Skip to content

Fix CVE for glob 10.4.5 with adjustments to VS Code integration testing#3095

Open
vukelich wants to merge 2 commits into
mainfrom
users/vukelich/globdep
Open

Fix CVE for glob 10.4.5 with adjustments to VS Code integration testing#3095
vukelich wants to merge 2 commits into
mainfrom
users/vukelich/globdep

Conversation

@vukelich

Copy link
Copy Markdown
Member

What does this PR do?

Fixes Component Governance detection of CVE-2026-6734. Moves the download of the @playwright/test NPM package into package.json and package-lock.json as a real devDependency. Script-based installation of this package caused non-deterministic package resolution which often caused Azure DevOps build machines to swap the safe glob@10.5.0 with glob@10.4.5.

I also noticed the VS Code Integration job doesn't use any of the Build job artifacts. I removed that dependency in the build pipeline so that this job can be run quickly and without running the Build or Live Tests jobs. I created #3093 to track a longer-term change to how this job is run or what bits it tests.

GitHub issue number?

Component Governance detection of CVE-2026-6734.

Pre-merge Checklist

  • Required for All PRs
    • Read contribution guidelines
    • PR title clearly describes the change
    • Commit history is clean with descriptive messages (cleanup guide)
    • Added comprehensive tests for new/modified functionality
    • Created a changelog entry if the change falls among the following: new feature, bug fix, UI/UX update, breaking change, or updated dependencies. Follow the changelog entry guide
  • For MCP tool changes:
    • One tool per PR: This PR adds or modifies only one MCP tool for faster review cycles
    • Updated servers/Azure.Mcp.Server/README.md and/or servers/Fabric.Mcp.Server/README.md documentation
    • Validate README.md changes running the script ./eng/scripts/Process-PackageReadMe.ps1. See Package README
    • For new or modified tool descriptions, ran ToolDescriptionEvaluator and obtained a score of 0.4 or more and a top 3 ranking for all related test prompts
    • For tools with new names, including new tools or renamed tools, update consolidated-tools.json
    • For renamed tools, follow the Tool Rename Checklist and tag the PR with the breaking-change label
    • For new tools associated with Azure services or publicly available tools/APIs/products, add URL to documentation in the PR description
  • Extra steps for Azure MCP Server tool changes:
    • Updated command list in servers/Azure.Mcp.Server/docs/azmcp-commands.md
    • Ran ./eng/scripts/Update-AzCommandsMetadata.ps1 to update tool metadata in azmcp-commands.md (required for CI)
    • Updated test prompts in servers/Azure.Mcp.Server/docs/e2eTestPrompts.md
    • 👉 For Community (non-Microsoft team member) PRs:
      • Security review: Reviewed code for security vulnerabilities, malicious code, or suspicious activities before running tests (crypto mining, spam, data exfiltration, etc.)
      • Manual tests run: added comment /azp run mcp - pullrequest - live to run Live Test Pipeline

Copilot AI review requested due to automatic review settings July 17, 2026 22:16
@vukelich
vukelich requested review from a team as code owners July 17, 2026 22:16
@azure-pipelines

Copy link
Copy Markdown
Azure Pipelines:
Successfully started running 1 pipeline(s).
There may be pipelines that require an authorized user to comment /azp run to run.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR addresses Component Governance findings around CVE-2026-6734 by making the VS Code integration test’s Playwright dependency deterministic (moving it into package.json / package-lock.json instead of installing it ad-hoc at runtime). It also decouples the VS Code integration stage from the Build stage so the integration stage can run independently (e.g., via stage selection) without requiring Build to execute first.

Changes:

  • Move @playwright/test from script-time installation to a pinned devDependency (and remove the install script wrapper).
  • Update package-lock.json to reflect the deterministic Playwright dependency tree.
  • Remove the Build stage dependency from the VSCodeIntegration stage in the pipeline template.

Reviewed changes

Copilot reviewed 2 out of 3 changed files in this pull request and generated no comments.

File Description
servers/Azure.Mcp.Server/vscode/package.json Removes script-based Playwright install and adds @playwright/test as a devDependency for deterministic installs.
servers/Azure.Mcp.Server/vscode/package-lock.json Locks Playwright (and related) packages into the dependency graph to avoid non-deterministic resolution.
eng/pipelines/templates/common.yml Drops the Build stage dependency for VSCodeIntegration, enabling it to run without waiting on Build.
Files not reviewed (1)
  • servers/Azure.Mcp.Server/vscode/package-lock.json: Generated file

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants