Skip to content

[auto-sec] Consolidate npm security remediations (vite, Angular, undici, hono, protobufjs, and more)#18735

Open
IEvangelist wants to merge 7 commits into
mainfrom
dapire/security-deps/aspire-npmfix
Open

[auto-sec] Consolidate npm security remediations (vite, Angular, undici, hono, protobufjs, and more)#18735
IEvangelist wants to merge 7 commits into
mainfrom
dapire/security-deps/aspire-npmfix

Conversation

@IEvangelist

@IEvangelist IEvangelist commented Jul 11, 2026

Copy link
Copy Markdown
Member

[auto-sec] Consolidate npm security remediations across all frontend manifests

This PR addresses 100+ Dependabot security alerts across 29 npm/yarn/pnpm manifests.

Alerts addressed

Package CVE/Advisory Severity Fix version
vite (8.x) CVE-2026-53571, CVE-2026-53632 HIGH, medium ^8.0.16
vite (7.x) CVE-2026-53571, CVE-2026-53632 HIGH, medium 7.3.5
vite (6.x) CVE-2026-53571, CVE-2026-53632 HIGH, medium ^6.4.3
@angular/core CVE-2026-54267 HIGH 21.2.17
@angular/common CVE-2026-54266, CVE-2026-54268 HIGH 21.2.17
@angular/compiler CVE-2026-54265 medium 21.2.17
http-proxy-middleware CVE-2026-55602, CVE-2026-55603 HIGH, medium 3.0.7
piscina CVE-2026-55388 HIGH 5.2.0
form-data CVE-2026-12143 HIGH 4.0.6
tmp CVE-2026-49982 HIGH 0.2.7
hono CVE-2026-54286/54287/54288/54289/54290 HIGH, medium 4.12.25
undici CVE-2026-6733/6734/9678/9679/9697/11525/12151 HIGH/medium/low 7.28.0
protobufjs CVE-2026-48712, CVE-2026-54269/54270 HIGH, medium 8.6.0
js-yaml CVE-2026-53550 medium 4.2.0
webpack-dev-server CVE-2026-9595 medium ^5.2.5
@opentelemetry/core CVE-2026-54285 medium 2.8.0
launch-editor CVE-2026-53632 medium 2.14.1
markdown-it CVE-2026-48988 medium 14.2.0
tar CVE-2026-53655 medium 7.5.16
@babel/core CVE-2026-49356 low ^7.29.6
esbuild GHSA-g7r4-m6w7-qqqr low 0.28.1

Strategy

  • Direct deps: bumped minimum version where packages are direct dependencies- Transitive deps: added overrides (npm), resolutions (yarn v1), or pnpm.overrides (pnpm) to pin vulnerable transitive deps
  • Angular ecosystem: pinned all @angular/* to 21.2.17 via overrides to resolve peer dep cascade### Lockfiles regenerated
  • All package-lock.json: npm install --package-lock-only returned found 0 vulnerabilities
  • extension/yarn.lock: regenerated with yarn v1
  • pnpm-lock.yaml files: regenerated with pnpm
  • TypeScript.PackageManagers.Yarn yarn.lock: resolutions added to package.json; regenerates on next yarn install

Verification- npm audit shows 0 vulnerabilities for all npm manifests- Cannot fully verify CI locally; submitting for CI validation

Auto-sec refresh (2026-07-13)

  • Cluster: JS/npm low-risk consolidation (canonical for open Dependabot npm advisories in this repo).
  • Open alerts currently in repo: 100 Dependabot alerts (high: 27, medium: 48, low: 25), code scanning: 0.
  • Canonical branch freshness: Updated branch with latest main via GitHub update-branch.
  • Superseded overlapping PRs closed this run: none.
  • Verification status:
    • CI checks: ✅ passing after rerunning flaky infra failures (read ECONNRESET in Set up .NET Core for 3 Ubuntu CLI E2E jobs).
    • Mergeability: ✅ mergeable / conflict-free.
  • Blockers: awaiting review/approval (reviewDecision: REVIEW_REQUIRED).

…manifests

Addresses 100+ Dependabot security alerts across 29 npm/yarn/pnpm manifests
in playground/, src/Aspire.Cli/Templating/Templates/, src/Aspire.ProjectTemplates/,
tests/, and extension/.

## Packages fixed (via overrides/resolutions/pnpm.overrides or direct version bumps):

### CVE remediations
- vite: bumped to ^8.0.16 (was ^8.0.0) — CVE-2026-53571 (high), CVE-2026-53632 (medium)
  - vite 7.x projects: override to 7.3.5
  - vite 6.x projects: bumped to ^6.4.3
- @angular/core + @angular/common + @angular/compiler + Angular ecosystem:
  - playground/AspireJavaScript.Angular: pinned all @angular/* to 21.2.17 via overrides
    — CVE-2026-54266/54267/54268 (high), CVE-2026-54265 (medium)
- hono: 4.12.25 — CVE-2026-54286/54287/54288/54289/54290
- http-proxy-middleware: 3.0.7 — CVE-2026-55602 (medium), CVE-2026-55603 (high)
- piscina: 5.2.0 — CVE-2026-55388 (high)
- webpack-dev-server: bumped to ^5.2.5 — CVE-2026-9595 (medium)
- undici: 7.28.0 (npm/yarn), 6.27.0 (yarn test) — multiple CVEs (high/medium/low)
- js-yaml: 4.2.0 — CVE-2026-53550 (medium)
- @babel/core: bumped to ^7.29.6 — CVE-2026-49356 (low)
- protobufjs: 8.6.0 — CVE-2026-48712/54269/54270 (high/medium)
- @opentelemetry/core: 2.8.0 — CVE-2026-54285 (medium)
- launch-editor: 2.14.1 — CVE-2026-53632 (medium)
- markdown-it: 14.2.0 — CVE-2026-48988 (medium)
- form-data: 4.0.6 — CVE-2026-12143 (high)
- tmp: 0.2.7 — CVE-2026-49982 (high)
- tar: 7.5.16 — CVE-2026-53655 (medium)
- esbuild: 0.28.1 — GHSA-g7r4-m6w7-qqqr (low)
- brace-expansion: 5.0.7 — moderate vuln in py-starter/ts-starter templates

### Lockfile regeneration
- All package-lock.json files regenerated with 'npm install --package-lock-only'
- extension/yarn.lock regenerated with yarn v1 (resolutions applied)
- NodeFrontend pnpm-lock.yaml regenerated with pnpm
- tests/PolyglotAppHosts pnpm-lock.yaml regenerated

Note: tests/PolyglotAppHosts/TypeScript.PackageManagers.Yarn yarn.lock has
resolutions added to package.json; lockfile will be regenerated on next
'yarn install' run (requires Yarn v4).

