Skip to content

ENG-33: CVE updates #245

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
kariharju merged 7 commits into from
Dec 18, 2025
Merged

ENG-33: CVE updates #245

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
5033587
CVE updates, switch from yarn to npm
kariharju Dec 17, 2025
d6eeb1f
Updated vsce to latest
kariharju Dec 17, 2025
79b1981
Updating codegen
kariharju Dec 17, 2025
1f780ae
Fixing file read writes with utf and linux linefeeds
kariharju Dec 17, 2025
0273146
Fixed package.json codegen
kariharju Dec 17, 2025
8939b3e
Added a lot of excludes to .vscodeignore
kariharju Dec 17, 2025
a11b490
Version bump to 2.19.0
kariharju Dec 17, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
26 changes: 13 additions & 13 deletions .github/workflows/pre-release-sema4ai-sdk.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -22,12 +22,14 @@ jobs:
fetch-depth: 0
fetch-tags: true
- name: Setup node
uses: actions/setup-node@v4
uses: actions/setup-node@v6
Copy link
Copy Markdown
Contributor

@fabioz fabioz Dec 17, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Since you touched it, maybe it'd be nice to actually pin it with the hash...

Copy link
Copy Markdown
Contributor Author

@kariharju kariharju Dec 18, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah I've been hoping to avoid it, kind of wishing these would just get the semver support, but I guess that is wishful thinking.
Maintaining the hashes on +400 repositories is absolute insanity, compared to having something like ^6.1.2
I'll try to get everything to v6 and using the caching correctly first then some massive search and replace agent or bot.

with:
node-version: 20.x
cache: 'npm'
cache-dependency-path: sema4ai/package-lock.json

- name: Yarn install
run: yarn install
- name: Install dependencies
run: npm ci

- name: Set up Python 3.11
uses: actions/setup-python@v4
Expand Down Expand Up @@ -58,23 +60,21 @@ jobs:
working-directory: ./sema4ai
run: poetry install

- run: npm install -g vsce@2.15.0

# Platforms: win32-x64, win32-ia32, win32-arm64, linux-x64, linux-arm64, linux-armhf, alpine-x64, alpine-arm64, darwin-x64, darwin-arm64 and web.

# Deal with Windows --------------
- name: Download rcc for windows
run: python -m dev download-rcc win32

- run: vsce package --pre-release --target win32-x64 -o sema4ai-win32-x64.vsix
- run: npm run vsce:package -- --pre-release --target win32-x64 -o sema4ai-win32-x64.vsix

- uses: actions/upload-artifact@v4
with:
name: sema4ai-win32-x64.vsix
path: ./sema4ai/sema4ai-win32-x64.vsix

- name: Publish pre-release to vscode marketplace
run: vsce publish --packagePath ./sema4ai-win32-x64.vsix -p $VSCODE_VSCE_TOKEN --pre-release
run: npm run vsce:publish -- --packagePath ./sema4ai-win32-x64.vsix -p $VSCODE_VSCE_TOKEN --pre-release
env:
VSCODE_VSCE_TOKEN: ${{ secrets.VSCODE_VSCE_TOKEN }}

Expand All @@ -87,15 +87,15 @@ jobs:
- name: Download rcc for linux
run: python -m dev download-rcc linux

- run: vsce package --pre-release --target linux-x64 -o sema4ai-linux-x64.vsix
- run: npm run vsce:package -- --pre-release --target linux-x64 -o sema4ai-linux-x64.vsix

- uses: actions/upload-artifact@v4
with:
name: sema4ai-linux-x64.vsix
path: ./sema4ai/sema4ai-linux-x64.vsix

- name: Publish pre-release to vscode marketplace
run: vsce publish --packagePath ./sema4ai-linux-x64.vsix -p $VSCODE_VSCE_TOKEN --pre-release
run: npm run vsce:publish -- --packagePath ./sema4ai-linux-x64.vsix -p $VSCODE_VSCE_TOKEN --pre-release
env:
VSCODE_VSCE_TOKEN: ${{ secrets.VSCODE_VSCE_TOKEN }}

Expand All @@ -108,15 +108,15 @@ jobs:
- name: Download rcc for darwin
run: python -m dev download-rcc darwin

- run: vsce package --pre-release --target darwin-x64 -o sema4ai-darwin-x64.vsix
- run: npm run vsce:package -- --pre-release --target darwin-x64 -o sema4ai-darwin-x64.vsix

- uses: actions/upload-artifact@v4
with:
name: sema4ai-darwin-x64.vsix
path: ./sema4ai/sema4ai-darwin-x64.vsix

