[auto-sec] Consolidate npm security remediations (vite, Angular, undici, hono, protobufjs, and more)#18735
[auto-sec] Consolidate npm security remediations (vite, Angular, undici, hono, protobufjs, and more)#18735IEvangelist wants to merge 7 commits into
Conversation
…manifests Addresses 100+ Dependabot security alerts across 29 npm/yarn/pnpm manifests in playground/, src/Aspire.Cli/Templating/Templates/, src/Aspire.ProjectTemplates/, tests/, and extension/. ## Packages fixed (via overrides/resolutions/pnpm.overrides or direct version bumps): ### CVE remediations - vite: bumped to ^8.0.16 (was ^8.0.0) — CVE-2026-53571 (high), CVE-2026-53632 (medium) - vite 7.x projects: override to 7.3.5 - vite 6.x projects: bumped to ^6.4.3 - @angular/core + @angular/common + @angular/compiler + Angular ecosystem: - playground/AspireJavaScript.Angular: pinned all @angular/* to 21.2.17 via overrides — CVE-2026-54266/54267/54268 (high), CVE-2026-54265 (medium) - hono: 4.12.25 — CVE-2026-54286/54287/54288/54289/54290 - http-proxy-middleware: 3.0.7 — CVE-2026-55602 (medium), CVE-2026-55603 (high) - piscina: 5.2.0 — CVE-2026-55388 (high) - webpack-dev-server: bumped to ^5.2.5 — CVE-2026-9595 (medium) - undici: 7.28.0 (npm/yarn), 6.27.0 (yarn test) — multiple CVEs (high/medium/low) - js-yaml: 4.2.0 — CVE-2026-53550 (medium) - @babel/core: bumped to ^7.29.6 — CVE-2026-49356 (low) - protobufjs: 8.6.0 — CVE-2026-48712/54269/54270 (high/medium) - @opentelemetry/core: 2.8.0 — CVE-2026-54285 (medium) - launch-editor: 2.14.1 — CVE-2026-53632 (medium) - markdown-it: 14.2.0 — CVE-2026-48988 (medium) - form-data: 4.0.6 — CVE-2026-12143 (high) - tmp: 0.2.7 — CVE-2026-49982 (high) - tar: 7.5.16 — CVE-2026-53655 (medium) - esbuild: 0.28.1 — GHSA-g7r4-m6w7-qqqr (low) - brace-expansion: 5.0.7 — moderate vuln in py-starter/ts-starter templates ### Lockfile regeneration - All package-lock.json files regenerated with 'npm install --package-lock-only' - extension/yarn.lock regenerated with yarn v1 (resolutions applied) - NodeFrontend pnpm-lock.yaml regenerated with pnpm - tests/PolyglotAppHosts pnpm-lock.yaml regenerated Note: tests/PolyglotAppHosts/TypeScript.PackageManagers.Yarn yarn.lock has resolutions added to package.json; lockfile will be regenerated on next 'yarn install' run (requires Yarn v4). Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
|
🚀 Dogfood this PR with:
curl -fsSL https://raw.githubusercontent.com/microsoft/aspire/main/eng/scripts/get-aspire-cli-pr.sh | bash -s -- 18735Or
iex "& { $(irm https://raw.githubusercontent.com/microsoft/aspire/main/eng/scripts/get-aspire-cli-pr.ps1) } 18735" |
This comment has been minimized.
This comment has been minimized.
There was a problem hiding this comment.
Pull request overview
Updates frontend dependency manifests and lockfiles to remediate npm security advisories.
Changes:
- Upgrades Vite, Angular, Babel, webpack, and related tooling.
- Pins vulnerable transitive dependencies using package-manager overrides.
- Regenerates affected npm and extension Yarn lockfiles.
Reviewed changes
Copilot reviewed 28 out of 56 changed files in this pull request and generated 1 comment.
