview-src/index.ts +++ b/extensions/simple-browser/preview-src/index.ts @@ -90,18 +90,27 @@ onceDocumentLoaded(() => { toggleFocusLockIndicatorEnabled(settings.focusLockIndicatorEnabled); function navigateTo(rawUrl: string): void { + let safeUrl: string | null = null; try { const url = new URL(rawUrl); - - // Try to bust the cache for the iframe - // There does not appear to be any way to reliably do this except modifying the url - url.searchParams.append('vscodeBrowserReqId', Date.now().toString()); - - iframe.src = url.toString(); + if (url.protocol === 'http:' || url.protocol === 'https:') { + // Try to bust the cache for the iframe + url.searchParams.append('vscodeBrowserReqId', Date.now().toString()); + safeUrl = url.toString(); + } } catch { - iframe.src = rawUrl; + // Fallback if URL parsing fails + // Try to match http/https only + if (/^(https?:\/\/)/i.test(rawUrl)) { + safeUrl = rawUrl; + } + } + if (safeUrl) { + iframe.src = safeUrl; + } else { + // Optionally, display an error or set to about:blank + iframe.src = 'about:blank'; } - vscode.setState({ url: rawUrl }); } }); From 9fbe30808efa4913ae6665479b4e995dc9c1710a Mon Sep 17 00:00:00 2001 From: Christopher Birnie-Browne <153604499+Git-Hub-Chris@users.noreply.github.com> Date: Sun, 21 Sep 2025 20:55:10 -0600 Subject: [PATCH 17/50] Potential fix for code scanning alert no. 20: Regular expression injection Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> Signed-off-by: Christopher Birnie-Browne <153604499+Git-Hub-Chris@users.noreply.github.com> --- src/vs/base/common/marshalling.ts | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/src/vs/base/common/marshalling.ts b/src/vs/base/common/marshalling.ts index 82fcd1234d09..f32bbd68ff30 100644 --- a/src/vs/base/common/marshalling.ts +++ b/src/vs/base/common/marshalling.ts @@ -33,6 +33,10 @@ function replacer(key: string, value: any): any { return value; } +// Utility function to escape RegExp special characters +function escapeRegExp(string: string): string { + return string.replace(/[.*+?^${}()|[\]\\]/g, '\\$&'); // $& means the whole matched string +} type Deserialize = T extends UriComponents ? URI : T extends VSBuffer ? VSBuffer @@ -51,7 +55,7 @@ export function revive(obj: any, depth = 0): Revived { switch ((obj).$mid) { case MarshalledId.Uri: return URI.revive(obj); - case MarshalledId.Regexp: return new RegExp(obj.source, obj.flags); + case MarshalledId.Regexp: return new RegExp(escapeRegExp(obj.source), obj.flags); case MarshalledId.Date: return new Date(obj.source); } From 144689735fe84aa79c01cad445a25b17c92d861e Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 22 Sep 2025 02:55:45 +0000 Subject: [PATCH 18/50] Bump postcss in the npm_and_yarn group across 1 directory Bumps the npm_and_yarn group with 1 update in the / directory: [postcss](https://github.com/postcss/postcss). Updates `postcss` from 8.4.46 to 8.4.47 - [Release notes](https://github.com/postcss/postcss/releases) - [Changelog](https://github.com/postcss/postcss/blob/main/CHANGELOG.md) - [Commits](https://github.com/postcss/postcss/compare/8.4.46...8.4.47) --- updated-dependencies: - dependency-name: postcss dependency-version: 8.4.47 dependency-type: direct:development dependency-group: npm_and_yarn ... Signed-off-by: dependabot[bot] --- package-lock.json | 8 ++++---- package.json | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/package-lock.json b/package-lock.json index 1836a776d5a5..27b384d59b6a 100644 --- a/package-lock.json +++ b/package-lock.json @@ -140,7 +140,7 @@ "os-browserify": "^0.3.0", "p-all": "^1.0.0", "path-browserify": "^1.0.1", - "postcss": "^8.4.46", + "postcss": "^8.4.47", "postcss-nesting": "^12.0.2", "pump": "^1.0.1", "rcedit": "^1.1.0", @@ -12545,9 +12545,9 @@ } }, "node_modules/postcss": { - "version": "8.4.46", - "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.4.46.tgz", - "integrity": "sha512-73x4XLhY0QNN+87/u6F7TRq+yl3xPAjlbRRvhly1mAKJgNO4q5fiqegez/Yi3u+ez8wbBXXqY9N1+RAJAVCzEw==", + "version": "8.4.47", + "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.4.47.tgz", + "integrity": "sha512-56rxCq7G/XfB4EkXq9Egn5GCqugWvDFjafDOThIdMBsI15iqPqR5r15TfSr1YPYeEI19YeaXMCbY6u88Y76GLQ==", "dev": true, "funding": [ { diff --git a/package.json b/package.json index 64a6a2a3e512..1761adc81015 100644 --- a/package.json +++ b/package.json @@ -199,7 +199,7 @@ "os-browserify": "^0.3.0", "p-all": "^1.0.0", "path-browserify": "^1.0.1", - "postcss": "^8.4.46", + "postcss": "^8.4.47", "postcss-nesting": "^12.0.2", "pump": "^1.0.1", "rcedit": "^1.1.0", From f0fe825edeb79734c85a8e092bda5c40dd85e98c Mon Sep 17 00:00:00 2001 From: Christopher Birnie-Browne <153604499+Git-Hub-Chris@users.noreply.github.com> Date: Sun, 21 Sep 2025 20:56:27 -0600 Subject: [PATCH 19/50] Potential fix for code scanning alert no. 8: Incomplete string escaping or encoding Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> Signed-off-by: Christopher Birnie-Browne <153604499+Git-Hub-Chris@users.noreply.github.com> --- .../src/languageFeatures/util/textRendering.ts | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/extensions/typescript-language-features/src/languageFeatures/util/textRendering.ts b/extensions/typescript-language-features/src/languageFeatures/util/textRendering.ts index f44ac0c4f407..b0acc74db201 100644 --- a/extensions/typescript-language-features/src/languageFeatures/util/textRendering.ts +++ b/extensions/typescript-language-features/src/languageFeatures/util/textRendering.ts @@ -210,7 +210,8 @@ function convertLinkTags( } function escapeMarkdownSyntaxTokensForCode(text: string): string { - return text.replace(/`/g, '\\$&'); // CodeQL [SM02383] This is only meant to escape backticks. The Markdown is fully sanitized after being rendered. + // First escape backslashes, then backticks + return text.replace(/\\/g, '\\\\').replace(/`/g, '\\$&'); // CodeQL [SM02383] This now escapes backticks and backslashes. } export function tagsToMarkdown( From b19c101d47141e672c7f1bc7306afcc6d243ab97 Mon Sep 17 00:00:00 2001 From: Christopher Birnie-Browne <153604499+Git-Hub-Chris@users.noreply.github.com> Date: Sun, 21 Sep 2025 21:00:55 -0600 Subject: [PATCH 20/50] Potential fix for code scanning alert no. 18: Information exposure through a stack trace Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> Signed-off-by: Christopher Birnie-Browne <153604499+Git-Hub-Chris@users.noreply.github.com> --- src/vs/workbench/api/node/extHostCLIServer.ts | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/src/vs/workbench/api/node/extHostCLIServer.ts b/src/vs/workbench/api/node/extHostCLIServer.ts index 01bc190d579f..0b040acb868a 100644 --- a/src/vs/workbench/api/node/extHostCLIServer.ts +++ b/src/vs/workbench/api/node/extHostCLIServer.ts @@ -112,8 +112,7 @@ export class CLIServerBase { } sendResponse(200, returnObj); } catch (e) { - const message = e instanceof Error ? e.message : JSON.stringify(e); - sendResponse(500, message); + sendResponse(500, "An internal server error occurred."); this.logService.error('Error while processing pipe request', e); } }); From 929159a6a185f4769498e3618dc7a479d7e17aff Mon Sep 17 00:00:00 2001 From: Christopher Birnie-Browne <153604499+Git-Hub-Chris@users.noreply.github.com> Date: Sun, 21 Sep 2025 22:55:04 -0600 Subject: [PATCH 21/50] Potential fix for code scanning alert no. 78: Workflow does not contain permissions Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> Signed-off-by: Christopher Birnie-Browne <153604499+Git-Hub-Chris@users.noreply.github.com> --- .github/workflows/monaco-editor.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/monaco-editor.yml b/.github/workflows/monaco-editor.yml index 842e327735f5..83159b8c5f3b 100644 --- a/.github/workflows/monaco-editor.yml +++ b/.github/workflows/monaco-editor.yml @@ -1,4 +1,6 @@ name: Monaco Editor checks +permissions: + contents: read on: push: From 36c1b5b4ecbb821629283b9d02564201d762a8cb Mon Sep 17 00:00:00 2001 From: Christopher Birnie-Browne <153604499+Git-Hub-Chris@users.noreply.github.com> Date: Sun, 21 Sep 2025 22:56:03 -0600 Subject: [PATCH 22/50] Potential fix for code scanning alert no. 15: Incomplete string escaping or encoding Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> Signed-off-by: Christopher Birnie-Browne <153604499+Git-Hub-Chris@users.noreply.github.com> --- .../contrib/terminal/browser/terminalProfileQuickpick.