Bump the npm_and_yarn group across 2 directories with 5 updates

[dependabot]

Bumps the npm_and_yarn group with 4 updates in the /extension directory: ws, @nevware21/ts-utils, fast-uri and qs.
Bumps the npm_and_yarn group with 1 update in the /tests/Aspire.Hosting.CodeGeneration.TypeScript.JsTests directory: vitest.

Updates ws from 8.20.0 to 8.20.1

Release notes

Sourced from ws's releases.

8.20.1

Bug fixes

• Fixed an uninitialized memory disclosure issue in websocket.close() (c0327ec1).

Providing a TypedArray (e.g. Float32Array) as the reason argument for websocket.close(), rather than the supported string or Buffer types, caused uninitialized memory to be disclosed to the remote peer.

import { deepStrictEqual } from 'node:assert';
import { WebSocket, WebSocketServer } from 'ws';
const wss = new WebSocketServer(
{ port: 0, skipUTF8Validation: true },
function () {
const { port } = wss.address();
const ws = new WebSocket(ws://localhost:${port}, {
skipUTF8Validation: true
});
ws.on('close', function (code, reason) {
  deepStrictEqual(reason, Buffer.alloc(80));
});

}
);
wss.on('connection', function (ws) {
ws.close(1000, new Float32Array(20));
});

The issue was privately reported by Nikita Skovoroda.

Commits

• 5d9b316 [dist] 8.20.1
• c0327ec [security] Fix uninitialized memory disclosure in websocket.close()
• ce2a3d6 [ci] Test on node 26
• 58e45b8 [ci] Do not test on node 25
• 5f26c24 [ci] Run the lint step on node 24
• See full diff in compare view

Updates @nevware21/ts-utils from 0.13.0 to 0.15.0

Release notes

Sourced from @​nevware21/ts-utils's releases.

0.15.0

Changelog

Features

• #570 Add microtask scheduling helpers with native queueMicrotask, Promise, and timer-backed fallbacks
  • New functions: scheduleMicrotask, hasQueueMicrotask, getQueueMicrotask, setMicroTaskFallbackOptions
  • New public types: ScheduleMicrotaskFn, MicroTaskOptions
  • Extends microtask support by providing cancellable microtasks via ITimerHandler, plus fallback ordering to run microtasks before queued timers when using the timer-backed implementation
  • Provides runtime parity across all supported environments by using native queueMicrotask when present, Promise-backed scheduling when available, and a timer-backed microtask queue otherwise
• #573 Add nextTick scheduling support and new helper exports
  • New timer/runtime functions: scheduleNextTick, getProcessNextTick, hasProcessNextTick, setNextTickFallbackOptions
  • Uses native process.nextTick in Node runtimes when available, while providing equivalent nextTick behavior in browser and worker runtimes via Promise and timer-backed fallbacks
  • Adds shared queue logic and callback-argument support across microtask and nextTick scheduling
  • Adds arrConcat as a dedicated array helper and fnBindArgs as a dedicated function helper
  • Improves function binding typing with exported BoundFunction and updated signatures for fnBind / fnBindArgs
• #574 feat(iterator,array): add iterator collection helpers, split helper modules, and align collection membership semantics
  • Added new iterator helpers: iterMap, iterFilter, iterTake, iterReduce, iterSome, iterEvery, iterToArray, iterUnion, iterIntersection, iterDifference
  • Added arrToMap helper in the array module and moved callback/type declarations into iterator/types
  • Refactored iterator helper implementation/tests into per-function files and updated root exports
  • Added NaN regression coverage and switched iterator set-operation membership checks to arrIncludes semantics for parity with array helpers
• #576 Refactor timer microtask/nextTick shared types and environment helpers, with expanded fallback coverage
  • Moved MicrotaskFn and ScheduleMicrotaskFn to helpers/types and updated timer internals to consume shared type definitions
  • Moved getQueueMicrotask and hasQueueMicrotask to helpers/environment, updated root exports, and aligned scheduleNextTick fallback resolution to prefer queueMicrotask when available
  • Added internal microtaskQueue scheduler helper wiring and expanded tests for queue fallback behavior, Promise ordering, and no-Promise edge cases

Bug Fixes

• #568 Rolldown INVALID_ANNOTATION warnings caused by non-canonical PURE annotation spacing in generated output
  • #569 Add generated-chunk PURE annotation normalization so spaced forms are rewritten to canonical (/*#__PURE__*/ / (/*@__PURE__*/ in rollup output
  • #575 Add packaged artifact validation for PURE annotation spacing and update normalization tolerance, with per-file logging while scanning lib/bundle and lib/dist