Show a summary per file
| File | Description |
|---|---|
tests/PolyglotAppHosts/TypeScript.PackageManagers.Yarn/TypeScript/package.json |
Adds Yarn security resolutions. |
tests/PolyglotAppHosts/TypeScript.PackageManagers.Pnpm/TypeScript/package.json |
Adds a pnpm esbuild override. |
tests/PolyglotAppHosts/TypeScript.PackageManagers.Npm/TypeScript/package.json |
Adds an npm esbuild override. |
tests/PolyglotAppHosts/TypeScript.PackageManagers.Npm/TypeScript/package-lock.json |
Locks esbuild 0.28.1. |
tests/PolyglotAppHosts/Aspire.Hosting.Go/TypeScript/package.json |
Pins esbuild. |
tests/PolyglotAppHosts/Aspire.Hosting.Go/TypeScript/package-lock.json |
Refreshes esbuild packages. |
tests/PolyglotAppHosts/Aspire.Hosting.EntityFrameworkCore/TypeScript/package.json |
Pins esbuild. |
tests/PolyglotAppHosts/Aspire.Hosting.EntityFrameworkCore/TypeScript/package-lock.json |
Refreshes esbuild packages. |
tests/PolyglotAppHosts/Aspire.Hosting.Azure.WebPubSub/TypeScript/package.json |
Pins esbuild. |
tests/PolyglotAppHosts/Aspire.Hosting.Azure.WebPubSub/TypeScript/package-lock.json |
Refreshes esbuild packages. |
tests/PolyglotAppHosts/Aspire.Hosting.Azure.Network/TypeScript/package.json |
Pins esbuild. |
tests/PolyglotAppHosts/Aspire.Hosting.Azure.Network/TypeScript/package-lock.json |
Refreshes esbuild packages. |
tests/PolyglotAppHosts/Aspire.Hosting.Azure.CosmosDB/TypeScript/package.json |
Pins esbuild. |
tests/PolyglotAppHosts/Aspire.Hosting.Azure.CosmosDB/TypeScript/package-lock.json |
Refreshes esbuild packages. |
src/Aspire.ProjectTemplates/templates/aspire-ts-cs-starter/frontend/package.json |
Updates Vite and security overrides. |
src/Aspire.Cli/Templating/Templates/ts-starter/package.json |
Adds esbuild and brace-expansion overrides. |
src/Aspire.Cli/Templating/Templates/ts-starter/frontend/package.json |
Updates Vite and security overrides. |
src/Aspire.Cli/Templating/Templates/py-starter/package.json |
Adds esbuild and brace-expansion overrides. |
src/Aspire.Cli/Templating/Templates/py-starter/frontend/package.json |
Updates Vite and security overrides. |
src/Aspire.Cli/Templating/Templates/java-starter/frontend/package.json |
Updates Vite and security overrides. |
playground/TypeScriptApps/RpsArena/arena-frontend/package.json |
Updates Vite, esbuild, and Babel. |
playground/TypeScriptApps/AzureFunctionsSample/TypeScriptApiService/package.json |
Pins esbuild. |
playground/TypeScriptApps/AzureFunctionsSample/TypeScriptApiService/package-lock.json |
Locks esbuild 0.28.1. |
playground/TypeScriptAppHost/vite-frontend/package.json |
Updates Vite and esbuild. |
playground/PythonAppHost/frontend/package.json |
Updates Vite and security overrides. |
playground/JavaAppHost/frontend/package.json |
Updates Vite and security overrides. |
playground/FoundryAgentEnterprise/frontend/package.json |
Updates Vite and security overrides. |
playground/BrowserTelemetry/BrowserTelemetry.Web/package.json |
Pins esbuild and OpenTelemetry core. |
playground/BrowserTelemetry/BrowserTelemetry.Web/package-lock.json |
Locks OpenTelemetry core 2.8.0. |
playground/AspireWithNode/NodeFrontend/package.json |
Updates protobufjs and OpenTelemetry overrides. |
playground/AspireWithNode/NodeFrontend/package-lock.json |
Refreshes gRPC, protobufjs, and OpenTelemetry. |
playground/AspireWithJavaScript/AspireJavaScript.Vue/package.json |
Updates Vite and security overrides. |
playground/AspireWithJavaScript/AspireJavaScript.Vite/package.json |