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/vs/workbench/contrib/terminal/browser/terminalProfileQuickpick.ts b/src/vs/workbench/contrib/terminal/browser/terminalProfileQuickpick.ts index eff79840baf6..78f4ea23fede 100644 --- a/src/vs/workbench/contrib/terminal/browser/terminalProfileQuickpick.ts +++ b/src/vs/workbench/contrib/terminal/browser/terminalProfileQuickpick.ts @@ -275,7 +275,7 @@ export class TerminalProfileQuickpick { } const argsString = profile.args.map(e => { if (e.includes(' ')) { - return `"${e.replace(/"/g, '\\"')}"`; // CodeQL [SM02383] js/incomplete-sanitization This is only used as a label on the UI so this isn't a problem + return `"${e.replace(/\\/g, '\\\\').replace(/"/g, '\\"')}"`; // First escape backslashes, then quotes for correct display } return e; }).join(' '); From 093e6166e08ec69c329ca6363f8f5edab6ea731a Mon Sep 17 00:00:00 2001 From: Christopher Birnie-Browne <153604499+Git-Hub-Chris@users.noreply.github.com> Date: Sun, 21 Sep 2025 22:56:16 -0600 Subject: [PATCH 23/50] Potential fix for code scanning alert no. 7: Incomplete string escaping or encoding Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> Signed-off-by: Christopher Birnie-Browne <153604499+Git-Hub-Chris@users.noreply.github.com> --- .../src/languageFeatures/jsDocCompletions.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/extensions/typescript-language-features/src/languageFeatures/jsDocCompletions.ts b/extensions/typescript-language-features/src/languageFeatures/jsDocCompletions.ts index f2c1b49c67f2..7bf3eb47da71 100644 --- a/extensions/typescript-language-features/src/languageFeatures/jsDocCompletions.ts +++ b/extensions/typescript-language-features/src/languageFeatures/jsDocCompletions.ts @@ -103,7 +103,7 @@ class JsDocCompletionProvider implements vscode.CompletionItemProvider { export function templateToSnippet(template: string): vscode.SnippetString { // TODO: use append placeholder let snippetIndex = 1; - template = template.replace(/\$/g, '\\$'); // CodeQL [SM02383] This is only used for text which is put into the editor. It is not for rendered html + template = template.replace(/\\/g, '\\\\').replace(/\$/g, '\\$'); // Escape backslash and dollar for VSCode snippets template = template.replace(/^[ \t]*(?=(\/|[ ]\*))/gm, ''); template = template.replace(/^(\/\*\*\s*\*[ ]*)$/m, (x) => x + `\$0`); template = template.replace(/\* @param([ ]\{\S+\})?\s+(\S+)[ \t]*$/gm, (_param, type, post) => { From da1a0d5ce1555cf2c6faafd08879e4f8e59095e8 Mon Sep 17 00:00:00 2001 From: Christopher Birnie-Browne <153604499+Git-Hub-Chris@users.noreply.github.com> Date: Sun, 21 Sep 2025 22:57:23 -0600 Subject: [PATCH 24/50] Potential fix for code scanning alert no. 81: Workflow does not contain permissions Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> Signed-off-by: Christopher Birnie-Browne <153604499+Git-Hub-Chris@users.noreply.github.com> --- .github/workflows/basic.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/basic.yml b/.github/workflows/basic.yml index a1a5c5ad477f..7b3ead417366 100644 --- a/.github/workflows/basic.yml +++ b/.github/workflows/basic.yml @@ -1,4 +1,6 @@ name: Basic checks +permissions: + contents: read on: workflow_dispatch From 594cf4bbe28e9557978a3461fb56b8185b70bfd8 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 23 Sep 2025 20:46:17 +0000 Subject: [PATCH 25/50] Bump postcss in the npm_and_yarn group across 1 directory Bumps the npm_and_yarn group with 1 update in the / directory: [postcss](https://github.com/postcss/postcss). Updates `postcss` from 8.4.47 to 8.4.48 - [Release notes](https://github.com/postcss/postcss/releases) - [Changelog](https://github.com/postcss/postcss/blob/main/CHANGELOG.md) - [Commits](https://github.com/postcss/postcss/compare/8.4.47...8.4.48) --- updated-dependencies: - dependency-name: postcss dependency-version: 8.4.48 dependency-type: direct:development dependency-group: npm_and_yarn ... Signed-off-by: dependabot[bot] --- package-lock.json | 16 ++++++++-------- package.json | 2 +- 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/package-lock.json b/package-lock.json index 27b384d59b6a..0c50b3e3d652 100644 --- a/package-lock.json +++ b/package-lock.json @@ -140,7 +140,7 @@ "os-browserify": "^0.3.0", "p-all": "^1.0.0", "path-browserify": "^1.0.1", - "postcss": "^8.4.47", + "postcss": "^8.4.48", "postcss-nesting": "^12.0.2", "pump": "^1.0.1", "rcedit": "^1.1.0", @@ -12348,9 +12348,9 @@ "integrity": "sha1-elfrVQpng/kRUzH89GY9XI4AelA= sha512-F3asv42UuXchdzt+xXqfW1OGlVBe+mxa2mqI0pg5yAHZPvFmY3Y6drSf/GQ1A86WgWEN9Kzh/WrgKa6iGcHXLg==" }, "node_modules/picocolors": { - "version": "1.1.0", - "resolved": "https://registry.npmjs.org/picocolors/-/picocolors-1.1.0.tgz", - "integrity": "sha512-TQ92mBOW0l3LeMeyLV6mzy/kWr8lkd/hp3mTg7wYK7zJhuBStmGMBG0BdeDZS/dZx1IukaX6Bk11zcln25o1Aw==", + "version": "1.1.1", + "resolved": "https://registry.npmjs.org/picocolors/-/picocolors-1.1.1.tgz", + "integrity": "sha512-xceH2snhtb5M9liqDsmEw56le376mTZkEX/jEb/RxNFyegNul7eNslCXP9FDj/Lcu0X8KEyMceP2ntpaHrDEVA==", "dev": true, "license": "ISC" }, @@ -12545,9 +12545,9 @@ } }, "node_modules/postcss": { - "version": "8.4.47", - "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.4.47.tgz", - "integrity": "sha512-56rxCq7G/XfB4EkXq9Egn5GCqugWvDFjafDOThIdMBsI15iqPqR5r15TfSr1YPYeEI19YeaXMCbY6u88Y76GLQ==", + "version": "8.4.48", + "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.4.48.tgz", + "integrity": "sha512-GCRK8F6+Dl7xYniR5a4FYbpBzU8XnZVeowqsQFYdcXuSbChgiks7qybSkbvnaeqv0G0B+dd9/jJgH8kkLDQeEA==", "dev": true, "funding": [ { @@ -12566,7 +12566,7 @@ "license": "MIT", "dependencies": { "nanoid": "^3.3.7", - "picocolors": "^1.1.0", + "picocolors": "^1.1.1", "source-map-js": "^1.2.1" }, "engines": { diff --git a/package.json b/package.json index 1761adc81015..2418d62ac339 100644 --- a/package.json +++ b/package.json @@ -199,7 +199,7 @@ "os-browserify": "^0.3.0", "p-all": "^1.0.0", "path-browserify": "^1.0.1", - "postcss": "^8.4.47", + "postcss": "^8.4.48", "postcss-nesting": "^12.0.2", "pump": "^1.0.1", "rcedit": "^1.1.0", From 7dd199ab01c1172fa3e00d4dcfb5029f07b369f2 Mon Sep 17 00:00:00 2001 From: Christopher Birnie-Browne <153604499+Git-Hub-Chris@users.noreply.github.com> Date: Tue, 23 Sep 2025 14:46:42 -0600 Subject: [PATCH 26/50] Potential fix for code scanning alert no. 92: DOM text reinterpreted as HTML Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> Signed-off-by: Christopher Birnie-Browne <153604499+Git-Hub-Chris@users.noreply.github.com> --- extensions/simple-browser/preview-src/index.ts | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/extensions/simple-browser/preview-src/index.ts b/extensions/simple-browser/preview-src/index.ts index 0e16b0b24695..106146f86579 100644 --- a/extensions/simple-browser/preview-src/index.ts +++ b/extensions/simple-browser/preview-src/index.ts @@ -99,11 +99,7 @@ onceDocumentLoaded(() => { safeUrl = url.toString(); } } catch { - // Fallback if URL parsing fails - // Try to match http/https only - if (/^(https?:\/\/)/i.test(rawUrl)) { - safeUrl = rawUrl; - } + // On parse error, do not attempt to match with regex; keep safeUrl as null. } if (safeUrl) { iframe.src = safeUrl; From e60a883e9b356530ec2c13f87227b960b1605af9 Mon Sep 17 00:00:00 2001 From: Christopher Birnie-Browne <153604499+Git-Hub-Chris@users.noreply.github.com> Date: Tue, 23 Sep 2025 15:03:59 -0600 Subject: [PATCH 27/50] Potential fix for code scanning alert no. 39: Prototype-polluting function Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> Signed-off-by: Christopher Birnie-Browne <153604499+Git-Hub-Chris@users.noreply.github.com> --- src/vs/base/common/objects.ts | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/src/vs/base/common/objects.ts b/src/vs/base/common/objects.ts index 94c2fb717d2b..20b08dbe69fb 100644 --- a/src/vs/base/common/objects.ts +++ b/src/vs/base/common/objects.ts @@ -93,6 +93,10 @@ export function mixin(destination: any, source: any, overwrite: boolean = true): if (isObject(source)) { Object.keys(source).forEach(key => { + if (key === '__proto__' || key === 'constructor') { + // Prevent prototype pollution + return; + } if (key in destination) { if (overwrite) { if (isObject(destination[key]) && isObject(source[key])) { From eaccbc5faff69c5ca5ecb0ee942208435c39e769 Mon Sep 17 00:00:00 2001 From: Christopher Birnie-Browne <153604499+Git-Hub-Chris@users.noreply.github.com> Date: Tue, 23 Sep 2025 15:06:07 -0600 Subject: [PATCH 28/50] Potential fix for code scanning alert no. 46: DOM text reinterpreted as HTML Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> Signed-off-by: Christopher Birnie-Browne <153604499+Git-Hub-Chris@users.noreply.github.com> --- extensions/media-preview/media/videoPreview.js | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/extensions/media-preview/media/videoPreview.js b/extensions/media-preview/media/videoPreview.js index eeed26972a31..8ff6ddcb8d52 100644 --- a/extensions/media-preview/media/videoPreview.js +++ b/extensions/media-preview/media/videoPreview.js @@ -5,6 +5,18 @@ // @ts-check "use strict"; +// Returns true if src is a safe URL for video.src +function isSafeVideoSrc(src) { + try { + const allowedProtocols = ['http:', 'https:', 'blob:', 'filesystem:', '']; + // If relative URL, use document.baseURI as base + const url = new URL(src, document.baseURI); + return allowedProtocols.includes(url.protocol); + } catch { + return false; + } +} + (function () { // @ts-ignore const vscode = acquireVsCodeApi(); @@ -28,7 +40,7 @@ // Elements const video = document.createElement('video'); - if (settings.src !