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings July 11, 2026 11:30
@github-actions

Copy link
Copy Markdown
Contributor

🚀 Dogfood this PR with:

⚠️ WARNING: Do not do this without first carefully reviewing the code of this PR to satisfy yourself it is safe.

curl -fsSL https://raw.githubusercontent.com/microsoft/aspire/main/eng/scripts/get-aspire-cli-pr.sh | bash -s -- 18735

Or

  • Run remotely in PowerShell:
iex "& { $(irm https://raw.githubusercontent.com/microsoft/aspire/main/eng/scripts/get-aspire-cli-pr.ps1) } 18735"

@IEvangelist IEvangelist added the automated-security Automated security fix label Jul 11, 2026
@github-actions github-actions Bot added the area-integrations Issues pertaining to Aspire Integrations packages label Jul 11, 2026
@github-actions

This comment has been minimized.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Updates frontend dependency manifests and lockfiles to remediate npm security advisories.

Changes:

  • Upgrades Vite, Angular, Babel, webpack, and related tooling.
  • Pins vulnerable transitive dependencies using package-manager overrides.
  • Regenerates affected npm and extension Yarn lockfiles.

Reviewed changes

Copilot reviewed 28 out of 56 changed files in this pull request and generated 1 comment.

Show a summary per file
File Description
tests/PolyglotAppHosts/TypeScript.PackageManagers.Yarn/TypeScript/package.json Adds Yarn security resolutions.
tests/PolyglotAppHosts/TypeScript.PackageManagers.Pnpm/TypeScript/package.json Adds a pnpm esbuild override.
tests/PolyglotAppHosts/TypeScript.PackageManagers.Npm/TypeScript/package.json Adds an npm esbuild override.
tests/PolyglotAppHosts/TypeScript.PackageManagers.Npm/TypeScript/package-lock.json Locks esbuild 0.28.1.
tests/PolyglotAppHosts/Aspire.Hosting.Go/TypeScript/package.json Pins esbuild.
tests/PolyglotAppHosts/Aspire.Hosting.Go/TypeScript/package-lock.json Refreshes esbuild packages.
tests/PolyglotAppHosts/Aspire.Hosting.EntityFrameworkCore/TypeScript/package.json Pins esbuild.
tests/PolyglotAppHosts/Aspire.Hosting.EntityFrameworkCore/TypeScript/package-lock.json Refreshes esbuild packages.
tests/PolyglotAppHosts/Aspire.Hosting.Azure.WebPubSub/TypeScript/package.json Pins esbuild.
tests/PolyglotAppHosts/Aspire.Hosting.Azure.WebPubSub/TypeScript/package-lock.json Refreshes esbuild packages.
tests/PolyglotAppHosts/Aspire.Hosting.Azure.Network/TypeScript/package.json Pins esbuild.
tests/PolyglotAppHosts/Aspire.Hosting.Azure.Network/TypeScript/package-lock.json Refreshes esbuild packages.
tests/PolyglotAppHosts/Aspire.Hosting.Azure.CosmosDB/TypeScript/package.json Pins esbuild.
tests/PolyglotAppHosts/Aspire.Hosting.Azure.CosmosDB/TypeScript/package-lock.json Refreshes esbuild packages.
src/Aspire.ProjectTemplates/templates/aspire-ts-cs-starter/frontend/package.json Updates Vite and security overrides.
src/Aspire.Cli/Templating/Templates/ts-starter/package.json Adds esbuild and brace-expansion overrides.
src/Aspire.Cli/Templating/Templates/ts-starter/frontend/package.json Updates Vite and security overrides.
src/Aspire.Cli/Templating/Templates/py-starter/package.json Adds esbuild and brace-expansion overrides.
src/Aspire.Cli/Templating/Templates/py-starter/frontend/package.json Updates Vite and security overrides.
src/Aspire.Cli/Templating/Templates/java-starter/frontend/package.json Updates Vite and security overrides.
playground/TypeScriptApps/RpsArena/arena-frontend/package.json Updates Vite, esbuild, and Babel.
playground/TypeScriptApps/AzureFunctionsSample/TypeScriptApiService/package.json Pins esbuild.
playground/TypeScriptApps/AzureFunctionsSample/TypeScriptApiService/package-lock.json Locks esbuild 0.28.1.
playground/TypeScriptAppHost/vite-frontend/package.json Updates Vite and esbuild.
playground/PythonAppHost/frontend/package.json Updates Vite and security overrides.
playground/JavaAppHost/frontend/package.json Updates Vite and security overrides.
playground/FoundryAgentEnterprise/frontend/package.json Updates Vite and security overrides.
playground/BrowserTelemetry/BrowserTelemetry.Web/package.json Pins esbuild and OpenTelemetry core.
playground/BrowserTelemetry/BrowserTelemetry.Web/package-lock.json Locks OpenTelemetry core 2.8.0.
playground/AspireWithNode/NodeFrontend/package.json Updates protobufjs and OpenTelemetry overrides.
playground/AspireWithNode/NodeFrontend/package-lock.json Refreshes gRPC, protobufjs, and OpenTelemetry.
playground/AspireWithJavaScript/AspireJavaScript.Vue/package.json Updates Vite and security overrides.
playground/AspireWithJavaScript/AspireJavaScript.Vite/package.json Updates Vite, Babel, and YAML tooling.
playground/AspireWithJavaScript/AspireJavaScript.React/package.json Updates Babel and webpack tooling.
playground/AspireWithJavaScript/AspireJavaScript.Angular/package.json Updates Angular and vulnerable transitive packages.
playground/AspireWithBun/package.json Pins esbuild.
playground/AspireWithBun/package-lock.json Locks esbuild 0.28.1.
extension/yarn.lock Refreshes resolved security-sensitive packages.
extension/package.json Updates extension dependency resolutions.
Files not reviewed (26)
  • playground/AspireWithBun/package-lock.json: Generated file
  • playground/AspireWithJavaScript/AspireJavaScript.React/package-lock.json: Generated file
  • playground/AspireWithJavaScript/AspireJavaScript.Vite/package-lock.json: Generated file
  • playground/AspireWithJavaScript/AspireJavaScript.Vue/package-lock.json: Generated file
  • playground/AspireWithNode/NodeFrontend/package-lock.json: Generated file
  • playground/AspireWithNode/NodeFrontend/pnpm-lock.yaml: Generated file
  • playground/BrowserTelemetry/BrowserTelemetry.Web/package-lock.json: Generated file
  • playground/FoundryAgentEnterprise/frontend/package-lock.json: Generated file
  • playground/JavaAppHost/frontend/package-lock.json: Generated file
  • playground/PythonAppHost/frontend/package-lock.json: Generated file
  • playground/TypeScriptAppHost/vite-frontend/package-lock.json: Generated file
  • playground/TypeScriptApps/AzureFunctionsSample/TypeScriptApiService/package-lock.json: Generated file
  • playground/TypeScriptApps/RpsArena/arena-frontend/package-lock.json: Generated file
  • src/Aspire.Cli/Templating/Templates/java-starter/frontend/package-lock.json: Generated file
  • src/Aspire.Cli/Templating/Templates/py-starter/frontend/package-lock.json: Generated file
  • src/Aspire.Cli/Templating/Templates/py-starter/package-lock.json: Generated file
  • src/Aspire.Cli/Templating/Templates/ts-starter/frontend/package-lock.json: Generated file
  • src/Aspire.Cli/Templating/Templates/ts-starter/package-lock.json: Generated file
  • src/Aspire.ProjectTemplates/templates/aspire-ts-cs-starter/frontend/package-lock.json: Generated file
  • tests/PolyglotAppHosts/Aspire.Hosting.Azure.CosmosDB/TypeScript/package-lock.json: Generated file
  • tests/PolyglotAppHosts/Aspire.Hosting.Azure.Network/TypeScript/package-lock.json: Generated file
  • tests/PolyglotAppHosts/Aspire.Hosting.Azure.WebPubSub/TypeScript/package-lock.json: Generated file
  • tests/PolyglotAppHosts/Aspire.Hosting.EntityFrameworkCore/TypeScript/package-lock.json: Generated file
  • tests/PolyglotAppHosts/Aspire.Hosting.Go/TypeScript/package-lock.json: Generated file
  • tests/PolyglotAppHosts/TypeScript.PackageManagers.Npm/TypeScript/package-lock.json: Generated file
  • tests/PolyglotAppHosts/TypeScript.PackageManagers.Pnpm/TypeScript/pnpm-lock.yaml: Generated file

@github-actions

Copy link
Copy Markdown
Contributor

Retrying the failed CI jobs for this pull request from the CI run attempt. The rerun is being tracked in the rerun attempt.

@github-actions

Copy link
Copy Markdown
Contributor

Retrying the failed CI jobs for this pull request from the CI run attempt. The rerun is being tracked in the rerun attempt.

@github-actions

Copy link
Copy Markdown
Contributor

Retrying the failed CI jobs for this pull request from the CI run attempt. The rerun is being tracked in the rerun attempt.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings July 12, 2026 11:05
@github-actions

This comment has been minimized.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 29 out of 57 changed files in this pull request and generated 1 comment.

Files not reviewed (26)
  • playground/AspireWithBun/package-lock.json: Generated file
  • playground/AspireWithJavaScript/AspireJavaScript.React/package-lock.json: Generated file
  • playground/AspireWithJavaScript/AspireJavaScript.Vite/package-lock.json: Generated file
  • playground/AspireWithJavaScript/AspireJavaScript.Vue/package-lock.json: Generated file
  • playground/AspireWithNode/NodeFrontend/package-lock.json: Generated file
  • playground/AspireWithNode/NodeFrontend/pnpm-lock.yaml: Generated file
  • playground/BrowserTelemetry/BrowserTelemetry.Web/package-lock.json: Generated file
  • playground/FoundryAgentEnterprise/frontend/package-lock.json: Generated file
  • playground/JavaAppHost/frontend/package-lock.json: Generated file
  • playground/PythonAppHost/frontend/package-lock.json: Generated file
  • playground/TypeScriptAppHost/vite-frontend/package-lock.json: Generated file
  • playground/TypeScriptApps/AzureFunctionsSample/TypeScriptApiService/package-lock.json: Generated file
  • playground/TypeScriptApps/RpsArena/arena-frontend/package-lock.json: Generated file
  • src/Aspire.Cli/Templating/Templates/java-starter/frontend/package-lock.json: Generated file
  • src/Aspire.Cli/Templating/Templates/py-starter/frontend/package-lock.json: Generated file
  • src/Aspire.Cli/Templating/Templates/py-starter/package-lock.json: Generated file
  • src/Aspire.Cli/Templating/Templates/ts-starter/frontend/package-lock.json: Generated file
  • src/Aspire.Cli/Templating/Templates/ts-starter/package-lock.json: Generated file
  • src/Aspire.ProjectTemplates/templates/aspire-ts-cs-starter/frontend/package-lock.json: Generated file
  • tests/PolyglotAppHosts/Aspire.Hosting.Azure.CosmosDB/TypeScript/package-lock.json: Generated file
  • tests/PolyglotAppHosts/Aspire.Hosting.Azure.Network/TypeScript/package-lock.json: Generated file
  • tests/PolyglotAppHosts/Aspire.Hosting.Azure.WebPubSub/TypeScript/package-lock.json: Generated file
  • tests/PolyglotAppHosts/Aspire.Hosting.EntityFrameworkCore/TypeScript/package-lock.json: Generated file
  • tests/PolyglotAppHosts/Aspire.Hosting.Go/TypeScript/package-lock.json: Generated file
  • tests/PolyglotAppHosts/TypeScript.PackageManagers.Npm/TypeScript/package-lock.json: Generated file
  • tests/PolyglotAppHosts/TypeScript.PackageManagers.Pnpm/TypeScript/pnpm-lock.yaml: Generated file

