From 3e17ccf648d011d84af5ef5437f05ae731aaa24c Mon Sep 17 00:00:00 2001 From: Ivan Duplenskikh <115665590+ivanduplenskikh@users.noreply.github.com> Date: Mon, 11 Aug 2025 12:19:10 +0200 Subject: [PATCH 1/2] Resolve high vulnerabilities by bumping artifacts-common package to v2.256.0 --- .../DownloadArtifactsTfsGit/package-lock.json | 84 ++++++++++------- .../DownloadArtifactsTfsGit/package.json | 2 +- .../package-lock.json | 93 +++++++++++-------- .../package.json | 2 +- 4 files changed, 108 insertions(+), 73 deletions(-) diff --git a/Extensions/ExternalTfs/Src/Tasks/DownloadArtifactsTfsGit/package-lock.json b/Extensions/ExternalTfs/Src/Tasks/DownloadArtifactsTfsGit/package-lock.json index 4105c5ec4..c0ccaeff7 100644 --- a/Extensions/ExternalTfs/Src/Tasks/DownloadArtifactsTfsGit/package-lock.json +++ b/Extensions/ExternalTfs/Src/Tasks/DownloadArtifactsTfsGit/package-lock.json @@ -9,7 +9,7 @@ "@azure/msal-node": "^2.7.0", "azure-devops-node-api": "14.1.0", "azure-pipelines-task-lib": "^4.13.0", - "azure-pipelines-tasks-artifacts-common": "2.230.0" + "azure-pipelines-tasks-artifacts-common": "2.256.0" } }, "node_modules/@azure/msal-common": { 
@@ -116,50 +116,30 @@ } }, "node_modules/azure-pipelines-tasks-artifacts-common": { - "version": "2.230.0", - "resolved": "https://pkgs.dev.azure.com/mseng/PipelineTools/_packaging/PipelineTools_PublicPackages/npm/registry/azure-pipelines-tasks-artifacts-common/-/azure-pipelines-tasks-artifacts-common-2.230.0.tgz", - "integrity": "sha1-auvD4xclbRvsWARm36mev2tKJlQ=", + "version": "2.256.0", + "resolved": "https://pkgs.dev.azure.com/mseng/PipelineTools/_packaging/PipelineTools_PublicPackages/npm/registry/azure-pipelines-tasks-artifacts-common/-/azure-pipelines-tasks-artifacts-common-2.256.0.tgz", + "integrity": "sha1-xXPpdL+nOa+4MS/NOk39/N0tPgo=", "license": "MIT", "dependencies": { "@types/fs-extra": "8.0.0", "@types/mocha": "^5.2.6", "@types/node": "^16.11.39", - "azure-devops-node-api": "12.0.0", - "azure-pipelines-task-lib": "^4.2.0", + "azure-devops-node-api": "^14.0.2", + "azure-pipelines-task-lib": "^4.13.0", "fs-extra": "8.1.0", - "semver": "6.3.0" - } - }, - "node_modules/azure-pipelines-tasks-artifacts-common/node_modules/azure-devops-node-api": { - "version": "12.0.0", - "resolved": "https://pkgs.dev.azure.com/mseng/PipelineTools/_packaging/PipelineTools_PublicPackages/npm/registry/azure-devops-node-api/-/azure-devops-node-api-12.0.0.tgz", - "integrity": "sha1-OLmJL4jobaRiRiGEEZIJI9jdalI=", - "license": "MIT", - "dependencies": { - "tunnel": "0.0.6", - "typed-rest-client": "^1.8.4" + "node-fetch": "^2.7.0", + "semver": "^6.3.1" } }, "node_modules/azure-pipelines-tasks-artifacts-common/node_modules/semver": { - "version": "6.3.0", - "resolved": "https://pkgs.dev.azure.com/mseng/PipelineTools/_packaging/PipelineTools_PublicPackages/npm/registry/semver/-/semver-6.3.0.tgz", - "integrity": "sha1-7gpkyK9ejO6mdoexM3YeG+y9HT0=", + "version": "6.3.1", + "resolved": "https://pkgs.dev.azure.com/mseng/PipelineTools/_packaging/PipelineTools_PublicPackages/npm/registry/semver/-/semver-6.3.1.tgz", + "integrity": "sha1-VW0u+GiRRuRtzqS/3QlfNDTf/LQ=", "license": "ISC", 