== null) { + if (settings.src !== null && isSafeVideoSrc(settings.src)) { video.src = settings.src; } video.playsInline = true; From 0037645dac4ce5002a914ce0d7054c2da1b4edaa Mon Sep 17 00:00:00 2001 From: Christopher Birnie-Browne <153604499+Git-Hub-Chris@users.noreply.github.com> Date: Tue, 23 Sep 2025 15:58:41 -0600 Subject: [PATCH 29/50] Potential fix for code scanning alert no. 85: Workflow does not contain permissions Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> Signed-off-by: Christopher Birnie-Browne <153604499+Git-Hub-Chris@users.noreply.github.com> --- .github/workflows/ci.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 6a860f588616..d87bd3621d06 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -1,4 +1,6 @@ name: CI +permissions: + contents: read on: workflow_dispatch From a9e156b9f8960d9e1ec0f8d3785d5bd63ecb6d43 Mon Sep 17 00:00:00 2001 From: Christopher Birnie-Browne <153604499+Git-Hub-Chris@users.noreply.github.com> Date: Tue, 23 Sep 2025 16:05:20 -0600 Subject: [PATCH 30/50] Potential fix for code scanning alert no. 40: Prototype-polluting function Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> Signed-off-by: Christopher Birnie-Browne <153604499+Git-Hub-Chris@users.noreply.github.com> --- src/vs/editor/common/config/editorOptions.ts | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/vs/editor/common/config/editorOptions.ts b/src/vs/editor/common/config/editorOptions.ts index 6388b3c386c8..d77ebf0f3bf4 100644 --- a/src/vs/editor/common/config/editorOptions.ts +++ b/src/vs/editor/common/config/editorOptions.ts @@ -1082,6 +1082,9 @@ function applyUpdate(value: T | undefined, update: T): ApplyUpdateResult { let didChange = false; for (const key in update) { if ((update as T & object).hasOwnProperty(key)) { + if (key === '__proto__' || key === 'constructor' || key === 'prototype') { + continue; + } const result = applyUpdate(value[key], update[key]); if (result.didChange) { value[key] = result.newValue; From c9d683e4fe42d4f51f20d269a71b2611def84ca4 Mon Sep 17 00:00:00 2001 From: Christopher Birnie-Browne <153604499+Git-Hub-Chris@users.noreply.github.com> Date: Tue, 23 Sep 2025 16:08:02 -0600 Subject: [PATCH 31/50] Potential fix for code scanning alert no. 37: Shell command built from environment values Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> Signed-off-by: Christopher Birnie-Browne <153604499+Git-Hub-Chris@users.noreply.github.com> --- build/azure-pipelines/publish-types/update-types.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/build/azure-pipelines/publish-types/update-types.ts b/build/azure-pipelines/publish-types/update-types.ts index 0f99b07cf9a3..3bb02b7adabd 100644 --- a/build/azure-pipelines/publish-types/update-types.ts +++ b/build/azure-pipelines/publish-types/update-types.ts @@ -16,7 +16,7 @@ try { const dtsUri = `https://raw.githubusercontent.com/microsoft/vscode/${tag}/src/vscode-dts/vscode.d.ts`; const outPath = path.resolve(process.cwd(), 'DefinitelyTyped/types/vscode/index.d.ts'); - cp.execSync(`curl ${dtsUri} --output ${outPath}`); + cp.execFileSync('curl', [dtsUri, '--output', outPath]); updateDTSFile(outPath, tag); From 97a1df3a287b3292df434ebe84cf5ff9abc352d0 Mon Sep 17 00:00:00 2001 From: Christopher Birnie-Browne <153604499+Git-Hub-Chris@users.noreply.github.com> Date: Tue, 23 Sep 2025 19:13:49 -0600 Subject: [PATCH 32/50] Potential fix for code scanning alert no. 47: DOM text reinterpreted as HTML Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> Signed-off-by: Christopher Birnie-Browne <153604499+Git-Hub-Chris@users.noreply.github.com> --- .../media-preview/media/imagePreview.js | 39 ++++++++++++++++++- 1 file changed, 38 insertions(+), 1 deletion(-) diff --git a/extensions/media-preview/media/imagePreview.js b/extensions/media-preview/media/imagePreview.js index ab8ad542a2d9..e400a0cd2bcf 100644 --- a/extensions/media-preview/media/imagePreview.js +++ b/extensions/media-preview/media/imagePreview.js @@ -311,7 +311,44 @@ document.body.classList.remove('loading'); }); - image.src = settings.src; + /** + * Validate and ensure only safe image sources can be used. + * @param {string} src + * @return {boolean} + */ + function isSafeImageSrc(src) { + try { + if (typeof src !== 'string' || src.length > 2048) { + return false; + } + // Allow http, https, file, and data URIs for images only + const allowedSchemes = ['http:', 'https:', 'file:']; + const urlMatch = src.match(/^([a-zA-Z0-9+.-]+):/); + if (!urlMatch) { + return false; + } + const scheme = urlMatch[1].toLowerCase() + ':'; + if (allowedSchemes.includes(scheme)) { + return true; + } + if (scheme === 'data:') { + // Allow only image media types in data URLs + return /^data:image\/(png|jpe?g|gif|bmp|webp|svg\+xml);base64,/.test(src); + } + return false; + } catch { + return false; + } + } + + if (isSafeImageSrc(settings.src)) { + image.src = settings.src; + } else { + console.error('Unsafe image src detected:', settings.src); + image.src = ''; + document.body.classList.add('error'); + document.body.classList.remove('loading'); + } document.querySelector('.open-file-link')?.addEventListener('click', (e) => { e.preventDefault(); From a97406bac907ea5ab9e5c4282d017ad96da89279 Mon Sep 17 00:00:00 2001 From: Christopher Birnie-Browne <153604499+Git-Hub-Chris@users.noreply.github.com> Date: Tue, 23 Sep 2025 19:16:14 -0600 Subject: [PATCH 33/50] Potential fix for code scanning alert no. 71: Prototype-polluting function Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> Signed-off-by: Christopher Birnie-Browne <153604499+Git-Hub-Chris@users.noreply.github.com> --- .../common/observableInternal/logging/debugger/utils.ts | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/src/vs/base/common/observableInternal/logging/debugger/utils.ts b/src/vs/base/common/observableInternal/logging/debugger/utils.ts index 2648b82cffdd..be076beded13 100644 --- a/src/vs/base/common/observableInternal/logging/debugger/utils.ts +++ b/src/vs/base/common/observableInternal/logging/debugger/utils.ts @@ -96,6 +96,9 @@ export class Throttler implements IDisposable { export function deepAssign(target: T, source: T): void { for (const key in source) { + if (key === '__proto__' || key === 'constructor' || key === 'prototype') { + continue; + } if (!!target[key] && typeof target[key] === 'object' && !!source[key] && typeof source[key] === 'object') { deepAssign(target[key], source[key]); } else { @@ -106,6 +109,9 @@ export function deepAssign(target: T, source: T): void { export function deepAssignDeleteNulls(target: T, source: T): void { for (const key in source) { + if (key === '__proto__' || key === 'constructor' || key === 'prototype') { + continue; + } if (source[key] === null) { delete target[key]; } else if (!!target[key] && typeof target[key] === 'object' && !!source[key] && typeof source[key] === 'object') { From da75f831f499b685abfe3f29b9f079d019cc2bb1 Mon Sep 17 00:00:00 2001 From: Christopher Birnie-Browne <153604499+Git-Hub-Chris@users.noreply.github.com> Date: Tue, 23 Sep 2025 19:17:02 -0600 Subject: [PATCH 34/50] Potential fix for code scanning alert no. 72: Prototype-polluting function Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> Signed-off-by: Christopher Birnie-Browne <153604499+Git-Hub-Chris@users.noreply.github.com> --- .../base/common/observableInternal/logging/debugger/utils.ts | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/vs/base/common/observableInternal/logging/debugger/utils.ts b/src/vs/base/common/observableInternal/logging/debugger/utils.ts index 2648b82cffdd..891be7ea9e72 100644 --- a/src/vs/base/common/observableInternal/logging/debugger/utils.ts +++ b/src/vs/base/common/observableInternal/logging/debugger/utils.ts @@ -106,6 +106,9 @@ export function deepAssign(target: T, source: T): void { export function deepAssignDeleteNulls(target: T, source: T): void { for (const key in source) { + if (key === '__proto__' || key === 'constructor') { + continue; + } if (source[key] === null) { delete target[key]; } else if (!!target[key] && typeof target[key] === 'object' && !!source[key] && typeof source[key] === 'object') { From 4341e3b6dde742586c24c452bdda18aa8b2941ad Mon Sep 17 00:00:00 2001 From: Christopher Birnie-Browne <153604499+Git-Hub-Chris@users.noreply.github.com> Date: Tue, 23 Sep 2025 19:17:50 -0600 Subject: [PATCH 35/50] Potential fix for code scanning alert no. 82: Workflow does not contain permissions Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> Signed-off-by: Christopher Birnie-Browne <153604499+Git-Hub-Chris@users.noreply.github.com> --- .github/workflows/telemetry.