Updates Vite, Babel, and YAML tooling. |
playground/AspireWithJavaScript/AspireJavaScript.React/package.json |
Updates Babel and webpack tooling. |
playground/AspireWithJavaScript/AspireJavaScript.Angular/package.json |
Updates Angular and vulnerable transitive packages. |
playground/AspireWithBun/package.json |
Pins esbuild. |
playground/AspireWithBun/package-lock.json |
Locks esbuild 0.28.1. |
extension/yarn.lock |
Refreshes resolved security-sensitive packages. |
extension/package.json |
Updates extension dependency resolutions. |
Files not reviewed (26)
- playground/AspireWithBun/package-lock.json: Generated file
- playground/AspireWithJavaScript/AspireJavaScript.React/package-lock.json: Generated file
- playground/AspireWithJavaScript/AspireJavaScript.Vite/package-lock.json: Generated file
- playground/AspireWithJavaScript/AspireJavaScript.Vue/package-lock.json: Generated file
- playground/AspireWithNode/NodeFrontend/package-lock.json: Generated file
- playground/AspireWithNode/NodeFrontend/pnpm-lock.yaml: Generated file
- playground/BrowserTelemetry/BrowserTelemetry.Web/package-lock.json: Generated file
- playground/FoundryAgentEnterprise/frontend/package-lock.json: Generated file
- playground/JavaAppHost/frontend/package-lock.json: Generated file
- playground/PythonAppHost/frontend/package-lock.json: Generated file
- playground/TypeScriptAppHost/vite-frontend/package-lock.json: Generated file
- playground/TypeScriptApps/AzureFunctionsSample/TypeScriptApiService/package-lock.json: Generated file
- playground/TypeScriptApps/RpsArena/arena-frontend/package-lock.json: Generated file
- src/Aspire.Cli/Templating/Templates/java-starter/frontend/package-lock.json: Generated file
- src/Aspire.Cli/Templating/Templates/py-starter/frontend/package-lock.json: Generated file
- src/Aspire.Cli/Templating/Templates/py-starter/package-lock.json: Generated file
- src/Aspire.Cli/Templating/Templates/ts-starter/frontend/package-lock.json: Generated file
- src/Aspire.Cli/Templating/Templates/ts-starter/package-lock.json: Generated file
- src/Aspire.ProjectTemplates/templates/aspire-ts-cs-starter/frontend/package-lock.json: Generated file
- tests/PolyglotAppHosts/Aspire.Hosting.Azure.CosmosDB/TypeScript/package-lock.json: Generated file
- tests/PolyglotAppHosts/Aspire.Hosting.Azure.Network/TypeScript/package-lock.json: Generated file
- tests/PolyglotAppHosts/Aspire.Hosting.Azure.WebPubSub/TypeScript/package-lock.json: Generated file
- tests/PolyglotAppHosts/Aspire.Hosting.EntityFrameworkCore/TypeScript/package-lock.json: Generated file
- tests/PolyglotAppHosts/Aspire.Hosting.Go/TypeScript/package-lock.json: Generated file
- tests/PolyglotAppHosts/TypeScript.PackageManagers.Npm/TypeScript/package-lock.json: Generated file
- tests/PolyglotAppHosts/TypeScript.PackageManagers.Pnpm/TypeScript/pnpm-lock.yaml: Generated file
|
Retrying the failed CI jobs for this pull request from the CI run attempt. The rerun is being tracked in the rerun attempt. |
|
Retrying the failed CI jobs for this pull request from the CI run attempt. The rerun is being tracked in the rerun attempt. |
|
Retrying the failed CI jobs for this pull request from the CI run attempt. The rerun is being tracked in the rerun attempt. |
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
This comment has been minimized.
This comment has been minimized.
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 29 out of 57 changed files in this pull request and generated 1 comment.