New Contributors

• @​hrithik-infinite made their first contribution in nevware21/ts-utils#569

Full Changelog: nevware21/ts-utils@0.14.0...0.15.0

0.14.0

Changelog

Features

• #525 feat(array): add new array helpers and array-like detection
  • New helpers: isArrayLike, arrUnique, arrCompact, arrFlatten, arrGroupBy, arrChunk and export previously missed isArrayLike
• #527 feat(string): add strReplace and strReplaceAll helpers with refactored internal replacements
• #528 feat(string): add strCapitalizeWords helper
• #529 / #530 feat(string): add strTruncate, strCount, strAt, and strMatchAll helpers with shared literal regex helper
• #533 feat(array): add arrFlatMap with ES5 polyfill support
• #535 docs(types): add typing utilities for v0.14.0 and expand TSDoc examples
• #536 feat: add isAsyncIterable and isIntegerInRange type/value inspection helpers

... (truncated)

Changelog

Sourced from @​nevware21/ts-utils's changelog.

v0.15.0 May 29th, 2026

Changelog

Features

• #570 Add microtask scheduling helpers with native queueMicrotask, Promise, and timer-backed fallbacks
  • New functions: scheduleMicrotask, hasQueueMicrotask, getQueueMicrotask, setMicroTaskFallbackOptions
  • New public types: ScheduleMicrotaskFn, MicroTaskOptions
  • Extends microtask support by providing cancellable microtasks via ITimerHandler, plus fallback ordering to run microtasks before queued timers when using the timer-backed implementation
  • Provides runtime parity across all supported environments by using native queueMicrotask when present, Promise-backed scheduling when available, and a timer-backed microtask queue otherwise
• #573 Add nextTick scheduling support and new helper exports
  • New timer/runtime functions: scheduleNextTick, getProcessNextTick, hasProcessNextTick, setNextTickFallbackOptions
  • Uses native process.nextTick in Node runtimes when available, while providing equivalent nextTick behavior in browser and worker runtimes via Promise and timer-backed fallbacks
  • Adds shared queue logic and callback-argument support across microtask and nextTick scheduling
  • Adds arrConcat as a dedicated array helper and fnBindArgs as a dedicated function helper
  • Improves function binding typing with exported BoundFunction and updated signatures for fnBind / fnBindArgs
• #574 feat(iterator,array): add iterator collection helpers, split helper modules, and align collection membership semantics
  • Added new iterator helpers: iterMap, iterFilter, iterTake, iterReduce, iterSome, iterEvery, iterToArray, iterUnion, iterIntersection, iterDifference
  • Added arrToMap helper in the array module and moved callback/type declarations into iterator/types
  • Refactored iterator helper implementation/tests into per-function files and updated root exports
  • Added NaN regression coverage and switched iterator set-operation membership checks to arrIncludes semantics for parity with array helpers
• #576 Refactor timer microtask/nextTick shared types and environment helpers, with expanded fallback coverage
  • Moved MicrotaskFn and ScheduleMicrotaskFn to helpers/types and updated timer internals to consume shared type definitions
  • Moved getQueueMicrotask and hasQueueMicrotask to helpers/environment, updated root exports, and aligned scheduleNextTick fallback resolution to prefer queueMicrotask when available
  • Added internal microtaskQueue scheduler helper wiring and expanded tests for queue fallback behavior, Promise ordering, and no-Promise edge cases

Bug Fixes

• #568 Rolldown INVALID_ANNOTATION warnings caused by non-canonical PURE annotation spacing in generated output
  • #569 Add generated-chunk PURE annotation normalization so spaced forms are rewritten to canonical (/*#__PURE__*/ / (/*@__PURE__*/ in rollup output
  • #575 Add packaged artifact validation for PURE annotation spacing and update normalization tolerance, with per-file logging while scanning lib/bundle and lib/dist

Full Changelog

v0.14.0 May 18th, 2026

Changelog

Features

• #525 feat(array): add new array helpers and array-like detection
  • New helpers: isArrayLike, arrUnique, arrCompact, arrFlatten, arrGroupBy, arrChunk and export previously missed isArrayLike
• #527 feat(string): add strReplace and strReplaceAll helpers with refactored internal replacements
• #528 feat(string): add strCapitalizeWords helper
• #529 / #530 feat(string): add strTruncate, strCount, strAt, and strMatchAll helpers with shared literal regex helper
• #533 feat(array): add arrFlatMap with ES5 polyfill support
• #535 docs(types): add typing utilities for v0.14.0 and expand TSDoc examples
• #536 feat: add isAsyncIterable and isIntegerInRange type/value inspection helpers
• #543 feat(string): add strStartsWithAny, strEndsWithAny, strWrap, strUnwrap, and strNormalizeNewlines helpers

... (truncated)