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/telemetry.yml b/.github/workflows/telemetry.yml index 8b28897b16fe..8863d52e8194 100644 --- a/.github/workflows/telemetry.yml +++ b/.github/workflows/telemetry.yml @@ -4,6 +4,8 @@ on: jobs: check-metdata: name: 'Check metadata' + permissions: + contents: read runs-on: 'ubuntu-latest' steps: From 2cac66f6cfd1011bced26dedb80a3ab76dc0a6ac Mon Sep 17 00:00:00 2001 From: Christopher Birnie-Browne <153604499+Git-Hub-Chris@users.noreply.github.com> Date: Tue, 23 Sep 2025 21:17:21 -0600 Subject: [PATCH 36/50] Potential fix for code scanning alert no. 2: Bad HTML filtering regexp Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> Signed-off-by: Christopher Birnie-Browne <153604499+Git-Hub-Chris@users.noreply.github.com> --- src/vs/base/common/marked/marked.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/vs/base/common/marked/marked.js b/src/vs/base/common/marked/marked.js index 9b3c3630e8f0..3f45884d5d25 100644 --- a/src/vs/base/common/marked/marked.js +++ b/src/vs/base/common/marked/marked.js @@ -1045,7 +1045,7 @@ const blockNormal = { */ const gfmTable = edit('^ *([^\\n ].*)\\n' // Header + ' {0,3}((?:\\| *)?:?-+:? *(?:\\| *:?-+:? *)*(?:\\| *)?)' // Align - + '(?:\\n((?:(?! *\\n|hr|heading|blockquote|code|fences|list|html).*(?:\\n|$))*)\\n*|$)') // Cells + + '(?:\\n((?:(?! *\\n|hr|heading|blockquote|code|fences|list|html).*(?:\\n|$))*)\\n*|$)', 'i') // Cells: add case-insensitive flag .replace('hr', hr) .replace('heading', ' {0,3}#{1,6}(?:\\s|$)') .replace('blockquote', ' {0,3}>') @@ -1058,7 +1058,7 @@ const gfmTable = edit('^ *([^\\n ].*)\\n' // Header const blockGfm = { ...blockNormal, table: gfmTable, - paragraph: edit(_paragraph) + paragraph: edit(_paragraph, 'i') // add case-insensitive flag .replace('hr', hr) .replace('heading', ' {0,3}#{1,6}(?:\\s|$)') .replace('|lheading', '') // setext headings don't interrupt commonmark paragraphs From 95a3f735f81320b9fc411aba9adaa14997021b57 Mon Sep 17 00:00:00 2001 From: Christopher Birnie-Browne <153604499+Git-Hub-Chris@users.noreply.github.com> Date: Tue, 23 Sep 2025 23:19:34 -0600 Subject: [PATCH 37/50] Potential fix for code scanning alert no. 93: DOM text reinterpreted as HTML Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> Signed-off-by: Christopher Birnie-Browne <153604499+Git-Hub-Chris@users.noreply.github.com> --- extensions/media-preview/media/imagePreview.js | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/extensions/media-preview/media/imagePreview.js b/extensions/media-preview/media/imagePreview.js index e400a0cd2bcf..282e2a82cb94 100644 --- a/extensions/media-preview/media/imagePreview.js +++ b/extensions/media-preview/media/imagePreview.js @@ -333,7 +333,8 @@ } if (scheme === 'data:') { // Allow only image media types in data URLs - return /^data:image\/(png|jpe?g|gif|bmp|webp|svg\+xml);base64,/.test(src); + // Disallow SVG images for data URIs to mitigate XSS + return /^data:image\/(png|jpe?g|gif|bmp|webp);base64,/.test(src); } return false; } catch { From dd94758a48e80e568176e8cd0ccd073d34272514 Mon Sep 17 00:00:00 2001 From: Christopher Birnie-Browne <153604499+Git-Hub-Chris@users.noreply.github.com> Date: Tue, 23 Sep 2025 23:28:06 -0600 Subject: [PATCH 38/50] Potential fix for code scanning alert no. 5: Bad HTML filtering regexp Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> Signed-off-by: Christopher Birnie-Browne <153604499+Git-Hub-Chris@users.noreply.github.com> --- src/vs/editor/test/common/modes/supports/indentationRules.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/vs/editor/test/common/modes/supports/indentationRules.ts b/src/vs/editor/test/common/modes/supports/indentationRules.ts index 0967de48bff7..996d990d6696 100644 --- a/src/vs/editor/test/common/modes/supports/indentationRules.ts +++ b/src/vs/editor/test/common/modes/supports/indentationRules.ts @@ -27,7 +27,7 @@ export const goIndentationRules = { }; export const htmlIndentationRules = { - decreaseIndentPattern: /^\s*(<\/(?!html)[-_\.A-Za-z0-9]+\b[^>]*>|-->|\})/, + decreaseIndentPattern: /^\s*(<\/(?!html)[-_\.A-Za-z0-9]+\b[^>]*>|--!?>|\})/, increaseIndentPattern: /<(?!\?|(?:area|base|br|col|frame|hr|html|img|input|keygen|link|menuitem|meta|param|source|track|wbr)\b|[^>]*\/>)([-_\.A-Za-z0-9]+)(?=\s|>)\b[^>]*>(?!.*<\/\1>)|)|\{[^}"']*$/, }; From 51b8d78304bc71c2b6995874a7231ca9aedb21ff Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 24 Sep 2025 20:15:19 +0000 Subject: [PATCH 39/50] Bump postcss in the npm_and_yarn group across 1 directory Bumps the npm_and_yarn group with 1 update in the / directory: [postcss](https://github.com/postcss/postcss). Updates `postcss` from 8.4.48 to 8.4.49 - [Release notes](https://github.com/postcss/postcss/releases) - [Changelog](https://github.com/postcss/postcss/blob/main/CHANGELOG.md) - [Commits](https://github.com/postcss/postcss/compare/8.4.48...8.4.49) --- updated-dependencies: - dependency-name: postcss dependency-version: 8.4.49 dependency-type: direct:development dependency-group: npm_and_yarn ... Signed-off-by: dependabot[bot] --- package-lock.json | 20 ++++++++++---------- package.json | 2 +- 2 files changed, 11 insertions(+), 11 deletions(-) diff --git a/package-lock.json b/package-lock.json index 0c50b3e3d652..f06f4f2878c1 100644 --- a/package-lock.json +++ b/package-lock.json @@ -140,7 +140,7 @@ "os-browserify": "^0.3.0", "p-all": "^1.0.0", "path-browserify": "^1.0.1", - "postcss": "^8.4.48", + "postcss": "^8.4.49", "postcss-nesting": "^12.0.2", "pump": "^1.0.1", "rcedit": "^1.1.0", @@ -12545,9 +12545,9 @@ } }, "node_modules/postcss": { - "version": "8.4.48", - "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.4.48.tgz", - "integrity": "sha512-GCRK8F6+Dl7xYniR5a4FYbpBzU8XnZVeowqsQFYdcXuSbChgiks7qybSkbvnaeqv0G0B+dd9/jJgH8kkLDQeEA==", + "version": "8.4.49", + "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.4.49.tgz", + "integrity": "sha512-OCVPnIObs4N29kxTjzLfUryOkvZEq+pf8jTF0lg8E7uETuWHA+v7j3c/xJmiqpX450191LlmZfUKkXxkTry7nA==", "dev": true, "funding": [ { @@ -13245,9 +13245,9 @@ } }, "node_modules/prebuild-install/node_modules/tar-fs": { - "version": "2.1.3", - "resolved": "https://registry.npmjs.org/tar-fs/-/tar-fs-2.1.3.tgz", - "integrity": "sha512-090nwYJDmlhwFwEW3QQl+vaNnxsO2yVsd45eTKRBzSzu+hlb1w2K9inVq5b0ngXuLVqQ4ApvsUHHnu/zQNkWAg==", + "version": "2.1.4", + "resolved": "https://registry.npmjs.org/tar-fs/-/tar-fs-2.1.4.tgz", + "integrity": "sha512-mDAjwmZdh7LTT6pNleZ05Yt65HC3E+NiQzl672vQG38jIrehtJk/J3mNwIg+vShQPcLF/LV7CMnDW6vjj6sfYQ==", "license": "MIT", "dependencies": { "chownr": "^1.1.1", @@ -14995,9 +14995,9 @@ } }, "node_modules/tar-fs": { - "version": "3.1.0", - "resolved": "https://registry.npmjs.org/tar-fs/-/tar-fs-3.1.0.tgz", - "integrity": "sha512-5Mty5y/sOF1YWj1J6GiBodjlDc05CUR8PKXrsnFAiSG0xA+GHeWLovaZPYUDXkH/1iKRf2+M5+OrRgzC7O9b7w==", + "version": "3.1.1", + "resolved": "https://registry.npmjs.org/tar-fs/-/tar-fs-3.1.1.tgz", + "integrity": "sha512-LZA0oaPOc2fVo82Txf3gw+AkEd38szODlptMYejQUhndHMLQ9M059uXR+AfS7DNo0NpINvSqDsvyaCrBVkptWg==", "dev": true, "license": "MIT", "dependencies": { diff --git a/package.json b/package.json index 2418d62ac339..70de746baf8d 100644 --- a/package.json +++ b/package.json @@ -199,7 +199,7 @@ "os-browserify": "^0.3.0", "p-all": "^1.0.0", "path-browserify": "^1.0.1", - "postcss": "^8.4.48", + "postcss": "^8.4.49", "postcss-nesting": "^12.0.2", "pump": "^1.0.1", "rcedit": "^1.1.0", From 021c828699e1d88410cb0666609432f3e5ce8734 Mon Sep 17 00:00:00 2001 From: Christopher Birnie-Browne <153604499+Git-Hub-Chris@users.noreply.github.com> Date: Wed, 24 Sep 2025 17:02:57 -0600 Subject: [PATCH 40/50] Potential fix for code scanning alert no. 4: Bad HTML filtering regexp Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> Signed-off-by: Christopher Birnie-Browne <153604499+Git-Hub-Chris@users.noreply.github.com> --- src/vs/base/common/marked/marked.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/vs/base/common/marked/marked.js b/src/vs/base/common/marked/marked.js index 3f45884d5d25..d3f5308839b1 100644 --- a/src/vs/base/common/marked/marked.js +++ b/src/vs/base/common/marked/marked.js @@ -1143,7 +1143,7 @@ const autolink = edit(/^<(scheme:[^\s\x00-\x1f<>]*|email)>/) .replace('scheme', /[a-zA-Z][a-zA-Z0-9+.