Copilot AI review requested due to automatic review settings July 13, 2026 11:03

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 29 out of 57 changed files in this pull request and generated 1 comment.

Files not reviewed (26)
  • playground/AspireWithBun/package-lock.json: Generated file
  • playground/AspireWithJavaScript/AspireJavaScript.React/package-lock.json: Generated file
  • playground/AspireWithJavaScript/AspireJavaScript.Vite/package-lock.json: Generated file
  • playground/AspireWithJavaScript/AspireJavaScript.Vue/package-lock.json: Generated file
  • playground/AspireWithNode/NodeFrontend/package-lock.json: Generated file
  • playground/AspireWithNode/NodeFrontend/pnpm-lock.yaml: Generated file
  • playground/BrowserTelemetry/BrowserTelemetry.Web/package-lock.json: Generated file
  • playground/FoundryAgentEnterprise/frontend/package-lock.json: Generated file
  • playground/JavaAppHost/frontend/package-lock.json: Generated file
  • playground/PythonAppHost/frontend/package-lock.json: Generated file
  • playground/TypeScriptAppHost/vite-frontend/package-lock.json: Generated file
  • playground/TypeScriptApps/AzureFunctionsSample/TypeScriptApiService/package-lock.json: Generated file
  • playground/TypeScriptApps/RpsArena/arena-frontend/package-lock.json: Generated file
  • src/Aspire.Cli/Templating/Templates/java-starter/frontend/package-lock.json: Generated file
  • src/Aspire.Cli/Templating/Templates/py-starter/frontend/package-lock.json: Generated file
  • src/Aspire.Cli/Templating/Templates/py-starter/package-lock.json: Generated file
  • src/Aspire.Cli/Templating/Templates/ts-starter/frontend/package-lock.json: Generated file
  • src/Aspire.Cli/Templating/Templates/ts-starter/package-lock.json: Generated file
  • src/Aspire.ProjectTemplates/templates/aspire-ts-cs-starter/frontend/package-lock.json: Generated file
  • tests/PolyglotAppHosts/Aspire.Hosting.Azure.CosmosDB/TypeScript/package-lock.json: Generated file
  • tests/PolyglotAppHosts/Aspire.Hosting.Azure.Network/TypeScript/package-lock.json: Generated file
  • tests/PolyglotAppHosts/Aspire.Hosting.Azure.WebPubSub/TypeScript/package-lock.json: Generated file
  • tests/PolyglotAppHosts/Aspire.Hosting.EntityFrameworkCore/TypeScript/package-lock.json: Generated file
  • tests/PolyglotAppHosts/Aspire.Hosting.Go/TypeScript/package-lock.json: Generated file
  • tests/PolyglotAppHosts/TypeScript.PackageManagers.Npm/TypeScript/package-lock.json: Generated file
  • tests/PolyglotAppHosts/TypeScript.PackageManagers.Pnpm/TypeScript/pnpm-lock.yaml: Generated file

@github-actions

This comment has been minimized.

* Install Radius CLI in the test instead of the workflow

Move the `rad` CLI install out of the deployment-tests.yml workflow and
into RadiusStarterDeploymentTests itself (new Step 1a). This keeps the
Radius prerequisite self-contained in the only test that needs it: other
deployment scenarios no longer pay the download cost or risk failing on
an install-endpoint outage, and the test can run locally without
workflow-specific setup. The CLI installs into a workspace-local dir so
nothing leaks into ~/.rad.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Copilot-Session: b84daeef-5ebd-4d6e-bc4f-c8579a5c287d

* Harden Radius CLI install against masked curl failures

Wrap the `curl | install.sh` pipe in a `set -o pipefail` subshell so a
failed download propagates instead of being masked by install.sh's exit
code. The interactive test terminal does not enable pipefail by default,
unlike the GitHub Actions runner shell this install replaced. The PATH
export stays outside the subshell so it persists for later steps.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Copilot-Session: b84daeef-5ebd-4d6e-bc4f-c8579a5c287d

* Isolate Radius installer HOME

Set HOME to the workspace home while installing the pinned Radius CLI so the installer-triggered bicep download stays under the temporary workspace.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>

Copilot-Session: b84daeef-5ebd-4d6e-bc4f-c8579a5c287d

* Update Radius deployment test docs

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>

Copilot-Session: b84daeef-5ebd-4d6e-bc4f-c8579a5c287d

* Clarify Radius installer sudo check

Update the Step 1a comment to describe the pinned installer needsSudo behavior accurately.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>

Copilot-Session: b84daeef-5ebd-4d6e-bc4f-c8579a5c287d

* Keep Radius version check isolated

Run the immediate Radius CLI verification under the workspace HOME used by the installer subshell.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>

Copilot-Session: b84daeef-5ebd-4d6e-bc4f-c8579a5c287d

* Pin Radius installer to commit SHA and add retry

Pin install.sh to the immutable commit SHA behind the v0.59.0 tag so the
executed installer content cannot drift if the tag is retargeted, retry the
download to tolerate transient CDN failures, and describe the pipefail scope
in state-based terms.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Copilot-Session: b84daeef-5ebd-4d6e-bc4f-c8579a5c287d

---------

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
* Allow external service URIs without trailing slash

Removes trailing-slash validation for external service URIs and direct URI references while preserving absolute URI, fragment, and query validation. Updates hosting tests to cover path URIs with and without a trailing slash.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>

* Update WithReference test for path URIs

Adjusts WithReferenceTests to validate successful environment injection for a URI with a non-trailing-slash path, matching the new URI validation behavior.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>

---------

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Comment thread extension/package.json
"serialize-javascript": "7.0.5",
"flatted": "3.4.2",
"lodash": "4.18.1",
"undici": "7.27.0",

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@IEvangelist did we do any sort of manual testing for the changes here and yarn.lock to ensure the extension still works as expected?