"bin": { "semver": "bin/semver.js" } }, - "node_modules/azure-pipelines-tasks-artifacts-common/node_modules/typed-rest-client": { - "version": "1.8.11", - "resolved": "https://pkgs.dev.azure.com/mseng/PipelineTools/_packaging/PipelineTools_PublicPackages/npm/registry/typed-rest-client/-/typed-rest-client-1.8.11.tgz", - "integrity": "sha1-aQbwLjyR6NhRV58lWr8P1ggAoE0=", - "license": "MIT", - "dependencies": { - "qs": "^6.9.1", - "tunnel": "0.0.6", - "underscore": "^1.12.1" - } - }, "node_modules/balanced-match": { "version": "1.0.2", "resolved": "https://pkgs.dev.azure.com/mseng/PipelineTools/_packaging/PipelineTools_PublicPackages/npm/registry/balanced-match/-/balanced-match-1.0.2.tgz", @@ -678,6 +658,26 @@ "integrity": "sha1-V0yBOM4dK1hh8LRFedut1gxmFbI=", "license": "MIT" }, + "node_modules/node-fetch": { + "version": "2.7.0", + "resolved": "https://pkgs.dev.azure.com/mseng/PipelineTools/_packaging/PipelineTools_PublicPackages/npm/registry/node-fetch/-/node-fetch-2.7.0.tgz", + "integrity": "sha1-0PD6bj4twdJ+/NitmdVQvalNGH0=", + "license": "MIT", + "dependencies": { + "whatwg-url": "^5.0.0" + }, + "engines": { + "node": "4.x || >=6.0.0" + }, + "peerDependencies": { + "encoding": "^0.1.0" + }, + "peerDependenciesMeta": { + "encoding": { + "optional": true + } + } + }, "node_modules/nodejs-file-downloader": { "version": "4.13.0", "resolved": "https://pkgs.dev.azure.com/mseng/PipelineTools/_packaging/PipelineTools_PublicPackages/npm/registry/nodejs-file-downloader/-/nodejs-file-downloader-4.13.0.tgz", 
@@ -922,6 +922,12 @@ "url": "https://github.com/sponsors/ljharb" } }, + "node_modules/tr46": { + "version": "0.0.3", + "resolved": "https://pkgs.dev.azure.com/mseng/PipelineTools/_packaging/PipelineTools_PublicPackages/npm/registry/tr46/-/tr46-0.0.3.tgz", + "integrity": "sha1-gYT9NH2snNwYWZLzpmIuFLnZq2o=", + "license": "MIT" + }, "node_modules/truncate-utf8-bytes": { "version": "1.0.2", "resolved": "https://pkgs.dev.azure.com/mseng/PipelineTools/_packaging/PipelineTools_PublicPackages/npm/registry/truncate-utf8-bytes/-/truncate-utf8-bytes-1.0.2.tgz", @@ -986,6 +992,22 @@ "uuid": "dist/bin/uuid" } }, + "node_modules/webidl-conversions": { + "version": "3.0.1", + "resolved": "https://pkgs.dev.azure.com/mseng/PipelineTools/_packaging/PipelineTools_PublicPackages/npm/registry/webidl-conversions/-/webidl-conversions-3.0.1.tgz", + "integrity": "sha1-JFNCdeKnvGvnvIZhHMFq4KVlSHE=", + "license": "BSD-2-Clause" + }, + "node_modules/whatwg-url": { + "version": "5.0.0", + "resolved": "https://pkgs.dev.azure.com/mseng/PipelineTools/_packaging/PipelineTools_PublicPackages/npm/registry/whatwg-url/-/whatwg-url-5.0.0.tgz", + "integrity": "sha1-lmRU6HZUYuN2RNNib2dCzotwll0=", + "license": "MIT", + "dependencies": { + "tr46": "~0.0.3", + "webidl-conversions": "^3.0.0" + } + }, "node_modules/wrappy": { "version": "1.0.2", "resolved": "https://pkgs.dev.azure.com/mseng/PipelineTools/_packaging/PipelineTools_PublicPackages/npm/registry/wrappy/-/wrappy-1.0.2.tgz", diff --git a/Extensions/ExternalTfs/Src/Tasks/DownloadArtifactsTfsGit/package.json b/Extensions/ExternalTfs/Src/Tasks/DownloadArtifactsTfsGit/package.json index 7286de38b..82f1a5a9d 100644 --- a/Extensions/ExternalTfs/Src/Tasks/DownloadArtifactsTfsGit/package.json +++ b/Extensions/ExternalTfs/Src/Tasks/DownloadArtifactsTfsGit/package.json 
@@ -5,6 +5,6 @@ "@azure/msal-node": "^2.7.0", "azure-devops-node-api": "14.1.0", "azure-pipelines-task-lib": "^4.13.0", - "azure-pipelines-tasks-artifacts-common": "2.230.0" + "azure-pipelines-tasks-artifacts-common": "2.256.0" } } diff --git a/Extensions/ExternalTfs/Src/Tasks/DownloadExternalBuildArtifacts/package-lock.json b/Extensions/ExternalTfs/Src/Tasks/DownloadExternalBuildArtifacts/package-lock.json index d616b52bf..a75ea56cb 100644 --- a/Extensions/ExternalTfs/Src/Tasks/DownloadExternalBuildArtifacts/package-lock.json +++ b/Extensions/ExternalTfs/Src/Tasks/DownloadExternalBuildArtifacts/package-lock.json @@ -10,7 +10,7 @@ "artifact-engine": "^1.5.0", "azure-devops-node-api": "14.1.0", "azure-pipelines-task-lib": "^4.13.0", - "azure-pipelines-tasks-artifacts-common": "2.230.0" + "azure-pipelines-tasks-artifacts-common": "2.256.0" }, "devDependencies": { "typescript": "^4.5" 
@@ -153,59 +153,30 @@ } }, "node_modules/azure-pipelines-tasks-artifacts-common": { - "version": "2.230.0", - "resolved": "https://pkgs.dev.azure.com/mseng/PipelineTools/_packaging/PipelineTools_PublicPackages/npm/registry/azure-pipelines-tasks-artifacts-common/-/azure-pipelines-tasks-artifacts-common-2.230.0.tgz", - "integrity": "sha1-auvD4xclbRvsWARm36mev2tKJlQ=", + "version": "2.256.0", + "resolved": "https://pkgs.dev.azure.com/mseng/PipelineTools/_packaging/PipelineTools_PublicPackages/npm/registry/azure-pipelines-tasks-artifacts-common/-/azure-pipelines-tasks-artifacts-common-2.256.0.tgz", + "integrity": "sha1-xXPpdL+nOa+4MS/NOk39/N0tPgo=", "license": "MIT", "dependencies": { "@types/fs-extra": "8.0.0", "@types/mocha": "^5.2.6", "@types/node": "^16.11.39", - "azure-devops-node-api": "12.0.0", - "azure-pipelines-task-lib": "^4.2.0", + "azure-devops-node-api": "^14.0.2", + "azure-pipelines-task-lib": "^4.13.0", "fs-extra": "8.1.0", - "semver": "6.3.0" - } - }, - "node_modules/azure-pipelines-tasks-artifacts-common/node_modules/azure-devops-node-api": { - "version": "12.0.0", - "resolved": "https://pkgs.dev.azure.com/mseng/PipelineTools/_packaging/PipelineTools_PublicPackages/npm/registry/azure-devops-node-api/-/azure-devops-node-api-12.0.0.tgz", - "integrity": "sha1-OLmJL4jobaRiRiGEEZIJI9jdalI=", - "license": "MIT", - "dependencies": { - "tunnel": "0.0.6", - "typed-rest-client": "^1.8.4" + "node-fetch": "^2.7.0", + "semver": "^6.3.1" } }, "node_modules/azure-pipelines-tasks-artifacts-common/node_modules/semver": { - "version": "6.3.0", - "resolved": "https://pkgs.dev.azure.com/mseng/PipelineTools/_packaging/PipelineTools_PublicPackages/npm/registry/semver/-/semver-6.3.0.tgz", - "integrity": "sha1-7gpkyK9ejO6mdoexM3YeG+y9HT0=", + "version": "6.3.1", + "resolved": "https://pkgs.dev.azure.com/mseng/PipelineTools/_packaging/PipelineTools_PublicPackages/npm/registry/semver/-/semver-6.3.1.tgz", + "integrity": "sha1-VW0u+GiRRuRtzqS/3QlfNDTf/LQ=", "license": "ISC", 
"bin": { "semver": "bin/semver.js" } }, - "node_modules/azure-pipelines-tasks-artifacts-common/node_modules/tunnel": { - "version": "0.0.6", - "resolved": "https://pkgs.dev.azure.com/mseng/PipelineTools/_packaging/PipelineTools_PublicPackages/npm/registry/tunnel/-/tunnel-0.0.6.tgz", - "integrity": "sha1-cvExSzSlsZLbASMk3yzFh8pH+Sw=", - "license": "MIT", - "engines": { - "node": ">=0.6.11 <=0.7.0 || >=0.7.3" - } - }, - "node_modules/azure-pipelines-tasks-artifacts-common/node_modules/typed-rest-client": { - "version": "1.8.11", - "resolved": "https://pkgs.dev.azure.com/mseng/PipelineTools/_packaging/PipelineTools_PublicPackages/npm/registry/typed-rest-client/-/typed-rest-client-1.8.11.tgz", - "integrity": "sha1-aQbwLjyR6NhRV58lWr8P1ggAoE0=", - "license": "MIT", - "dependencies": { - "qs": "^6.9.1", - "tunnel": "0.0.6", - "underscore": "^1.12.1" - } - }, "node_modules/balanced-match": { "version": "1.0.2", "resolved": "https://pkgs.dev.azure.com/mseng/PipelineTools/_packaging/PipelineTools_PublicPackages/npm/registry/balanced-match/-/balanced-match-1.0.2.tgz", @@ -748,6 +719,26 @@ "integrity": "sha1-tKr7k+OustgXTKU88WOrfXMIMF8=", "license": "MIT" }, + "node_modules/node-fetch": { + "version": "2.7.0", + "resolved": "https://pkgs.dev.azure.com/mseng/PipelineTools/_packaging/PipelineTools_PublicPackages/npm/registry/node-fetch/-/node-fetch-2.7.0.tgz", + "integrity": "sha1-0PD6bj4twdJ+/NitmdVQvalNGH0=", + "license": "MIT", + "dependencies": { + "whatwg-url": "^5.0.0" + }, + "engines": { + "node": "4.x || >=6.0.0" + }, + "peerDependencies": { + "encoding": "^0.1.0" + }, + "peerDependenciesMeta": { + "encoding": { + "optional": true + } + } + }, "node_modules/nodejs-file-downloader": { "version": "4.13.0", "resolved": "https://pkgs.dev.azure.com/mseng/PipelineTools/_packaging/PipelineTools_PublicPackages/npm/registry/nodejs-file-downloader/-/nodejs-file-downloader-4.13.0.tgz", 
