Skip to content

[Snyk] Security upgrade vscode-languageclient from 9.0.1 to 10.0.0#9900

Open
rubenfiszel wants to merge 1 commit into
mainfrom
snyk-fix-1796a9f5d79c2fcaced77144b57ecfd6
Open

[Snyk] Security upgrade vscode-languageclient from 9.0.1 to 10.0.0#9900
rubenfiszel wants to merge 1 commit into
mainfrom
snyk-fix-1796a9f5d79c2fcaced77144b57ecfd6

Conversation

@rubenfiszel

@rubenfiszel rubenfiszel commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

snyk-top-banner

Snyk has created this PR to fix 1 vulnerabilities in the npm dependencies of this project.

Snyk changed the following file(s):

  • frontend/package.json
  • frontend/package-lock.json

Vulnerabilities that will be fixed with an upgrade:

Issue
high severity Inefficient Algorithmic Complexity
SNYK-JS-BRACEEXPANSION-17706650

Breaking Change Risk

Merge Risk: High

Notice: This assessment is enhanced by AI.


Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.
  • This PR was automatically created by Snyk using the credentials of a real user.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic


Learn how to fix vulnerabilities with free interactive lessons:

🦉 Learn about vulnerability in an interactive lesson of Snyk Learn.


Summary by cubic

Upgrade vscode-languageclient from 9.0.1 to 10.0.0 to resolve a transitive brace-expansion vulnerability and keep the language client stack current. This updates the lockfile and raises engine requirements.

  • Dependencies

    • Bumped vscode-languageclient to ~10.0.0 in frontend/package.json.
    • Lockfile updates include semver 7.8.x, minimatch 10.x, and vscode-languageserver-textdocument; protocol moved to 3.18.0.
    • Fixes SNYK-JS-BRACEEXPANSION-17706650.
  • Migration

    • Requires Node 18+ due to minimatch/brace-expansion.
    • vscode-languageclient 10 targets vscode ^1.91.0. Verify compatibility with @codingame/monaco-vscode-extension-api.
    • Rebuild and smoke-test language features.

Written for commit 3607ff1. Summary will update on new commits.

Review in cubic

@rubenfiszel

Copy link
Copy Markdown
Contributor Author

Merge Risk: High

This is a major version upgrade from 9.x to 10.x which introduces significant and mandatory breaking changes for developers. The new version aligns with Language Server Protocol (LSP) version 3.18.

Key Breaking Changes:

  • Build System & Module Imports: The package and its dependencies have migrated to use the exports field in package.json. This is a critical change that will likely require updating your tsconfig.json to use a moduleResolution of node16 or similar to handle the new module resolution rules. [13]
  • API Changes: There are breaking API changes, including the replacement of vscode.OutputChannel with vscode.LogOutputChannel. [14] Code that uses the output channel for logging will need to be updated.
  • Environment Requirements: This version introduces stricter environment dependencies. The package now requires a minimum VS Code engine version of ^1.91.0 and has been updated to depend on newer versions of Node.js. [13, 17]

Recommendation:
This upgrade requires careful migration. Developers must review their build configurations (tsconfig.json), update their code to accommodate API changes like the new LogOutputChannel, and ensure their development environment meets the new VS Code and Node.js version requirements. A thorough review of the official changelog is strongly recommended before upgrading.

Source: vscode-languageserver-node Releases

Notice 🤖: This content was augmented using artificial intelligence. AI-generated content may contain errors and should be reviewed for accuracy before use.

@cloudflare-workers-and-pages

cloudflare-workers-and-pages Bot commented Jul 3, 2026

Copy link
Copy Markdown

Deploying windmill with  Cloudflare Pages  Cloudflare Pages

Latest commit: 3607ff1
Status: ✅  Deploy successful!
Preview URL: https://81b7543b.windmill.pages.dev
Branch Preview URL: https://snyk-fix-1796a9f5d79c2fcaced.windmill.pages.dev

View logs

@claude

claude Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

Claude finished @rubenfiszel's task in 2m 27s —— View job


cc @rubenfiszel

Should address issues before merging: version split breaks the Monaco LSP integration, and the fix is likely ineffective

Do not merge this Snyk upgrade as-is. Bumping the direct vscode-languageclient from 9.0.110.0.0 forks the dependency and puts the code editor's language-client integration at real risk.