Files not reviewed (26)
- playground/AspireWithBun/package-lock.json: Generated file
- playground/AspireWithJavaScript/AspireJavaScript.React/package-lock.json: Generated file
- playground/AspireWithJavaScript/AspireJavaScript.Vite/package-lock.json: Generated file
- playground/AspireWithJavaScript/AspireJavaScript.Vue/package-lock.json: Generated file
- playground/AspireWithNode/NodeFrontend/package-lock.json: Generated file
- playground/AspireWithNode/NodeFrontend/pnpm-lock.yaml: Generated file
- playground/BrowserTelemetry/BrowserTelemetry.Web/package-lock.json: Generated file
- playground/FoundryAgentEnterprise/frontend/package-lock.json: Generated file
- playground/JavaAppHost/frontend/package-lock.json: Generated file
- playground/PythonAppHost/frontend/package-lock.json: Generated file
- playground/TypeScriptAppHost/vite-frontend/package-lock.json: Generated file
- playground/TypeScriptApps/AzureFunctionsSample/TypeScriptApiService/package-lock.json: Generated file
- playground/TypeScriptApps/RpsArena/arena-frontend/package-lock.json: Generated file
- src/Aspire.Cli/Templating/Templates/java-starter/frontend/package-lock.json: Generated file
- src/Aspire.Cli/Templating/Templates/py-starter/frontend/package-lock.json: Generated file
- src/Aspire.Cli/Templating/Templates/py-starter/package-lock.json: Generated file
- src/Aspire.Cli/Templating/Templates/ts-starter/frontend/package-lock.json: Generated file
- src/Aspire.Cli/Templating/Templates/ts-starter/package-lock.json: Generated file
- src/Aspire.ProjectTemplates/templates/aspire-ts-cs-starter/frontend/package-lock.json: Generated file
- tests/PolyglotAppHosts/Aspire.Hosting.Azure.CosmosDB/TypeScript/package-lock.json: Generated file
- tests/PolyglotAppHosts/Aspire.Hosting.Azure.Network/TypeScript/package-lock.json: Generated file
- tests/PolyglotAppHosts/Aspire.Hosting.Azure.WebPubSub/TypeScript/package-lock.json: Generated file
- tests/PolyglotAppHosts/Aspire.Hosting.EntityFrameworkCore/TypeScript/package-lock.json: Generated file
- tests/PolyglotAppHosts/Aspire.Hosting.Go/TypeScript/package-lock.json: Generated file
- tests/PolyglotAppHosts/TypeScript.PackageManagers.Npm/TypeScript/package-lock.json: Generated file
- tests/PolyglotAppHosts/TypeScript.PackageManagers.Pnpm/TypeScript/pnpm-lock.yaml: Generated file
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 29 out of 57 changed files in this pull request and generated 1 comment.
Files not reviewed (26)
- playground/AspireWithBun/package-lock.json: Generated file
- playground/AspireWithJavaScript/AspireJavaScript.React/package-lock.json: Generated file
- playground/AspireWithJavaScript/AspireJavaScript.Vite/package-lock.json: Generated file
- playground/AspireWithJavaScript/AspireJavaScript.Vue/package-lock.json: Generated file
- playground/AspireWithNode/NodeFrontend/package-lock.json: Generated file
- playground/AspireWithNode/NodeFrontend/pnpm-lock.yaml: Generated file
- playground/BrowserTelemetry/BrowserTelemetry.Web/package-lock.json: Generated file
- playground/FoundryAgentEnterprise/frontend/package-lock.json: Generated file
- playground/JavaAppHost/frontend/package-lock.json: Generated file
- playground/PythonAppHost/frontend/package-lock.json: Generated file
- playground/TypeScriptAppHost/vite-frontend/package-lock.json: Generated file
- playground/TypeScriptApps/AzureFunctionsSample/TypeScriptApiService/package-lock.json: Generated file
- playground/TypeScriptApps/RpsArena/arena-frontend/package-lock.json: Generated file
- src/Aspire.Cli/Templating/Templates/java-starter/frontend/package-lock.json: Generated file
- src/Aspire.Cli/Templating/Templates/py-starter/frontend/package-lock.json: Generated file
- src/Aspire.Cli/Templating/Templates/py-starter/package-lock.json: Generated file
- src/Aspire.Cli/Templating/Templates/ts-starter/frontend/package-lock.json: Generated file
- src/Aspire.Cli/Templating/Templates/ts-starter/package-lock.json: Generated file
- src/Aspire.ProjectTemplates/templates/aspire-ts-cs-starter/frontend/package-lock.json: Generated file
- tests/PolyglotAppHosts/Aspire.Hosting.Azure.CosmosDB/TypeScript/package-lock.json: Generated file
- tests/PolyglotAppHosts/Aspire.Hosting.Azure.Network/TypeScript/package-lock.json: Generated file
- tests/PolyglotAppHosts/Aspire.Hosting.Azure.WebPubSub/TypeScript/package-lock.json: Generated file
- tests/PolyglotAppHosts/Aspire.Hosting.EntityFrameworkCore/TypeScript/package-lock.json: Generated file
- tests/PolyglotAppHosts/Aspire.Hosting.Go/TypeScript/package-lock.json: Generated file
- tests/PolyglotAppHosts/TypeScript.PackageManagers.Npm/TypeScript/package-lock.json: Generated file
- tests/PolyglotAppHosts/TypeScript.PackageManagers.Pnpm/TypeScript/pnpm-lock.yaml: Generated file
This comment has been minimized.