Commits

• 66b5fba [Release] Increase version to 0.15.0 (#577)
• 358d5d1 refactor(timer): centralize microtask types and queueMicrotask access; expand...
• 382853e feat(iterator): add iterator collection helpers with docs and tests (#574)
• 87cb303 test(build): validate packaged bundle PURE annotations and improve no… (#575)
• 124d67f feat: add nextTick support, add arrConcat and fnBindArgs helpers (#573)
• 34178c1 Fix #PURE annotations being ignored by Rolldown/Vite 8 (#568) (#569)
• 5b5854b feat(timer): add cancellable microtask scheduling with cross-runtime fallback...
• 45cb369 [Release] Increase version to 0.14.0 (#567)
• 5e887f4 Add new object utility helpers and harden defaults against prototype pollutio...
• 0a486d3 Bug: Falsy thisArg (0, '', false) overridden in arrForEach/iterForOf/objForEa...
• Additional commits viewable in compare view

Updates fast-uri from 3.1.0 to 3.1.2

Release notes

Sourced from fast-uri's releases.

v3.1.2

⚠️ Security Release

• Fix for GHSA-v39h-62p7-jpjc

What's Changed

• Handle malformed fragment decoding as a parse error by @​mcollina in fastify/fast-uri#171

Full Changelog: fastify/fast-uri@v3.1.1...v3.1.2

v3.1.1

⚠️ Security Release

• Fix for GHSA-q3j6-qgpj-74h6

What's Changed

• build(deps-dev): bump tsd from 0.32.0 to 0.33.0 by @​dependabot[bot] in fastify/fast-uri#148
• build(deps): bump actions/checkout from 4 to 5 by @​dependabot[bot] in fastify/fast-uri#149
• chore(.npmrc): ignore scripts by @​Fdawgs in fastify/fast-uri#150
• build(deps-dev): remove @​fastify/pre-commit by @​Fdawgs in fastify/fast-uri#151
• build(deps): bump actions/setup-node from 4 to 5 by @​dependabot[bot] in fastify/fast-uri#152
• ci(ci): add concurrency config by @​Fdawgs in fastify/fast-uri#153
• build(deps): bump actions/setup-node from 5 to 6 by @​dependabot[bot] in fastify/fast-uri#154
• build(deps): bump actions/checkout from 5 to 6 by @​dependabot[bot] in fastify/fast-uri#156
• chore(license): standardise license notice by @​Fdawgs in fastify/fast-uri#159
• style: remove trailing whitespace by @​Fdawgs in fastify/fast-uri#161
• ci: remove unused github files by @​Tony133 in fastify/fast-uri#162
• chore: update readme by @​Tony133 in fastify/fast-uri#164
• build(deps): bump fastify/workflows/.github/workflows/plugins-ci-package-manager.yml from 5 to 6 by @​dependabot[bot] in fastify/fast-uri#165
• build(deps): bump fastify/workflows/.github/workflows/plugins-ci.yml from 5 to 6 by @​dependabot[bot] in fastify/fast-uri#166
• build(deps-dev): bump neostandard from 0.12.2 to 0.13.0 by @​dependabot[bot] in fastify/fast-uri#167
• ci: add lock-threads workflow by @​Fdawgs in fastify/fast-uri#169

New Contributors

• @​Tony133 made their first contribution in fastify/fast-uri#162

Full Changelog: fastify/fast-uri@v3.1.0...v3.1.1

Commits

• 919dd8e Bumped v3.1.2
• c65ba57 fixup: linting
• 6c86c17 Merge commit from fork
• a95158a Handle malformed fragment decoding without throwing (#171)
• cea547c Bumped v3.1.1
• 876ce79 Merge commit from fork
• dcdf690 ci: add lock-threads workflow (#169)
• c860e65 build(deps-dev): bump neostandard from 0.12.2 to 0.13.0 (#167)
• 9b4c6dc build(deps): bump fastify/workflows/.github/workflows/plugins-ci.yml (#166)
• 85d09a9 build(deps): bump fastify/workflows/.github/workflows/plugins-ci-package-mana...
• Additional commits viewable in compare view

Updates qs from 6.15.0 to 6.15.2

Changelog

Sourced from qs's changelog.

6.15.2

• [Fix] stringify: skip null/undefined entries in arrayFormat: 'comma' + encodeValuesOnly instead of crashing in encoder
• [Fix] stringify: use configured delimiter after charsetSentinel (#555)
• [Fix] stringify: apply formatter to encoded key under strictNullHandling (#554)
• [Fix] stringify: skip null/undefined filter-array entries instead of crashing in encoder (#551)
• [Fix] parse: handle nested bracket groups and add regression tests (#530)
• [readme] fix grammar (#550)
• [Dev Deps] update @ljharb/eslint-config
• [Tests] add regression tests for keys containing percent-encoded bracket text

6.15.1

• [Fix] parse: parameterLimit: Infinity with throwOnLimitExceeded: true silently drops all parameters
• [Deps] update @ljharb/eslint-config
• [Dev Deps] update @ljharb/eslint-config, iconv-lite
• [Tests] increase coverage