-]{1,31}/) .replace('email', /[a-zA-Z0-9.!#$%&'*+/=?^_`{|}~-]+(@)[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?(?:\.[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?)+(?![-_])/) .getRegex(); -const _inlineComment = edit(_comment).replace('(?:-->|$)', '-->').getRegex(); +const _inlineComment = edit(_comment).replace('(?:-->|$)', '(?:-->|--!>|$)').getRegex(); const tag = edit('^comment' + '|^' // self-closing tag + '|^<[a-zA-Z][\\w-]*(?:attribute)*?\\s*/?>' // open tag From e9e53730f3ef9df7694263c9800d511297083854 Mon Sep 17 00:00:00 2001 From: Christopher Birnie-Browne <153604499+Git-Hub-Chris@users.noreply.github.com> Date: Wed, 24 Sep 2025 17:45:58 -0600 Subject: [PATCH 41/50] Potential fix for code scanning alert no. 6: Incomplete string escaping or encoding Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> Signed-off-by: Christopher Birnie-Browne <153604499+Git-Hub-Chris@users.noreply.github.com> --- .../src/languageFeatures/copyFiles/shared.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/extensions/markdown-language-features/src/languageFeatures/copyFiles/shared.ts b/extensions/markdown-language-features/src/languageFeatures/copyFiles/shared.ts index 273fa56a6bb5..17f7ad1b8050 100644 --- a/extensions/markdown-language-features/src/languageFeatures/copyFiles/shared.ts +++ b/extensions/markdown-language-features/src/languageFeatures/copyFiles/shared.ts @@ -302,7 +302,7 @@ function escapeMarkdownLinkPath(mdPath: string): string { } function escapeBrackets(value: string): string { - value = value.replace(/[\[\]]/g, '\\$&'); // CodeQL [SM02383] The Markdown is fully sanitized after being rendered. + value = value.replace(/\\/g, '\\\\').replace(/[\[\]]/g, '\\$&'); // CodeQL [SM02383] The Markdown is fully sanitized after being rendered. return value; } From a944d8d032834bb792659ba71aec2a8ecfc069f9 Mon Sep 17 00:00:00 2001 From: Christopher Birnie-Browne <153604499+Git-Hub-Chris@users.noreply.github.com> Date: Thu, 25 Sep 2025 20:27:24 -0600 Subject: [PATCH 42/50] Potential fix for code scanning alert no. 11: Incomplete string escaping or encoding Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> Signed-off-by: Christopher Birnie-Browne <153604499+Git-Hub-Chris@users.noreply.github.com> --- .../editor/contrib/smartSelect/test/browser/smartSelect.test.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/vs/editor/contrib/smartSelect/test/browser/smartSelect.test.ts b/src/vs/editor/contrib/smartSelect/test/browser/smartSelect.test.ts index 3e774fc932f4..ff60c2733b20 100644 --- a/src/vs/editor/contrib/smartSelect/test/browser/smartSelect.test.ts +++ b/src/vs/editor/contrib/smartSelect/test/browser/smartSelect.test.ts @@ -214,7 +214,7 @@ suite('SmartSelect', () => { async function assertRanges(provider: SelectionRangeProvider, value: string, ...expected: IRange[]): Promise { const index = value.indexOf('|'); - value = value.replace('|', ''); // CodeQL [SM02383] js/incomplete-sanitization this is purpose only the first | character + value = value.replace(/\|/g, ''); // Remove all '|' characters, not just the first const model = modelService.createModel(value, new StaticLanguageSelector(languageId), URI.parse('fake:lang')); const pos = model.getPositionAt(index); From 43e7a73839fd8f771bb02cd00ec58e54c65557e3 Mon Sep 17 00:00:00 2001 From: Christopher Birnie-Browne <153604499+Git-Hub-Chris@users.noreply.github.com> Date: Thu, 25 Sep 2025 20:28:03 -0600 Subject: [PATCH 43/50] Potential fix for code scanning alert no. 14: Incomplete string escaping or encoding Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> Signed-off-by: Christopher Birnie-Browne <153604499+Git-Hub-Chris@users.noreply.github.com> --- src/vs/workbench/contrib/files/browser/fileActions.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/vs/workbench/contrib/files/browser/fileActions.ts b/src/vs/workbench/contrib/files/browser/fileActions.ts index 50f786ea2f7e..bc7f9549458a 100644 --- a/src/vs/workbench/contrib/files/browser/fileActions.ts +++ b/src/vs/workbench/contrib/files/browser/fileActions.ts @@ -756,7 +756,7 @@ export function validateFileName(pathService: IPathService, item: ExplorerItem, // Check for invalid file name. if (names.some(folderName => !pathService.hasValidBasename(item.resource, os, folderName))) { // Escape * characters - const escapedName = name.replace(/\*/g, '\\*'); // CodeQL [SM02383] This only processes filenames which are enforced against having backslashes in them farther up in the stack. + const escapedName = name.replace(/\\/g, '\\\\').replace(/\*/g, '\\*'); // Escapes backslashes first, then asterisks. return { content: nls.localize('invalidFileNameError', "The name **{0}** is not valid as a file or folder name. Please choose a different name.", trimLongName(escapedName)), severity: Severity.Error From 39704b12a0322ccfea8f60cd74ee60d601076e21 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 26 Sep 2025 02:28:11 +0000 Subject: [PATCH 44/50] Bump postcss in the npm_and_yarn group across 1 directory Bumps the npm_and_yarn group with 1 update in the / directory: [postcss](https://github.com/postcss/postcss). Updates `postcss` from 8.4.49 to 8.5.0 - [Release notes](https://github.com/postcss/postcss/releases) - [Changelog](https://github.com/postcss/postcss/blob/main/CHANGELOG.md) - [Commits](https://github.com/postcss/postcss/compare/8.4.49...8.5.0) --- updated-dependencies: - dependency-name: postcss dependency-version: 8.5.0 dependency-type: direct:development dependency-group: npm_and_yarn ... Signed-off-by: dependabot[bot] --- package-lock.json | 10 +++++----- package.json | 2 +- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/package-lock.json b/package-lock.json index f06f4f2878c1..ea793cb9daa9 100644 --- a/package-lock.json +++ b/package-lock.json @@ -140,7 +140,7 @@ "os-browserify": "^0.3.0", "p-all": "^1.0.0", "path-browserify": "^1.0.1", - "postcss": "^8.4.49", + "postcss": "^8.5.0", "postcss-nesting": "^12.0.2", "pump": "^1.0.1", "rcedit": "^1.1.0", @@ -12545,9 +12545,9 @@ } }, "node_modules/postcss": { - "version": "8.4.49", - "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.4.49.tgz", - "integrity": "sha512-OCVPnIObs4N29kxTjzLfUryOkvZEq+pf8jTF0lg8E7uETuWHA+v7j3c/xJmiqpX450191LlmZfUKkXxkTry7nA==", + "version": "8.5.0", + "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.5.0.tgz", + "integrity": "sha512-27VKOqrYfPncKA2NrFOVhP5MGAfHKLYn/Q0mz9cNQyRAKYi3VNHwYU2qKKqPCqgBmeeJ0uAFB56NumXZ5ZReXg==", "dev": true, "funding": [ { @@ -12565,7 +12565,7 @@ ], "license": "MIT", "dependencies": { - "nanoid": "^3.3.7", + "nanoid": "^3.3.8", "picocolors": "^1.1.1", "source-map-js": "^1.2.1" }, diff --git a/package.json b/package.json index 70de746baf8d..b3a9aa57b816 100644 --- a/package.json +++ b/package.json @@ -199,7 +199,7 @@ "os-browserify": "^0.3.0", "p-all": "^1.0.0", "path-browserify": "^1.0.1", - "postcss": "^8.4.49", + "postcss": "^8.5.0", "postcss-nesting": "^12.0.2", "pump": "^1.0.1", "rcedit": "^1.1.0", From b6ebd8e722f6518fb0588c52ebb0c795eb6b5b1e Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 26 Sep 2025 18:25:40 +0000 Subject: [PATCH 45/50] Bump the npm_and_yarn group across 2 directories with 2 updates Bumps the npm_and_yarn group with 1 update in the / directory: [postcss](https://github.com/postcss/postcss). Bumps the npm_and_yarn group with 1 update in the /remote directory: [tar-fs](https://github.com/mafintosh/tar-fs). Updates `postcss` from 8.5.0 to 8.5.1 - [Release notes](https://github.com/postcss/postcss/releases) - [Changelog](https://github.com/postcss/postcss/blob/main/CHANGELOG.md) - [Commits](https://github.com/postcss/postcss/compare/8.5.0...8.5.1) Updates `tar-fs` from 2.1.3 to 2.1.4 - [Commits](https://github.com/mafintosh/tar-fs/compare/v2.1.3...v2.1.4) --- updated-dependencies: - dependency-name: postcss dependency-version: 8.5.1 dependency-type: direct:development dependency-group: npm_and_yarn - dependency-name: tar-fs dependency-version: 2.1.4 dependency-type: indirect dependency-group: npm_and_yarn ... Signed-off-by: dependabot[bot] --- build/package-lock.json | 6 +++--- package-lock.json | 8 ++++---- package.json | 2 +- remote/package-lock.json | 6 +++--- 4 files changed, 11 insertions(+), 11 deletions(-) diff --git a/build/package-lock.json b/build/package-lock.json index 940ab861a34d..93fdaa4335e7 100644 --- a/build/package-lock.json +++ b/build/package-lock.json @@ -4117,9 +4117,9 @@ } }, "node_modules/tar-fs": { - "version": "2.1.3", - "resolved": "https://registry.npmjs.org/tar-fs/-/tar-fs-2.1.3.tgz", - "integrity": "sha512-090nwYJDmlhwFwEW3QQl+vaNnxsO2yVsd45eTKRBzSzu+hlb1w2K9inVq5b0ngXuLVqQ4ApvsUHHnu/zQNkWAg==", + "version": "2.1.4", + "resolved": "https://registry.npmjs.org/tar-fs/-/tar-fs-2.1.4.tgz", + "integrity": "sha512-mDAjwmZdh7LTT6pNleZ05Yt65HC3E+NiQzl672vQG38jIrehtJk/J3mNwIg+vShQPcLF/LV7CMnDW6vjj6sfYQ==", "devOptional": true, "license": "MIT", "dependencies": { diff --git a/package-lock.json b/package-lock.json index ea793cb9daa9..e66e2c6d7b18 100644 --- a/package-lock.json +++ b/package-lock.json @@ -140,7 +140,7 @@ "os-browserify": "^0.3.0", "p-all": "^1.0.0", "path-browserify": "^1.0.1", - "postcss": "^8.5.0", + "postcss": "^8.5.1", "postcss-nesting": "^12.0.2", "pump": "^1.0.1", "rcedit": "^1.1.0", @@ -12545,9 +12545,9 @@ } }, "node_modules/postcss": { - "version": "8.5.0", - "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.5.0.tgz", - "integrity": "sha512-27VKOqrYfPncKA2NrFOVhP5MGAfHKLYn/Q0mz9cNQyRAKYi3VNHwYU2qKKqPCqgBmeeJ0uAFB56NumXZ5ZReXg==", + "version": "8.5.1", + "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.5.1.tgz", + "integrity": "sha512-6oz2beyjc5VMn/KV1pPw8fliQkhBXrVn1Z3TVyqZxU8kZpzEKhBdmCFqI6ZbmGtamQvQGuU1sgPTk8ZrXDD7jQ==", "dev": true, "funding": [ { diff --git a/package.json b/package.json index b3a9aa57b816..030bc2761de3 100644 --- a/package.json +++ b/package.json @@ -199,7 +199,7 @@ "os-browserify": "^0.3.0", "p-all": "^1.0.0", "path-browserify": "^1.0.1", - "postcss": "^8.5.0", + "postcss": "^8.5.1", "postcss-nesting": "^12.0.2", "pump": "^1.0.1", "rcedit": "^1.1.0", diff --git a/remote/package-lock.json b/remote/package-lock.json index 96ec8d454ce0..7996a5deea8b 100644 --- a/remote/package-lock.json +++ b/remote/package-lock.json @@ -1351,9 +1351,9 @@ } }, "node_modules/tar-fs": { - "version": "2.1.3", - "resolved": "https://registry.npmjs.org/tar-fs/-/tar-fs-2.1.3.tgz", - "integrity": "sha512-090nwYJDmlhwFwEW3QQl+vaNnxsO2yVsd45eTKRBzSzu+hlb1w2K9inVq5b0ngXuLVqQ4ApvsUHHnu/zQNkWAg==", + "version": "2.1.4", + "resolved": "https://registry.npmjs.org/tar-fs/-/tar-fs-2.1.4.tgz", + "integrity": "sha512-mDAjwmZdh7LTT6pNleZ05Yt65HC3E+NiQzl672vQG38jIrehtJk/J3mNwIg+vShQPcLF/LV7CMnDW6vjj6sfYQ==", "license": "MIT", "dependencies": { "chownr": "^1.1.1", From 17d7841e13a9aba64d4b363ebabd0e51e6d4f1d2 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 28 Sep 2025 05:21:44 +0000 Subject: [PATCH 46/50] Bump postcss in the npm_and_yarn group across 1 directory Bumps the npm_and_yarn group with 1 update in the / directory: [postcss](https://github.com/postcss/postcss). Updates `postcss` from 8.5.1 to 8.5.2 - [Release notes](https://github.com/postcss/postcss/releases) - [Changelog](https://github.com/postcss/postcss/blob/main/CHANGELOG.md) - [Commits](https://github.com/postcss/postcss/compare/8.5.1...8.5.2) --- updated-dependencies: - dependency-name: postcss dependency-version: 8.5.2 dependency-type: direct:development dependency-group: npm_and_yarn ... Signed-off-by: dependabot[bot] --- package-lock.json | 8 ++++---- package.json | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/package-lock.json b/package-lock.json index e66e2c6d7b18..389d11d1d3ff 100644 --- a/package-lock.json +++ b/package-lock.json @@ -140,7 +140,7 @@ "os-browserify": "^0.3.0", "p-all": "^1.0.0", "path-browserify": "^1.0.1", - "postcss": "^8.5.1", + "postcss": "^8.5.2", "postcss-nesting": "^12.0.2", "pump": "^1.0.1", "rcedit": "^1.1.0", @@ -12545,9 +12545,9 @@ } }, "node_modules/postcss": { - "version": "8.5.1", - "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.5.1.tgz", - "integrity": "sha512-6oz2beyjc5VMn/KV1pPw8fliQkhBXrVn1Z3TVyqZxU8kZpzEKhBdmCFqI6ZbmGtamQvQGuU1sgPTk8ZrXDD7jQ==", + "version": "8.5.2", + "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.5.2.tgz", + "integrity": "sha512-MjOadfU3Ys9KYoX0AdkBlFEF1Vx37uCCeN4ZHnmwm9FfpbsGWMZeBLMmmpY+6Ocqod7mkdZ0DT31OlbsFrLlkA==", "dev": true, "funding": [ { diff --git a/package.json b/package.json index 030bc2761de3..b5f974f942dc 100644 --- a/package.json +++ b/package.json @@ -199,7 +199,7 @@ "os-browserify": "^0.3.0", "p-all": "^1.0.0", "path-browserify": "^1.0.1", - "postcss": "^8.5.1", + "postcss": "^8.5.2", "postcss-nesting": "^12.0.2", "pump": "^1.0.1", "rcedit": "^1.1.0", From 5c7d623c5dffbede492d0387c060da67af50810f Mon Sep 17 00:00:00 2001 From: Christopher Birnie-Browne <153604499+Git-Hub-Chris@users.noreply.github.com> Date: Wed, 1 Oct 2025 02:12:39 -0600 Subject: [PATCH 47/50] Delete .github/workflows/monaco-editor.yml Signed-off-by: Christopher Birnie-Browne <153604499+Git-Hub-Chris@users.noreply.github.com> --- .github/workflows/monaco-editor.yml | 99 ----------------------------- 1 file changed, 99 deletions(-) delete mode 100644 .github/workflows/monaco-editor.yml diff --git a/.github/workflows/monaco-editor.yml b/.github/workflows/monaco-editor.yml deleted file mode 100644 index 83159b8c5f3b..000000000000 --- a/.github/workflows/monaco-editor.yml +++ /dev/null @@ -1,99 +0,0 @@ -name: Monaco Editor checks -permissions: - contents: read - -on: - push: - branches: - - main - - release/* - pull_request: - branches: - - main - - release/* - -jobs: - main: - name: Monaco Editor checks - runs-on: ubuntu-latest - timeout-minutes: 40 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - steps: - - uses: actions/checkout@v4 - - - uses: actions/setup-node@v5 - with: - node-version-file: .nvmrc - - - name: Compute node modules cache key - id: nodeModulesCacheKey - run: echo "value=$(node build/azure-pipelines/common/computeNodeModulesCacheKey.js)" >> $GITHUB_OUTPUT - - name: Cache node modules - id: cacheNodeModules - uses: actions/cache@v4 - with: - path: "**/node_modules" - key: ${{ runner.os }}-cacheNodeModules20-${{ steps.nodeModulesCacheKey.outputs.value }} - restore-keys: ${{ runner.os }}-cacheNodeModules20- - - name: Get npm cache directory path - id: npmCacheDirPath - if: ${{ steps.cacheNodeModules.outputs.cache-hit != 'true' }} - run: echo "dir=$(npm config get cache)" >> $GITHUB_OUTPUT - - name: Cache npm directory - if: ${{ steps.cacheNodeModules.outputs.cache-hit != 'true' }} - uses: actions/cache@v4 - with: - path: ${{ steps.npmCacheDirPath.outputs.dir }} - key: ${{ runner.os }}-npmCacheDir-${{ steps.nodeModulesCacheKey.outputs.value }} - restore-keys: ${{ runner.os }}-npmCacheDir- - - name: Install system dependencies - if: ${{ steps.cacheNodeModules.outputs.cache-hit != 'true' }} - run: | - sudo apt update - sudo apt install -y libxkbfile-dev pkg-config libkrb5-dev libxss1 - - name: Execute npm - if: ${{ steps.cacheNodeModules.outputs.cache-hit != 'true' }} - env: - PLAYWRIGHT_SKIP_BROWSER_DOWNLOAD: 1 - ELECTRON_SKIP_BINARY_DOWNLOAD: 1 - run: | - npm ci - - - name: Download Playwright - run: npm run playwright-install - - - name: Run Monaco Editor Checks - run: npm run monaco-compile-check - - - name: Editor Distro & ESM - run: npm run gulp editor-esm - - - name: Editor ESM sources check - working-directory: ./test/monaco - run: npm run esm-check - - - name: Typings validation prep - run: | - mkdir typings-test - - - name: Typings validation - working-directory: ./typings-test - run: | - npm init -yp - ../node_modules/.bin/tsc --init - echo "import '../out-monaco-editor-core';" > a.ts - ../node_modules/.bin/tsc --noEmit - - - name: Package Editor with Webpack - working-directory: ./test/monaco - run: npm run bundle-webpack - - - name: Compile Editor Tests - working-directory: ./test/monaco - run: npm run compile - - - name: Run Editor Tests - timeout-minutes: 5 - working-directory: ./test/monaco - run: npm run test From 0614da575e0749011dd936a6cd8c4f8f1977482a Mon Sep 17 00:00:00 2001 From: Christopher Birnie-Browne <153604499+Git-Hub-Chris@users.noreply.github.com> Date: Wed, 1 Oct 2025 02:13:03 -0600 Subject: [PATCH 48/50] Delete .github/workflows/basic.yml Signed-off-by: Christopher Birnie-Browne <153604499+Git-Hub-Chris@users.noreply.github.com> --- .github/workflows/basic.yml | 181 ------------------------------------ 1 file changed, 181 deletions(-) delete mode 100644 .github/workflows/basic.yml diff --git a/.github/workflows/basic.yml b/.github/workflows/basic.yml deleted file mode 100644 index 7b3ead417366..000000000000 --- a/.github/workflows/basic.yml +++ /dev/null @@ -1,181 +0,0 @@ -name: Basic checks -permissions: - contents: read - -on: workflow_dispatch - -# on: -# push: -# branches: -# - main -# pull_request: -# branches: -# - main - -jobs: - main: - if: github.ref != 'refs/heads/main' - name: Compilation, Unit and Integration Tests - runs-on: ubuntu-latest - timeout-minutes: 40 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - steps: - - uses: actions/checkout@v4 - - # TODO: rename azure-pipelines/linux/xvfb.init to github-actions - - name: Setup Build Environment - run: | - sudo cp build/azure-pipelines/linux/xvfb.init /etc/init.d/xvfb - sudo chmod +x /etc/init.d/xvfb - sudo update-rc.d xvfb defaults - sudo service xvfb start - - - uses: actions/setup-node@v5 - with: - node-version-file: .nvmrc - - - name: Compute node modules cache key - id: nodeModulesCacheKey - run: echo "value=$(node build/azure-pipelines/common/computeNodeModulesCacheKey.js)" >> $GITHUB_OUTPUT - - name: Cache node modules - id: cacheNodeModules - uses: actions/cache@v4 - with: - path: "**/node_modules" - key: ${{ runner.os }}-cacheNodeModulesLinux-${{ steps.nodeModulesCacheKey.outputs.value }} - - name: Get npm cache directory path - id: npmCacheDirPath - if: ${{ steps.cacheNodeModules.outputs.cache-hit != 'true' }} - run: echo "dir=$(npm config get cache)" >> $GITHUB_OUTPUT - - name: Cache npm directory - if: ${{ steps.cacheNodeModules.outputs.cache-hit != 'true' }} - uses: actions/cache@v4 - with: - path: ${{ steps.npmCacheDirPath.outputs.dir }} - key: ${{ runner.os }}-npmCacheDir-${{ steps.nodeModulesCacheKey.outputs.value }} - restore-keys: ${{ runner.os }}-npmCacheDir- - - name: Execute npm - if: ${{ steps.cacheNodeModules.outputs.cache-hit != 'true' }} - env: - PLAYWRIGHT_SKIP_BROWSER_DOWNLOAD: 1 - ELECTRON_SKIP_BINARY_DOWNLOAD: 1 - run: npm ci - - - name: Compile and Download - run: npm exec -- npm-run-all -lp compile "electron x64" - - - name: Run Unit Tests - id: electron-unit-tests - run: DISPLAY=:10 ./scripts/test.sh - - - name: Run Integration Tests (Electron) - id: electron-integration-tests - run: DISPLAY=:10 ./scripts/test-integration.sh - - hygiene: - if: github.ref != 'refs/heads/main' - name: Hygiene and Layering - runs-on: ubuntu-latest - timeout-minutes: 40 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - steps: - - uses: actions/checkout@v4 - - - uses: actions/setup-node@v5 - with: - node-version-file: .nvmrc - - - name: Compute node modules cache key - id: nodeModulesCacheKey - run: echo "value=$(node build/azure-pipelines/common/computeNodeModulesCacheKey.js)" >> $GITHUB_OUTPUT - - name: Cache node modules - id: cacheNodeModules - uses: actions/cache@v4 - with: - path: "**/node_modules" - key: ${{ runner.os }}-cacheNodeModulesLinux-${{ steps.nodeModulesCacheKey.outputs.value }} - - name: Get npm cache directory path - id: npmCacheDirPath - if: ${{ steps.cacheNodeModules.outputs.cache-hit != 'true' }} - run: echo "dir=$(npm config get cache)" >> $GITHUB_OUTPUT - - name: Cache npm directory - if: ${{ steps.cacheNodeModules.outputs.cache-hit != 'true' }} - uses: actions/cache@v4 - with: - path: ${{ steps.npmCacheDirPath.outputs.dir }} - key: ${{ runner.os }}-npmCacheDir-${{ steps.nodeModulesCacheKey.outputs.value }} - restore-keys: ${{ runner.os }}-npmCacheDir- - - name: Execute npm - if: ${{ steps.cacheNodeModules.outputs.cache-hit != 'true' }} - env: - PLAYWRIGHT_SKIP_BROWSER_DOWNLOAD: 1 - ELECTRON_SKIP_BINARY_DOWNLOAD: 1 - run: npm ci - - - name: Run Hygiene Checks - run: npm run gulp hygiene - - - name: Run Valid Layers Checks - run: npm run valid-layers-check - - - name: Run Property Init Order Checks - run: npm run property-init-order-check - - - name: Compile /build/ - run: npm run compile - working-directory: build - - - name: Check clean git state - run: ./.github/workflows/check-clean-git-state.sh - - - name: Run eslint - run: npm run eslint - - - name: Run vscode-dts Compile Checks - run: npm run vscode-dts-compile-check - - - name: Run Trusted Types Checks - run: npm run tsec-compile-check - - warm-cache: - name: Warm up node modules cache - if: github.ref == 'refs/heads/main' - runs-on: ubuntu-latest - timeout-minutes: 40 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - steps: - - uses: actions/checkout@v4 - - - uses: actions/setup-node@v5 - with: - node-version-file: .nvmrc - - - name: Compute node modules cache key - id: nodeModulesCacheKey - run: echo "value=$(node build/azure-pipelines/common/computeNodeModulesCacheKey.js)" >> $GITHUB_OUTPUT - - name: Cache node modules - id: cacheNodeModules - uses: actions/cache@v4 - with: - path: "**/node_modules" - key: ${{ runner.os }}-cacheNodeModulesLinux-${{ steps.nodeModulesCacheKey.outputs.value }} - - name: Get npm cache directory path - id: npmCacheDirPath - if: ${{ steps.cacheNodeModules.outputs.cache-hit != 'true' }} - run: echo "dir=$(npm config get cache)" >> $GITHUB_OUTPUT - - name: Cache npm directory - if: ${{ steps.cacheNodeModules.outputs.cache-hit != 'true' }} - uses: actions/cache@v4 - with: - path: ${{ steps.npmCacheDirPath.outputs.dir }} - key: ${{ runner.os }}-npmCacheDir-${{ steps.nodeModulesCacheKey.outputs.value }} - restore-keys: ${{ runner.os }}-npmCacheDir- - - name: Execute npm - if: ${{ steps.cacheNodeModules.outputs.cache-hit != 'true' }} - env: - PLAYWRIGHT_SKIP_BROWSER_DOWNLOAD: 1 - ELECTRON_SKIP_BINARY_DOWNLOAD: 1 - run: npm ci From a55b8b452d54beb00d4be542a46a958757c5c790 Mon Sep 17 00:00:00 2001 From: Christopher Birnie-Browne <153604499+Git-Hub-Chris@users.noreply.github.com> Date: Wed, 1 Oct 2025 02:13:19 -0600 Subject: [PATCH 49/50] Delete .github/workflows/ci.yml Signed-off-by: Christopher Birnie-Browne <153604499+Git-Hub-Chris@users.noreply.github.com> --- .github/workflows/ci.yml | 321 --------------------------------------- 1 file changed, 321 deletions(-) delete mode 100644 .github/workflows/ci.yml diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml deleted file mode 100644 index d87bd3621d06..000000000000 --- a/.github/workflows/ci.yml +++ /dev/null @@ -1,321 +0,0 @@ -name: CI -permissions: - contents: read - -on: workflow_dispatch - -# on: -# push: -# branches: -# - main -# - release/* -# pull_request: -# branches: -# - main -# - release/* - -jobs: - windows: - name: Windows - runs-on: windows-2022 - timeout-minutes: 60 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - steps: - - uses: actions/checkout@v4 - - - uses: actions/setup-node@v5 - with: - node-version-file: .nvmrc - - - uses: actions/setup-python@v6 - with: - python-version: "3.x" - - - name: Compute node modules cache key - id: nodeModulesCacheKey - run: echo "value=$(node build/azure-pipelines/common/computeNodeModulesCacheKey.js)" >> $GITHUB_OUTPUT - - name: Cache node_modules archive - id: cacheNodeModules - uses: actions/cache@v4 - with: - path: ".build/node_modules_cache" - key: "${{ runner.os }}-cacheNodeModulesArchive-${{ steps.nodeModulesCacheKey.outputs.value }}" - - name: Extract node_modules archive - if: ${{ steps.cacheNodeModules.outputs.cache-hit == 'true' }} - run: 7z.exe x .build/node_modules_cache/cache.7z -aos - - name: Get npm cache directory path - id: npmCacheDirPath - if: ${{ steps.cacheNodeModules.outputs.cache-hit != 'true' }} - run: echo "dir=$(npm config get cache)" >> $GITHUB_OUTPUT - - name: Cache npm directory - if: ${{ steps.cacheNodeModules.outputs.cache-hit != 'true' }} - uses: actions/cache@v4 - with: - path: ${{ steps.npmCacheDirPath.outputs.dir }} - key: ${{ runner.os }}-npmCacheDir-${{ steps.nodeModulesCacheKey.outputs.value }} - restore-keys: ${{ runner.os }}-npmCacheDir- - - name: Execute npm - if: ${{ steps.cacheNodeModules.outputs.cache-hit != 'true' }} - env: - npm_config_foreground_scripts: "true" - PLAYWRIGHT_SKIP_BROWSER_DOWNLOAD: 1 - ELECTRON_SKIP_BINARY_DOWNLOAD: 1 - run: npm ci - - name: Create node_modules archive - if: ${{ steps.cacheNodeModules.outputs.cache-hit != 'true' }} - run: | - mkdir -Force .build - node build/azure-pipelines/common/listNodeModules.js .build/node_modules_list.txt - mkdir -Force .build/node_modules_cache - 7z.exe a .build/node_modules_cache/cache.7z -mx3 `@.build/node_modules_list.txt - - - name: Compile and Download - run: npm exec -- npm-run-all -lp compile "electron x64" playwright-install download-builtin-extensions - - - name: Compile Integration Tests - run: npm run compile - working-directory: test/integration/browser - - - name: Run Unit Tests (Electron) - run: .\scripts\test.bat - - - name: Run Unit Tests (node.js) - run: npm run test-node - - - name: Run Unit Tests (Browser, Chromium) - run: npm run test-browser-no-install -- --browser chromium - - - name: Run Integration Tests (Electron) - run: .\scripts\test-integration.bat - - - name: Run Integration Tests (Browser, Firefox) - timeout-minutes: 20 - run: .\scripts\test-web-integration.bat --browser firefox - - - name: Run Integration Tests (Remote) - timeout-minutes: 20 - run: .