fix(agent-os-vscode): pin devDependencies to exact versions #855

Open
jackbatzner wants to merge 1 commit into microsoft:main from jackbatzner:jb/fix-vscode-version-pinning
@jackbatzner
Contributor

Description

Pin the pre-existing caret version ranges in packages/agent-os-vscode/package.json devDependencies to exact versions so the VS Code package complies with the repo version-pinning policy.

This change only removes ^ from the 14 affected devDependencies. It leaves engines.vscode as ^1.85.0 and keeps already exact-pinned entries unchanged.

Type of Change

  • Bug fix (non-breaking change that fixes an issue)
  • New feature (non-breaking change that adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Documentation update
  • Maintenance (dependency updates, CI/CD, refactoring)
  • Security fix

Package(s) Affected

  • agent-os-kernel
  • agent-mesh
  • agent-runtime
  • agent-sre
  • agent-governance
  • docs / root

Additional package affected: packages/agent-os-vscode

Checklist

  • My code follows the project style guidelines (ruff check)
  • I have added tests that prove my fix/feature works
  • All new and existing tests pass (pytest)
  • I have updated documentation as needed
  • I have signed the Microsoft CLA

Related Issues

Fixes #831

…t#831)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@github-actions
github-actions bot commented Apr 6, 2026

🤖 AI Agent: security-scanner — Security Analysis of the Pull Request

This PR modifies the package.json file for the agent-os-vscode package by pinning devDependencies to exact versions. While this change is primarily a maintenance update and does not directly modify runtime code, it is still important to evaluate its security implications, especially in the context of supply chain risks.


Findings

1. Supply Chain Risk: Dependency Pinning

  • Risk: Pinning dependencies to exact versions can mitigate some risks associated with supply chain attacks, such as dependency confusion or malicious updates in future versions. However, it also introduces the risk of using outdated dependencies if the pinned versions contain vulnerabilities that are later patched in newer releases.
  • Severity: 🟡 MEDIUM
  • Attack Vector: If any of the pinned dependencies (e.g., glob, mocha, react, etc.) have known vulnerabilities in the specified versions, they could be exploited by attackers. This is particularly concerning for dependencies like glob and mocha, which are commonly used in build and testing pipelines and could be targeted by attackers to compromise the development environment.
  • Recommendation:
    • Perform a security audit of the pinned versions using tools like npm audit or snyk to ensure that none of the pinned versions have known vulnerabilities.
    • Consider implementing a process to periodically review and update pinned dependencies to their latest secure versions.
    • If possible, use a tool like dependabot to automate dependency updates and ensure that security patches are applied promptly.

2. Potential for Dependency Confusion

  • Risk: While pinning dependencies to exact versions reduces the risk of accidental upgrades to malicious versions, it does not eliminate the risk of dependency confusion attacks, where an attacker publishes a malicious package with the same name as an internal or private dependency.
  • Severity: 🟠 HIGH
  • Attack Vector: If any of the dependencies are private or scoped packages (e.g., @types/vscode), an attacker could publish a malicious package with the same name to a public registry. This could lead to the malicious package being installed instead of the intended one.
  • Recommendation:
    • Use a private registry for internal dependencies to prevent dependency confusion.
    • Implement namespace restrictions and ensure that all dependencies are fetched from trusted sources.
    • Use tools like npm audit and lockfile-lint to verify the integrity of dependencies.

3. Lack of Verification for Transitive Dependencies

  • Risk: While this PR addresses direct dependencies, it does not address transitive dependencies (dependencies of dependencies), which could also introduce vulnerabilities.
  • Severity: 🟡 MEDIUM
  • Attack Vector: If a transitive dependency contains a vulnerability or is compromised, it could still be exploited, even if the direct dependencies are pinned.
  • Recommendation:
    • Use a lockfile (e.g., package-lock.json) to ensure that transitive dependencies are also pinned to specific versions.
    • Regularly audit the lockfile for vulnerabilities using tools like npm audit or snyk.

4. No Changes to engines.vscode

  • Risk: The engines.vscode field remains pinned to ^1.85.0, which allows for minor version upgrades. This is inconsistent with the strict version-pinning approach applied to devDependencies.
  • Severity: 🔵 LOW
  • Attack Vector: While unlikely, a malicious or vulnerable minor version of VS Code could introduce risks. However, this is a low-risk issue since the engines.vscode field is primarily used for compatibility checks and does not directly affect the security of the package.
  • Recommendation:
    • Consider pinning the engines.vscode field to an exact version for consistency with the version-pinning policy.

Summary of Findings

| Finding | Severity | Recommendation |
| --- | --- | --- |
| Supply chain risk: Dependency pinning | 🟡 MEDIUM | Audit pinned versions for vulnerabilities and implement a process for updates. |
| Potential for dependency confusion | 🟠 HIGH | Use private registries, namespace restrictions, and dependency integrity tools. |
| Lack of verification for transitive dependencies | 🟡 MEDIUM | Use a lockfile and audit transitive dependencies regularly. |
| Inconsistent version pinning for engines.vscode | 🔵 LOW | Consider pinning engines.vscode to an exact version for consistency. |

Final Recommendation

While this PR improves the security posture of the agent-os-vscode package by pinning devDependencies to exact versions, it introduces potential risks if the pinned versions contain vulnerabilities or if transitive dependencies are not audited. Additionally, the risk of dependency confusion remains unaddressed.

To fully secure the supply chain:

  1. Audit the pinned versions for known vulnerabilities.
  2. Use a lockfile to pin transitive dependencies.
  3. Implement tools and processes to monitor and update dependencies regularly.
  4. Consider pinning engines.vscode to an exact version for consistency.

With these additional measures in place, the changes in this PR can be considered safe.

@github-actions github-actions bot left a comment

🤖 AI Agent: code-reviewer

Review Feedback for Pull Request: fix(agent-os-vscode): pin devDependencies to exact versions


🔴 CRITICAL

No critical issues identified in this pull request.


🟡 WARNING

  1. Potential Breaking Changes in Development Workflow:
    • Pinning devDependencies to exact versions can lead to compatibility issues in the future if newer versions of these dependencies introduce bug fixes or security patches. While this aligns with the repo's version-pinning policy, it may require frequent updates to keep dependencies secure and compatible.
    • Suggestion: Consider implementing a process to periodically review and update pinned versions to avoid stagnation.

💡 SUGGESTION

  1. Documentation Update:

    • The pull request does not include updates to the documentation regarding the version-pinning policy. It would be helpful to add a note in the CONTRIBUTING.md or similar file to inform contributors about the policy and its rationale.
  2. Automated Dependency Management:

    • To streamline updates to pinned versions, consider integrating a tool like Renovate or Dependabot. These tools can automatically create pull requests to update dependencies when new versions are released.
  3. Testing Coverage:

    • While this change primarily affects development dependencies, ensure that the testing pipeline (pytest) is robust enough to catch any issues arising from these pinned versions.
  4. Backward Compatibility:

    • Although this change does not directly affect runtime dependencies, it would be prudent to verify that the pinned versions of devDependencies do not introduce any incompatibilities with the project's runtime or build process.

Summary

This pull request aligns with the repository's version-pinning policy by converting caret ranges to exact versions for devDependencies. While this change is non-breaking, it introduces potential maintenance overhead and risks related to dependency stagnation. Addressing these concerns through documentation updates and automated dependency management tools would improve the long-term sustainability of this approach.

@github-actions github-actions bot added the size/S Small PR (< 50 lines) label Apr 6, 2026
Member

@imran-siddique imran-siddique left a comment

Review: APPROVED

Diff reviewed — this PR correctly removes caret (^) prefixes from 14 devDependencies in packages/agent-os-vscode/package.json, pinning them to exact versions. This directly implements the repo supply chain security policy (Version Locking: exact versions only, prohibit ^ or ~ ranges).

Checklist:

  • Diff read — 14 additions / 14 deletions, single file, scope matches description
  • Dependency confusion scan — all packages are well-known npm packages (@types/*, react, esbuild, etc.)
  • No hardcoded secrets
  • No new source files (no license header needed)
  • Additions > 0 (14 additions)

Note: The check-version-pinning CI check failure appears to be flagging pre-existing violations in other files, not regressions from this PR.

Fixes #831. Clean, policy-aligned maintenance fix.
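
An exact-version check of the kind this thread discusses, as an added example (not the repository's check-version-pinning script and not code from this PR). The function names, the set of policed sections and the sample manifest are assumptions; the package names appear in the thread but the version numbers are constructed.

```javascript
// Added example: hypothetical exact-version check, not the repo's CI script.
// Sections whose entries are installed from a registry. "engines" is excluded
// because it states host compatibility, as engines.vscode does in this PR.
const POLICED_SECTIONS = ["dependencies", "devDependencies", "optionalDependencies"];

// Exact pin: MAJOR.MINOR.PATCH with optional prerelease and build metadata.
const EXACT = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/;

// Classify one specifier as "exact", "range", "tag" or "non-registry".
function classifySpec(spec) {
  const s = String(spec).trim();
  if (EXACT.test(s)) return "exact";
  // npm:name@spec aliases are judged by the spec they wrap (none means latest).
  const alias = /^npm:(?:@[^/]+\/)?[^@]+(?:@(.*))?$/.exec(s);
  if (alias) return classifySpec(alias[1] ?? "");
  if (/[:/]/.test(s)) return "non-registry"; // git, http(s), file:, user/repo
  if (/^[A-Za-z][\w.-]*$/.test(s) && !/^x$/i.test(s)) return "tag"; // latest, next
  return "range"; // ^, ~, >=, *, 1.x, partial versions, empty string
}

// Return every policed entry that is not an exact pin.
function findUnpinned(manifest) {
  const findings = [];
  for (const section of POLICED_SECTIONS) {
    for (const [name, spec] of Object.entries(manifest[section] || {})) {
      const kind = classifySpec(spec);
      if (kind !== "exact") findings.push({ section, name, spec, kind });
    }
  }
  return findings;
}

// Constructed manifest: names come from this thread, versions are made up.
const SAMPLE = {
  engines: { vscode: "^1.85.0" },
  devDependencies: {
    "@types/vscode": "1.2.3",
    esbuild: "^1.2.3",
    glob: "~1.2.3",
    mocha: "latest",
    react: "1.2.3-rc.1",
  },
};

for (const f of findUnpinned(SAMPLE)) {
  console.log(`${f.section}.${f.name}: "${f.spec}" is a ${f.kind}, expected an exact version`);
}
```
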

Development

Successfully merging this pull request may close these issues.

fix(vscode): pin dependency versions in agent-os-vscode package.json