This comment has been minimized.
* Install Radius CLI in the test instead of the workflow Move the `rad` CLI install out of the deployment-tests.yml workflow and into RadiusStarterDeploymentTests itself (new Step 1a). This keeps the Radius prerequisite self-contained in the only test that needs it: other deployment scenarios no longer pay the download cost or risk failing on an install-endpoint outage, and the test can run locally without workflow-specific setup. The CLI installs into a workspace-local dir so nothing leaks into ~/.rad. Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com> Copilot-Session: b84daeef-5ebd-4d6e-bc4f-c8579a5c287d * Harden Radius CLI install against masked curl failures Wrap the `curl | install.sh` pipe in a `set -o pipefail` subshell so a failed download propagates instead of being masked by install.sh's exit code. The interactive test terminal does not enable pipefail by default, unlike the GitHub Actions runner shell this install replaced. The PATH export stays outside the subshell so it persists for later steps. Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com> Copilot-Session: b84daeef-5ebd-4d6e-bc4f-c8579a5c287d * Isolate Radius installer HOME Set HOME to the workspace home while installing the pinned Radius CLI so the installer-triggered bicep download stays under the temporary workspace. Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com> Copilot-Session: b84daeef-5ebd-4d6e-bc4f-c8579a5c287d * Update Radius deployment test docs Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com> Copilot-Session: b84daeef-5ebd-4d6e-bc4f-c8579a5c287d * Clarify Radius installer sudo check Update the Step 1a comment to describe the pinned installer needsSudo behavior accurately. Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com> Copilot-Session: b84daeef-5ebd-4d6e-bc4f-c8579a5c287d * Keep Radius version check isolated Run the immediate Radius CLI verification under the workspace HOME used by the installer subshell. Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com> Copilot-Session: b84daeef-5ebd-4d6e-bc4f-c8579a5c287d * Pin Radius installer to commit SHA and add retry Pin install.sh to the immutable commit SHA behind the v0.59.0 tag so the executed installer content cannot drift if the tag is retargeted, retry the download to tolerate transient CDN failures, and describe the pipefail scope in state-based terms. Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com> Copilot-Session: b84daeef-5ebd-4d6e-bc4f-c8579a5c287d --------- Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
* Allow external service URIs without trailing slash Removes trailing-slash validation for external service URIs and direct URI references while preserving absolute URI, fragment, and query validation. Updates hosting tests to cover path URIs with and without a trailing slash. Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com> * Update WithReference test for path URIs Adjusts WithReferenceTests to validate successful environment injection for a URI with a non-trailing-slash path, matching the new URI validation behavior. Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
| "serialize-javascript": "7.0.5", | ||
| "flatted": "3.4.2", | ||
| "lodash": "4.18.1", | ||
| "undici": "7.27.0", |
There was a problem hiding this comment.
@IEvangelist did we do any sort of manual testing for the changes here and yarn.lock to ensure the extension still works as expected?
There was a problem hiding this comment.
Yes - I validated the extension changes at 756a4c9 (the follow-up commit only fixes the separate Yarn fixture lockfile).
corepack yarn install --frozen-lockfile --non-interactivesucceeded.extension\build.ps1succeeded, andcorepack yarn run testcompleted with 1,161 passing tests.- I built and installed the PR VSIX in VS Code 1.122.1, then ran the focused zero-to-running Extension Host E2E: 1/1 passed. It exercised New Project and Add Package routing, AppHost discovery/selection, adding
Aspire.Hosting.Redis, debugging, probing the dashboard, and stopping the session. - The installed graph contained
undici@7.28.0,tmp@0.2.7,js-yaml@4.2.0,markdown-it@14.2.0, andform-data@4.0.6.
So the extension still works end to end with the updated package.json and yarn.lock.
| "globals": "^16.5.0", | ||
| "typescript": "~5.9.3", | ||
| "typescript-eslint": "^8.48.1", | ||
| "vite": "^8.0.0" |
There was a problem hiding this comment.
Assuming we also did some validation here and ensure that we are able to instantiate the templates after these updates?
There was a problem hiding this comment.
