Override dependency for undici #2073

Merged: conniey merged 2 commits into microsoft:main from conniey:update-vsix on Mar 17, 2026
conniey (Member) commented Mar 16, 2026

What does this PR do?

Update undici 7.24.1 to 7.24.4.

GitHub issue number?

Pre-merge Checklist

  • Required for All PRs
    • Read contribution guidelines
    • PR title clearly describes the change
    • Commit history is clean with descriptive messages (cleanup guide)
    • Added comprehensive tests for new/modified functionality
    • Updated servers/Azure.Mcp.Server/CHANGELOG.md and/or servers/Fabric.Mcp.Server/CHANGELOG.md for product changes (features, bug fixes, UI/UX, updated dependencies)
  • For MCP tool changes:
    • One tool per PR: This PR adds or modifies only one MCP tool for faster review cycles
    • Updated servers/Azure.Mcp.Server/README.md and/or servers/Fabric.Mcp.Server/README.md documentation
    • Validate README.md changes using script at eng/scripts/Process-PackageReadMe.ps1. See Package README
    • Updated command list in /servers/Azure.Mcp.Server/docs/azmcp-commands.md and/or /docs/fabric-commands.md
    • Run .\eng\scripts\Update-AzCommandsMetadata.ps1 to update tool metadata in azmcp-commands.md (required for CI)
    • For new or modified tool descriptions, ran ToolDescriptionEvaluator and obtained a score of 0.4 or more and a top 3 ranking for all related test prompts
    • For tools with new names, including new tools or renamed tools, update consolidated-tools.json
    • For renamed tools, follow the Tool Rename Checklist and tag the PR with the breaking-change label
    • For new tools associated with Azure services or publicly available tools/APIs/products, add URL to documentation in the PR description
  • Extra steps for Azure MCP Server tool changes:
    • Updated test prompts in /servers/Azure.Mcp.Server/docs/e2eTestPrompts.md
    • 👉 For Community (non-Microsoft team member) PRs:
      • Security review: Reviewed code for security vulnerabilities, malicious code, or suspicious activities before running tests (crypto mining, spam, data exfiltration, etc.)
      • Manual tests run: added comment /azp run mcp - pullrequest - live to run Live Test Pipeline

Copilot AI (Contributor) left a comment

Pull request overview

Updates the eng/vsix-tools npm overrides to remediate newly reported undici vulnerabilities impacting the VSIX tooling dependency chain.

Changes:

  • Add an npm override to force undici to ^7.24.4 for @vscode/vsce.
  • Document the new undici override rationale alongside existing yauzl override comments.
  • Update package-lock.json to reflect undici@7.24.4.

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated 2 comments.

File: Description
  • eng/vsix-tools/package.json: Adds an undici override (and associated security comment) under @vscode/vsce.
  • eng/vsix-tools/package-lock.json: Bumps the resolved undici package to 7.24.4 to match the override.
Files not reviewed (1)
  • eng/vsix-tools/package-lock.json: Language not supported

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
github-project-automation bot moved this from Untriaged to In Progress in Azure MCP Server Mar 16, 2026
conniey merged commit 0f224c3 into microsoft:main Mar 17, 2026
15 checks passed
github-project-automation bot moved this from In Progress to Done in Azure MCP Server Mar 17, 2026
conniey deleted the update-vsix branch March 17, 2026 17:49
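
A check a reviewer could run against the regenerated lockfile after an override like the one in this PR, as an added example that is not code from this PR or repository: it walks a parsed package-lock.json (lockfileVersion 2 or 3 layout) and reports every copy of undici, hoisted or nested, that still resolves below 7.24.4. The function names and the sample lockfile entries are constructed for illustration.

```javascript
// Added example (not code from this PR): audit a parsed package-lock.json
// (lockfileVersion 2/3 layout) for copies of a package below a fixed version.

// Parse "MAJOR.MINOR.PATCH[-prerelease]" into comparable parts.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: Boolean(m[4]) };
}

// True when version a is older than version b. Parts compare numerically
// (7.3.9 < 7.24.4); a prerelease sorts before its release (7.24.4-rc.1 < 7.24.4).
function isOlder(a, b) {
  const x = parseVersion(a), y = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (x.nums[i] !== y.nums[i]) return x.nums[i] < y.nums[i];
  }
  return x.pre && !y.pre;
}

// Return every lockfile entry for `name` resolved below `minVersion`.
// Keys look like "node_modules/a/node_modules/undici", so nested
// (non-hoisted) copies are checked as well as the top-level one.
function findStaleCopies(lock, name, minVersion) {
  const suffix = `node_modules/${name}`;
  return Object.entries(lock.packages || {})
    .filter(([path]) => path === suffix || path.endsWith(`/${suffix}`))
    .filter(([, meta]) => meta.version && isOlder(meta.version, minVersion))
    .map(([path, meta]) => ({ path, version: meta.version }));
}

// Constructed sample lockfile (not the repository's real package-lock.json).
const lockBefore = {
  lockfileVersion: 3,
  packages: {
    "": { name: "vsix-tools" },
    "node_modules/@vscode/vsce": { version: "0.0.0" }, // placeholder version
    "node_modules/undici": { version: "7.24.4" },
    "node_modules/@vscode/vsce/node_modules/undici": { version: "7.24.1" },
  },
};
// Same tree after the override has been applied and the lockfile regenerated.
const lockAfter = JSON.parse(JSON.stringify(lockBefore));
lockAfter.packages["node_modules/@vscode/vsce/node_modules/undici"].version = "7.24.4";

console.log(findStaleCopies(lockBefore, "undici", "7.24.4"));
console.log(findStaleCopies(lockAfter, "undici", "7.24.4"));
```

To run it on a real tree, pass the result of `JSON.parse` on the lockfile contents as `lock`; a non-empty result is a reason to fail the build.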