Skip to content

Also check package name validity in InstallPackageRequest#63401

Merged
RyanCavanaugh merged 1 commit intomicrosoft:mainfrom
jakebailey:harden-InstallPackageRequest
Apr 15, 2026
Merged

Also check package name validity in InstallPackageRequest#63401
RyanCavanaugh merged 1 commit intomicrosoft:mainfrom
jakebailey:harden-InstallPackageRequest

Conversation

@jakebailey
Copy link
Copy Markdown
Member

@jakebailey jakebailey commented Apr 14, 2026

Extends #63368 to the code action.

This is still not a security boundary; any client that can send these args can already run commands locally.

@github-project-automation github-project-automation bot moved this to Not started in PR Backlog Apr 14, 2026
@typescript-bot typescript-bot added Author: Team For Uncommitted Bug PR for untriaged, rejected, closed or missing bug labels Apr 14, 2026
@github-project-automation github-project-automation bot moved this from Not started to Needs merge in PR Backlog Apr 14, 2026
@jakebailey jakebailey enabled auto-merge April 14, 2026 21:25
Copilot AI reviewed Apr 14, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

Adds package-name validation to the typings installer’s installPackage request path (code actions), and introduces a new tsserver baseline + unit test to ensure invalid package names are rejected.

Changes:

  • Validate InstallPackageRequest.packageName and return a failure response for invalid names.
  • Add a unit test that sends crafted applyCodeActionCommand requests with invalid package names.
  • Add a new reference baseline capturing the expected rejection behavior.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.

File Description
tests/baselines/reference/tsserver/codeFix/install-package-rejects-invalid-package-names.js New baseline verifying invalid package names are rejected during code action application.
src/typingsInstallerCore/typingsInstaller.ts Adds early package-name validation and returns an error response instead of attempting install.
src/testRunner/unittests/tsserver/codeFix.ts Adds a unit test to exercise the new validation via applyCodeActionCommand.

Comment thread src/testRunner/unittests/tsserver/codeFix.ts
Comment thread src/testRunner/unittests/tsserver/codeFix.ts
@jakebailey jakebailey added this pull request to the merge queue Apr 15, 2026
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to no response for status checks Apr 15, 2026
@jakebailey jakebailey added this pull request to the merge queue Apr 15, 2026
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to no response for status checks Apr 15, 2026
@jakebailey jakebailey added this pull request to the merge queue Apr 15, 2026
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to no response for status checks Apr 15, 2026
@jakebailey jakebailey added this pull request to the merge queue Apr 15, 2026
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to no response for status checks Apr 15, 2026
@RyanCavanaugh RyanCavanaugh added this pull request to the merge queue Apr 15, 2026
Merged via the queue into microsoft:main with commit f1a9288 Apr 15, 2026
27 checks passed
@github-project-automation github-project-automation bot moved this from Needs merge to Done in PR Backlog Apr 15, 2026
@jakebailey
Copy link
Copy Markdown
Member Author

jakebailey commented Apr 15, 2026

@typescript-bot cherry-pick this to release-6.0

@typescript-bot
Copy link
Copy Markdown
Collaborator

typescript-bot commented Apr 15, 2026
edited
Loading

Starting jobs; this comment will be updated as builds start and complete.

Command Status Results
cherry-pick this to release-6.0 ✅ Started ✅ Results

@jakebailey jakebailey deleted the harden-InstallPackageRequest branch April 15, 2026 18:48
typescript-bot pushed a commit that referenced this pull request Apr 15, 2026
@jakebailey @typescript-bot
Also check package name validity in InstallPackageRequest (#63401)
e6c0e2a
@typescript-bot typescript-bot mentioned this pull request Apr 15, 2026
Merged
@typescript-bot
Copy link
Copy Markdown
Collaborator

typescript-bot commented Apr 15, 2026

Hey, @jakebailey! I've created #63407 for you.

jakebailey added a commit that referenced this pull request Apr 15, 2026
@typescript-bot @jakebailey
🤖 Pick PR #63401 (Also check package name validity in...) into releas…
eeae9dd 
…e-6.0 (#63407)

Co-authored-by: Jake Bailey <5341706+jakebailey@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@DanielRosenwasser DanielRosenwasser DanielRosenwasser approved these changes

@RyanCavanaugh RyanCavanaugh RyanCavanaugh approved these changes

Assignees

@jakebailey jakebailey

Labels

Author: Team For Uncommitted Bug PR for untriaged, rejected, closed or missing bug

Projects

PR Backlog
Status: Done

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@jakebailey @typescript-bot @DanielRosenwasser @RyanCavanaugh