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes - I validated the extension changes at 756a4c9 (the follow-up commit only fixes the separate Yarn fixture lockfile).

  • corepack yarn install --frozen-lockfile --non-interactive succeeded.
  • extension\build.ps1 succeeded, and corepack yarn run test completed with 1,161 passing tests.
  • I built and installed the PR VSIX in VS Code 1.122.1, then ran the focused zero-to-running Extension Host E2E: 1/1 passed. It exercised New Project and Add Package routing, AppHost discovery/selection, adding Aspire.Hosting.Redis, debugging, probing the dashboard, and stopping the session.
  • The installed graph contained undici@7.28.0, tmp@0.2.7, js-yaml@4.2.0, markdown-it@14.2.0, and form-data@4.0.6.

So the extension still works end to end with the updated package.json and yarn.lock.

"globals": "^16.5.0",
"typescript": "~5.9.3",
"typescript-eslint": "^8.48.1",
"vite": "^8.0.0"

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Assuming we also did some validation here and ensure that we are able to instantiate the templates after these updates?

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes - I validated the changed starter templates with the PR dogfood CLI 13.5.0-pr.18735.g756a4c96 and PR hive.

  • Created fresh aspire-ts-starter, aspire-py-starter, and aspire-ts-cs-starter projects non-interactively.
  • Clean dependency installs and frontend/AppHost builds succeeded for all three.
  • Started each generated AppHost and waited for its frontend resource (frontend or webfrontend) to become healthy, then stopped it cleanly. The API/server and frontend resources were healthy, and installer resources exited with code 0.
  • The src/Aspire.Cli/Templating/Templates/java-starter source is not currently registered or embedded as an aspire new template, so I validated its changed frontend directly: npm ci reported 0 vulnerabilities and npm run build succeeded with Vite 8.1.3.

I also pushed 81d04ff0af to regenerate the separate Yarn 4 fixture lockfile; corepack yarn install --immutable now succeeds.

@joperezr joperezr left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Left two comments mostly to ensure that the changes impacting the product (extension and templates) were validated, but other than that this looks good. Thanks @IEvangelist!

IEvangelist and others added 2 commits July 13, 2026 14:00
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Copilot-Session: ba8c860a-2cf2-4af4-8297-79de367a57a9
Update the Yarn 4 lockfile to reflect the security resolutions for esbuild, tar, and undici so immutable installs succeed.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>

Copilot-Session: ba8c860a-2cf2-4af4-8297-79de367a57a9
Copilot AI review requested due to automatic review settings July 13, 2026 19:02
@github-actions

Copy link
Copy Markdown
Contributor

Tests selector (audit mode)

The full test matrix and all jobs still run in audit mode. The tests and jobs below are what selective CI would run under enforcement.

53 / 100 test projects · 7 jobs, from 64 changed files.

Selected test projects (53 / 100)

Aspire.Cli.EndToEnd.Tests, Aspire.Cli.Tests, Aspire.Deployment.EndToEnd.Tests, Aspire.EndToEnd.Tests, Aspire.Hosting.Analyzers.Tests, Aspire.Hosting.Azure.Kubernetes.Tests, Aspire.Hosting.Azure.Kusto.Tests, Aspire.Hosting.Azure.Tests, Aspire.Hosting.Blazor.Tests, Aspire.Hosting.Browsers.Tests, Aspire.Hosting.CodeGeneration.Go.Tests, Aspire.Hosting.CodeGeneration.Java.Tests, Aspire.Hosting.CodeGeneration.Python.Tests, Aspire.Hosting.CodeGeneration.Rust.Tests, Aspire.Hosting.CodeGeneration.TypeScript.Tests, Aspire.Hosting.Containers.Tests, Aspire.Hosting.DevTunnels.Tests, Aspire.Hosting.Docker.Tests, Aspire.Hosting.Dotnet.Tests, Aspire.Hosting.DotnetTool.Tests, Aspire.Hosting.EntityFrameworkCore.Tests, Aspire.Hosting.Foundry.Tests, Aspire.Hosting.Garnet.Tests, Aspire.Hosting.GitHub.Models.Tests, Aspire.Hosting.Go.Tests, Aspire.Hosting.JavaScript.Tests, Aspire.Hosting.Kafka.Tests, Aspire.Hosting.Keycloak.Tests, Aspire.Hosting.Kubernetes.Tests, Aspire.Hosting.Maui.Tests, Aspire.Hosting.Milvus.Tests, Aspire.Hosting.MongoDB.Tests, Aspire.Hosting.MySql.Tests, Aspire.Hosting.Nats.Tests, Aspire.Hosting.OpenAI.Tests, Aspire.Hosting.Oracle.Tests, Aspire.Hosting.Orleans.Tests, Aspire.Hosting.PostgreSQL.Tests, Aspire.Hosting.Python.Tests, Aspire.Hosting.Qdrant.Tests, Aspire.Hosting.RabbitMQ.Tests, Aspire.Hosting.Radius.Tests, Aspire.Hosting.Redis.Tests, Aspire.Hosting.RemoteHost.Tests, Aspire.Hosting.Seq.Tests, Aspire.Hosting.SqlServer.Tests, Aspire.Hosting.Testing.Tests, Aspire.Hosting.Tests, Aspire.Hosting.Valkey.Tests, Aspire.Hosting.Yarp.Tests, Aspire.Playground.Tests, Aspire.Templates.Tests, Infrastructure.Tests

Selected jobs (7)

cli-starter, deployment-e2e, extension-e2e, extension-unit, polyglot, typescript-api-compat, typescript-sdk


How these were chosen — grouped by what changed

⚠️ 43 of the 53 selected test projects come from a single change — src/Aspire.Hosting/ExternalServiceResource.cs.