Yes - I validated the changed starter templates with the PR dogfood CLI 13.5.0-pr.18735.g756a4c96 and PR hive.
- Created fresh
aspire-ts-starter,aspire-py-starter, andaspire-ts-cs-starterprojects non-interactively. - Clean dependency installs and frontend/AppHost builds succeeded for all three.
- Started each generated AppHost and waited for its frontend resource (
frontendorwebfrontend) to become healthy, then stopped it cleanly. The API/server and frontend resources were healthy, and installer resources exited with code 0. - The
src/Aspire.Cli/Templating/Templates/java-startersource is not currently registered or embedded as anaspire newtemplate, so I validated its changed frontend directly:npm cireported 0 vulnerabilities andnpm run buildsucceeded with Vite 8.1.3.
I also pushed 81d04ff0af to regenerate the separate Yarn 4 fixture lockfile; corepack yarn install --immutable now succeeds.
joperezr
left a comment
There was a problem hiding this comment.
Left two comments mostly to ensure that the changes impacting the product (extension and templates) were validated, but other than that this looks good. Thanks @IEvangelist!
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com> Copilot-Session: ba8c860a-2cf2-4af4-8297-79de367a57a9
Update the Yarn 4 lockfile to reflect the security resolutions for esbuild, tar, and undici so immutable installs succeed. Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com> Copilot-Session: ba8c860a-2cf2-4af4-8297-79de367a57a9
Tests selector (audit mode)The full test matrix and all jobs still run in audit mode. The tests and jobs below are what selective CI would run under enforcement. 53 / 100 test projects · 7 jobs, from 64 changed files. Selected test projects (53 / 100)
Selected jobs (7)
How these were chosen — grouped by what changed
🔧 show 43
🧪 📦 affected project 📦 affected project 📄 📄 📄 📄 📄 📄 📄 📄 📄 📄 📄 📄 📄 📄 📄 📄 📄 📄 📄 📄 📄 📄 📄 📄 📄 📄 📄 📄 🔧 🔧 🔧 🧪 🧪 Job reasons
Selection computed for commit |
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 36 out of 65 changed files in this pull request and generated 2 comments.
Files not reviewed (26)
- playground/AspireWithBun/package-lock.json: Generated file
- playground/AspireWithJavaScript/AspireJavaScript.React/package-lock.json: Generated file
- playground/AspireWithJavaScript/AspireJavaScript.Vite/package-lock.json: Generated file
- playground/AspireWithJavaScript/AspireJavaScript.Vue/package-lock.json: Generated file
- playground/AspireWithNode/NodeFrontend/package-lock.json: Generated file
- playground/AspireWithNode/NodeFrontend/pnpm-lock.yaml: Generated file
- playground/BrowserTelemetry/BrowserTelemetry.Web/package-lock.json: Generated file
- playground/FoundryAgentEnterprise/frontend/package-lock.json: Generated file
- playground/JavaAppHost/frontend/package-lock.json: Generated file
- playground/PythonAppHost/frontend/package-lock.json: Generated file
- playground/TypeScriptAppHost/vite-frontend/package-lock.json: Generated file
- playground/TypeScriptApps/AzureFunctionsSample/TypeScriptApiService/package-lock.json: Generated file
- playground/TypeScriptApps/RpsArena/arena-frontend/package-lock.json: Generated file
- src/Aspire.Cli/Templating/Templates/java-starter/frontend/package-lock.json: Generated file
- src/Aspire.Cli/Templating/Templates/py-starter/frontend/package-lock.json: Generated file
- src/Aspire.Cli/Templating/Templates/py-starter/package-lock.json: Generated file
- src/Aspire.Cli/Templating/Templates/ts-starter/frontend/package-lock.json: Generated file
- src/Aspire.Cli/Templating/Templates/ts-starter/package-lock.json: Generated file
- src/Aspire.ProjectTemplates/templates/aspire-ts-cs-starter/frontend/package-lock.json: Generated file
- tests/PolyglotAppHosts/Aspire.Hosting.Azure.CosmosDB/TypeScript/package-lock.json: Generated file
