We are trying to update Express to fix a vulnerability.
We would have to update the plugins as well, but since we are no longer
using the plugin system, we can just delete it instead.
* Update Code to 1.94.2
* Convert from yarn to npm
This is to match VS Code. We were already partially using npm for the
releases so this is some nice alignment.
* Update caniuse-lite
This was complaining on every unit test.
* Update eslint
I was having a bunch of dependency conflicts and eslint seemed to be the
culprit so I just removed it and set it up again, since it seems things
have changed quite a bit.
* Update test dependencies
I was getting oom when running the unit tests...updating seems to work.
* Remove package.json `scripts` property in release
The new pre-install script was being included, which is dev-only.
This was always the intent; did not realize jq's merge was recursive.
* Remove jest and devDependencies in release as well
* Update test extension dependencies
This appears to be conflicting with the root dependencies.
* Fix playwright exec
npm does not let you run binaries like yarn does, as far as I know.
* Fix import of server-main.js
* Fix several tests by waiting for selectors
There is a `yarn ci` script which was using audit-ci but this does not
appear to be called anywhere.
The security workflow uses `yarn audit` and `npm audit` which seem fine
enough anyway.
Additionally:
- Update Node to 20.11.1
- Update documentation
- Disable extension signature verification
This works around an issue where the Open VSX is not returning the
expected zip. Verification is skipped later anyway because
@vscode/vsce-sign is missing in the OSS version.
Also remove github.com from the trusted domains. This causes the
browser to block the popup instead (probably because the space between
interaction and popup is too great), which is difficult to notice in
Chromium. Even in Firefox with the extra bar they add at the top it can
be easy to miss.
* Fix building from source on arm
Not building from source causes argon2 to pull the wrong arch, so we
have to build from source.
But building from source is causing the new Kerberos module to fail on
arm64 and keytar to fail on both.
The latter has been very difficult to debug because the GitHub image
provides a different result to containers based on Ubuntu 20.04.
Because of this, use a container instead.
Use debian:buster as the container because it is easier to set up the
architecture sources (no need to modify the sources) and because it
seems to come with glibc 2.28 rather than 2.31.
Also use the exact version of Node (18.15.0) for reproducibility.
* Set owner and group during tar to zero
Otherwise you get IDs that can cause (benign) errors while extracting,
which might be confusing. At the very least, I did not see these errors
from previous tars (although they seem to use 1001).
There is no guarantee what IDs might exist so 0 seems the most
reasonable.
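
The ownership change in the last item, as an added example that is not part of the commit or the project's build scripts: it packs a tree with owner and group forced to 0 and then checks the IDs recorded in the archive. It assumes GNU tar; the function names, paths and the sample tree are made up for illustration.

```shell
#!/bin/sh
# Added example: normalise ownership in a release tarball and verify it.
# Assumes GNU tar. All names and paths below are hypothetical.

# Pack directory $3 (found under $2) into $1 with every entry owned by 0:0,
# independent of the uid/gid of the account that runs the build.
pack_release() {
  tar --owner=0 --group=0 --numeric-owner -czf "$1" -C "$2" "$3"
}

# Print the distinct numeric uid/gid pairs stored in tarball $1, one per line.
tar_owner_ids() {
  tar --numeric-owner -tzvf "$1" | awk '{ print $2 }' | sort -u
}

# Succeed only if every entry in tarball $1 is recorded as 0/0.
check_release_owner() {
  [ "$(tar_owner_ids "$1")" = "0/0" ]
}

# Constructed sample: a tiny tree packed twice, once with a CI-style ID
# (1001, forced here so the result does not depend on who runs this) and
# once through pack_release.
demo() {
  work=$(mktemp -d)
  mkdir -p "$work/src/release/bin"
  echo '{}' > "$work/src/release/package.json"
  echo 'placeholder' > "$work/src/release/bin/app"
  tar --owner=1001 --group=1001 --numeric-owner \
    -czf "$work/ci.tar.gz" -C "$work/src" release
  pack_release "$work/fixed.tar.gz" "$work/src" release
  echo "ci build: $(tar_owner_ids "$work/ci.tar.gz")"
  echo "fixed:    $(tar_owner_ids "$work/fixed.tar.gz")"
  check_release_owner "$work/fixed.tar.gz" && echo "ownership OK"
  rm -rf "$work"
}
demo
```

Running `check_release_owner` as a release gate catches an archive that was packed without the ownership flags before it is published.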