Commits

• 9aca407 v6.15.2
• 5e33d33 [Dev Deps] update @ljharb/eslint-config
• 21f80b3 [Fix] stringify: skip null/undefined entries in arrayFormat: 'comma' + `e...
• a0a81ea [Fix] stringify: use configured delimiter after charsetSentinel
• e3062f7 [Fix] stringify: apply formatter to encoded key under strictNullHandling
• 0c180a4 [Fix] stringify: skip null/undefined filter-array entries instead of crashi...
• 3a8b94a [Tests] add regression tests for keys containing percent-encoded bracket text
• 96755ab [readme] fix grammar
• a419ce5 [Fix] parse: handle nested bracket groups and add regression tests
• 3f5e1c5 v6.15.1
• Additional commits viewable in compare view

Updates vitest from 3.2.4 to 4.1.0

Release notes

Sourced from vitest's releases.

v4.1.0

Vitest 4.1 is out!

This release page lists all changes made to the project during the 4.1 beta. To get a review of all the new features, read our blog post.

   🚀 Features

• Return a disposable from doMock()  -  by @​kirkwaiblinger in vitest-dev/vitest#9332 (e3e65)
• Added chai style assertions  -  by @​ronnakamoto and @​sheremet-va in vitest-dev/vitest#8842 (841df)
• Update to sinon/fake-timers v15 and add setTickMode to timer controls  -  by @​atscott and @​sheremet-va in vitest-dev/vitest#8726 (4b480)
• Expose matcher types  -  by @​sheremet-va in vitest-dev/vitest#9448 (3e4b9)
• Add toTestSpecification to reported tasks  -  by @​sheremet-va in vitest-dev/vitest#9464 (1a470)
• Show a warning if vi.mock or vi.hoisted are declared outside of top level of the module  -  by @​sheremet-va in vitest-dev/vitest#9387 (5db54)
• Track and display expectedly failed tests (.fails) in UI and CLI  -  by @​Copilot, sheremet-va and @​sheremet-va in vitest-dev/vitest#9476 (77d75)
• Support tags  -  by @​sheremet-va in vitest-dev/vitest#9478 (de7c8)
• Implement aroundEach and aroundAll hooks  -  by @​sheremet-va in vitest-dev/vitest#9450 (2a8cb)
• Stabilize experimental features  -  by @​sheremet-va in vitest-dev/vitest#9529 (b5fd2)
• Accept new or all in --update flag  -  by @​sheremet-va in vitest-dev/vitest#9543 (a5acf)
• Support meta in test options  -  by @​sheremet-va in vitest-dev/vitest#9535 (7d622)
• Support type inference with a new test.extend syntax  -  by @​sheremet-va in vitest-dev/vitest#9550 (e5385)
• Support vite 8 beta, fix type issues in the config with different vite versions  -  by @​sheremet-va in vitest-dev/vitest#9587 (99028)
• Add assertion helper to hide internal stack traces  -  by @​hi-ogawa and Claude Opus 4.6 in vitest-dev/vitest#9594 (eeb0a)
• Store failure screenshots using artifacts API  -  by @​macarie in vitest-dev/vitest#9588 (24603)
• Allow vitest list to statically collect tests instead of running files to collect them  -  by @​sheremet-va in vitest-dev/vitest#9630 (7a8e7)
• Add --detect-async-leaks  -  by @​AriPerkkio in vitest-dev/vitest#9528 (c594d)
• Implement mockThrow and mockThrowOnce  -  by @​thor-juhasz and @​sheremet-va in vitest-dev/vitest#9512 (61917)
• Support update: "none" and add docs about snapshots behavior on CI  -  by @​hi-ogawa in vitest-dev/vitest#9700 (05f18)
• Support playwright launchOptions with connectOptions  -  by @​hi-ogawa in vitest-dev/vitest#9702 (f0ff1)
• Add page/locator.mark API to enhance playwright trace  -  by @​hi-ogawa in vitest-dev/vitest#9652 (d0ee5)
• api:
  • Support tests starting or ending with test in experimental_parseSpecification  -  by @​jgillick and Jeremy Gillick in vitest-dev/vitest#9235 (2f367)
  • Add filters to createSpecification  -  by @​sheremet-va in vitest-dev/vitest#9336 (c8e6c)
  • Expose runTestFiles as alternative to runTestSpecifications  -  by @​sheremet-va in vitest-dev/vitest#9443 (43d76)
  • Add allowWrite and allowExec options to api  -  by @​sheremet-va in vitest-dev/vitest#9350 (20e00)
  • Allow passing down test cases to toTestSpecification  -  by @​sheremet-va in vitest-dev/vitest#9627 (6f17d)
• browser:
  • Add userEvent.wheel API  -  by @​macarie in vitest-dev/vitest#9188 (66080)
  • Add filterNode option to prettyDOM for filtering browser assertion error output  -  by @​Copilot, sheremet-va and @​sheremet-va in vitest-dev/vitest#9475 (d3220)
  • Support playwright persistent context  -  by @​hi-ogawa, Claude Opus 4.6 and @​sheremet-va in vitest-dev/vitest#9229 (f865d)
  • Added detailsPanelPosition option and button  -  by @​shairez in vitest-dev/vitest#9525 (c8a31)
  • Use BlazeDiff instead of pixelmatch  -  by @​macarie in vitest-dev/vitest#9514 (30936)
  • Add findElement and enable strict mode in webdriverio and preview  -  by @​sheremet-va in vitest-dev/vitest#9677 (c3f37)
• cli:
  • Add @​bomb.sh/tab completions  -  by @​AmirSa12 and @​sheremet-va in vitest-dev/vitest#8639 (200f3)
• coverage:
  • Support ignore start/stop ignore hints  -  by @​AriPerkkio in vitest-dev/vitest#9204 (e59c9)
  • Add coverage.changed option to report only changed files  -  by @​kykim00 and @​AriPerkkio in vitest-dev/vitest#9521 (1d939)
• experimental:
  • Add onModuleRunner hook to worker.init  -  by @​sheremet-va in vitest-dev/vitest#9286 (e977f)
  • Option to disable the module runner  -  by @​sheremet-va and @​AriPerkkio in vitest-dev/vitest#9210 (9be61)