  • Analyze the diff and dependency resolution
  • Check how vscode-languageclient / monaco-languageclient are used
  • Post review

The core problem: monaco-languageclient hard-pins v9

frontend/package.json pins monaco-languageclient at 10.6.0, and that package declares (package-lock.json:9440):

"vscode-languageclient": "~9.0.1"

~9.0.1 does not accept 10.x. So after this PR npm keeps two copies:

Consumer vscode-languageclient jsonrpc / protocol
root (direct import) 10.0.0 vscode-jsonrpc 9.0.0, protocol 3.18.0
monaco-languageclient/node_modules/… 9.0.1 (new nested copy) vscode-jsonrpc 8.x, protocol 3.17.5

Before this PR there was a single, deduplicated vscode-languageclient@9.0.1 shared by both. The direct dependency almost certainly exists to pin that shared copy. Bumping it to 10 defeats that and creates the split.

Why the split is a runtime risk (P1)

frontend/src/lib/components/Editor.svelte mixes both copies in a single client instance:

  • Editor.svelte:25MonacoLanguageClient from monaco-languageclient → built against v9 (jsonrpc 8)
  • Editor.svelte:28-29CloseAction, ErrorAction, RequestType, MessageTransports from vscode-languageclient → now resolve to v10 (jsonrpc 9)
  • Editor.svelte:948new MonacoLanguageClient({ messageTransports: transports, … }) feeds a v10 MessageTransports into a v9 client
  • Editor.svelte:470, 1070client.sendRequest(new RequestType('…'), …) passes a v10 RequestType (from vscode-jsonrpc 9) to a v9 connection

ErrorAction/CloseAction are numeric enums and probably survive, but RequestType/MessageTransports are class instances from vscode-jsonrpc, whose reader/writer/RequestType contracts changed between v8 and v9. Crossing them into a v9-based MonacoLanguageClient can break message registration/transport wiring — i.e. LSP autocomplete, formatting (textDocument/formatting), hover, and deno/cache in the editor. This is not covered by any test and would only surface at runtime in the browser.

The upgrade may not even fix the vulnerability

The nested monaco-languageclient/node_modules/vscode-languageclient@9.0.1 still pulls minimatch@5.1.9brace-expansion@2.1.1. So the v9 → minimatch@5 → brace-expansion chain the advisory targets is still present, just relocated under monaco-languageclient. Please confirm with npm audit / the Snyk report that SNYK-JS-BRACEEXPANSION-17706650 is actually resolved after this change — the direct-dep bump only patches the root copy.

Minor: spec mismatch

package.json records ~10.0.0 but package-lock.json records the root dep as ^10.0.0 (package-lock.json:76). A clean npm install will want to reconcile these.

Recommendation

If the brace-expansion transitive is the real concern, prefer a targeted overrides in package.json instead of force-upgrading a major version that monaco-languageclient doesn't support:

"overrides": {
  "brace-expansion": "^2.0.2"
}

Otherwise, keep vscode-languageclient at ~9.0.1 (matching monaco-languageclient@10.6.0) and revisit the v10 upgrade only when monaco-languageclient bumps its own pin. Fix this →

Test coverage

Config/lockfile-only change — no automated tests expected, and the codebase doesn't test the Monaco editor component. Manual verification is essential before any merge: open a script editor (e.g. a Deno/TypeScript or Python script), confirm the language server connects and that autocomplete, hover, go-to-definition, and format-on-save still work, and check the browser console for vscode-jsonrpc/languageclient errors. Given the v9/v10 split above, I'd expect problems there.