- name: Publish pre-release to vscode marketplace
run: vsce publish --packagePath ./sema4ai-darwin-x64.vsix -p $VSCODE_VSCE_TOKEN --pre-release
run: npm run vsce:publish -- --packagePath ./sema4ai-darwin-x64.vsix -p $VSCODE_VSCE_TOKEN --pre-release
env:
VSCODE_VSCE_TOKEN: ${{ secrets.VSCODE_VSCE_TOKEN }}

Expand All @@ -129,15 +129,15 @@ jobs:
- name: Download rcc for darwin arm64
run: python -m dev download-rcc darwin-arm64

- run: vsce package --pre-release --target darwin-arm64 -o sema4ai-darwin-arm64.vsix
- run: npm run vsce:package -- --pre-release --target darwin-arm64 -o sema4ai-darwin-arm64.vsix

- uses: actions/upload-artifact@v4
with:
name: sema4ai-darwin-arm64.vsix
path: ./sema4ai/sema4ai-darwin-arm64.vsix

- name: Publish pre-release to vscode marketplace
run: vsce publish --packagePath ./sema4ai-darwin-arm64.vsix -p $VSCODE_VSCE_TOKEN --pre-release
run: npm run vsce:publish -- --packagePath ./sema4ai-darwin-arm64.vsix -p $VSCODE_VSCE_TOKEN --pre-release
env:
VSCODE_VSCE_TOKEN: ${{ secrets.VSCODE_VSCE_TOKEN }}

Expand Down
33 changes: 17 additions & 16 deletions .github/workflows/release-sema4ai-sdk.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,11 +17,13 @@ jobs:
steps:
- uses: actions/checkout@v4
- name: Setup node
uses: actions/setup-node@v4
uses: actions/setup-node@v6
with:
node-version: 20.x
- name: Yarn install
run: yarn install
cache: 'npm'
cache-dependency-path: sema4ai/package-lock.json
- name: Install dependencies
run: npm ci
- name: Set up Python 3.11
uses: actions/setup-python@v4
with:
Expand All @@ -37,7 +39,6 @@ jobs:
- name: Install locally
working-directory: ./sema4ai
run: poetry install
- run: npm install -g vsce@2.15.0
- name: Run codegen
run: python -m dev codegen
working-directory: ./sema4ai
Expand All @@ -54,15 +55,15 @@ jobs:
- name: Download rcc for windows
run: python -m dev download-rcc win32

- run: vsce package --target win32-x64 -o sema4ai-win32-x64.vsix
- run: npm run vsce:package -- --target win32-x64 -o sema4ai-win32-x64.vsix

- uses: actions/upload-artifact@v4
with:
name: sema4ai-win32-x64.vsix
path: ./sema4ai/sema4ai-win32-x64.vsix

- name: Publish pre-release to vscode marketplace
run: vsce publish --packagePath ./sema4ai-win32-x64.vsix -p $VSCODE_VSCE_TOKEN
- name: Publish to vscode marketplace
run: npm run vsce:publish -- --packagePath ./sema4ai-win32-x64.vsix -p $VSCODE_VSCE_TOKEN
env:
VSCODE_VSCE_TOKEN: ${{ secrets.VSCODE_VSCE_TOKEN }}

Expand All @@ -75,15 +76,15 @@ jobs:
- name: Download rcc for linux
run: python -m dev download-rcc linux

- run: vsce package --target linux-x64 -o sema4ai-linux-x64.vsix
- run: npm run vsce:package -- --target linux-x64 -o sema4ai-linux-x64.vsix

- uses: actions/upload-artifact@v4
with:
name: sema4ai-linux-x64.vsix
path: ./sema4ai/sema4ai-linux-x64.vsix

- name: Publish pre-release to vscode marketplace
run: vsce publish --packagePath ./sema4ai-linux-x64.vsix -p $VSCODE_VSCE_TOKEN
- name: Publish to vscode marketplace
run: npm run vsce:publish -- --packagePath ./sema4ai-linux-x64.vsix -p $VSCODE_VSCE_TOKEN
env:
VSCODE_VSCE_TOKEN: ${{ secrets.VSCODE_VSCE_TOKEN }}

Expand All @@ -96,15 +97,15 @@ jobs:
- name: Download rcc for darwin
run: python -m dev download-rcc darwin

- run: vsce package --target darwin-x64 -o sema4ai-darwin-x64.vsix
- run: npm run vsce:package -- --target darwin-x64 -o sema4ai-darwin-x64.vsix

- uses: actions/upload-artifact@v4
with:
name: sema4ai-darwin-x64.vsix
path: ./sema4ai/sema4ai-darwin-x64.vsix