\scripts\test-remote-integration.bat - - linux: - name: Linux - runs-on: ubuntu-latest - timeout-minutes: 40 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - steps: - - uses: actions/checkout@v4 - - # TODO: rename azure-pipelines/linux/xvfb.init to github-actions - - name: Setup Build Environment - run: | - sudo apt-get update - sudo apt-get install -y libxkbfile-dev pkg-config libkrb5-dev libxss1 dbus xvfb libgtk-3-0 libgbm1 - sudo cp build/azure-pipelines/linux/xvfb.init /etc/init.d/xvfb - sudo chmod +x /etc/init.d/xvfb - sudo update-rc.d xvfb defaults - sudo service xvfb start - - - uses: actions/setup-node@v5 - with: - node-version-file: .nvmrc - - - name: Compute node modules cache key - id: nodeModulesCacheKey - run: echo "value=$(node build/azure-pipelines/common/computeNodeModulesCacheKey.js)" >> $GITHUB_OUTPUT - - name: Cache node modules - id: cacheNodeModules - uses: actions/cache@v4 - with: - path: "**/node_modules" - key: ${{ runner.os }}-cacheNodeModulesLinux-${{ steps.nodeModulesCacheKey.outputs.value }} - - name: Get npm cache directory path - id: npmCacheDirPath - if: ${{ steps.cacheNodeModules.outputs.cache-hit != 'true' }} - run: echo "dir=$(npm config get cache)" >> $GITHUB_OUTPUT - - name: Cache npm directory - if: ${{ steps.cacheNodeModules.outputs.cache-hit != 'true' }} - uses: actions/cache@v4 - with: - path: ${{ steps.npmCacheDirPath.outputs.dir }} - key: ${{ runner.os }}-npmCacheDir-${{ steps.nodeModulesCacheKey.outputs.value }} - restore-keys: ${{ runner.os }}-npmCacheDir- - - name: Execute npm - if: ${{ steps.cacheNodeModules.outputs.cache-hit != 'true' }} - env: - PLAYWRIGHT_SKIP_BROWSER_DOWNLOAD: 1 - ELECTRON_SKIP_BINARY_DOWNLOAD: 1 - run: npm ci - - - name: Compile and Download - run: npm exec -- npm-run-all -lp compile "electron x64" playwright-install download-builtin-extensions - - - name: Compile Integration Tests - run: npm run compile - working-directory: test/integration/browser - - - name: Run Unit Tests (Electron) - id: electron-unit-tests - run: DISPLAY=:10 ./scripts/test.sh - - - name: Run Unit Tests (node.js) - id: nodejs-unit-tests - run: npm run test-node - - - name: Run Unit Tests (Browser, Chromium) - id: browser-unit-tests - run: DISPLAY=:10 npm run test-browser-no-install -- --browser chromium - - - name: Run Integration Tests (Electron) - id: electron-integration-tests - run: DISPLAY=:10 ./scripts/test-integration.sh - - - name: Run Integration Tests (Browser, Chromium) - id: browser-integration-tests - run: DISPLAY=:10 ./scripts/test-web-integration.sh --browser chromium - - - name: Run Integration Tests (Remote) - id: electron-remote-integration-tests - timeout-minutes: 15 - run: DISPLAY=:10 ./scripts/test-remote-integration.sh - - darwin: - name: macOS - runs-on: macos-latest - timeout-minutes: 40 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - steps: - - uses: actions/checkout@v4 - - - uses: actions/setup-node@v5 - with: - node-version-file: .nvmrc - - - name: Compute node modules cache key - id: nodeModulesCacheKey - run: echo "value=$(node build/azure-pipelines/common/computeNodeModulesCacheKey.js)" >> $GITHUB_OUTPUT - - name: Cache node modules - id: cacheNodeModules - uses: actions/cache@v4 - with: - path: "**/node_modules" - key: ${{ runner.os }}-cacheNodeModulesMacOS-${{ steps.nodeModulesCacheKey.outputs.value }} - - name: Get npm cache directory path - id: npmCacheDirPath - if: ${{ steps.cacheNodeModules.outputs.cache-hit != 'true' }} - run: echo "dir=$(npm config get cache)" >> $GITHUB_OUTPUT - - name: Cache npm directory - if: ${{ steps.cacheNodeModules.outputs.cache-hit != 'true' }} - uses: actions/cache@v4 - with: - path: ${{ steps.npmCacheDirPath.outputs.dir }} - key: ${{ runner.os }}-npmCacheDir-${{ steps.nodeModulesCacheKey.outputs.value }} - restore-keys: ${{ runner.os }}-npmCacheDir- - - name: Execute npm - if: ${{ steps.cacheNodeModules.outputs.cache-hit != 'true' }} - env: - PLAYWRIGHT_SKIP_BROWSER_DOWNLOAD: 1 - ELECTRON_SKIP_BINARY_DOWNLOAD: 1 - run: npm ci - - - name: Compile and Download - run: npm exec -- npm-run-all -lp compile "electron x64" playwright-install download-builtin-extensions - - - name: Compile Integration Tests - run: npm run compile - working-directory: test/integration/browser - - # This is required for SecretStorage unittests - - name: Create temporary keychain - run: | - security create-keychain -p pwd $RUNNER_TEMP/buildagent.keychain - security default-keychain -s $RUNNER_TEMP/buildagent.keychain - security unlock-keychain -p pwd $RUNNER_TEMP/buildagent.keychain - - - name: Run Unit Tests (Electron) - run: DISPLAY=:10 ./scripts/test.sh - - - name: Run Unit Tests (node.js) - run: npm run test-node - - - name: Run Unit Tests (Browser, Chromium) - run: DISPLAY=:10 npm run test-browser-no-install -- --browser chromium - - - name: Run Integration Tests (Electron) - run: DISPLAY=:10 ./scripts/test-integration.sh - - - name: Run Integration Tests (Browser, Webkit) - run: DISPLAY=:10 ./scripts/test-web-integration.sh --browser webkit - - - name: Run Integration Tests (Remote) - timeout-minutes: 15 - run: DISPLAY=:10 ./scripts/test-remote-integration.sh - - hygiene: - name: Hygiene and Layering - runs-on: ubuntu-latest - timeout-minutes: 40 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - steps: - - uses: actions/checkout@v4 - - - uses: actions/setup-node@v5 - with: - node-version-file: .nvmrc - - - name: Compute node modules cache key - id: nodeModulesCacheKey - run: echo "value=$(node build/azure-pipelines/common/computeNodeModulesCacheKey.js)" >> $GITHUB_OUTPUT - - name: Cache node modules - id: cacheNodeModules - uses: actions/cache@v4 - with: - path: "**/node_modules" - key: ${{ runner.os }}-cacheNodeModulesLinux-${{ steps.nodeModulesCacheKey.outputs.value }} - - name: Get npm cache directory path - id: npmCacheDirPath - if: ${{ steps.cacheNodeModules.outputs.cache-hit != 'true' }} - run: echo "dir=$(npm config get cache)" >> $GITHUB_OUTPUT - - name: Cache npm directory - if: ${{ steps.cacheNodeModules.outputs.cache-hit != 'true' }} - uses: actions/cache@v4 - with: - path: ${{ steps.npmCacheDirPath.outputs.dir }} - key: ${{ runner.os }}-npmCacheDir-${{ steps.nodeModulesCacheKey.outputs.value }} - restore-keys: ${{ runner.os }}-npmCacheDir- - - name: Execute npm - if: ${{ steps.cacheNodeModules.outputs.cache-hit != 'true' }} - env: - PLAYWRIGHT_SKIP_BROWSER_DOWNLOAD: 1 - ELECTRON_SKIP_BINARY_DOWNLOAD: 1 - run: npm ci - - - name: Download Playwright - run: npm run playwright-install - - - name: Run Hygiene Checks - run: npm run gulp hygiene - - - name: Run Valid Layers Checks - run: npm run valid-layers-check - - - name: Run Property Init Order Checks - run: npm run property-init-order-check - - - name: Compile /build/ - run: npm run compile - working-directory: build - - - name: Check clean git state - run: ./.github/workflows/check-clean-git-state.sh - - - name: Run eslint - run: npm run eslint - - - name: Run vscode-dts Compile Checks - run: npm run vscode-dts-compile-check - - - name: Run Trusted Types Checks - run: npm run tsec-compile-check From 37cc9d2e51454da45e38903d30954b64ca0e17da Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 1 Oct 2025 10:20:16 +0000 Subject: [PATCH 50/50] Bump postcss in the npm_and_yarn group across 1 directory Bumps the npm_and_yarn group with 1 update in the / directory: [postcss](https://github.com/postcss/postcss). Updates `postcss` from 8.5.2 to 8.5.3 - [Release notes](https://github.com/postcss/postcss/releases) - [Changelog](https://github.com/postcss/postcss/blob/main/CHANGELOG.md) - [Commits](https://github.com/postcss/postcss/compare/8.5.2...8.5.3) --- updated-dependencies: - dependency-name: postcss dependency-version: 8.5.3 dependency-type: direct:development dependency-group: npm_and_yarn ... Signed-off-by: dependabot[bot] --- package-lock.json | 8 ++++---- package.json | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/package-lock.json b/package-lock.json index 389d11d1d3ff..f8fd5526daa9 100644 --- a/package-lock.json +++ b/package-lock.json @@ -140,7 +140,7 @@ "os-browserify": "^0.3.0", "p-all": "^1.0.0", "path-browserify": "^1.0.1", - "postcss": "^8.5.2", + "postcss": "^8.5.3", "postcss-nesting": "^12.0.2", "pump": "^1.0.1", "rcedit": "^1.1.0", @@ -12545,9 +12545,9 @@ } }, "node_modules/postcss": { - "version": "8.5.2", - "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.5.2.tgz", - "integrity": "sha512-MjOadfU3Ys9KYoX0AdkBlFEF1Vx37uCCeN4ZHnmwm9FfpbsGWMZeBLMmmpY+6Ocqod7mkdZ0DT31OlbsFrLlkA==", + "version": "8.5.3", + "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.5.3.tgz", + "integrity": "sha512-dle9A3yYxlBSrt8Fu+IpjGT8SY8hN0mlaA6GY8t0P5PjIOZemULz/E2Bnm/2dcUOena75OTNkHI76uZBNUUq3A==", "dev": true, "funding": [ { diff --git a/package.json b/package.json index b5f974f942dc..98c27429a685 100644 --- a/package.json +++ b/package.json @@ -199,7 +199,7 @@ "os-browserify": "^0.3.0", "p-all": "^1.0.0", "path-browserify": "^1.0.1", - "postcss": "^8.5.2", + "postcss": "^8.5.3", "postcss-nesting": "^12.0.2", "pump": "^1.0.1", "rcedit": "^1.1.0",