fix: Migrate from npm to pnpm and resolve all dependency vulnerabilities#2733
Merged
hectorhdzg merged 12 commits on Jun 18, 2026
Contributor
Pull request overview
This PR migrates the repo’s Rush-managed package manager from npm to pnpm to improve dependency isolation and eliminate known vulnerability chains (notably tar/postcss), while also updating build/tooling to work under pnpm’s stricter resolution rules.
Changes:
- Switch Rush to pnpm 9.15.9 and upgrade @microsoft/rush to 5.175.1, adding Rush pnpm configuration (`pnpm-config.json`) and hoisting rules (`common/config/rush/.npmrc`).
- Make tool scripts and build/test infrastructure compatible with pnpm strictness (e.g., explicit module resolution for `globby`/`archiver`, `eventemitter2` export shape handling, cross-package script resolution).
- Standardize TypeScript `lib` settings and enable `skipLibCheck` across many packages to restore type compatibility with newer `@nevware21/ts-utils`.
Reviewed changes
Copilot reviewed 67 out of 72 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| tools/subResourceIntegrity/generateIntegrityFile.js | Resolve globby relative to the invoking package under pnpm. |
| tools/shims/tsconfig.json | Add TS lib entries and skipLibCheck for ES2015+ types. |
| tools/shims/package.json | Add missing devDependencies for pnpm strict installs. |
| tools/rollup-plugin-uglify3-js/tsconfig.json | Add TS lib entries for ES2015+ types. |
| tools/rollup-plugin-uglify3-js/package.json | Add eslint-related devDependencies for pnpm strictness. |
| tools/rollup-es5/tsconfig.json | Add TS lib entries and skipLibCheck. |
| tools/rollup-es5/package.json | Add missing devDependencies for pnpm strict installs. |
| tools/release-tools/zipbrowser.js | Resolve archiver relative to the invoking package under pnpm. |
| tools/grunt-tasks/qunit.js | Handle eventemitter2 export shape changes. |
| tools/config/package.json | Add missing Grunt devDependencies for pnpm strict installs. |
| tools/chrome-debug-extension/package.json | Remove vulnerable/unused deps and add missing devDependencies for pnpm. |
| tools/applicationinsights-web-snippet/tsconfig.json | Add TS lib entries for ES2015+ types. |
| tools/applicationinsights-web-snippet/package.json | Add missing devDependencies for pnpm strict installs. |
| shared/AppInsightsCore/tsconfig.json | Add TS lib entries and enable skipLibCheck. |
| shared/AppInsightsCore/package.json | Add missing devDependencies for pnpm strict installs. |
| shared/AppInsightsCommon/tsconfig.json | Add TS lib entries for ES2015+ types. |
| shared/AppInsightsCommon/package.json | Add missing devDependencies for pnpm strict installs. |
| shared/1ds-core-js/tsconfig.json | Add TS lib entries and enable skipLibCheck. |
| shared/1ds-core-js/package.json | Add missing devDependencies for pnpm strict installs. |
| rush.json | Switch Rush from npm to pnpm and bump Rush version. |
| package.json | Bump Rush and update override versions (e.g., minimatch), plus tool deps. |
| gruntfile.js | Skip ESLint tasks on Node 24+ to avoid known ESLint 8 glob issues. |
| extensions/applicationinsights-properties-js/tsconfig.json | Add TS lib entries for ES2015+ types. |
| extensions/applicationinsights-properties-js/src/PropertiesPlugin.ts | Import formatting/reordering. |
| extensions/applicationinsights-properties-js/package.json | Add missing devDependencies for pnpm strict installs. |
| extensions/applicationinsights-perfmarkmeasure-js/tsconfig.json | Add TS lib entries for ES2015+ types. |
| extensions/applicationinsights-perfmarkmeasure-js/package.json | Add missing devDependencies for pnpm strict installs. |
| extensions/applicationinsights-osplugin-js/tsconfig.json | Add TS lib entries for ES2015+ types. |
| extensions/applicationinsights-osplugin-js/package.json | Add missing devDependencies for pnpm strict installs. |
| extensions/applicationinsights-dependencies-js/tsconfig.json | Add TS lib entries for ES2015+ types. |
| extensions/applicationinsights-dependencies-js/package.json | Add missing devDependencies for pnpm strict installs. |
| extensions/applicationinsights-debugplugin-js/tsconfig.json | Add TS lib entries for ES2015+ types. |
| extensions/applicationinsights-debugplugin-js/package.json | Add missing devDependencies for pnpm strict installs. |
| extensions/applicationinsights-clickanalytics-js/tsconfig.json | Add TS lib entries for ES2015+ types. |