🔧 src/Aspire.Hosting/ExternalServiceResource.cs (changed source)
43 via the project graph

show 43

Aspire.Hosting.Analyzers.Tests (2 hops), Aspire.Hosting.Azure.Kubernetes.Tests (2 hops), Aspire.Hosting.Azure.Kusto.Tests (2 hops), Aspire.Hosting.Azure.Tests, Aspire.Hosting.Browsers.Tests (2 hops), Aspire.Hosting.CodeGeneration.Go.Tests, Aspire.Hosting.CodeGeneration.Java.Tests, Aspire.Hosting.CodeGeneration.Python.Tests, Aspire.Hosting.CodeGeneration.Rust.Tests, Aspire.Hosting.CodeGeneration.TypeScript.Tests, Aspire.Hosting.Containers.Tests (2 hops), Aspire.Hosting.DevTunnels.Tests (2 hops), Aspire.Hosting.Docker.Tests (2 hops), Aspire.Hosting.DotnetTool.Tests (2 hops), Aspire.Hosting.EntityFrameworkCore.Tests (2 hops), Aspire.Hosting.Foundry.Tests (2 hops), Aspire.Hosting.Garnet.Tests (2 hops), Aspire.Hosting.GitHub.Models.Tests (2 hops), Aspire.Hosting.Go.Tests (2 hops), Aspire.Hosting.JavaScript.Tests (2 hops), Aspire.Hosting.Kafka.Tests (2 hops), Aspire.Hosting.Keycloak.Tests (2 hops), Aspire.Hosting.Kubernetes.Tests (2 hops), Aspire.Hosting.Maui.Tests, Aspire.Hosting.Milvus.Tests (2 hops), Aspire.Hosting.MongoDB.Tests (2 hops), Aspire.Hosting.MySql.Tests (2 hops), Aspire.Hosting.Nats.Tests (2 hops), Aspire.Hosting.OpenAI.Tests (2 hops), Aspire.Hosting.Oracle.Tests (2 hops), Aspire.Hosting.Orleans.Tests (2 hops), Aspire.Hosting.PostgreSQL.Tests (2 hops), Aspire.Hosting.Python.Tests (2 hops), Aspire.Hosting.Qdrant.Tests (2 hops), Aspire.Hosting.RabbitMQ.Tests (2 hops), Aspire.Hosting.Redis.Tests (2 hops), Aspire.Hosting.RemoteHost.Tests, Aspire.Hosting.Seq.Tests (2 hops), Aspire.Hosting.SqlServer.Tests (2 hops), Aspire.Hosting.Testing.Tests (2 hops), Aspire.Hosting.Valkey.Tests (2 hops), Aspire.Hosting.Yarp.Tests (2 hops), Aspire.Playground.Tests

🧪 tests/Aspire.Hosting.Tests/ExternalServiceTests.cs (changed test)
1 directly: Aspire.Hosting.Tests
3 via the project graph: Aspire.Hosting.Blazor.Tests, Aspire.Hosting.Dotnet.Tests, Aspire.Hosting.Radius.Tests

📦 affected project Aspire.Cli
1 test: Aspire.Cli.EndToEnd.Tests

📦 affected project Aspire.Hosting
1 test: Aspire.EndToEnd.Tests

📄 .github/workflows/deployment-tests.yml (changed)
1 directly: Infrastructure.Tests

📄 playground/AspireWithBun/package-lock.json (changed)
1 directly: Aspire.Playground.Tests

📄 playground/AspireWithBun/package.json (changed)
1 directly: Aspire.Playground.Tests

📄 playground/AspireWithJavaScript/AspireJavaScript.Angular/package-lock.json (changed)
1 directly: Aspire.Playground.Tests

📄 playground/AspireWithJavaScript/AspireJavaScript.Angular/package.json (changed)
1 directly: Aspire.Playground.Tests

📄 playground/AspireWithJavaScript/AspireJavaScript.React/package-lock.json (changed)
1 directly: Aspire.Playground.Tests

📄 playground/AspireWithJavaScript/AspireJavaScript.React/package.json (changed)
1 directly: Aspire.Playground.Tests

📄 playground/AspireWithJavaScript/AspireJavaScript.Vite/package-lock.json (changed)
1 directly: Aspire.Playground.Tests

📄 playground/AspireWithJavaScript/AspireJavaScript.Vite/package.json (changed)
1 directly: Aspire.Playground.Tests

📄 playground/AspireWithJavaScript/AspireJavaScript.Vue/package-lock.json (changed)
1 directly: Aspire.Playground.Tests

📄 playground/AspireWithJavaScript/AspireJavaScript.Vue/package.json (changed)
1 directly: Aspire.Playground.Tests

📄 playground/AspireWithNode/NodeFrontend/package-lock.json (changed)
1 directly: Aspire.Playground.Tests

📄 playground/AspireWithNode/NodeFrontend/package.json (changed)
1 directly: Aspire.Playground.Tests

📄 playground/AspireWithNode/NodeFrontend/pnpm-lock.yaml (changed)
1 directly: Aspire.Playground.Tests

📄 playground/BrowserTelemetry/BrowserTelemetry.Web/package-lock.json (changed)
1 directly: Aspire.Playground.Tests

📄 playground/BrowserTelemetry/BrowserTelemetry.Web/package.json (changed)
1 directly: Aspire.Playground.Tests

📄 playground/FoundryAgentEnterprise/frontend/package-lock.json (changed)
1 directly: Aspire.Playground.Tests

