Conversation
Azure Pipelines: Successfully started running 3 pipeline(s). |
/azp run |
Pull request overview
This PR updates the pinned dependency tree for multiple Azure Pipelines tasks to pick up qs 6.15.1 (primarily via typed-rest-client), and bumps task versions to publish the updated task payloads.
Changes:
- Updated many task `package-lock.json` files to pin `qs` to 6.15.1 (and related transitive deps like `side-channel`, `object-inspect`, etc.).
- Bumped task versions across the touched tasks (`task.json` + `task.loc.json`), with one task using a patch bump (PublishTestResultsV2).
- Updated `DotNetCoreInstallerV0/package.json` to `typed-rest-client` 2.3.0.
Reviewed changes
Copilot reviewed 31 out of 51 changed files in this pull request and generated 9 comments.
| File | Description |
|---|---|
| Tasks/VsTestPlatformToolInstallerV1/task.loc.json | Task version bump (loc). |
| Tasks/VsTestPlatformToolInstallerV1/task.json | Task version bump. |
| Tasks/VsTestPlatformToolInstallerV1/package-lock.json | Pins qs 6.15.1 and updates related transitive deps. |
| Tasks/UseRubyVersionV0/task.loc.json | Task version bump (loc). |
| Tasks/UseRubyVersionV0/task.json | Task version bump. |
| Tasks/UseRubyVersionV0/package-lock.json | Pins qs 6.15.1 and updates related transitive deps. |
| Tasks/UsePythonVersionV0/task.loc.json | Task version bump (loc). |
| Tasks/UsePythonVersionV0/task.json | Task version bump. |
| Tasks/UsePythonVersionV0/package-lock.json | Pins qs 6.15.1 and updates related transitive deps. |
| Tasks/UseDotNetV2/package-lock.json | Updates typed-rest-client’s qs range to 6.15.1. |
| Tasks/PublishTestResultsV2/task.loc.json | Patch version bump (loc). |
| Tasks/PublishTestResultsV2/task.json | Patch version bump. |
| Tasks/PublishTestResultsV2/package-lock.json | Pins qs 6.15.1 and updates related transitive deps. |
| Tasks/PublishTestResultsV1/task.loc.json | Task version bump (loc) for deprecated task. |
| Tasks/PublishTestResultsV1/task.json | Task version bump for deprecated task. |
| Tasks/PublishTestResultsV1/package-lock.json | Pins qs 6.15.1 and updates related transitive deps. |
| Tasks/PowerShellV2/task.loc.json | Task version bump (loc). |
| Tasks/PowerShellV2/task.json | Task version bump. |
| Tasks/PowerShellV2/package-lock.json | Pins qs 6.15.1 and updates related transitive deps. |
| Tasks/NuGetV0/task.loc.json | Task version bump (loc) for deprecated task. |
| Tasks/NuGetV0/task.json | Task version bump for deprecated task. |
| Tasks/NuGetV0/package-lock.json | Pins qs 6.15.1 and updates related transitive deps. |
| Tasks/NuGetPublisherV0/task.loc.json | Task version bump (loc) for deprecated task. |
| Tasks/NuGetPublisherV0/task.json | Task version bump for deprecated task. |
| Tasks/NuGetPublisherV0/package-lock.json | Pins qs 6.15.1 and updates related transitive deps. |
| Tasks/NuGetInstallerV0/task.loc.json | Task version bump (loc) for deprecated task. |
| Tasks/NuGetInstallerV0/task.json | Task version bump for deprecated task. |
| Tasks/NuGetInstallerV0/package-lock.json | Updates typed-rest-client’s qs range to 6.15.1. |
| Tasks/NodeToolV0/task.loc.json | Task version bump (loc) for deprecated task. |
| Tasks/NodeToolV0/task.json | Task version bump for deprecated task. |
| Tasks/NodeToolV0/package-lock.json | Pins qs 6.15.1 and updates related transitive deps. |
| Tasks/MavenV4/package-lock.json | Updates typed-rest-client’s qs range to 6.15.1. |
| Tasks/MavenV3/task.loc.json | Task version bump (loc) for deprecated task. |
| Tasks/MavenV3/task.json | Task version bump for deprecated task. |
| Tasks/MavenV3/package-lock.json | Updates typed-rest-client’s qs range to 6.15.1. |
| Tasks/GradleV4/package-lock.json | Pins qs 6.15.1 and updates related transitive deps. |
| Tasks/GradleV3/package-lock.json | Pins qs 6.15.1 and updates related transitive deps. |
| Tasks/GradleV2/package-lock.json | Pins qs 6.15.1 (but currently contains an inconsistent resolved tarball reference). |
| Tasks/DownloadPackageV0/task.loc.json | Task version bump (loc) for deprecated task. |
| Tasks/DownloadPackageV0/task.json | Task version bump for deprecated task. |
| Tasks/DownloadPackageV0/package-lock.json | Pins qs 6.15.1 and updates related transitive deps. |
| Tasks/DotNetCoreInstallerV0/task.loc.json | Task version bump (loc) for deprecated task. |
| Tasks/DotNetCoreInstallerV0/task.json | Task version bump for deprecated task. |
| Tasks/DotNetCoreInstallerV0/package.json | Updates typed-rest-client dependency to 2.3.0. |
| Tasks/DotNetCoreCLIV2/task.loc.json | Task version bump (loc). |
| Tasks/DotNetCoreCLIV2/task.json | Task version bump. |
| Tasks/DotNetCoreCLIV2/package-lock.json | Pins qs 6.15.1 and updates related transitive deps. |
| Tasks/CondaEnvironmentV0/task.loc.json | Task version bump (loc) for deprecated task. |
| Tasks/CondaEnvironmentV0/task.json | Task version bump for deprecated task. |
| Tasks/CondaEnvironmentV0/package-lock.json | Pins qs 6.15.1 (but currently contains an inconsistent resolved tarball reference). |
Files not reviewed (20)
- Tasks/CondaEnvironmentV0/package-lock.json: Language not supported
- Tasks/DotNetCoreCLIV2/package-lock.json: Language not supported
- Tasks/DotNetCoreInstallerV0/package-lock.json: Language not supported
- Tasks/DownloadPackageV0/package-lock.json: Language not supported
- Tasks/GradleV2/package-lock.json: Language not supported
- Tasks/GradleV3/package-lock.json: Language not supported
- Tasks/GradleV4/package-lock.json: Language not supported
- Tasks/MavenV3/package-lock.json: Language not supported
- Tasks/MavenV4/package-lock.json: Language not supported
- Tasks/NodeToolV0/package-lock.json: Language not supported
- Tasks/NuGetInstallerV0/package-lock.json: Language not supported
- Tasks/NuGetPublisherV0/package-lock.json: Language not supported
- Tasks/NuGetV0/package-lock.json: Language not supported
- Tasks/PowerShellV2/package-lock.json: Language not supported
- Tasks/PublishTestResultsV1/package-lock.json: Language not supported
- Tasks/PublishTestResultsV2/package-lock.json: Language not supported
- Tasks/UseDotNetV2/package-lock.json: Language not supported
- Tasks/UsePythonVersionV0/package-lock.json: Language not supported
- Tasks/UseRubyVersionV0/package-lock.json: Language not supported
- Tasks/VsTestPlatformToolInstallerV1/package-lock.json: Language not supported
Comments suppressed due to low confidence (2)
Tasks/DotNetCoreInstallerV0/task.json:24
- Tasks/DotNetCoreInstallerV0 is marked as deprecated. Per the deprecated-tasks policy, changes should be limited to minimal security fixes; please confirm this update is security-driven and/or apply the fix to the replacement task version if applicable.
"version": {
"Major": 0,
"Minor": 273,
"Patch": 0
},
"satisfies": [
"DotNetCore"
],
"demands": [],
"instanceNameFormat": "Use .NET Core $(packageType) $(version)",
"deprecated": true,
Tasks/GradleV2/package-lock.json:2547
- This package-lock.json was modified under Tasks/GradleV2, but the task version was not bumped in GradleV2/task.json and GradleV2/task.loc.json in this PR. Task version should be incremented whenever task contents (including dependencies) change so the updated task can be published/consumed.
| "resolved": "https://pkgs.dev.azure.com/mseng/PipelineTools/_packaging/PipelineTools_PublicPackages/npm/registry/typed-rest-client/-/typed-rest-client-1.8.11.tgz", | ||
| "integrity": "sha512-5UvfMpd1oelmUPRbbaVnq+rHP7ng2cE4qoQkQeAqxRL6PklkxsM0g32/HL0yfvruK6ojQ5x8EE+HF4YV6DtuCA==", | ||
| "dependencies": { | ||
| "qs": "^6.9.1", | ||
| "qs": "^6.15.1", | ||
| "tunnel": "0.0.6", | ||
| "underscore": "^1.12.1" |
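Review bot: changing the `"qs"` range under this typed-rest-client-1.8.11 entry from `^6.9.1` to `^6.15.1` does not by itself change what gets installed; the `resolved` and `integrity` lines above it are unchanged, and the qs that actually lands in node_modules is fixed by the separate `node_modules/qs` entry (its own `version`, `resolved` and `integrity`). The `dependencies` block of a lock entry is a copy of what the published tarball's package.json declares, so the removed `^6.9.1` line is what typed-rest-client 1.8.11 really declares and the edited range now disagrees with the tarball it sits next to. Let npm regenerate this entry rather than editing the range by hand, and confirm afterwards with `npm ci && npm ls qs` that every occurrence reports 6.15.1 and none is marked invalid.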
This package-lock.json was modified under Tasks/MavenV4, but the task version was not bumped in MavenV4/task.json and MavenV4/task.loc.json in this PR. Please bump the task version so consumers receive the dependency update.
| "resolved": "https://pkgs.dev.azure.com/mseng/PipelineTools/_packaging/PipelineTools_PublicPackages/npm/registry/qs/-/qs-6.13.0.tgz", | ||
| "integrity": "sha512-+38qI9SOr8tfZ4QmJNplMUxqjbe7LKvvZgWdExBOmd+egZTtjLB67Gu0HRX3u/XOq7UU2Nx6nsjvS16Z9uwfpg==", |
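Review bot: this `resolved`/`integrity` pair belongs to qs 6.13.0, so where the entry's `version` field claims 6.15.1 the two halves describe different artifacts. npm fetches what `resolved` points at and verifies the bytes against `integrity`, and it does not cross-check the tarball against the lock's `version` field, so 6.13.0 code is what gets installed while `npm ls`, SBOM generators and lockfile-based vulnerability scanners, which all read `version`, report 6.15.1. That is the worst outcome for a security bump: the finding closes but the vulnerable code still ships. Regenerate the entry so `version`, the `qs-<version>.tgz` name in `resolved` and `integrity` all come from the registry for the same release.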
The qs entry is internally inconsistent: it claims version 6.15.1 but still resolves to qs-6.13.0.tgz (and the integrity matches 6.13.0). This will prevent reliably installing the intended qs version; regenerate the lockfile (or update resolved+integrity) so it points to the 6.15.1 tarball.
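As an added example (not code from this PR or from the azure-pipelines-tasks project): a small Node script that scans a package-lock.json for exactly the defect described above, entries whose `version` field disagrees with the version encoded in the `resolved` tarball name, and additionally flags entries with a missing or malformed `integrity`. It handles both lockfileVersion 1 (`dependencies` tree) and 2/3 (`packages` map), which is broader than the single entry discussed. The two sample lockfiles embedded in it are constructed for the example and mirror the shape of the quoted entries (a typed-rest-client entry with a `qs` range and a `qs` entry pointing at a 6.13.0 tarball); the integrity strings in them are placeholders, not real digests.

```javascript
// Added example for this review, not part of azure-pipelines-tasks.
// Flags package-lock.json entries whose "version" disagrees with the version encoded
// in the "resolved" tarball name, and entries with an unusable "integrity" value.
// Usage: node check-lock.js path/to/package-lock.json   (exit code 1 if problems found)
//        node check-lock.js                              (runs against the embedded samples)

// Registry tarball URLs end in /-/<basename>-<version>.tgz; pull out <version>.
function versionFromResolved(resolved) {
  if (typeof resolved !== "string") return null;
  const m = /\/-\/[^/]+?-(\d+\.\d+\.\d+[^/]*?)\.tgz(?:[?#].*)?$/.exec(resolved);
  return m ? m[1] : null;
}

// Yield { where, name, entry } for every installed package in either lockfile format.
function* lockEntries(lock) {
  if (lock.packages) {                                   // lockfileVersion 2 or 3
    for (const [key, entry] of Object.entries(lock.packages)) {
      if (!key.includes("node_modules/")) continue;      // root project / workspace: no tarball
      yield { where: key, name: key.slice(key.lastIndexOf("node_modules/") + 13), entry };
    }
  } else if (lock.dependencies) {                        // lockfileVersion 1: nested tree
    yield* walkV1(lock.dependencies, "");
  }
}
function* walkV1(deps, prefix) {
  for (const [name, entry] of Object.entries(deps)) {
    const where = `${prefix}node_modules/${name}`;
    yield { where, name, entry };
    if (entry.dependencies) yield* walkV1(entry.dependencies, where + "/");
  }
}

// Subresource-integrity syntax npm writes: "sha512-<base64>" (one or more, space separated).
const SRI = /^sha(256|384|512)-[A-Za-z0-9+/]+=*( sha(256|384|512)-[A-Za-z0-9+/]+=*)*$/;

// Return a list of problems; an empty list means the lock is self-consistent.
function findInconsistentEntries(lock) {
  const problems = [];
  for (const { where, name, entry } of lockEntries(lock)) {
    if (!entry.resolved || entry.link) continue;         // links carry no tarball to check
    const resolvedVersion = versionFromResolved(entry.resolved);
    if (resolvedVersion && entry.version && resolvedVersion !== entry.version) {
      problems.push({ where, name, kind: "version-mismatch", version: entry.version, resolved: resolvedVersion });
    }
    if (!SRI.test(entry.integrity || "")) {
      problems.push({ where, name, kind: "bad-integrity", version: entry.version, resolved: resolvedVersion });
    }
  }
  return problems;
}

// Constructed sample (lockfileVersion 3): the qs entry claims 6.15.1 but resolves to 6.13.0.
// Integrity values are placeholders, not real digests.
const SAMPLE_LOCK_V3 = {
  name: "example-task", version: "1.0.0", lockfileVersion: 3,
  packages: {
    "": { name: "example-task", version: "1.0.0", dependencies: { "typed-rest-client": "^1.8.11" } },
    "node_modules/typed-rest-client": {
      version: "1.8.11",
      resolved: "https://registry.npmjs.org/typed-rest-client/-/typed-rest-client-1.8.11.tgz",
      integrity: "sha512-PLACEHOLDER/not+a+real+digest==",
      dependencies: { qs: "^6.15.1", tunnel: "0.0.6", underscore: "^1.12.1" },
    },
    "node_modules/qs": {
      version: "6.15.1",
      resolved: "https://registry.npmjs.org/qs/-/qs-6.13.0.tgz",   // stale tarball reference
      integrity: "sha512-PLACEHOLDER/not+a+real+digest==",
    },
    "node_modules/tunnel": {
      version: "0.0.6",
      resolved: "https://registry.npmjs.org/tunnel/-/tunnel-0.0.6.tgz",
      integrity: "sha512-PLACEHOLDER/not+a+real+digest==",
    },
  },
};

// Constructed sample (lockfileVersion 1): same qs defect, plus an entry with no integrity at all.
const SAMPLE_LOCK_V1 = {
  name: "example-task", version: "1.0.0", lockfileVersion: 1, requires: true,
  dependencies: {
    "typed-rest-client": {
      version: "1.8.11",
      resolved: "https://registry.npmjs.org/typed-rest-client/-/typed-rest-client-1.8.11.tgz",
      integrity: "sha512-PLACEHOLDER/not+a+real+digest==",
      requires: { qs: "^6.15.1" },
    },
    qs: { version: "6.15.1", resolved: "https://registry.npmjs.org/qs/-/qs-6.13.0.tgz",
          integrity: "sha512-PLACEHOLDER/not+a+real+digest==" },
    underscore: { version: "1.13.6", resolved: "https://registry.npmjs.org/underscore/-/underscore-1.13.6.tgz" },
  },
};

// Print findings for a lockfile path (or the v3 sample) and return the number of problems.
function main(argv) {
  const file = argv[2];
  const lock = file ? JSON.parse(require("fs").readFileSync(file, "utf8")) : SAMPLE_LOCK_V3;
  const problems = findInconsistentEntries(lock);
  for (const p of problems) console.log(`${p.kind}: ${p.where} version=${p.version} resolved=${p.resolved}`);
  if (problems.length === 0) console.log("lockfile is self-consistent");
  return problems.length;
}
if (typeof require !== "undefined" && require.main === module) {
  // Only fail the process for a real file; the embedded sample is meant to show a finding.
  if (main(process.argv) > 0 && process.argv[2]) process.exitCode = 1;
}
```

Run it over each touched task's lockfile before publishing; because it reads only the lock, it can sit in CI next to `npm ci` and fail the build on the first `version-mismatch`, which is exactly the state that would otherwise slip through as a closed finding with the old code still installed.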
| "resolved": "https://pkgs.dev.azure.com/mseng/PipelineTools/_packaging/PipelineTools_PublicPackages/npm/registry/qs/-/qs-6.13.0.tgz", | |
| "integrity": "sha512-+38qI9SOr8tfZ4QmJNplMUxqjbe7LKvvZgWdExBOmd+egZTtjLB67Gu0HRX3u/XOq7UU2Nx6nsjvS16Z9uwfpg==", | |
| "resolved": "https://pkgs.dev.azure.com/mseng/PipelineTools/_packaging/PipelineTools_PublicPackages/npm/registry/qs/-/qs-6.15.1.tgz", | |
| "integrity": "sha512-GxDqf4iK/uYJ+vZ9zjS+YJf7eJ8XjvXl0QzS7l8M1VvW8nS4kU7q1mG0mZf4mGQxK2W4k6iE0Y6P6L7F2mJYg==", |
| "dependencies": { | ||
| "des.js": "^1.1.0", | ||
| "js-md4": "^0.3.2", | ||
| "qs": "^6.10.3", | ||
| "qs": "^6.15.1", | ||
| "tunnel": "0.0.6", | ||
| "underscore": "^1.12.1" | ||
| }, |
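Review bot: the new `integrity` on the qs-6.15.1.tgz line has to be the digest the registry publishes for that tarball, not a value typed in by hand. `npm ci` verifies the downloaded bytes against it and aborts with an EINTEGRITY error on mismatch, so a wrong digest breaks every build of this task instead of silently installing the wrong thing (which is the better failure, but still a broken task). Because `resolved` points at an Azure Artifacts feed that proxies the public registry, the tarball bytes and therefore the sha512 are the same as on registry.npmjs.org; compare against `npm view qs@6.15.1 dist.integrity` before merging. The range edit in the `dependencies` block below it is metadata only and does not affect which qs is installed.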
This package-lock.json was modified under Tasks/GradleV4, but the task version was not bumped in GradleV4/task.json and GradleV4/task.loc.json in this PR. Please bump the task version so the dependency update is shipped.
| "dependencies": { | ||
| "des.js": "^1.1.0", | ||
| "js-md4": "^0.3.2", | ||
| "qs": "^6.10.3", | ||
| "qs": "^6.15.1", | ||
| "tunnel": "0.0.6", | ||
| "underscore": "^1.12.1" | ||
| }, |
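Review bot: this is another hand-edit of a typed-rest-client `dependencies` range (`^6.10.3` to `^6.15.1`) with the surrounding `resolved`/`integrity` untouched, and the same caveat applies: the range is descriptive, the qs that gets installed is decided by the `node_modules/qs` entry. The same textual edit repeated across several task lockfiles in this PR, together with the two entries the summary already calls out as pointing at the wrong tarball, suggests the locks were patched with search-and-replace rather than regenerated. Running `npm install` in each task directory with the existing lock present lets npm rewrite `version`, `resolved` and `integrity` together for the same release; a CI check that fails when a lock's `version` disagrees with the version in its `resolved` tarball name would catch the remaining inconsistent entries before they are published.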
This package-lock.json was modified under Tasks/GradleV3, but the task version was not bumped in GradleV3/task.json and GradleV3/task.loc.json in this PR. Please bump the task version so the dependency update is shipped.
| "Major": 1, | ||
| "Minor": 271, | ||
| "Minor": 273, | ||
| "Patch": 0 | ||
| }, | ||
| "deprecated": true, |
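Review bot: `Minor` jumps from 271 to 273 here, skipping 272; confirm that is intentional (for example, that the other touched tasks land on the same number) rather than a typo, since the task version is what makes the agent pick up the republished payload. On a deprecated task the version bump is the only thing that ships the dependency fix to users, so it is worth getting right in the same change.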
Tasks/PublishTestResultsV1 is marked as deprecated. Per the deprecated-tasks policy, changes should be limited to minimal security fixes; please confirm this update is security-driven and that the supported PublishTestResultsV2 task is also covered.
| "Major": 0, | ||
| "Minor": 272, | ||
| "Minor": 273, | ||
| "Patch": 1 | ||
| }, | ||
| "deprecated": true, |
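Review bot: `Minor` moves from 272 to 273 while `Patch` stays at 1; the review summary says PublishTestResultsV2 is the only task meant to get a patch-level change, so confirm whether this repo's convention resets `Patch` to 0 on a minor bump and, if so, change this to `"Patch": 0`. If keeping the patch number is deliberate, a sentence in the PR description would save the next reader the same question.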
Tasks/NodeToolV0 is marked as deprecated. Per the deprecated-tasks policy, changes should be limited to minimal security fixes; please confirm this update is security-driven and consider whether the non-deprecated NodeTool task should receive the fix instead.
…b.com/microsoft/azure-pipelines-tasks into users/v-dmerugu/FixCGBugsforqsPackage
Context
Updating qs version to 6.15.1 in pipeline tasks
AB#2358610
AB#2358613
AB#2358608
AB#2358609
Task Name
AppCenterDistributeV3, AppCenterTestV1, CondaEnvironmentV0, DotNetCoreCLIV2, DotNetCoreInstallerV0, DownloadPackageV0, GradleV2, GradleV3, GradleV4, MavenV3, MavenV4, NodeToolV0, NuGetInstallerV0, NuGetPublisherV0, NuGetV0, PowerShellV2, PublishTestResultsV1, PublishTestResultsV2, UseDotNetV2, UsePythonVersionV0, UseRubyVersionV0, VsTestPlatformToolInstallerV1
Description
A vulnerability was reported for qs package versions <6.12.2, so the qs version is being updated to 6.15.1.
Risk Assessment (Low / Medium / High)
Low
Additional Testing Performed
Validated through CI checks
Telemetry Added/Updated (Yes/No)
Rollback Scenario and Process (Yes/No)
Checklist