... (truncated)

Commits

• 4150b91 chore: release v4.1.0
• 1de0aa2 fix: correctly identify concurrent test during static analysis (#9846)
• c3cac1c fix: use isAgent check, not just TTY, for watch mode (#9841)
• eab68ba chore(deps): update all non-major dependencies (#9824)
• 031f02a fix: allow catch/finally for async assertion (#9827)
• 3e9e096 feat(reporters): add agent reporter to reduce ai agent token usage (#9779)
• 0c2c013 chore: release v4.1.0-beta.6
• 8181e06 fix: hideSkippedTests should not hide test.todo (fix #9562) (#9781)
• a8216b0 fix: manual and redirect mock shouldn't load or transform original module...
• 689a22a fix(browser): types of getCDPSession and cdp() (#9716)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for vitest since your current version.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[Copilot]

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

[github-actions]

🚀 Dogfood this PR with:

⚠️ WARNING: Do not do this without first carefully reviewing the code of this PR to satisfy yourself it is safe.

curl -fsSL https://raw.githubusercontent.com/microsoft/aspire/main/eng/scripts/get-aspire-cli-pr.sh | bash -s -- 17854

Or

• Run remotely in PowerShell:

iex "& { $(irm https://raw.githubusercontent.com/microsoft/aspire/main/eng/scripts/get-aspire-cli-pr.ps1) } 17854"

[IEvangelist]

Did a fresh re-run of the failing CI jobs (gh run rerun --failed 26850781103). All four originally-failing jobs failed again with the same root causes - they are not transient, so I'm unable to approve this PR as-is. Below are the specific diagnostics so the next push can address them.

1. Tests / Validate VS Code extension bootstrap (Linux) and Tests / Run VS Code extension unit tests (Windows)

Both fail in the yarn install step with:

error Error: https://pkgs.dev.azure.com/dnceng/public/_packaging/dotnet-public-npm/npm/registry/@nevware21/ts-utils/-/ts-utils-0.15.0.tgz: Request failed "401 Unauthorized"

I confirmed against the internal mirror directly:

Version	HEAD from internal feed
@nevware21/ts-utils@0.13.0	303 (available)
@nevware21/ts-utils@0.14.0	303 (available, and is the first patched version for GHSA #1161)
@nevware21/ts-utils@0.15.0	401 (not mirrored)

The advisory only requires >= 0.14.0. Dropping the resolution to 0.14.0 (or asking the mirror to ingest 0.15.0) should unblock both jobs.

2. Tests / TypeScript SDK Unit Tests / TypeScript SDK Tests Job

Fails in npm ci with:

npm error Invalid Version:

The regenerated tests/Aspire.Hosting.CodeGeneration.TypeScript.JsTests/package-lock.json contains a number of optional native-binary entries (added when vitest jumped 3.2.4 -> 4.1.0) that have no version field, e.g.:

"node_modules/lightningcss/node_modules/lightningcss-linux-x64-gnu": {
  "dev": true,
  "optional": true
}

I counted 22 such stub entries across lightningcss/* and @rolldown/binding-*. npm ci on npm 10.9.8 (the version used by actions/setup-node@v5 with node-version: 22) rejects these because version is required for the npm ci integrity check. A fresh npm install against the internal feed (or @dependabot recreate once the ts-utils issue above is resolved) should produce a clean lockfile.

3. Tests / Cli.EndToEnd-KubernetesDeployWithMongoDBTests

This one looks unrelated to the PR - the kind binary was missing during cleanup (Failed to delete KinD cluster ... No such file or directory). Likely a flaky infra issue; should pass on a clean re-run once #1 and #2 are fixed.

