microsoft · amitjoshi438 · Sep 2, 2025 · Sep 2, 2025 · Sep 2, 2025 · Sep 3, 2025
@@ -0,0 +1 @@
+../Agents.md
@@ -0,0 +1,10 @@
+{
+  "permissions": {
+    "allow": [
+      "Bash(npm run build:*)",
+      "Bash(npm run test:*)",
+      "Bash(npm run test-desktop-int:*)",
+      "Bash(npm run test-web-int:*)"
+    ]
+  }
+}
@@ -0,0 +1,140 @@
+---
+name: fix-dependabot-alerts
+description: Fix Dependabot security alerts by updating vulnerable npm dependencies. Use when the user mentions "dependabot", "security alerts", "vulnerability", "CVE", or wants to update packages with security issues.
+argument-hint: "[alert-number or package-name]"
+---
+
+# Fix Dependabot Security Alerts
+
+You are tasked with fixing Dependabot security alerts for this repository. Follow these steps carefully to resolve vulnerabilities while minimizing risk.
+
+## Step 1: Identify the Vulnerability
+
+If a specific alert number or package name was provided, focus on that. Otherwise, check for open alerts:
+
+```bash
+gh api repos/microsoft/powerplatform-vscode/dependabot/alerts --jq '.[] | select(.state=="open") | {number, package: .security_vulnerability.package.name, severity: .security_vulnerability.severity, vulnerable_versions: .security_vulnerability.vulnerable_version_range, patched_versions: .security_vulnerability.first_patched_version.identifier, summary: .security_advisory.summary}'
+```
+
+To get details on a specific alert:
+```bash
+gh api repos/microsoft/powerplatform-vscode/dependabot/alerts/<alert-number>
+```
+
+## Step 2: Analyze the Dependency
+
+Determine if the vulnerable package is:
+- A **direct dependency** (listed in `package.json`)
+- A **transitive dependency** (dependency of a dependency)
+
+Check where the package appears:
+```bash
+npm ls <package-name>
+```
+
+## Step 3: Choose the Fix Strategy
+
+### For Direct Dependencies
+
+1. Check the current version in `package.json`
+2. Review the changelog/release notes for breaking changes between versions
+3. Update using:
+   ```bash
+   npm install <package-name>@<patched-version> --save
+   ```
+
+### For Transitive Dependencies
+
+1. Identify which direct dependency brings in the vulnerable package
+2. Check if the direct dependency has a newer version that uses the patched transitive dependency
+3. If yes, update the direct dependency
+4. If no, add a resolution/override in `package.json`:
+   ```json
+   {
+     "overrides": {
+       "<vulnerable-package>": "<patched-version>"
+     }
+   }
+   ```
+
+## Step 4: Verify the Fix
+
+1. Run `npm ls <package-name>` to confirm the new version
+2. Run the build to ensure no breaking changes:
+   ```bash
+   npm run build
+   ```
+3. Run the test suite:
+   ```bash
+   npm test
+   ```
+
+## Step 5: Handle Common Issues
+
+### Version Conflicts
+
+If npm reports peer dependency conflicts:
+- Check if `--legacy-peer-deps` or `--force` resolves it (use cautiously)
+- Consider if the conflicting package needs updating first
+
+### Breaking Changes
+
+If the update introduces breaking changes:
+1. Read the migration guide from the package
+2. Update code to accommodate API changes
+3. Update tests if needed
+
+### Multiple Vulnerabilities in Same Package
+
+If multiple CVEs affect the same package, ensure the patched version addresses all of them before updating.
+
+## Step 6: Commit the Changes
+
+After verification passes, commit with a descriptive message:
+```
+Fix Dependabot security vulnerability in <package-name>
+
+- Updated <package-name> from <old-version> to <new-version>
+- Addresses CVE-XXXX-XXXXX (<severity>)
+- <any additional context about breaking changes handled>
+```
+
+## Important Notes
+
+- **Never skip tests** - security fixes should not break functionality
+- **Review changelogs** - understand what changed between versions
+- **Check for multiple alerts** - sometimes one update fixes multiple vulnerabilities
+- **Document workarounds** - if you use overrides, add a comment explaining why
+- For this codebase, run `npm run build` which uses gulp to build the extension
+
+## Critical: Never Manually Edit package-lock.json Integrity Hashes
+
+**Never manually edit integrity hashes in `package-lock.json`.** These are SHA-512 checksums of the actual tarball content from the npm registry. If you manually change them, CI builds will fail with `EINTEGRITY` errors.