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

Codex Review

Good to merge

Found 0 issues. Checked for bugs, security impact, dependency consistency, and AGENTS.md compliance.

Test coverage

This is a frontend dependency metadata update only; no new automated tests are expected. I validated the lockfile with npm ci --dry-run --ignore-scripts and checked the targeted brace-expansion audit path.

Manual verification: smoke-test the Monaco editor language-server path for a Deno/Python/Go/Shell script and confirm the websocket client starts, completions/signature help work, and the browser console has no new errors.

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

Pi Review

Should address issues before merging: verify build + editor LSP works after major version bump

The vscode-languageclient upgrade from ~9.0.1 to ~10.0.0 is a major version bump that Snyk itself flags as "Breaking Change Risk: High." There are two copies of vscode-languageclient post-upgrade: v10 at the top level (used by Editor.svelte's direct imports) and v9 nested under monaco-languageclient@10.6.0 (its "vscode-languageclient": "~9.0.1" dependency). The boundary between these versions is exercised at the MonacoLanguageClient constructor call in Editor.svelte.

P1 — Untested major-version dependency upgrade with dual-version coexistence

File: frontend/package.json line 154

vscode-languageclient is bumped from ~9.0.1 to ~10.0.0. monaco-languageclient@10.6.0 has its own pinned vscode-languageclient@~9.0.1 (see lockfile node_modules/monaco-languageclient dependencies). This creates two copies:

  • v10 (top-level) → used by Editor.svelte's direct imports: CloseAction, ErrorAction, RequestType, DocumentUri, MessageTransports (lines 28–29)
  • v9 (nested) → used internally by MonacoLanguageClient from monaco-languageclient

Editor.svelte passes v10-imported values into new MonacoLanguageClient({...}) (line 947):

  • ErrorAction.Continue (line 955) and CloseAction.Restart (line 958) — these are numeric enums; the runtime values (1, 2) are the same across versions, so equality checks should work at runtime.
  • MessageTransports typed parameter (line 943) — the structural shape ({reader, writer}) appears identical across v9/v10.
  • outputChannel (line 911, passed at line 952) — a custom object mimicking OutputChannel. In v10, the clientOptions type changed from OutputChannel to LogOutputChannel. Since monaco-languageclient uses v9 internally, it expects v9's OutputChannel shape, which the custom object was written for. The v10 TypeScript types may not flag this, but the mismatch between the v10 type declaration and v9 runtime expectation is untested.

These all appear likely to work, but nothing in CI actually exercises the Monaco editor with an LSP connection (the editor is a browser-only component). The upgrade should be verified by running npm run check (per docs/validation.md) and manually testing that LSP features (diagnostics, formatting, code completion via Deno/Python LSP) work in the browser editor after the upgrade.

Test coverage

  • Frontend dependency upgrade — no automated tests expected for package.json changes. The standard validation path is npm run check:fast (during iteration) and npm run check (final per docs/validation.md).

Manual verification needed before merge: Run npm run check (or npm run check:fast) to confirm the TypeScript compilation passes with the new types. Then, in a running dev environment, open any script in the Windmill editor and verify that LSP-based features — diagnostics (error/warning squiggles), code formatting (Format Code or format-on-save), and completions — still function correctly with both the Deno and Python LSP backends. If any of these features are broken, the upgrade should be reverted and the vulnerability fixed via an alternative path (e.g., patching brace-expansion directly, or waiting for a monaco-languageclient release that upgrades to vscode-languageclient v10).