---

Other open Dependabot alerts

I opened #17868 to address the three remaining undici alerts (#1182 high, #1180 high, #1179 medium) that aren't in scope for this group bump, so once this PR lands the security tab should be empty.

cc @microsoft/aspire-vscode

[IEvangelist]

Triggered a re-run of the failed checks (attempt 3). The failures from the previous run look like they could be a mix of feed mirroring lag and a real lockfile issue — flagging here so it's not lost while we wait for CI:

1. Validate VS Code extension bootstrap (Linux) and Run VS Code extension unit tests (Windows)

Both failed on corepack yarn install --frozen-lockfile with:

error Error: https://pkgs.dev.azure.com/dnceng/public/_packaging/dotnet-public-npm/npm/registry/@nevware21/ts-utils/-/ts-utils-0.15.0.tgz: Request failed "401 Unauthorized"

This PR bumps @nevware21/ts-utils to 0.15.0 in extension/yarn.lock, but 0.15.0 does not appear to be mirrored to the internal dotnet-public-npm feed yet (the upstream validator in the workflow requires every resolved entry to come from that feed). The Dependabot alert (#1161, GHSA-x7j8-49r8-mr43) is satisfied by >= 0.14.0, so if 0.15.0 cannot be mirrored quickly, pinning to 0.14.0 (the minimum patched version) would still close the alert and might be available in the feed.

2. TypeScript SDK Unit Tests

Failed on npm ci against tests/Aspire.Hosting.CodeGeneration.TypeScript.JsTests with:

npm error Invalid Version:

This is the directory where vitest was bumped to 4.1.0. Invalid Version: from npm ci is usually a malformed SemVer in package-lock.json. Worth re-resolving the lockfile (rm package-lock.json && npm install) to confirm Dependabot didn't write a non-SemVer-compliant entry.

Status

I will not approve while CI is red, but I'll re-evaluate after the re-run completes. Posting a complementary PR (#17902) for the two remaining aiohttp alerts that this PR doesn't cover.

[IEvangelist]

Re-run completed (attempt 3) and failed with the exact same three jobs in the same way:

• Validate VS Code extension bootstrap (Linux) → @nevware21/ts-utils@0.15.0 still 401 Unauthorized from the internal feed (log)
• Run VS Code extension unit tests (Windows) → same ts-utils@0.15.0 401 (log)
• TypeScript SDK Unit Tests → npm ci still fails with Invalid Version: (log)

So both blockers are real, not transient. Not approving while CI is red. Likely fixes:

1. Downgrade the @nevware21/ts-utils bump to 0.14.0 (the minimum patched version per GHSA-x7j8-49r8-mr43) until 0.15.0 is mirrored to dotnet-public-npm, or have the feed mirror 0.15.0.
2. Regenerate tests/Aspire.Hosting.CodeGeneration.TypeScript.JsTests/package-lock.json from scratch to clear the Invalid Version: error introduced by the vitest 4.1.0 bump.

[github-actions]

❌ CLI E2E Tests failed — 109 passed, 1 failed, 2 unknown (commit 5c2c101)

