
[Snyk] Fix for 1 vulnerabilities#12932

Open
sestinj wants to merge 1 commit into
mainfrom
snyk-fix-3cb01a3bed0c86dbf668d9e81ebe8ba1

Conversation


@sestinj sestinj commented Jul 1, 2026

Contributor


Snyk has created this PR to fix 1 vulnerability in the npm dependencies of this project.

Snyk changed the following file(s):

  • extensions/vscode/package.json

Vulnerabilities that will be fixed with an upgrade:

Issue: Inefficient Algorithmic Complexity (high severity), SNYK-JS-BRACEEXPANSION-17706650
Score: 721

Breaking Change Risk

Merge Risk: High

Notice: This assessment is enhanced by AI.


Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.
  • This PR was automatically created by Snyk using the credentials of a real user.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic


Learn how to fix vulnerabilities with free interactive lessons:

🦉 Learn about vulnerability in an interactive lesson of Snyk Learn.


sestinj commented Jul 1, 2026

Contributor Author

Merge Risk: High

This set of upgrades includes a major, high-risk update to vscode-languageclient and a low-risk patch for @electron/rebuild.

High Risk: vscode-languageclient 8.1.0 → 10.0.0

This is a double-major version upgrade that introduces significant breaking changes requiring code modifications. The upgrade spans Language Server Protocol versions up to 3.18.

Key Breaking Changes:

  • Asynchronous Client Start: The client.start() method is now asynchronous and must be awaited. The previous pattern of using client.onReady() is deprecated. Code should be changed from client.start(); client.onReady().then(...) to await client.start();.
  • Module Imports: Since v7, the package has been split into common, node, and browser entry points. You must update your imports to pull from the correct entry point, for example: import { LanguageClient } from 'vscode-languageclient/node';.
  • Logging API: The upgrade to v10 may require replacing vscode.OutputChannel with vscode.LogOutputChannel in your client options.

Recommendation: Developers must carefully review the official changelogs for both v9 and v10, update client initialization and lifecycle management code, and adjust import paths as necessary before merging.

Low Risk: @electron/rebuild 4.0.3 → 4.0.4

This is a patch release that fixes a native module build issue on macOS Sequoia by switching to @electron/node-gyp. No breaking changes are expected for typical usage.

Notice 🤖: This content was augmented using artificial intelligence. AI-generated content may contain errors and should be reviewed for accuracy before use.

@sestinj sestinj requested a review from a team as a code owner July 1, 2026 08:57
@dosubot dosubot Bot added the size:XS This PR changes 0-9 lines, ignoring generated files. label Jul 1, 2026

@cubic-dev-ai cubic-dev-ai Bot left a comment

Contributor


1 issue found across 1 file

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="extensions/vscode/package.json">

<violation number="1" location="extensions/vscode/package.json:766">
P2: Upgrading unused dependency `vscode-languageclient` from `^8.0.2` to `^10.0.0` skips v9 and brings a VS Code engine requirement of `^1.91.0`, far above the extension's `^1.70.0` target. Since the package is never imported in any source file, the brace-expansion vulnerability would be better fixed with a targeted override instead. This change adds unnecessary install-time risk with zero runtime benefit.</violation>
</file>

Reply with feedback, questions, or to request a fix.


"vectordb": "0.4.20",
"vitest": "^3.1.4",
"vscode-languageclient": "^8.0.2",
"vscode-languageclient": "^10.0.0",

Contributor


P2: Upgrading unused dependency vscode-languageclient from ^8.0.2 to ^10.0.0 skips v9 and brings a VS Code engine requirement of ^1.91.0, far above the extension's ^1.70.0 target. Since the package is never imported in any source file, the brace-expansion vulnerability would be better fixed with a targeted override instead. This change adds unnecessary install-time risk with zero runtime benefit.

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At extensions/vscode/package.json, line 766:

<comment>Upgrading unused dependency `vscode-languageclient` from `^8.0.2` to `^10.0.0` skips v9 and brings a VS Code engine requirement of `^1.91.0`, far above the extension's `^1.70.0` target. Since the package is never imported in any source file, the brace-expansion vulnerability would be better fixed with a targeted override instead. This change adds unnecessary install-time risk with zero runtime benefit.</comment>

<file context>
@@ -763,7 +763,7 @@
     "vectordb": "0.4.20",
     "vitest": "^3.1.4",
-    "vscode-languageclient": "^8.0.2",
+    "vscode-languageclient": "^10.0.0",
     "ws": "^8.19.0",
     "yarn": "^1.22.21"
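Review bot: bumping `vscode-languageclient` from `^8.0.2` to `^10.0.0` to resolve a vulnerability in the transitive brace-expansion package (SNYK-JS-BRACEEXPANSION-17706650) is a broader change than the fix calls for, and the PR description does not say which brace-expansion version the bump actually pulls in, so a reviewer cannot confirm from this hunk alone that the advisory is resolved. Per the inline comment, the package is not imported in any source file and v10 declares a VS Code engine requirement of `^1.91.0` against the extension's `^1.70.0` target, which this hunk leaves untouched. Suggest replacing the bump with an `overrides` entry for brace-expansion pinned to the patched version, or, if the bump is kept, raising `engines.vscode` in the same change and recording the resolved brace-expansion version in the description.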
</file context>
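The inline review comment above recommends a targeted override over a double-major bump of a direct dependency that no source file imports. The following is an added example, not code from this PR or from the project it targets, showing how a reviewer can check that claim mechanically: it diffs the direct dependencies of two package.json manifests, scans source files for imports of the bumped package (bare or via a subpath such as `pkg/node`), and builds the alternative manifest with an npm `overrides` entry. The manifests, the source snippets and the `<patched-version-from-advisory>` placeholder are constructed; the PR does not state the fixed brace-expansion version, so the placeholder has to be replaced from the advisory before the override is used.

```javascript
// Added example (not code from this PR or from the project it targets): triage
// helpers a reviewer can run over a bot-generated dependency bump. All inputs
// below are constructed for the demonstration.
//   1. Which direct dependencies did the PR change, and is any a major bump?
//   2. Is the bumped package imported anywhere in the source tree?
//   3. If it is not, what does the targeted alternative look like: an npm
//      "overrides" entry pinning the vulnerable transitive package instead?

// Constructed manifests. The two vscode-languageclient ranges match the PR diff;
// the engine range is the one quoted in the review comment.
const before = {
  engines: { vscode: "^1.70.0" },
  dependencies: { vectordb: "0.4.20", vitest: "^3.1.4", "vscode-languageclient": "^8.0.2", ws: "^8.19.0" },
};
const after = {
  engines: { vscode: "^1.70.0" },
  dependencies: { vectordb: "0.4.20", vitest: "^3.1.4", "vscode-languageclient": "^10.0.0", ws: "^8.19.0" },
};

// Constructed source files. Nothing imports vscode-languageclient (the reviewer's
// finding); ws is imported both bare and via a subpath so the scanner shows hits.
const sources = {
  "src/extension.ts": 'import * as vscode from "vscode";\nimport WebSocket from "ws";\nexport function activate() {}\n',
  "src/util.ts": 'const Receiver = require("ws/lib/receiver"); // subpath import\nmodule.exports = Receiver;\n',
};

// Direct dependencies whose declared range differs between the two manifests.
function changedDependencies(oldPkg, newPkg) {
  const oldDeps = oldPkg.dependencies ?? {};
  const newDeps = newPkg.dependencies ?? {};
  const changed = {};
  for (const name of new Set([...Object.keys(oldDeps), ...Object.keys(newDeps)])) {
    if (oldDeps[name] !== newDeps[name]) changed[name] = { from: oldDeps[name], to: newDeps[name] };
  }
  return changed;
}

// Leading major number of a range such as "^8.0.2" or "~10.0.0"; NaN if absent.
function majorOf(range) {
  const m = /(\d+)/.exec(String(range ?? ""));
  return m ? Number(m[1]) : NaN;
}

// Escape a package name for use inside a RegExp (the "/" in "@scope/name" is
// harmless in a RegExp built from a string; dots and other metacharacters are not).
function escapeRe(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Files that import or require `pkg`, either bare or through a subpath such as
// "pkg/node". Matches ES `from`, dynamic `import()` and CommonJS `require()`.
function filesImporting(pkg, files) {
  const name = escapeRe(pkg);
  const re = new RegExp(
    `(?:from\\s*|import\\s*\\(\\s*|require\\s*\\(\\s*)["'\`]${name}(?:/[^"'\`]*)?["'\`]`,
  );
  return Object.entries(files)
    .filter(([, text]) => re.test(text))
    .map(([path]) => path);
}

// The targeted alternative: leave the direct dependency as it was and pin the
// vulnerable transitive package through npm's "overrides" field.
function withOverride(pkg, transitiveName, fixedRange) {
  return { ...pkg, overrides: { ...(pkg.overrides ?? {}), [transitiveName]: fixedRange } };
}

// Per-dependency verdict plus the override-based manifest for comparison.
function triage(oldPkg, newPkg, files, transitiveVuln, fixedRange) {
  const verdicts = {};
  for (const [dep, { from, to }] of Object.entries(changedDependencies(oldPkg, newPkg))) {
    const importers = filesImporting(dep, files);
    const majorBump = majorOf(to) > majorOf(from);
    verdicts[dep] = {
      from, to, majorBump, importers,
      recommendation: importers.length === 0
        ? `${dep} is not imported: prefer overrides["${transitiveVuln}"] = "${fixedRange}" over the bump`
        : `${dep} is imported in ${importers.length} file(s): review its changelog before merging`,
    };
  }
  return { verdicts, alternativeManifest: withOverride(oldPkg, transitiveVuln, fixedRange) };
}

// Placeholder: the PR text does not state the patched brace-expansion version;
// take it from the SNYK-JS-BRACEEXPANSION-17706650 advisory before using this.
const FIXED_RANGE = "<patched-version-from-advisory>";
const report = triage(before, after, sources, "brace-expansion", FIXED_RANGE);
console.log(JSON.stringify(report, null, 2));
```

The import scan is a regular-expression heuristic over the common `from`, `import()` and `require()` forms; it is adequate for deciding whether a package.json review needs a closer look, but a compiler-level or bundler-level dependency graph is the authoritative check before an override is relied on. The `overrides` field is honoured by npm but not by every package manager, so the alternative manifest only helps if the project installs with npm.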