@cubic-dev-ai cubic-dev-ai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

3 issues found across 2 files

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="frontend/package-lock.json">

<violation number="1" location="frontend/package-lock.json:79">
P2: Version specifier mismatch: `package.json` declares `~10.0.0` (tilde — only patch updates) but `package-lock.json` records `^10.0.0` (caret — minor + patch updates) for the same dependency. This inconsistency means a clean `npm install` may produce a different lockfile, causing CI/CD or teammate reproducibility issues.</violation>

<violation number="2" location="frontend/package-lock.json:9455">
P1: The vulnerability this PR intends to fix (`SNYK-JS-BRACEEXPANSION-17706650`) may still be present. The nested `monaco-languageclient/node_modules/vscode-languageclient@9.0.1` still pulls `minimatch@5.1.9` → `brace-expansion@2.1.1` (visible in the lockfile). The major version bump only patches the *root* copy's transitive chain; the nested copy retains the vulnerable path. Please verify with `npm audit` that the advisory is actually resolved after this change.</violation>
</file>

<file name="frontend/package.json">

<violation number="1" location="frontend/package.json:154">
P1: Upgrading `vscode-languageclient` to 10.0.0 while `monaco-languageclient@10.6.0` pins `~9.0.1` creates a dependency fork: npm installs both v10 at the root and a nested v9.0.1 under `monaco-languageclient/node_modules/`. The frontend's `Editor.svelte` imports `MonacoLanguageClient` (which internally uses jsonrpc 8.x from the nested v9 copy) alongside `RequestType` and `MessageTransports` (which now resolve to jsonrpc 9.x from the root v10 copy). Passing v10 class instances into a v9-based client can break LSP transport wiring at runtime — autocomplete, hover, formatting, and similar language features would silently fail.

Consider keeping `vscode-languageclient` at `~9.0.1` to match what `monaco-languageclient` expects, and instead use an npm `overrides` entry to patch the transitive `brace-expansion` vulnerability:
```json
"overrides": {
  "brace-expansion": "^2.0.2"
}
```</violation>
</file>

Heads up: you’re close to your included review allowance. Set a flex budget so reviews don’t pause.

Fix all with cubic | Re-trigger cubic

"integrity": "sha512-3oSeUO0TMV67hN1AmbXsK4yaqU7tjiHlbxRDZOpH0KW9+CeX4bRAaX0Anxt0tx2MrpRpWwQaPwIlISEJhYU5Pw==",
"license": "MIT"
},
"node_modules/monaco-languageclient/node_modules/brace-expansion": {

@cubic-dev-ai cubic-dev-ai Bot Jul 3, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1: The vulnerability this PR intends to fix (SNYK-JS-BRACEEXPANSION-17706650) may still be present. The nested monaco-languageclient/node_modules/vscode-languageclient@9.0.1 still pulls minimatch@5.1.9brace-expansion@2.1.1 (visible in the lockfile). The major version bump only patches the root copy's transitive chain; the nested copy retains the vulnerable path. Please verify with npm audit that the advisory is actually resolved after this change.

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At frontend/package-lock.json, line 9455:

<comment>The vulnerability this PR intends to fix (`SNYK-JS-BRACEEXPANSION-17706650`) may still be present. The nested `monaco-languageclient/node_modules/vscode-languageclient@9.0.1` still pulls `minimatch@5.1.9` → `brace-expansion@2.1.1` (visible in the lockfile). The major version bump only patches the *root* copy's transitive chain; the nested copy retains the vulnerable path. Please verify with `npm audit` that the advisory is actually resolved after this change.</comment>

<file context>
@@ -9446,6 +9446,47 @@
+			"integrity": "sha512-3oSeUO0TMV67hN1AmbXsK4yaqU7tjiHlbxRDZOpH0KW9+CeX4bRAaX0Anxt0tx2MrpRpWwQaPwIlISEJhYU5Pw==",
+			"license": "MIT"
+		},
+		"node_modules/monaco-languageclient/node_modules/brace-expansion": {
+			"version": "2.1.1",
+			"resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.1.1.tgz",
</file context>
Fix with cubic

Comment thread frontend/package.json
"unist-util-visit": "^5.0.0",
"vscode": "npm:@codingame/monaco-vscode-extension-api@=25.0.0",
"vscode-languageclient": "~9.0.1",
"vscode-languageclient": "~10.0.0",