| extensions/applicationinsights-clickanalytics-js/package.json | Add missing devDependencies for pnpm strict installs. |
| extensions/applicationinsights-cfgsync-js/tsconfig.json | Add TS lib entries for ES2015+ types. |
| extensions/applicationinsights-cfgsync-js/package.json | Add missing devDependencies for pnpm strict installs. |
| extensions/applicationinsights-analytics-js/tsconfig.json | Add TS lib entries for ES2015+ types. |
| extensions/applicationinsights-analytics-js/src/JavaScriptSDK/AnalyticsPlugin.ts | Adjust plugin version constant. |
| extensions/applicationinsights-analytics-js/package.json | Add missing devDependencies for pnpm strict installs. |
| examples/startSpan/tsconfig.json | Add TS lib entries for ES2015+ types. |
| examples/startSpan/package.json | Add missing devDependencies for pnpm strict installs. |
| examples/shared-worker/tsconfig.json | Add TS lib entries and enable skipLibCheck. |
| examples/shared-worker/package.json | Add missing devDependencies for pnpm strict installs. |
| examples/dependency/tsconfig.json | Add TS lib entries for ES2015+ types. |
| examples/dependency/package.json | Add missing devDependencies for pnpm strict installs. |
| examples/cfgSync/tsconfig.json | Add TS lib entries and enable skipLibCheck. |
| examples/cfgSync/package.json | Add missing devDependencies for pnpm strict installs. |
| examples/AISKU/tsconfig.json | Add TS lib entries for ES2015+ types. |
| examples/AISKU/package.json | Add missing devDependencies for pnpm strict installs. |
| common/Tests/Framework/tsconfig.json | Add TS lib entries for ES2015+ types. |
| common/Tests/Framework/package.json | Add missing devDependencies for pnpm strict installs. |
| common/scripts/install-run.js | Adjust webpack runtime module-not-found handling. |
| common/scripts/install-run-rush.js | Adjust webpack runtime module-not-found handling. |
| common/scripts/install-run-rush-pnpm.js | Add Rush-generated install-run wrapper for rush-pnpm. |
| common/config/rush/pnpm-config.json | Add pnpm global overrides and peer dependency rules. |
| common/config/rush/.npmrc | Add pnpm public hoist patterns for build tooling. |
| channels/tee-channel-js/tsconfig.json | Add TS lib entries for ES2015+ types. |
| channels/tee-channel-js/package.json | Add missing devDependencies for pnpm strict installs. |
| channels/offline-channel-js/tsconfig.json | Add TS lib entries for ES2015+ types. |
| channels/offline-channel-js/package.json | Add missing devDependencies for pnpm strict installs. |
| channels/applicationinsights-channel-js/tsconfig.json | Add TS lib entries for ES2015+ types. |
| channels/applicationinsights-channel-js/package.json | Add missing devDependencies for pnpm strict installs. |
| channels/1ds-post-js/tsconfig.json | Add TS lib entries and enable skipLibCheck. |
| channels/1ds-post-js/package.json | Add missing devDependencies for pnpm strict installs. |
| AISKULight/tsconfig.json | Add TS lib entries for ES2015+ types. |
| AISKULight/package.json | Add missing devDependencies for pnpm strict installs. |
| AISKU/tsconfig.json | Add TS lib entries for ES2015+ types. |
| AISKU/Tests/es6-module-type-check/tsconfig.json | Expand lib for async iterator/generator typing. |
| AISKU/package.json | Add missing devDependencies for pnpm strict installs. |
Files not reviewed (3)
- common/scripts/install-run-rush-pnpm.js: Language not supported
- common/scripts/install-run-rush.js: Language not supported
- common/scripts/install-run.js: Language not supported
rads-1996 approved these changes on May 13, 2026
JacksonWeber approved these changes on May 14, 2026
- Migrate Rush package manager from npm 9.9.4 to pnpm 9.15.9 to eliminate bundled tar 6.2.x CVEs
- Upgrade Rush from 5.172.1 to 5.175.1 for pnpm support
- Add pnpm-config.json with global overrides for minimatch, tar, glob, lodash, and postcss
- Remove unused autoprefixer dependency (source of postcss CVEs)
- Add 177 missing phantom dependencies across 27 packages for pnpm strict module isolation
- Fix tsconfig lib settings across 26+ packages for @nevware21/ts-utils ES2015+ type compatibility
- Fix eventemitter2 export structure change in tools/grunt-tasks/qunit.js
- Fix cross-package script resolution in tools/subResourceIntegrity and tools/release-tools
- Add Node 24 ESLint 8 compatibility guard in gruntfile.js
- Delete npm-shrinkwrap.json, add pnpm-lock.yaml

