Skip to content

Maintenance updates for dependabot alerts #451

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
lionel- wants to merge 10 commits into
base: main
Choose a base branch
from
Open

Maintenance updates for dependabot alerts #451

lionel- wants to merge 10 commits into from

Conversation

@lionel-
Copy link
Collaborator

@lionel- lionel- commented Dec 2, 2025
edited
Loading

  • Update TS packages glob, js-yaml, and brace-expansion
  • Update Rust crates tokio and tracing-subscriber
  • Bump Air to 0.8.1 (also for the Unicode fix)
  • Bump extension to 0.18.1 (also for the notebook cell support)

@lionel- lionel- force-pushed the task/security-update branch 2 times, most recently from 554d612 to 9579236 Compare December 2, 2025 11:22
@lionel- lionel- requested a review from DavisVaughan December 2, 2025 11:25
@lionel- lionel- force-pushed the task/security-update branch 2 times, most recently from ef3826e to d79753d Compare December 2, 2025 12:25
@DavisVaughan
Copy link
Collaborator

DavisVaughan commented Dec 2, 2025

Looks like we need === instead of == here

air/editors/code/src/process.ts

Lines 15 to 25 in 1502872

export function isResult(
result: CommandResult | CommandError,
): result is CommandResult {
return result.type == "result";
}
export function isError(
result: CommandResult | CommandError,
): result is CommandError {
return result.type == "error";
}

Can you please make that change too? Trying to get the Code extension test workflow passing

DavisVaughan
DavisVaughan reviewed Dec 2, 2025
View reviewed changes
@lionel- lionel- force-pushed the task/security-update branch 2 times, most recently from 9e587fb to 7622118 Compare December 2, 2025 14:28
@lionel-
Copy link
Collaborator Author

lionel- commented Dec 2, 2025
edited
Loading

To fix:


node:internal/util:409
  validateFunction(original, 'original');
  ^

TypeError [ERR_INVALID_ARG_TYPE]: The "original" argument must be of type function. Received an instance of Object
    at promisify (node:internal/util:409:3)
    at Object.<anonymous> (/home/runner/work/air/air/editors/code/node_modules/test-exclude/index.js:5:14)
    at Module._compile (node:internal/modules/cjs/loader:1521:14)
    at Module._extensions..js (node:internal/modules/cjs/loader:1623:10)
    at Module.load (node:internal/modules/cjs/loader:1266:32)
    at Module._load (node:internal/modules/cjs/loader:1091:12)
    at Module.require (node:internal/modules/cjs/loader:1289:19)
    at require (node:internal/modules/helpers:182:18)
    at Object.<anonymous> (/home/runner/work/air/air/editors/code/node_modules/c8/lib/report.js:1:17)
    at Module._compile (node:internal/modules/cjs/loader:1521:14) {
  code: 'ERR_INVALID_ARG_TYPE'
}

Caused by vs-code depending on a version of glob that is incompatible with the latest safe version: istanbuljs/test-exclude#67

I've downgraded glob to 9.x.x, which is safe: isaacs/node-glob#639 (comment)

There was also a dep cycle issue with brace-expansion:

Error [ERR_REQUIRE_CYCLE_MODULE]: Cannot require() ES Module /Users/lionel/Sync/Projects/Positron/air/editors/code/node_modules/brace-expansion/index.js in a cycle. (from /Users/lionel/Sync/Projects/Positron/air/editors/code/node_modules/minimatch/dist/cjs/index.js)A cycle involving require(esm) is disallowed to maintain invariants madated by the ECMAScript specificationTry making at least part of the dependency in the graph lazily loaded.

I downgraded to Node 22 to fix it. It seems generally better to lag a few versions of Node in vscode extensions.

This all seemed a bit unnecessary for a dev dependency but this got my feet wet with web dev dependency hell...

@lionel- lionel- force-pushed the task/security-update branch from 7622118 to 4b2f586 Compare December 2, 2025 14:31
@lionel- lionel- requested a review from DavisVaughan December 2, 2025 14:31
@lionel- lionel- force-pushed the task/security-update branch from 4b2f586 to 8681737 Compare December 3, 2025 16:29
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@DavisVaughan DavisVaughan Awaiting requested review from DavisVaughan

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@lionel- @DavisVaughan