- tests/PolyglotAppHosts/Aspire.Hosting.Azure.Network/TypeScript/package-lock.json: Generated file
- tests/PolyglotAppHosts/Aspire.Hosting.Azure.WebPubSub/TypeScript/package-lock.json: Generated file
- tests/PolyglotAppHosts/Aspire.Hosting.EntityFrameworkCore/TypeScript/package-lock.json: Generated file
- tests/PolyglotAppHosts/Aspire.Hosting.Go/TypeScript/package-lock.json: Generated file
- tests/PolyglotAppHosts/TypeScript.PackageManagers.Npm/TypeScript/package-lock.json: Generated file
- tests/PolyglotAppHosts/TypeScript.PackageManagers.Pnpm/TypeScript/pnpm-lock.yaml: Generated file
| if (!uri.IsAbsoluteUri) | ||
| { | ||
| throw new InvalidOperationException($"The URI for service reference '{name}' is invalid while configuring target resource '{builder.Resource.Name}': it must be absolute."); | ||
| } |
| - name: Setup Helm | ||
| uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4 # v4.3.1 | ||
| with: | ||
| version: v4.2.0 | ||
|
|
||
| # Install the Radius (`rad`) CLI only for the Radius deployment scenario. `aspire deploy` | ||
| # against a Radius environment shells out to `rad deploy`, so the CLI must be on PATH. | ||
| # Gated to the single matrix class so the ~dozens of other split jobs neither pay the | ||
| # download cost nor fail if the install endpoint is unavailable. RADIUS_VERSION pins the | ||
| # control-plane version (`rad install kubernetes` in the test installs the matching plane), | ||
| # keeping CI deterministic across Radius releases. | ||
| - name: Setup Radius | ||
| if: ${{ contains(matrix.classname, 'RadiusStarterDeploymentTests') }} | ||
| env: | ||
| # Full release tag component; install.sh resolves this to tag v0.59.0. Keep aligned | ||
| # with RadiusBicepExtension.Version (major.minor 0.59) so the installed control plane | ||
| # matches the Bicep types the publisher emits. | ||
| RADIUS_VERSION: "0.59.0" | ||
| run: | | ||
| # Pre-create the install dir (user-owned) BEFORE running install.sh. The | ||
| # Radius install.sh chooses whether to sudo by looking only at the install | ||
| # dir's immediate parent: for --install-dir "$HOME/.rad/bin" it inspects | ||
| # "$HOME/.rad", and on a fresh runner that does not exist yet, so it wrongly | ||
| # decides sudo is required and runs `sudo mkdir -p "$HOME/.rad/bin"`. That | ||
| # leaves "$HOME/.rad" owned by root, and the subsequent (non-sudo) | ||
| # `rad bicep download` then fails to create "$HOME/.rad/config.yaml.lock" | ||
| # with "permission denied". Creating the dir up front makes install.sh see a | ||
| # writable target and skip sudo entirely. | ||
| mkdir -p "$HOME/.rad/bin" | ||
| # Fetch install.sh pinned to the same release tag (v$RADIUS_VERSION) we install, rather | ||
| # than the moving `main` branch. This keeps the installer script content locked to the | ||
| # pinned version so it cannot drift independently (supply-chain hardening). | ||
| curl -fsSL "https://raw.githubusercontent.com/radius-project/radius/v${RADIUS_VERSION}/deploy/install.sh" | \ | ||
| /bin/bash -s -- --version "$RADIUS_VERSION" --install-dir "$HOME/.rad/bin" | ||
| echo "$HOME/.rad/bin" >> "$GITHUB_PATH" | ||
| "$HOME/.rad/bin/rad" version --cli | ||
|
|
||
| - name: Run deployment test (${{ matrix.shortname }}) | ||
| id: run_tests |
[auto-sec] Consolidate npm security remediations across all frontend manifests
This PR addresses 100+ Dependabot security alerts across 29 npm/yarn/pnpm manifests.
Alerts addressed
Strategy
overrides(npm),resolutions(yarn v1), orpnpm.overrides(pnpm) to pin vulnerable transitive depsnpm install --package-lock-onlyreturnedfound 0 vulnerabilitiesyarn installVerification-
npm auditshows 0 vulnerabilities for all npm manifests- Cannot fully verify CI locally; submitting for CI validationAuto-sec refresh (2026-07-13)
mainvia GitHub update-branch.read ECONNRESETinSet up .NET Corefor 3 Ubuntu CLI E2E jobs).reviewDecision: REVIEW_REQUIRED).