Pin @hpcc-js/wasm to 2.30.0 to fix webview CSP error #4378

Merged
cklin merged 1 commit into main from cklin/hpcc-js-wasm-pin
Apr 28, 2026

cklin (Contributor) commented Apr 27, 2026

@hpcc-js/wasm v2.31.0 introduced a new Function() call in its Emscripten-generated graphviz.js glue code. This violates the webview Content Security Policy, which allows 'wasm-unsafe-eval' but not 'unsafe-eval'.

Pin to 2.30.0 (the last version without new Function()) via a scoped npm override on d3-graphviz. Version 2.30.0 still satisfies d3-graphviz's ^2.20.0 requirement.

Copilot AI review requested due to automatic review settings April 27, 2026 13:16
@cklin cklin requested a review from a team as a code owner April 27, 2026 13:16
@cklin cklin marked this pull request as draft April 27, 2026 13:16
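
The CSP distinction this pull request turns on, as an added example that is not part of the pull request or the project's code: a check that reads a policy, reports whether string-to-code evaluation and Wasm compilation are allowed, and flags `new Function()` / `eval()` in a dependency's glue code. The policy string, the two glue snippets and all function names are constructed for illustration.

```javascript
// Added example. Policy and glue snippets below are constructed, not the
// extension's real CSP or the real graphviz.js; function names are hypothetical.
const WEBVIEW_CSP = "default-src 'none'; script-src 'nonce-PLACEHOLDER' 'wasm-unsafe-eval'";
const GLUE_OLD =
  "async function init(bytes) {\n  return WebAssembly.instantiate(bytes, {});\n}\n";
const GLUE_NEW =
  GLUE_OLD + "function makeInvoker(body) {\n  return new Function('a', body);\n}\n";

// Parse a policy into { directive: [sources] }, lowercased because only keyword
// sources are compared here. A repeated directive is ignored (first one wins).
function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().toLowerCase().split(/\s+/);
    if (name && !(name in directives)) directives[name] = sources;
  }
  return directives;
}

// 'unsafe-eval' permits eval/new Function and Wasm compilation;
// 'wasm-unsafe-eval' permits Wasm compilation only.
function evalPermissions(policy) {
  const d = parseCsp(policy);
  const src = d["script-src"] ?? d["default-src"];
  if (src === undefined) return { stringEval: true, wasmCompile: true };
  const stringEval = src.includes("'unsafe-eval'");
  return { stringEval, wasmCompile: stringEval || src.includes("'wasm-unsafe-eval'") };
}

// Heuristic scan for string-to-code sinks. It also matches inside comments
// and string literals, so hits are leads for review, not proof.
const SINKS = [
  { sink: "new Function()", re: /\bnew\s+Function\s*\(/g },
  { sink: "eval()", re: /(?<![.\w$])eval\s*\(/g },
];
function findEvalSinks(source) {
  const hits = [];
  for (const { sink, re } of SINKS)
    for (const m of source.matchAll(re))
      hits.push({ sink, line: source.slice(0, m.index).split("\n").length });
  return hits.sort((a, b) => a.line - b.line);
}

function checkBundle(policy, source) {
  const perms = evalPermissions(policy);
  const sinks = findEvalSinks(source);
  return { ...perms, sinks, violates: !perms.stringEval && sinks.length > 0 };
}
console.log(checkBundle(WEBVIEW_CSP, GLUE_OLD), checkBundle(WEBVIEW_CSP, GLUE_NEW));
```

Run against the installed dependency's bundled files after a lockfile change, a check like this surfaces a new string-to-code sink before it fails inside the webview.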
Copilot AI (Contributor) left a comment

Pull request overview

Pins @hpcc-js/wasm to a pre-new Function() release to avoid violating VS Code webview CSP restrictions introduced by @hpcc-js/wasm@2.31.0, while keeping d3-graphviz functionality working.

Changes:

  • Add an npm scoped overrides entry to force d3-graphviz to use @hpcc-js/wasm@2.30.0.
  • Update package-lock.json to reflect the overridden dependency graph.

| File | Description |
| --- | --- |
| extensions/ql-vscode/package.json | Adds a scoped npm overrides rule pinning @hpcc-js/wasm under d3-graphviz. |
| extensions/ql-vscode/package-lock.json | Re-locks dependencies so @hpcc-js/wasm@2.30.0 is installed under d3-graphviz rather than at the top level. |

Copilot's findings

  • Files reviewed: 1/2 changed files
  • Comments generated: 1

Files not reviewed (1)

  • extensions/ql-vscode/package-lock.json: Language not supported

Comment thread extensions/ql-vscode/package.json
@hpcc-js/wasm v2.31.0 introduced a new Function() call in its
Emscripten-generated graphviz.js glue code. This violates the webview
Content Security Policy, which allows 'wasm-unsafe-eval' but not
'unsafe-eval'.

Pin to 2.30.0 (the last version without new Function()) via a scoped
npm override on d3-graphviz. Version 2.30.0 still satisfies
d3-graphviz's ^2.20.0 requirement.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@cklin cklin force-pushed the cklin/hpcc-js-wasm-pin branch from f679b17 to 7491a2b Compare April 27, 2026 13:35
@cklin cklin marked this pull request as ready for review April 27, 2026 13:35
@cklin cklin requested a review from nickrolfe April 27, 2026 16:31
@cklin cklin merged commit 399b06e into main Apr 28, 2026
42 of 43 checks passed
@cklin cklin deleted the cklin/hpcc-js-wasm-pin branch April 28, 2026 17:44