[Beta] Merge [Main] into beta - prepare for beta release #2705
Conversation
Pull request overview
This PR updates the beta branch in preparation for a beta release by syncing configuration/package versions and refreshing Rush-managed dependency lockfiles.
Changes:
- Bump applicationinsights-web-config and related config JSON versions to 1.0.6.
- Enable zipPayload feature opt-in (mode: 3) in config and add it to the test config.
- Update Rush shrinkwrap / common dependency preferences, including pinning glob and upgrading a number of tooling dependencies.
Reviewed changes
Copilot reviewed 4 out of 5 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| tools/config/test-config.json | Updates test config version and adds zipPayload opt-in configuration. |
| tools/config/package.json | Bumps applicationinsights-web-config package version to 1.0.6. |
| tools/config/config.json | Bumps config version and switches zipPayload.mode to enabled (3). |
| common/config/rush/npm-shrinkwrap.json | Updates lockfile with new/changed dependency resolutions (notably eslint/tooling and glob). |
| common/config/rush/common-versions.json | Adds a preferred version pin for glob (7.2.3). |
Files not reviewed (1)
- common/config/rush/npm-shrinkwrap.json: Language not supported
| * instead of the latest version. | ||
| */ | ||
| // "some-library": "1.2.3" | ||
| "glob": "7.2.3", |
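Review bot: the new `"glob": "7.2.3"` entry in preferredVersions carries no comment saying which tooling needs the 7.x line, and the PR body is empty, so a future reader has no way to tell whether the pin is still required. The file already uses `//` comments (the `// "some-library": "1.2.3"` example directly above), so please add a one-line comment naming the dependent that breaks on newer glob and the condition under which the pin can be removed.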
Pinning glob to 7.2.3 introduces a deprecated version that the package itself flags as containing widely publicized security vulnerabilities. If possible, prefer upgrading glob to a currently supported major (and adjust any dependent tooling accordingly), or document why the repo must remain on 7.2.3 and how vulnerability risk is mitigated.
| "glob": "7.2.3", | |
| "glob": "^10.3.10", |
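Review bot: the suggested `"glob": "^10.3.10"` switches the entry from an exact pin to a caret range, unlike the exact-version style shown in the file's own example, and a Rush preferredVersions entry is only applied where it satisfies a dependent's declared range. A preference of ^10 cannot satisfy a package that asks for glob ^7 or ^8, so taking this suggestion on its own would most likely leave 7.2.3 (or the previous 8.1.0) in the shrinkwrap; the dependents that require the old major need to be bumped alongside it, or an explicit override used instead of a preference.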
| "node_modules/glob": { | ||
| "version": "8.1.0", | ||
| "resolved": "https://registry.npmjs.org/glob/-/glob-8.1.0.tgz", | ||
| "integrity": "sha512-r8hpEjiQEYlF2QU0df3dS+nxxSIreXQS1qRhMJM0Q5NDdR386C7jb7Hwwod8Fgiuex+k0GFjgft18yvxm5XoCQ==", | ||
| "version": "7.2.3", | ||
| "resolved": "https://registry.npmjs.org/glob/-/glob-7.2.3.tgz", | ||
| "integrity": "sha512-nFR0zLpU2YCaRxwoCJvL6UvCH2JFyFVIvwTLsIf21AuHlMskA1hhTdk+LlYJtOlYt9v6dvszD2BGRqBL+iQK9Q==", | ||
| "deprecated": "Old versions of glob are not supported, and contain widely publicized security vulnerabilities, which have been fixed in the current version. Please update. Support for old versions may be purchased (at exorbitant rates) by contacting i@izs.me", | ||
| "dependencies": { | ||
| "fs.realpath": "^1.0.0", |
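Review bot: this hunk is a downgrade rather than a plain pin: the hoisted node_modules/glob entry moves from 8.1.0 to 7.2.3, gains the registry `deprecated` field, and the following `dependencies` block (`"fs.realpath": "^1.0.0"`) is the 7.x dependency set. Because the lockfile was not machine-reviewed, please confirm which packages actually consume this hoisted copy (for example by running `npm ls glob` against the installed tree) and that none of them can accept a supported major before accepting the deprecation warning on every install.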
The resolved glob dependency is 7.2.3 and includes a deprecation notice warning about widely publicized security vulnerabilities. If this is being forced via overrides/preferredVersions, consider upgrading to a supported glob major (or otherwise justify/mitigate keeping 7.2.3).
No description provided.