+
+### Why This Happens
+
+When npm resolves a cached version that satisfies the constraint, it won't automatically update to a newer version even after changing `package.json`. Manually editing the lock file with an incorrect hash causes:
+
+```
+npm error code EINTEGRITY
+npm error sha512-<expected>== integrity checksum failed when using sha512: wanted sha512-<expected>== but got sha512-<actual>==
+```
+
+### Correct Approach to Force Version Updates
+
+Instead of manual edits, use one of these methods:
+
+```bash
+# Option 1: Clean install (recommended)
+rm -rf node_modules
+rm package-lock.json
+npm install
+
+# Option 2: Update specific package
+npm update <package-name>
+
+# Option 3: Force reinstall specific package
+npm install <package-name>@<version> --save
+```
+
+These commands let npm fetch the tarball and compute the correct integrity hash automatically.
@@ -0,0 +1,94 @@
+name: Bug Report
+description: Report a bug or unexpected behavior
+title: "[Bug]: "
+labels: ["bug"]
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Thank you for reporting an issue! Please fill out the information below to help us investigate.
+
+  - type: dropdown
+    id: related-to-code-apps
+    attributes:
+      label: Is this bug related to Code Apps?
+      description: "If your bug is related to Code Apps, please report it at https://github.com/microsoft/PowerAppsCodeApps/ instead."
+      options:
+        - "No"
+        - "Yes - I will create the issue at https://github.com/microsoft/PowerAppsCodeApps/ instead"
+    validations:
+      required: true
+
+  - type: textarea
+    id: description
+    attributes:
+      label: Description
+      description: A clear and concise description of the bug.
+      placeholder: Describe the issue you encountered...
+    validations:
+      required: true
+
+  - type: input
+    id: extension-version
+    attributes:
+      label: Extension Version
+      description: "The version of the Power Platform Tools extension. You can find this in VS Code: Extensions view > Power Platform Tools > version number."
+      placeholder: "e.g., 2.0.133"
+    validations:
+      required: true
+
+  - type: input
+    id: vscode-version
+    attributes:
+      label: VS Code Version
+      description: "The version of VS Code you are using. You can find this via Help > About."
+      placeholder: "e.g., 1.96.0"
+    validations:
+      required: true
+
+  - type: dropdown
+    id: vscode-channel
+    attributes:
+      label: VS Code Channel
+      description: Which VS Code release channel are you using?
+      options:
+        - Stable
+        - Insiders
+    validations:
+      required: true
+
+  - type: textarea
+    id: steps-to-reproduce
+    attributes:
+      label: Steps to Reproduce
+      description: List the steps to reproduce the issue.
+      placeholder: |
+        1. Open VS Code
+        2. ...
+        3. ...
+    validations:
+      required: true
+
+  - type: textarea
+    id: expected-behavior
+    attributes:
+      label: Expected Behavior
+      description: What did you expect to happen?
+    validations:
+      required: false
+
+  - type: textarea
+    id: actual-behavior
+    attributes:
+      label: Actual Behavior
+      description: What actually happened?
+    validations:
+      required: false
+
+  - type: textarea
+    id: additional-context
+    attributes:
+      label: Additional Context
+      description: Add any other context, screenshots, or log output that may help.
+    validations:
+      required: false
@@ -0,0 +1,43 @@
+name: Feature Request
+description: Suggest a new feature or enhancement
+title: "[Feature]: "
+labels: ["enhancement"]
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Thank you for suggesting a feature! Please provide as much detail as possible to help us understand your request.
+
+  - type: textarea
+    id: problem
+    attributes:
+      label: Problem Statement
+      description: Is your feature request related to a problem? Please describe.
+      placeholder: "A clear and concise description of the problem. e.g., I'm always frustrated when..."
+    validations:
+      required: true
+
+  - type: textarea
+    id: solution
+    attributes:
+      label: Proposed Solution
+      description: Describe the solution you'd like.
+      placeholder: A clear and concise description of what you want to happen.
+    validations:
+      required: true
+
+  - type: textarea
+    id: alternatives
+    attributes:
+      label: Alternatives Considered
+      description: Describe any alternative solutions or features you've considered.
+    validations:
+      required: false
+
+  - type: textarea
+    id: additional-context
+    attributes:
+      label: Additional Context
+      description: Add any other context, mockups, or screenshots about the feature request.
+    validations:
+      required: false