fix(vscode): Update package.json to restrict a few more config options.#18270
Merged
fix(vscode): Update package.json to restrict a few more config options.#18270
Conversation
github-actions
bot
added
A-editor
Contributor
There was a problem hiding this comment.
Pull request overview
This PR enhances security for untrusted workspaces by restricting two additional path configuration options (oxc.path.tsgolint and oxc.path.node) that could be used to execute arbitrary binaries.
Changes:
- Added
oxc.path.tsgolintto therestrictedConfigurationsarray - Added
oxc.path.nodeto therestrictedConfigurationsarray
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Member
|
These are environment variables for
Nice catch. The extension will always auto search for the node_modules binary. |
Member
Author
I don't follow, should we not mark these options as restricted for untrusted workspaces? |
Member
|
I personally see not the need for this, unless there is a good argument from your side. |
Member
Author
We pass the tsgolint path into oxlint and run that executable as well, so this would also be something we should avoid running on untrusted workspaces if a malicious repository had set a path for either of these executables that was malicious: And ditto for the node path. |
Member
|
I would say this should be done on the |
Member
Author
Sure, but I think that's less likely (or at least, more out-of-our-hands). I'm not really sure that there's any realistic way for us to restrict the binary used for tsgolint/node (other than verifying it's signed somehow, but I don't know that we can really do that with the node binary anyway?). If we can, I think we should probably do both, but this seems like a much easier, simpler route to start with. |
Member
|
This PR is revertible, let's move forward. |
overlookmotel
pushed a commit
that referenced
this pull request
Jan 26, 2026
# Oxlint ### 💥 BREAKING CHANGES - 777fc40 ast: [**BREAKING**] Add `Ident` type (#18354) (Boshen) ### 🚀 Features - 34c3ec3 linter/prefer-logical-operator-over-ternary: Implement fixer (#18545) (camc314) - 019e0aa linter/valid-typeof: Add suggestions if type is misspelled (#18543) (camchenry) - 704c8eb linter/use-isnan: Add more specific error message for equality/inequality (#18542) (camchenry) - 1e99ace linter/use-isnan: Support more `indexOf` cases and improve diagnostic messages (#18537) (camchenry) - bffd134 linter/text-encoding-identifier-case: Add `withDash` option (#18533) (camc314) - 993fd2b parser: Parse unambiguous await with better error messages (#18480) (Boshen) - b4b6247 linter/plugins: `RuleTester` support settings (#18445) (overlookmotel) - 15d69dc linter: Implement react/display-name rule (#18426) (camchenry) - 2fbceae linter: Implement rule docs and config support for rules with tuple config options. (#18372) (connorshea) - 8db0e78 linter/plugins: Handle BOMs (#18376) (overlookmotel) - 6ac09e2 linter/plugins: Support source text not being at start of buffer (#18375) (overlookmotel) - fc3c86b linter: Update 125 rules to raise errors when provided with invalid config options. (#18104) (connorshea) - 2cc6ad2 linter/plugins: Add `ecmaFeatures` to `parserOptions` (#18313) (overlookmotel) ### 🐛 Bug Fixes - 2acf568 linter/plugins: Keep `Infinity` in rule default options (#18550) (overlookmotel) - 332d2ef linter/plugins: Add `jsx` property to `parserOptions.ecmaFeatures` (#18549) (overlookmotel) - 7d9bb1b linter: Update `eslint/func-names` to error on invalid rule config options, improve docs. (#18510) (connorshea) - 9c67974 linter: Improve the jsx-a11y/no-noninteractive-tabindex rule to match original rule logic better (#17848) (connorshea) - 75e7163 vscode: Support json5 for oxfmt (#18502) (Sysix) - c205b0d ast: Remove `ThisExpression` from `TSModuleReference` (#18489) (Boshen) - c51339a oxlint/lsp: Respect code action `source.fixAll` as an alias for `source.fixAll.oxc` (#18366) (Sysix) - 3c0e9b9 oxlint/lsp: Skip dangerous fixes/suggestions for "fix all" code action and command (#18364) (Sysix) - c44c093 linter: Fix behavior of unicorn/catch-error-name to match original rule (#18209) (connorshea) - 9c65aff linter/jsx-a11y: Change `no-autofocus` autofix to suggestion (#18155) (Ben Lowery) - 235c820 linter/unicorn: Fix `prefer-array-some` autofix for `.filter().length` pattern (#18153) (Ben Lowery) - a9925dc linter: Mark fixes in `unicorn/no-null` rule as dangerous. (#18436) (connorshea) - cee29b4 linter: Remove confusing scope from `react/only-export-components` rule diagnostics. (#18434) (connorshea) - aed3669 parser: Parse HTML-like comments in unambiguous mode (#18442) (Boshen) - b8a371d linter: Fix the path used in the gitlab format output (#18165) (connorshea) - e046ea6 linter: `vue/no-lifecycle-after-await` skip looking into arrow functions (#18302) (Sysix) - a9bfbcf linter: Compatibility issue with `DiagnosticData` type in ESLint (#18396) (루밀LuMir) - 10ab424 linter: `react/no_array_index_key` continue search for other attributes (#18409) (Lonami) - 9d776d4 linter: Update `import/no-cycle` rule to error on invalid config options. (#18330) (connorshea) - c163231 linter: Update eslint/sort-imports to validate options. (#18378) (connorshea) - 79bbcff linter: Update `eslint/func-style` to error on invalid configuration options. (#18390) (connorshea) - b871235 linter/plugins: Fix identifying "use strict" directives in scope analysis (#18402) (overlookmotel) - 5985141 linter: Update `jest/prefer-lowercase-title` rule to error on invalid config options. (#18332) (connorshea) - faca4b5 linter/plugins: Tokenize `let`, `static` and `yield` as `Keyword`s (#18368) (overlookmotel) - a3914fd linter/plugins: Allow line number passed to `report` to be 1 over line count (#18341) (overlookmotel) - 88e0896 linter: Update `typescript/no-restricted-types` rule to error on invalid config options. (#18329) (connorshea) - 9eec600 linter: Update `react/jsx-fragments` rule to raise an error on invalid configuration options (#18111) (connorshea) - 0fa969d linter: Update `react/no-will-update-set-state` to error on invalid config options (#18112) (connorshea) - 70e7be4 linter: Update `import/no-unassigned-import` to raise an error when passed invalid config options. (#18108) (connorshea) - 496cac7 linter: Update `unicorn/explicit-length-check` to raise an error when passed invalid config options. (#18107) (connorshea) - 080b1ec linter: Update 5 more rules to error on invalid config options. (#18113) (connorshea) - c5d05dd linter: Update 11 rules to raise an error on invalid config options. (#18109) (connorshea) - 9e359d4 linter/plugins: Set all properties on global vars objects (#18317) (overlookmotel) - 39c7f32 linter/plugins: Set `writeable` flag on variables where defined as globals (#18316) (overlookmotel) - a570693 linter/plugins: Fix `CatchClause` scopes (#18312) (overlookmotel) - 8c98e69 linter: `vitest/prefer-describe-function-title`: Check earlier to avoid false positive (#18177) (Jovi De Croock) - 44be0eb linter/plugins: Set scope analyse settings based on source type (#18306) (overlookmotel) - b9a14fd vscode: Update package.json to restrict a few more config options. (#18270) (Connor Shea) - c1260cb vscode: Update version info formatting. (#18274) (connorshea) - 2f68dc6 vscode: Update notification for client restart to specify tool. (#18273) (connorshea) ### ⚡ Performance - dc931ba linter/no-inner-declarations: Skip scope flags lookup in modules (#18249) (overlookmotel) - 07618a7 linter: Turn off `scope_build_child_ids` for SemanticBuilder (#18360) (Dunqing) - 1aac079 linter/exhaustive-deps: Simplify the logic of checking if the identifier it is a dependency of hook (#18350) (Dunqing) - 591d522 linter/block-scoped-var: Avoid `iter_all_scope_child_ids` by walking references/redeclarations scope ancestors (#18335) (Dunqing) - 2eefd6d linter/plugins: Remove branch from token parsing (#18369) (overlookmotel) ### 📚 Documentation - 698c21d linter: Modernize docs for various React rules (#18559) (connorshea) - 314a47c linter: Clarify the `no-find-dom-node` rule with a note that the method was removed in React 19. (#18556) (connorshea) - 5eff704 linter: Update `no-inner-declarations` to fix config option docs (#18511) (connorshea) - dd5d2f6 linter: Improve diagnostic message in `valid_typeof` rule. (#18507) (connorshea) - 8ccd853 npm: Update package homepage URLs and add keywords (#18509) (Boshen) - 4958233 linter: Add missing "What it does" section in prefer-reflect-apply rule. (#18475) (connorshea) - 2fa83a4 linter: Improve the docs for import/unambiguous. (#18474) (connorshea) - 7b1505c linter: Improve docs for `oxc/only-used-in-recursion` rule. (#18473) (connorshea) - ab506d6 linter/plugins: Correct comment (#18456) (overlookmotel) - 4565c73 linter: `react/display-name`: add docs for config options (#18430) (camchenry) - b95a89f linter: Fix docs for the curly rule. (#18374) (connorshea) - f675eb4 linter: Fix the `react/only-export-components` rule docs. (#18319) (connorshea) - 704db95 linter: "no-unused-vars" extend ignored files section for svelte and astro files (#18304) (Sysix) - 3af4a88 linter: Add "Examples" headers to rules missing them (#18266) (connorshea) # Oxfmt ### 💥 BREAKING CHANGES - 777fc40 ast: [**BREAKING**] Add `Ident` type (#18354) (Boshen) ### 🚀 Features - d71c15d oxfmt: Enable tailwind sort inside xxx-in-js (#18417) (leaysgur) - 52b5003 formatter,oxfmt: Support Angular `@Component({ template, styles })` (#18324) (leaysgur) ### 🐛 Bug Fixes - 224140c oxfmt: Canonicalize `..` component in config path (#18570) (leaysgur) - 30b467e formatter: Preserve trailing comments before the semicolon in class methods without a body (#18446) (Dunqing) - c205b0d ast: Remove `ThisExpression` from `TSModuleReference` (#18489) (Boshen) - 164bbd7 formatter: Preserve trailing comments inside ternary alternate branch (#18433) (Dunqing) - 1c50800 formatter: Use HTML entity escaping for JSX attribute strings (#18385) (Boshen) - 4e156d2 formatter: Preserve parentheses for `in` expressions in arrow function block bodies (#18352) (Boshen) - 7e6c15b oxfmt: Increase Tailwind CSS test timeout for Windows CI (#18339) (Boshen) - 29966eb formatter/dead-code-removal: Handle tailwind sorting (#18321) (leaysgur) - 29f41be formatter: Only expand mapped types when newline immediately follows opening brace (#18087) (Boshen) - 2194552 formatter: Relocate leading comments for single-element union/intersection types (#18083) (Boshen) ### ⚡ Performance - 85ab400 formatter: Store `AstNodes` itself instead of `&'a AstNodes` as the `parent` field of `AstNode` (#18428) (Dunqing) - 194d384 formatter: Reduce AstNode size by 8 bytes using following_span_start (#18347) (Dunqing) - b2df8fb oxfmt: Enable tailwind plugin only for relevant parser (#18418) (leaysgur) ### 📚 Documentation - 8ccd853 npm: Update package homepage URLs and add keywords (#18509) (Boshen) Co-authored-by: Boshen <[email protected]>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
As an aside, the extension's description for this configuration says "The Extension will always use the Language Server shipped with the Extension.", is that still true / should we revise the way the extension works for untrusted workspaces? (we could possibly just say "it doesn't work in untrusted workspaces", basically)