@@ -1001,6 +992,12 @@ "url": "https://github.com/sponsors/ljharb" } }, + "node_modules/tr46": { + "version": "0.0.3", + "resolved": "https://pkgs.dev.azure.com/mseng/PipelineTools/_packaging/PipelineTools_PublicPackages/npm/registry/tr46/-/tr46-0.0.3.tgz", + "integrity": "sha1-gYT9NH2snNwYWZLzpmIuFLnZq2o=", + "license": "MIT" + }, "node_modules/truncate-utf8-bytes": { "version": "1.0.2", "resolved": "https://pkgs.dev.azure.com/mseng/PipelineTools/_packaging/PipelineTools_PublicPackages/npm/registry/truncate-utf8-bytes/-/truncate-utf8-bytes-1.0.2.tgz", @@ -1101,6 +1098,22 @@ "uuid": "dist/bin/uuid" } }, + "node_modules/webidl-conversions": { + "version": "3.0.1", + "resolved": "https://pkgs.dev.azure.com/mseng/PipelineTools/_packaging/PipelineTools_PublicPackages/npm/registry/webidl-conversions/-/webidl-conversions-3.0.1.tgz", + "integrity": "sha1-JFNCdeKnvGvnvIZhHMFq4KVlSHE=", + "license": "BSD-2-Clause" + }, + "node_modules/whatwg-url": { + "version": "5.0.0", + "resolved": "https://pkgs.dev.azure.com/mseng/PipelineTools/_packaging/PipelineTools_PublicPackages/npm/registry/whatwg-url/-/whatwg-url-5.0.0.tgz", + "integrity": "sha1-lmRU6HZUYuN2RNNib2dCzotwll0=", + "license": "MIT", + "dependencies": { + "tr46": "~0.0.3", + "webidl-conversions": "^3.0.0" + } + }, "node_modules/wordwrap": { "version": "1.0.0", "resolved": "https://pkgs.dev.azure.com/mseng/PipelineTools/_packaging/PipelineTools_PublicPackages/npm/registry/wordwrap/-/wordwrap-1.0.0.tgz", diff --git a/Extensions/ExternalTfs/Src/Tasks/DownloadExternalBuildArtifacts/package.json b/Extensions/ExternalTfs/Src/Tasks/DownloadExternalBuildArtifacts/package.json index 5ebcd3494..7da649c40 100644 --- a/Extensions/ExternalTfs/Src/Tasks/DownloadExternalBuildArtifacts/package.json +++ b/Extensions/ExternalTfs/Src/Tasks/DownloadExternalBuildArtifacts/package.json 
@@ -6,7 +6,7 @@
 "artifact-engine": "^1.5.0",
 "azure-devops-node-api": "14.1.0",
 "azure-pipelines-task-lib": "^4.13.0",
- "azure-pipelines-tasks-artifacts-common": "2.230.0"
+ "azure-pipelines-tasks-artifacts-common": "2.256.0"
 },
 "devDependencies": {
 "typescript": "^4.5"
From 086f0db1a906153b18cd110831ee3fd95fbf74a6 Mon Sep 17 00:00:00 2001
From: Ivan Duplenskikh <115665590+ivanduplenskikh@users.noreply.github.com>
Date: Mon, 11 Aug 2025 13:25:46 +0200
Subject: [PATCH 2/2] Bump versions
---
 .../Tasks/DownloadArtifactsTfsGit/task.json | 2 +-
 .../DownloadExternalBuildArtifacts/task.json | 2 +-
 .../task.loc.json | 2 +-
 Extensions/ExternalTfs/Src/vss-extension.json | 18 +++++++++---------
 4 files changed, 12 insertions(+), 12 deletions(-)
diff --git a/Extensions/ExternalTfs/Src/Tasks/DownloadArtifactsTfsGit/task.json b/Extensions/ExternalTfs/Src/Tasks/DownloadArtifactsTfsGit/task.json
index c0d05df66..e057e562e 100644
--- a/Extensions/ExternalTfs/Src/Tasks/DownloadArtifactsTfsGit/task.json