📄 playground/FoundryAgentEnterprise/frontend/package.json (changed)
1 directly: Aspire.Playground.Tests

📄 playground/JavaAppHost/frontend/package-lock.json (changed)
1 directly: Aspire.Playground.Tests

📄 playground/JavaAppHost/frontend/package.json (changed)
1 directly: Aspire.Playground.Tests

📄 playground/PythonAppHost/frontend/package-lock.json (changed)
1 directly: Aspire.Playground.Tests

📄 playground/PythonAppHost/frontend/package.json (changed)
1 directly: Aspire.Playground.Tests

📄 playground/TypeScriptAppHost/vite-frontend/package-lock.json (changed)
1 directly: Aspire.Playground.Tests

📄 playground/TypeScriptAppHost/vite-frontend/package.json (changed)
1 directly: Aspire.Playground.Tests

📄 playground/TypeScriptApps/AzureFunctionsSample/TypeScriptApiService/package-lock.json (changed)
1 directly: Aspire.Playground.Tests

📄 playground/TypeScriptApps/AzureFunctionsSample/TypeScriptApiService/package.json (changed)
1 directly: Aspire.Playground.Tests

📄 playground/TypeScriptApps/RpsArena/arena-frontend/package-lock.json (changed)
1 directly: Aspire.Playground.Tests

📄 playground/TypeScriptApps/RpsArena/arena-frontend/package.json (changed)
1 directly: Aspire.Playground.Tests

🔧 src/Aspire.Cli/Templating/Templates/java-starter/frontend/package-lock.json (changed source)
1 via the project graph: Aspire.Cli.Tests

🔧 src/Aspire.ProjectTemplates/templates/aspire-ts-cs-starter/frontend/package-lock.json (changed source)
1 directly: Aspire.Templates.Tests

🔧 src/Aspire.ProjectTemplates/templates/aspire-ts-cs-starter/frontend/package.json (changed source)
1 directly: Aspire.Templates.Tests

🧪 tests/Aspire.Deployment.EndToEnd.Tests/RadiusStarterDeploymentTests.cs (changed test)
1 directly: Aspire.Deployment.EndToEnd.Tests

🧪 tests/Aspire.Hosting.Tests/WithReferenceTests.cs (changed test)
1 directly: Aspire.Hosting.Tests

Job reasons

Job Triggered by
cli-starter • affected project Aspire.Cli
• selected test Aspire.Cli.Tests
deployment-e2e .github/workflows/deployment-tests.yml, src/Aspire.ProjectTemplates/templates/aspire-ts-cs-starter/frontend/package-lock.json, src/Aspire.ProjectTemplates/templates/aspire-ts-cs-starter/frontend/package.json, tests/Aspire.Deployment.EndToEnd.Tests/RadiusStarterDeploymentTests.cs
• affected project Aspire.Cli
extension-e2e extension/package.json, extension/src/test/e2eLaunchProfile.test.ts, extension/yarn.lock, src/Aspire.Cli/Templating/Templates/java-starter/frontend/package-lock.json, src/Aspire.Cli/Templating/Templates/java-starter/frontend/package.json, src/Aspire.Cli/Templating/Templates/py-starter/frontend/package-lock.json, src/Aspire.Cli/Templating/Templates/py-starter/frontend/package.json, src/Aspire.Cli/Templating/Templates/py-starter/package-lock.json, src/Aspire.Cli/Templating/Templates/py-starter/package.json, src/Aspire.Cli/Templating/Templates/ts-starter/frontend/package-lock.json, src/Aspire.Cli/Templating/Templates/ts-starter/frontend/package.json, src/Aspire.Cli/Templating/Templates/ts-starter/package-lock.json, src/Aspire.Cli/Templating/Templates/ts-starter/package.json, src/Aspire.Hosting/ExternalServiceResource.cs, src/Aspire.Hosting/ResourceBuilderExtensions.cs
• affected project Aspire.Cli
extension-unit extension/package.json, extension/src/test/e2eLaunchProfile.test.ts, extension/yarn.lock
polyglot tests/PolyglotAppHosts/Aspire.Hosting.Azure.CosmosDB/TypeScript/package-lock.json, tests/PolyglotAppHosts/Aspire.Hosting.Azure.CosmosDB/TypeScript/package.json, tests/PolyglotAppHosts/Aspire.Hosting.Azure.Network/TypeScript/package-lock.json, tests/PolyglotAppHosts/Aspire.Hosting.Azure.Network/TypeScript/package.json, tests/PolyglotAppHosts/Aspire.Hosting.Azure.WebPubSub/TypeScript/package-lock.json, tests/PolyglotAppHosts/Aspire.Hosting.Azure.WebPubSub/TypeScript/package.json, tests/PolyglotAppHosts/Aspire.Hosting.EntityFrameworkCore/TypeScript/package-lock.json, tests/PolyglotAppHosts/Aspire.Hosting.EntityFrameworkCore/TypeScript/package.json, tests/PolyglotAppHosts/Aspire.Hosting.Go/TypeScript/package-lock.json, tests/PolyglotAppHosts/Aspire.Hosting.Go/TypeScript/package.json, tests/PolyglotAppHosts/TypeScript.PackageManagers.Npm/TypeScript/package-lock.json, tests/PolyglotAppHosts/TypeScript.PackageManagers.Npm/TypeScript/package.json, tests/PolyglotAppHosts/TypeScript.PackageManagers.Pnpm/TypeScript/package.json, tests/PolyglotAppHosts/TypeScript.PackageManagers.Pnpm/TypeScript/pnpm-lock.yaml, tests/PolyglotAppHosts/TypeScript.PackageManagers.Yarn/TypeScript/package.json, tests/PolyglotAppHosts/TypeScript.PackageManagers.Yarn/TypeScript/yarn.lock
• affected project Aspire.Cli
typescript-api-compat affected project Aspire.Cli
typescript-sdk src/Aspire.Cli/Templating/Templates/ts-starter/frontend/package-lock.json, src/Aspire.Cli/Templating/Templates/ts-starter/frontend/package.json, src/Aspire.Cli/Templating/Templates/ts-starter/package-lock.json, src/Aspire.Cli/Templating/Templates/ts-starter/package.json

Selection computed for commit 81d04ff.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 36 out of 65 changed files in this pull request and generated 2 comments.

Files not reviewed (26)
  • playground/AspireWithBun/package-lock.json: Generated file
  • playground/AspireWithJavaScript/AspireJavaScript.React/package-lock.json: Generated file
  • playground/AspireWithJavaScript/AspireJavaScript.Vite/package-lock.json: Generated file
  • playground/AspireWithJavaScript/AspireJavaScript.Vue/package-lock.json: Generated file
  • playground/AspireWithNode/NodeFrontend/package-lock.json: Generated file
  • playground/AspireWithNode/NodeFrontend/pnpm-lock.yaml: Generated file
  • playground/BrowserTelemetry/BrowserTelemetry.Web/package-lock.json: Generated file
  • playground/FoundryAgentEnterprise/frontend/package-lock.json: Generated file
  • playground/JavaAppHost/frontend/package-lock.json: Generated file
  • playground/PythonAppHost/frontend/package-lock.json: Generated file
  • playground/TypeScriptAppHost/vite-frontend/package-lock.json: Generated file
  • playground/TypeScriptApps/AzureFunctionsSample/TypeScriptApiService/package-lock.json: Generated file
  • playground/TypeScriptApps/RpsArena/arena-frontend/package-lock.json: Generated file
  • src/Aspire.Cli/Templating/Templates/java-starter/frontend/package-lock.json: Generated file
  • src/Aspire.Cli/Templating/Templates/py-starter/frontend/package-lock.json: Generated file
  • src/Aspire.Cli/Templating/Templates/py-starter/package-lock.json: Generated file
  • src/Aspire.Cli/Templating/Templates/ts-starter/frontend/package-lock.json: Generated file
  • src/Aspire.Cli/Templating/Templates/ts-starter/package-lock.json: Generated file
  • src/Aspire.ProjectTemplates/templates/aspire-ts-cs-starter/frontend/package-lock.json: Generated file
  • tests/PolyglotAppHosts/Aspire.Hosting.Azure.CosmosDB/TypeScript/package-lock.json: Generated file
  • tests/PolyglotAppHosts/Aspire.Hosting.Azure.Network/TypeScript/package-lock.json: Generated file
  • tests/PolyglotAppHosts/Aspire.Hosting.Azure.WebPubSub/TypeScript/package-lock.json: Generated file
  • tests/PolyglotAppHosts/Aspire.Hosting.EntityFrameworkCore/TypeScript/package-lock.json: Generated file
  • tests/PolyglotAppHosts/Aspire.Hosting.Go/TypeScript/package-lock.json: Generated file
  • tests/PolyglotAppHosts/TypeScript.PackageManagers.Npm/TypeScript/package-lock.json: Generated file
  • tests/PolyglotAppHosts/TypeScript.PackageManagers.Pnpm/TypeScript/pnpm-lock.yaml: Generated file

Comment on lines 1263 to 1266
if (!uri.IsAbsoluteUri)
{
throw new InvalidOperationException($"The URI for service reference '{name}' is invalid while configuring target resource '{builder.Resource.Name}': it must be absolute.");
}
Comment on lines 300 to 306
- name: Setup Helm
uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4 # v4.3.1
with:
version: v4.2.0

# Install the Radius (`rad`) CLI only for the Radius deployment scenario. `aspire deploy`
# against a Radius environment shells out to `rad deploy`, so the CLI must be on PATH.
# Gated to the single matrix class so the ~dozens of other split jobs neither pay the
# download cost nor fail if the install endpoint is unavailable. RADIUS_VERSION pins the
# control-plane version (`rad install kubernetes` in the test installs the matching plane),
# keeping CI deterministic across Radius releases.
- name: Setup Radius
if: ${{ contains(matrix.classname, 'RadiusStarterDeploymentTests') }}
env:
# Full release tag component; install.sh resolves this to tag v0.59.0. Keep aligned
# with RadiusBicepExtension.Version (major.minor 0.59) so the installed control plane
# matches the Bicep types the publisher emits.
RADIUS_VERSION: "0.59.0"
run: |
# Pre-create the install dir (user-owned) BEFORE running install.sh. The
# Radius install.sh chooses whether to sudo by looking only at the install
# dir's immediate parent: for --install-dir "$HOME/.rad/bin" it inspects
# "$HOME/.rad", and on a fresh runner that does not exist yet, so it wrongly
# decides sudo is required and runs `sudo mkdir -p "$HOME/.rad/bin"`. That
# leaves "$HOME/.rad" owned by root, and the subsequent (non-sudo)
# `rad bicep download` then fails to create "$HOME/.rad/config.yaml.lock"
# with "permission denied". Creating the dir up front makes install.sh see a
# writable target and skip sudo entirely.
mkdir -p "$HOME/.rad/bin"
# Fetch install.sh pinned to the same release tag (v$RADIUS_VERSION) we install, rather
# than the moving `main` branch. This keeps the installer script content locked to the
# pinned version so it cannot drift independently (supply-chain hardening).
curl -fsSL "https://raw.githubusercontent.com/radius-project/radius/v${RADIUS_VERSION}/deploy/install.sh" | \
/bin/bash -s -- --version "$RADIUS_VERSION" --install-dir "$HOME/.rad/bin"
echo "$HOME/.rad/bin" >> "$GITHUB_PATH"
"$HOME/.rad/bin/rad" version --cli

- name: Run deployment test (${{ matrix.shortname }})
id: run_tests
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

area-integrations Issues pertaining to Aspire Integrations packages automated-security Automated security fix

Projects

None yet

Development

Successfully merging this pull request may close these issues.

5 participants