Resolves: 6 tar CVEs (critical/high), 2 postcss CVEs (moderate) — 0 vulnerabilities remaining
- Add PUPPETEER_SKIP_DOWNLOAD env var in CI
- Add puppeteer executable path detection for Linux/CI environments
- Fix cross-platform sleep in minifyNames using Atomics.wait
- Fix updateDistEsm dynamicproto import path
- Fix test module loading in shims tests
These packages need explicit paths to the root gruntfile since pnpm uses strict dependency isolation. Direct grunt task calls fail without specifying the gruntfile location.
…solve-dependency-vulnerabilities

# Conflicts:
# .github/workflows/ci.yml
# AISKU/package.json
# AISKULight/package.json
# channels/1ds-post-js/package.json
# channels/applicationinsights-channel-js/package.json
# channels/offline-channel-js/package.json
# channels/tee-channel-js/package.json
# common/config/rush/npm-shrinkwrap.json
# extensions/applicationinsights-cfgsync-js/package.json
# extensions/applicationinsights-dependencies-js/package.json
# extensions/applicationinsights-osplugin-js/package.json
# shared/1ds-core-js/package.json
# shared/AppInsightsCore/package.json
# tools/chrome-debug-extension/package.json
Regenerated pnpm-lock.yaml after merging upstream/main and added global overrides for 4 advisories surfaced by 'pnpm audit':
- ws >=8.21.0 (GHSA-96hv-2xvq-fx4p, high) via puppeteer
- form-data >=2.5.6 <3.0.0 (GHSA-hmw2-7cc7-3qxx, high)
- js-yaml >=4.2.0 (GHSA-h67p-54hq-rp68, moderate) via eslint/grunt
- markdown-it >=14.2.0 (GHSA-6v5v-wf23-fmfq, moderate) via typedoc

form-data pinned to the 2.x line (2.5.6 exists) to stay API-compatible with its single 2.x consumer; js-yaml already resolved uniformly to 4.x so 4.2.0 is safe. 'pnpm audit' (prod and full) now reports 0 vulnerabilities.
A prior refactor extracted the inline perf puppeteer options into the 'perfPuppeteerOptions' variable and replaced the inline object with 'puppeteer: perfPuppeteerOptions', but left behind the old object's trailing ']' and an extra '}'. This produced 'SyntaxError: Unexpected token ]' when grunt loaded the gruntfile, which broke the very first build operation (@microsoft/ai-test-framework -> 'grunt tst-framework') and cascaded to block all 27 downstream package builds in CI. Removed the stray ']' and extra '}'. Verified: gruntfile now parses (node require) and 'rush build' completes successfully (exit 0).
Adds fix/migrate-pnpm-resolve-dependency-vulnerabilities to the push trigger so the fork runs the full build+test matrix on each push and we can watch the result directly (the pull_request trigger only runs in the upstream PR context). Revert before merge.
'rush check' failed: @microsoft/applicationinsights-properties-js still declared '@nevware21/ts-async: >= 0.5.5 < 2.x' while every other package was narrowed to '>= 0.5.5 < 0.6.0' during the upstream/main merge. This file was not part of the merge conflict set so it was missed. Narrowed it to match. 'rush check' now reports no mis-matching deps (exit 0).
JacksonWeber approved these changes on Jun 18, 2026
…tion branch

Reverts commit 63c6ed7 ("apply build/CI improvements from PR 2737") which was unrelated to the pnpm migration + vulnerability remediation. Restored to upstream/main state:
- gruntfile.js: removed _getPuppeteerExecutablePath() + the unit/perf puppeteer-options refactor (CI relies on puppeteer's native PUPPETEER_EXECUTABLE_PATH handling, same as upstream). Kept the pnpm-migration content (a52dd9f).
- tools/grunt-tasks/minifyNames.js: removed sleepForRetry()
- shared/AppInsightsCore/src/utils/DataCacheHelper.ts: #version# -> 3.4.1
- common/Tests/Framework/rollup.config.js: dropped extra updateDistEsmFiles arg
- tools/shims/Tests/UnitTests.html: dropped extra modules.run arg

Also reverted e021de0 (the perf-qunit syntax fix) implicitly, since the malformed block it fixed only existed because of 63c6ed7. extUtils.ts already matched upstream (#extVersion#) and was left as-is.
rads-1996 approved these changes on Jun 18, 2026
hectorhdzg added a commit that referenced this pull request on Jun 18, 2026
* [Release] Increase version to 3.4.2

Maintenance release for the 3.4.x line:
- Prototype pollution hardening in extend()/objExtend() (#2735)
- OsPlugin emits correct CS 4.0 fields ext.os.name / ext.os.ver (#2732)
- RequestEnvelopeCreator uses correct request envelope name (#2724)
- Offline channel null-provider fix (#2734)
- Dependency vulnerability resolution and npm->pnpm migration (#2733)
- CI: drop Node 16, add Node 22 and 24 (#2731)

* Restore 3.0.4 row in AISKU CDN size table (PR review feedback)