❌ Failed Tests

-	Test	Detail
❌	DeployK8sWithMongoDB	Recording · Job · CLI logs

View all recordings

-	Test	Detail
✅	AddPackageInteractiveWhileAppHostRunningDetached	Recording · Job · CLI logs
✅	AddPackageWhileAppHostRunningDetached	Recording · Job · CLI logs
✅	AgentCommands_AllHelpOutputs_AreCorrect	Recording · Job · CLI logs
✅	AgentInitCommand_DefaultSelection_InstallsDefaultSkills	Recording · Job · CLI logs
✅	AgentInitCommand_MigratesDeprecatedConfig	Recording · Job · CLI logs
✅	AgentInit_NonInteractive_BundleOnlySkillsNotInCatalog	Recording · Job · CLI logs
✅	AgentMcpListStructuredLogsReturnsLogsFromStarterApp	Recording · Job · CLI logs
✅	AgentMcpListStructuredLogsReturnsLogsFromStarterApp_DevLocalhost	Recording · Job · CLI logs
✅	AgentMcpListStructuredLogsReturnsLogsFromStarterApp_Isolated	Recording · Job · CLI logs
✅	AllPublishMethodsBuildDockerImages	Recording · Job · CLI logs
✅	AspireAddAndStartWorkAgainstLegacyAppHostTs	Recording · Job · CLI logs
✅	AspireAddPackageVersionToDirectoryPackagesProps	Recording · Job · CLI logs
✅	AspireInitSingleFileAppHostRunsViaDotnetRunAppHost	Recording · Job · CLI logs
✅	AspireInit_ExistingAppHostDir_RecreatesNuGetConfigKeepsFiles	Recording · Job · CLI logs
❔	AspireInit_SolutionFile_BuildsAgainstChannelHive	Recording · Job · CLI logs
✅	AspireStartUpdatesStaleTypeScriptAppHostPath	Recording · Job · CLI logs
✅	AspireUpdateRemovesAppHostPackageVersionFromDirectoryPackagesProps	Recording · Job · CLI logs
✅	AspireUpdateRemovesOrphanAppHostPackageVersionWhenSdkAlreadyCurrent	Recording · Job · CLI logs
✅	Banner_DisplayedOnFirstRun	Recording · Job · CLI logs
✅	Banner_DisplayedWithExplicitFlag	Recording · Job · CLI logs
✅	Banner_NotDisplayedWithNoLogoFlag	Recording · Job · CLI logs
✅	CertificatesClean_RemovesCertificates	Recording · Job · CLI logs
✅	CertificatesTrust_WithNoCert_CreatesAndTrustsCertificate	Recording · Job · CLI logs
✅	CertificatesTrust_WithUntrustedCert_TrustsCertificate	Recording · Job · CLI logs
✅	ConfigSetGet_CreatesNestedJsonFormat	Recording · Job · CLI logs
✅	CreateAndRunAspireStarterProject	Recording · Job · CLI logs
✅	CreateAndRunAspireStarterProjectWithBundle	Recording · Job · CLI logs
✅	CreateAndRunEmptyAppHostProject	Recording · Job · CLI logs
✅	CreateAndRunJavaEmptyAppHostProject	Recording · Job · CLI logs
✅	CreateAndRunJsReactProject	Recording · Job · CLI logs
✅	CreateAndRunPolyglotAppHostWithDevLocalhostUrls	Recording · Job · CLI logs
✅	CreateAndRunPythonReactProject	Recording · Job · CLI logs
✅	CreateAndRunTypeScriptEmptyAppHostProject	Recording · Job · CLI logs
✅	CreateAndRunTypeScriptStarterProject	Recording · Job · CLI logs
✅	CreateJavaAppHostWithViteApp	Recording · Job · CLI logs
✅	CreateTypeScriptAppHostWithViteApp_UsesConfiguredToolchain	Recording · Job · CLI logs
✅	DashboardRunWithAgentMcpListTracesReturnsNoTraces	Recording · Job · CLI logs
✅	DashboardRunWithAgentMcpListTracesReturnsNoTraces_DevLocalhost	Recording · Job · CLI logs
✅	DashboardRunWithOtelTracesReturnsNoTraces	Recording · Job · CLI logs
✅	DashboardRunWithOtelTracesReturnsNoTraces_DevLocalhost	Recording · Job · CLI logs
✅	DeployK8sBasicApiService	Recording · Job · CLI logs
✅	DeployK8sWithExternalHelmChart	Recording · Job · CLI logs
✅	DeployK8sWithGarnet	Recording · Job · CLI logs
❌	DeployK8sWithMongoDB	Recording · Job · CLI logs
✅	DeployK8sWithMySql	Recording · Job · CLI logs
✅	DeployK8sWithPostgres	Recording · Job · CLI logs
✅	DeployK8sWithRabbitMQ	Recording · Job · CLI logs
✅	DeployK8sWithRedis	Recording · Job · CLI logs
✅	DeployK8sWithSqlServer	Recording · Job · CLI logs
✅	DeployK8sWithValkey	Recording · Job · CLI logs
✅	DeployTypeScriptAppToKubernetes	Recording · Job · CLI logs
✅	DescribeCommandResolvesReplicaNames	Recording · Job · CLI logs
✅	DescribeCommandShowsRunningResources	Recording · Job · CLI logs
✅	DetachFormatJsonProducesValidJson	Recording · Job · CLI logs
✅	DetachFormatJsonProducesValidJsonWhenRestartingExistingInstance	Recording · Job · CLI logs
✅	DoPublishAndDeployListStepsWork	Recording · Job · CLI logs
✅	DocsCommand_RendersInteractiveMarkdownFromLocalSource	Recording · Job · CLI logs
✅	DoctorCommand_DetectsDeprecatedAgentConfig	Recording · Job · CLI logs
✅	DoctorCommand_TypeScriptAppHostReportsMissingConfiguredToolchain	Recording · Job · CLI logs
✅	DoctorCommand_WithSslCertDir_ShowsTrusted	Recording · Job · CLI logs
✅	DoctorCommand_WithoutSslCertDir_ShowsPartiallyTrusted	Recording · Job · CLI logs
✅	GatewayWithoutExternalEndpoint_FailsPublishWithGuidance	Recording · Job · CLI logs
✅	GeneratedAspireDevScript_StartsWatchMode_WithConfiguredToolchain	Recording · Job · CLI logs
✅	GlobalMigration_HandlesCommentsAndTrailingCommas	Recording · Job · CLI logs
✅	GlobalMigration_HandlesMalformedLegacyJson	Recording · Job · CLI logs
✅	GlobalMigration_PreservesAllValueTypes	Recording · Job · CLI logs
✅	GlobalMigration_SkipsWhenNewConfigExists	Recording · Job · CLI logs
✅	GlobalSettings_MigratedFromLegacyFormat	Recording · Job · CLI logs
✅	IngressWithoutExternalEndpoint_FailsPublishWithGuidance	Recording · Job · CLI logs
✅	InitTypeScriptAppHost_AugmentsExistingViteRepoInWorkspaceSubdirectory	Recording · Job · CLI logs
✅	InteractiveCSharpInitCreatesExpectedFiles	Recording · Job · CLI logs
✅	InvalidAppHostPathWithComments_IsHealedOnRun	Recording · Job · CLI logs
✅	JavaScriptHostingApisRunFromTypeScriptAppHost	Recording · Job · CLI logs
✅	LatestCliCanStartStableChannelAppHost	Recording · Job · CLI logs
✅	LatestCliCanStartStableChannelTypeScriptAppHost	Recording · Job · CLI logs
✅	LegacySettingsMigration_AdjustsRelativeAppHostPath	Recording · Job · CLI logs
✅	LogsCommandShowsResourceLogs	Recording · Job · CLI logs
✅	OtelLogsReturnsStructuredLogsFromStarterApp	Recording · Job · CLI logs
✅	OtelLogsReturnsStructuredLogsFromStarterAppIsolated	Recording · Job · CLI logs
✅	PsCommandListsRunningAppHost	Recording · Job · CLI logs
✅	PsFormatJsonOutputsOnlyJsonToStdout	Recording · Job · CLI logs
✅	PublishJavaScriptPatternsGeneratesExpectedDockerComposeArtifacts	Recording · Job · CLI logs
✅	PublishWithConfigureEnvFileUpdatesEnvOutput	Recording · Job · CLI logs
✅	PublishWithDockerComposeServiceCallbackSucceeds	Recording · Job · CLI logs
✅	PublishWithoutOutputPathUsesAppHostDirectoryDefault	Recording · Job · CLI logs
✅	ResourceCommand_FailedExec_ShowsLogPathAndLogHasEntries	Recording · Job · CLI logs
✅	ResourceCommand_SetAndDeleteParameterUpdatesDescribeOutput	Recording · Job · CLI logs
✅	RestoreGeneratesSdkFiles	Recording · Job · CLI logs
✅	RestoreGeneratesSdkFiles_WithConfiguredToolchain	Recording · Job · CLI logs
✅	RestoreRefreshesGeneratedSdkAfterAddingIntegration	Recording · Job · CLI logs
✅	RestoreSupportsConfigOnlyHelperPackageAndCrossPackageTypes	Recording · Job · CLI logs
✅	RunFromParentDirectory_UsesExistingConfigNearAppHost	Recording · Job · CLI logs
✅	RunReportsSyntaxErrorsForDotNetAppHost	Recording · Job · CLI logs
✅	RunReportsSyntaxErrorsForTypeScriptAppHost	Recording · Job · CLI logs
✅	SecretCrudOnDotNetAppHost	Recording · Job · CLI logs
✅	SecretCrudOnTypeScriptAppHost	Recording · Job · CLI logs
✅	StagingChannel_ConfigureAndVerifySettings_ThenSwitchChannels	Recording · Job · CLI logs
✅	StartAndWaitForTypeScriptSqlServerAppHostWithNativeAssets	Recording · Job · CLI logs
✅	StartReportsSyntaxErrorsForDotNetAppHost	Recording · Job · CLI logs
✅	StartReportsSyntaxErrorsForTypeScriptAppHost	Recording · Job · CLI logs
✅	StopAllAppHostsFromAppHostDirectory	Recording · Job · CLI logs
✅	StopJavaPolyglotAppHostUsingApphostDirectory	Recording · Job · CLI logs
✅	StopNonInteractiveSingleAppHost	Recording · Job · CLI logs
✅	StopTypeScriptPolyglotAppHostUsingApphostDirectory	Recording · Job · CLI logs
✅	StopWithNoRunningAppHostExitsSuccessfully	Recording · Job · CLI logs
✅	TypeScriptAppHostRunDoesNotDeadlockWhenLazyOptionsInvokeAsyncCallback	Recording · Job · CLI logs
✅	TypeScriptAppHostWithVite_AllowsDifferentGuestPkgManager	Recording · Job · CLI logs
✅	UnAwaitedChainsCompileWithAutoResolvePromises	Recording · Job · CLI logs
❔	UpdateToStable_CSharpEmptyAppHost_KeepsConfigChannel	Recording · Job · CLI logs
✅	UpdateToStable_CSharpSingleFileInit_KeepsConfigChannel	Recording · Job · CLI logs
✅	UpdateToStable_TypeScriptSingleFileInit_KeepsConfigChannel	Recording · Job · CLI logs
✅	UpdateToStable_TypeScript_PreviewsStablePkgsAndKeepsChannel	Recording · Job · CLI logs

---

_{📹 Recordings uploaded automatically from CI run #26850781103}