+++ b/Extensions/ExternalTfs/Src/Tasks/DownloadArtifactsTfsGit/task.json
@@ -13,7 +13,7 @@
 "demands": [],
 "version": {
 "Major": 15,
- "Minor": 254,
+ "Minor": 261,
 "Patch": 0
 },
 "minimumAgentVersion": "2.144.0",
diff --git a/Extensions/ExternalTfs/Src/Tasks/DownloadExternalBuildArtifacts/task.json b/Extensions/ExternalTfs/Src/Tasks/DownloadExternalBuildArtifacts/task.json
index d18dd33f3..6a2f3e6f4 100644
--- a/Extensions/ExternalTfs/Src/Tasks/DownloadExternalBuildArtifacts/task.json
+++ b/Extensions/ExternalTfs/Src/Tasks/DownloadExternalBuildArtifacts/task.json
@@ -8,7 +8,7 @@
 "author": "ms-vscs-rm",
 "version": {
 "Major": 15,
- "Minor": 254,
+ "Minor": 261,
 "Patch": 0
 },
 "demands": [],
diff --git a/Extensions/ExternalTfs/Src/Tasks/DownloadExternalBuildArtifacts/task.loc.json b/Extensions/ExternalTfs/Src/Tasks/DownloadExternalBuildArtifacts/task.loc.json
index bb68fde5d..b6d984099 100644
--- a/Extensions/ExternalTfs/Src/Tasks/DownloadExternalBuildArtifacts/task.loc.json
+++ b/Extensions/ExternalTfs/Src/Tasks/DownloadExternalBuildArtifacts/task.loc.json
@@ -9,7 +9,7 @@
 "author": "ms-vscs-rm",
 "version": {
 "Major": 15,
- "Minor": 254,
+ "Minor": 261,
 "Patch": 0
 },
 "demands": [],
diff --git a/Extensions/ExternalTfs/Src/vss-extension.json b/Extensions/ExternalTfs/Src/vss-extension.json
index 21d15c0e6..6e85085d0 100644
--- a/Extensions/ExternalTfs/Src/vss-extension.json
+++ b/Extensions/ExternalTfs/Src/vss-extension.json
@@ -1,7 +1,7 @@
 {
 "manifestVersion": 1.0,
 "id": "vss-services-externaltfs",
- "version": "15.254.0",
+ "version": "15.261.0",
 "name": "TFS artifacts for Release Management",
 "publisher": "ms-vscs-rm",
 "description": "Deploy external TFS/ Azure DevOps artifacts using Release Management",
@@ -29,9 +29,9 @@
 "path": "images/screen3.png"
 }
 ],
- "content": {
- "details": {
- "path": "readme.md"
+ "content": {
+ "details": {
+ "path": "readme.md"
 },
 "license": {
 "path": "mp_terms.md"
@@ -67,7 +67,7 @@
 "branding": {
 "color": "#5C2D91",
 "theme": "dark"
- },
+ },
 "contributions": [
 {
 "id": "externalTFSBuild-release-artifact-type",
@@ -242,7 +242,7 @@
 "properties": {
 "name": "Tasks/DownloadExternalBuildArtifacts"
 }
- },
+ },
 {
 "id": "externalTFVC-release-artifact-type",
 "description": "External TFS Version Control",
@@ -386,7 +386,7 @@
 "source": "artifactItems"
 }
 }
- },
+ },
 {
 "id": "externalTfvc-task",
 "type": "ms.vss-distributed-task.task",
@@ -396,7 +396,7 @@
 "properties": {
 "name": "Tasks/DownloadArtifactsTfsVersionControl"
 }
- },
+ },
 {
 "id": "externalTfGit-release-artifact-type",
 "description": "External TFS Git",
@@ -574,7 +574,7 @@
 "properties": {
 "name": "Tasks/DownloadArtifactsTfsGit"
 }
- },
+ },
 {
 "id": "externalTFSXamlBuild-release-artifact-type",
 "description": "External TFS XAML Build Artifact",