- name: Publish pre-release to vscode marketplace
run: vsce publish --packagePath ./sema4ai-darwin-x64.vsix -p $VSCODE_VSCE_TOKEN
- name: Publish to vscode marketplace
run: npm run vsce:publish -- --packagePath ./sema4ai-darwin-x64.vsix -p $VSCODE_VSCE_TOKEN
env:
VSCODE_VSCE_TOKEN: ${{ secrets.VSCODE_VSCE_TOKEN }}

Expand All @@ -117,15 +118,15 @@ jobs:
- name: Download rcc for darwin arm64
run: python -m dev download-rcc darwin-arm64

- run: vsce package --target darwin-arm64 -o sema4ai-darwin-arm64.vsix
- run: npm run vsce:package -- --target darwin-arm64 -o sema4ai-darwin-arm64.vsix

- uses: actions/upload-artifact@v4
with:
name: sema4ai-darwin-arm64.vsix
path: ./sema4ai/sema4ai-darwin-arm64.vsix

- name: Publish pre-release to vscode marketplace
run: vsce publish --packagePath ./sema4ai-darwin-arm64.vsix -p $VSCODE_VSCE_TOKEN
- name: Publish to vscode marketplace
run: npm run vsce:publish -- --packagePath ./sema4ai-darwin-arm64.vsix -p $VSCODE_VSCE_TOKEN
env:
VSCODE_VSCE_TOKEN: ${{ secrets.VSCODE_VSCE_TOKEN }}

Expand Down
5 changes: 5 additions & 0 deletions docs/changelog.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,5 +1,10 @@
## Unreleased

## New in 2.19.0 (2025-12-17)

- CVE updates
- Fixes to .vsix content exclusions

## New in 2.18.0 (2025-12-16)

- Added support for document-intelligence `v2.1` for agent spec
Expand Down
8 changes: 4 additions & 4 deletions docs/develop.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,15 +5,15 @@
### Prerequisites

- **Node.js**: Install [NVM](https://github.com/nvm-sh/nvm?tab=readme-ov-file#installing-and-updating) to manage Node versions
- `nvm install 20.12.2` - installs correct Node version
- `nvm use 20.12.2` - switch to the correct version
- `nvm install 20.19.6` - installs correct Node version
- `nvm use 20.19.6` - switch to the correct version
- Verify installation:
- `node --version`
- `npm --version`

- **Python**: Python 3.11 (see [pyproject.toml](/sema4ai/pyproject.toml) for exact version requirements)
- **Poetry**: For Python dependency management (`pip install poetry`)
- **vsce**: For packaging VSIX files (`npm install -g vsce@2.15.0`)
- **vsce**: For packaging VSIX files [@vscode/vsce](https://www.npmjs.com/package/@vscode/vsce) - installed as a dev dependency via npm

### Initial Setup

Expand Down Expand Up @@ -97,7 +97,7 @@ This will:
Alternatively, to just package without installing:
```bash
python -m dev vendor-robocorp-ls-core
vsce package
npm run vsce:package
python -m dev remove-vendor-robocorp-ls-core
```

Expand Down
54 changes: 52 additions & 2 deletions sema4ai/.vscodeignore
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -12,9 +12,59 @@ vscode-client/src
**/.pytest_cache/**
**/*.pyc
**/__pycache__

# Build/dist artifacts
src/build/**
src/dist/**
src/sema4ai_code.egg-info/**
output/**
node_modules/http-proxy-agent/test/**
node_modules/agent-base/test/**

# Python caches
.mypy_cache/**
.ruff_cache/**

# Dev-only files
dev.py
codegen/**
poetry.lock
pyproject.toml
console.ts
vsce-tree.log

# Config files not needed at runtime
.nvmrc
.prettierignore
.yarnrc.yml
.editorconfig
tsconfig.json
vscode-client/tsconfig.json
vscode-client/.vscodeignore

# TypeScript source (only need compiled JS)
vscode-client/**/*.ts
!vscode-client/**/*.d.ts

# Source maps (not needed in production)
**/*.js.map

# Test files
vscode-client/out/tests/**

# Node modules cleanup
node_modules/**/README.md
node_modules/**/CHANGELOG.md
node_modules/**/History.md
node_modules/**/.travis.yml
node_modules/**/.eslintrc*
node_modules/**/.coveralls.yml
node_modules/**/.npmignore
node_modules/**/.editorconfig
node_modules/**/.mocharc.json
node_modules/**/Makefile
node_modules/**/karma.conf.js
node_modules/**/example/**
node_modules/**/test/**
node_modules/**/*.map
node_modules/**/LICENSE*
node_modules/**/license*
node_modules/**/.github/**
Loading