@cubic-dev-ai cubic-dev-ai Bot Jul 3, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1: Upgrading vscode-languageclient to 10.0.0 while monaco-languageclient@10.6.0 pins ~9.0.1 creates a dependency fork: npm installs both v10 at the root and a nested v9.0.1 under monaco-languageclient/node_modules/. The frontend's Editor.svelte imports MonacoLanguageClient (which internally uses jsonrpc 8.x from the nested v9 copy) alongside RequestType and MessageTransports (which now resolve to jsonrpc 9.x from the root v10 copy). Passing v10 class instances into a v9-based client can break LSP transport wiring at runtime — autocomplete, hover, formatting, and similar language features would silently fail.

Consider keeping vscode-languageclient at ~9.0.1 to match what monaco-languageclient expects, and instead use an npm overrides entry to patch the transitive brace-expansion vulnerability:

"overrides": {
  "brace-expansion": "^2.0.2"
}
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At frontend/package.json, line 154:

<comment>Upgrading `vscode-languageclient` to 10.0.0 while `monaco-languageclient@10.6.0` pins `~9.0.1` creates a dependency fork: npm installs both v10 at the root and a nested v9.0.1 under `monaco-languageclient/node_modules/`. The frontend's `Editor.svelte` imports `MonacoLanguageClient` (which internally uses jsonrpc 8.x from the nested v9 copy) alongside `RequestType` and `MessageTransports` (which now resolve to jsonrpc 9.x from the root v10 copy). Passing v10 class instances into a v9-based client can break LSP transport wiring at runtime — autocomplete, hover, formatting, and similar language features would silently fail.

Consider keeping `vscode-languageclient` at `~9.0.1` to match what `monaco-languageclient` expects, and instead use an npm `overrides` entry to patch the transitive `brace-expansion` vulnerability:
```json
"overrides": {
  "brace-expansion": "^2.0.2"
}
```</comment>

<file context>
@@ -151,7 +151,7 @@
 		"unist-util-visit": "^5.0.0",
 		"vscode": "npm:@codingame/monaco-vscode-extension-api@=25.0.0",
-		"vscode-languageclient": "~9.0.1",
+		"vscode-languageclient": "~10.0.0",
 		"vscode-uri": "~3.1.0",
 		"vscode-ws-jsonrpc": "~3.5.0",
</file context>
Suggested change
"vscode-languageclient": "~10.0.0",
"vscode-languageclient": "~9.0.1",
Fix with cubic

"unist-util-visit": "^5.0.0",
"vscode": "npm:@codingame/monaco-vscode-extension-api@=25.0.0",
"vscode-languageclient": "~9.0.1",
"vscode-languageclient": "^10.0.0",

@cubic-dev-ai cubic-dev-ai Bot Jul 3, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2: Version specifier mismatch: package.json declares ~10.0.0 (tilde — only patch updates) but package-lock.json records ^10.0.0 (caret — minor + patch updates) for the same dependency. This inconsistency means a clean npm install may produce a different lockfile, causing CI/CD or teammate reproducibility issues.

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At frontend/package-lock.json, line 79:

<comment>Version specifier mismatch: `package.json` declares `~10.0.0` (tilde — only patch updates) but `package-lock.json` records `^10.0.0` (caret — minor + patch updates) for the same dependency. This inconsistency means a clean `npm install` may produce a different lockfile, causing CI/CD or teammate reproducibility issues.</comment>

<file context>
@@ -76,7 +76,7 @@
 				"unist-util-visit": "^5.0.0",
 				"vscode": "npm:@codingame/monaco-vscode-extension-api@=25.0.0",
-				"vscode-languageclient": "~9.0.1",
+				"vscode-languageclient": "^10.0.0",
 				"vscode-uri": "~3.1.0",
 				"vscode-ws-jsonrpc": "~3.5.0",
</file context>
Suggested change
"vscode-languageclient": "^10.0.0",
"vscode-languageclient": "~10.0.0",
Fix with cubic

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants