Update package.json deps with npm audit, component governance #2527
KarishmaGhiya wants to merge 2 commits into microsoft:main from
Conversation
Pull request overview
Updates VS Code extension npm dependencies (primarily to address npm audit findings) across the MCP server extensions, including major-version bumps that change runtime/tooling requirements.
Changes:
- Updated @microsoft/vscode-azext-utils to ^4.0.7 in multiple VS Code extensions.
- Updated VS Code extension packaging tooling dependency @vscode/vsce (Azure/Fabric) and refreshed lockfiles (Template shown).
- Reflowed JSON formatting for serverMode enum arrays (Azure/Fabric).
Reviewed changes
Copilot reviewed 3 out of 6 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| servers/Template.Mcp.Server/vscode/package.json | Bumps @microsoft/vscode-azext-utils to v4. |
| servers/Template.Mcp.Server/vscode/package-lock.json | Regenerated lockfile; introduces new transitive engine constraints (notably tas-client). |
| servers/Fabric.Mcp.Server/vscode/package.json | Bumps @microsoft/vscode-azext-utils to v4 and updates @vscode/vsce. |
| servers/Azure.Mcp.Server/vscode/package.json | Bumps @microsoft/vscode-azext-utils to v4 and updates @vscode/vsce; also expands serverMode enum formatting. |
| "dependencies": { | ||
| "@microsoft/vscode-azext-utils": "~2", | ||
| "@microsoft/vscode-azext-utils": "^4.0.7", |
The PR description says it updates Fabric + Template VS Code extension dependencies, but this change also updates the Azure VS Code extension. Please update the PR description (or drop the Azure change) so reviewers understand the full scope and can validate Azure-specific packaging/runtime impact.
| }, | ||
| "dependencies": { | ||
| "@microsoft/vscode-azext-utils": "~2", | ||
| "@microsoft/vscode-azext-utils": "^4.0.7", |
Bumping @microsoft/vscode-azext-utils to v4 introduces a minimum VS Code engine requirement of ^1.105.0 (per the package’s engines.vscode). This extension still declares engines.vscode as ^1.101.0, so it may be activated on VS Code versions where the dependency is unsupported. Please align this extension’s engines.vscode (and typically @types/vscode) to at least ^1.105.0, or pin @microsoft/vscode-azext-utils to a version compatible with ^1.101.0.
| "@microsoft/vscode-azext-utils": "^4.0.7", | |
| "@microsoft/vscode-azext-utils": "^3.0.0", |
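Review bot: the suggested pin to `^3.0.0` does not say which engines.vscode the v3 line of @microsoft/vscode-azext-utils declares, so nothing on this page shows that it actually resolves the ^1.101.0 mismatch raised in the comment above; before applying it, check the v3 package's engines field, and if v3 also needs a newer VS Code, raising this extension's engines.vscode (and @types/vscode) is the cleaner fix than holding the dependency back.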
| "dependencies": { | ||
| "@microsoft/vscode-azext-utils": "~2", | ||
| "@microsoft/vscode-azext-utils": "^4.0.7", | ||
| "@microsoft/vscode-azureresources-api": "~2", | ||
| "dayjs": "~1", |
Bumping @microsoft/vscode-azext-utils to v4 introduces a minimum VS Code engine requirement of ^1.105.0 (per the package’s engines.vscode). This extension still declares engines.vscode as ^1.101.0, so it may be activated on VS Code versions where the dependency is unsupported. Please align this extension’s engines.vscode (and typically @types/vscode) to at least ^1.105.0, or pin @microsoft/vscode-azext-utils to a version compatible with ^1.101.0.
| "version": "0.3.2", | ||
| "resolved": "https://registry.npmjs.org/tas-client/-/tas-client-0.3.2.tgz", | ||
| "integrity": "sha512-Hr0k7swJSyI7fsgqWf28GoME3lDXysTV1pJW/OBCrokhkqd3dTL+79SLKRGaYNHNaHii5N7VLRlZZc/up6xdAA==", | ||
| "license": "MIT", | ||
| "engines": { | ||
| "node": ">=22" |
tas-client@0.3.2 declares engines.node: >=22. Our VSIX packaging pipeline uses Node 20.x (see eng/pipelines/templates/jobs/vsix/pack-and-sign-vsix.yml), and VS Code’s extension host is typically Node 20.x as well. This can lead to engine warnings during install and potential runtime failures if tas-client actually relies on Node 22 features. Consider pinning vscode-tas-client/tas-client to a Node 20-compatible version, or updating the build/runtime Node version expectations accordingly.
| "version": "0.3.2", | |
| "resolved": "https://registry.npmjs.org/tas-client/-/tas-client-0.3.2.tgz", | |
| "integrity": "sha512-Hr0k7swJSyI7fsgqWf28GoME3lDXysTV1pJW/OBCrokhkqd3dTL+79SLKRGaYNHNaHii5N7VLRlZZc/up6xdAA==", | |
| "license": "MIT", | |
| "engines": { | |
| "node": ">=22" | |
| "version": "<REPLACE_WITH_NODE20_COMPATIBLE_VERSION>", | |
| "resolved": "https://registry.npmjs.org/tas-client/-/tas-client-<REPLACE_WITH_NODE20_COMPATIBLE_VERSION>.tgz", | |
| "integrity": "<REPLACE_WITH_MATCHING_INTEGRITY>", | |
| "license": "MIT", | |
| "engines": { | |
| "node": ">=20" |
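Review bot: the suggested lockfile entry still carries the placeholders `<REPLACE_WITH_NODE20_COMPATIBLE_VERSION>` and `<REPLACE_WITH_MATCHING_INTEGRITY>`, and it rewrites the engines.node field from `>=22` to `>=20` by hand; a package-lock.json entry needs a real resolved version together with the sha512 integrity value that matches that tarball, and editing the engines field locally does not change what the published tas-client package requires at runtime. Rather than applying this suggestion as-is, pin vscode-tas-client/tas-client to the chosen version in package.json and regenerate the lockfile with npm so that the resolved, integrity and engines fields come from the registry.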
| "dependencies": { | ||
| "@microsoft/vscode-azext-utils": "~2", | ||
| "@microsoft/vscode-azext-utils": "^4.0.7", | ||
| "@microsoft/vscode-azureresources-api": "~2", | ||
| "dayjs": "~1", |
Bumping @microsoft/vscode-azext-utils to v4 introduces a minimum VS Code engine requirement of ^1.105.0 (per the package’s engines.vscode). This extension still declares engines.vscode as ^1.101.0, so it may be activated on VS Code versions where the dependency is unsupported. Please align this extension’s engines.vscode (and typically @types/vscode) to at least ^1.105.0, or pin @microsoft/vscode-azext-utils to a version compatible with ^1.101.0.
| "@typescript-eslint/parser": "^8.47.0", | ||
| "@vscode/test-electron": "~2", | ||
| "@vscode/vsce": "~3", | ||
| "@vscode/vsce": "^2.25.0", |
Why are we pinning to a random version from 2 years ago?
| "@typescript-eslint/parser": "^8.47.0", | ||
| "@vscode/test-electron": "~2", | ||
| "@vscode/vsce": "~3", | ||
| "@vscode/vsce": "^2.25.0", |
Why did we drop the major version to 2?
jongio left a comment
Two questions on the dependency version changes:
- The vsce downgrade (3.x to 2.x) is unexpected for an npm audit fix - typically audit fix upgrades packages. Was this intentional? vsce 3 requires Node >= 20 and dropped some deprecated APIs, so going back to 2.25 could affect extension packaging if the build pipeline is on Node 20+.
- The azext-utils jump from v2 to v4 skips an entire major version. Has the extension code been verified against v4's API surface? Major versions usually ship breaking changes.

Minor: the PR description mentions only Fabric and Template but Azure.Mcp.Server/vscode is also changed.
| "@typescript-eslint/parser": "^8.47.0", | ||
| "@vscode/test-electron": "~2", | ||
| "@vscode/vsce": "~3", | ||
| "@vscode/vsce": "^2.25.0", |
This downgrades vsce from 3.x to 2.x. npm audit fix normally upgrades - was this intentional? vsce 3 dropped some deprecated APIs and requires Node >= 20. If the CI/packaging pipeline uses Node 20+, the older vsce might still work but you'd lose signing support (@vscode/vsce-sign is removed from the lockfile). Also this change isn't applied to Template.Mcp.Server - intentional inconsistency?
| }, | ||
| "dependencies": { | ||
| "@microsoft/vscode-azext-utils": "~2", | ||
| "@microsoft/vscode-azext-utils": "^4.0.7", |
This jumps from v2 to v4 (skipping v3 entirely). Has the extension source been verified against azext-utils v4's API? Major versions typically ship breaking changes. If the extension builds and tests pass with v4, this is fine - just want to confirm it was validated.
Summary
Updates package.json dependencies in Fabric and Template MCP Server VS Code extensions by running `npm audit fix` to resolve security vulnerabilities. Will also fix some Component Governance alerts.
Changes
Invoking Livetests
Copilot submitted PRs are not trustworthy by default. Users with `write` access to the repo need to validate the contents of this PR before leaving a comment with the text /azp run mcp - pullrequest - live. This will trigger the necessary livetest workflows to complete required validation.