
Palette ux aria label accept suggestion 7832725668674833841 #4285

Open
mexicodxnmexico-create wants to merge 48 commits into microsoft:main from mexicodxnmexico-create:palette-ux-aria-label-accept-suggestion-7832725668674833841

Conversation

@mexicodxnmexico-create

`git pull origin principal`

google-labs-jules bot and others added 30 commits February 17, 2026 03:19
Replaces complex regex with lookarounds in `splitTerms` with a faster scanning loop using simple regexes.
Benchmarks show ~37% performance improvement.

- Extracted regex patterns to module constants for readability.
- Replaced `matchAll` with `exec` loop.
- Added early exit checks for common cases.
- Handled edge cases like camelCase, snake_case, and digit suffixes explicitly.

Co-authored-by: mexicodxnmexico-create <245638303+mexicodxnmexico-create@users.noreply.github.com>
…ation-7114890394492771705

⚡ Bolt: Optimize TF-IDF tokenization
This change integrates a new set of principles into the GitHub Copilot Chat agent prompts, transitioning toward a 'Builder AI' (IA constructora) architecture.

Key improvements:
- Added `BuilderAgentInstructions` component based on 10 core principles.
- Enhanced instructions for contextual memory, purpose orientation, and real execution.
- Strengthened critical thinking rules to proactively signal risks and suggest better alternatives.
- Updated agent prompt snapshots to reflect new system instructions.

Aligned with the vision of prioritizing impact and functional systems over conversational output.

Co-authored-by: mexicodxnmexico-create <245638303+mexicodxnmexico-create@users.noreply.github.com>
…phy-9786023644928653144

Implement 'Builder AI' philosophy in agent prompts
… Panel (#31)

* Improve citation accessibility and security in Suggestions Panel

- Add `rel="noopener noreferrer"` to citation links to prevent Reverse Tabnabbing.
- Make warning label accessible by removing `aria-hidden="true"` and using `<strong>` for emphasis.
- Add warning icon (⚠) to the warning label.
- Add unit test for suggestions panel rendering logic.
- Document UX learning in `.Jules/palette.md`.

Co-authored-by: mexicodxnmexico-create <245638303+mexicodxnmexico-create@users.noreply.github.com>

* Fix CI failure by updating package-lock.json

The previous commit added `jsdom` and `@typescript-eslint/utils` using `pnpm`, but the CI workflow uses `npm ci` which relies on `package-lock.json`. This commit updates `package-lock.json` to be in sync with `package.json`, resolving the "EUSAGE" error in the CI pipeline.

Co-authored-by: mexicodxnmexico-create <245638303+mexicodxnmexico-create@users.noreply.github.com>

---------

Co-authored-by: google-labs-jules[bot] <161369871+google-labs-jules[bot]@users.noreply.github.com>
Co-authored-by: mexicodxnmexico-create <245638303+mexicodxnmexico-create@users.noreply.github.com>
…10)

This change fixes a potential command injection vulnerability in `openVscodeUri` on Windows by removing the use of `shell: true` and manually quoted arguments. Instead, it relies on `child_process.spawn`'s default behavior (shell: false) to safely escape arguments for `cmd /c start`.

The vulnerability allowed execution of arbitrary commands if `uri` contained double quotes (e.g., `" & calc.exe & "`).

Verification:
- Added `open.spec.ts` to verify that `spawn` is called with `shell: false` (or implicit default) and unquoted `uri`.
- Verified that `spawn` behaves correctly with `shell: false`.

Co-authored-by: google-labs-jules[bot] <161369871+google-labs-jules[bot]@users.noreply.github.com>
Co-authored-by: mexicodxnmexico-create <245638303+mexicodxnmexico-create@users.noreply.github.com>
🚨 Severity: HIGH
💡 Vulnerability: Cross-Site Scripting (XSS) in citation URL rendering.
   The `suggestionsPanelWebview.ts` interpolated the `citation.url` directly into the `href` attribute. While `DOMPurify.sanitize` was used, it does not prevent `javascript:` protocol attacks when sanitizing URL strings in isolation. A malicious URL like `javascript:alert(1)` could execute arbitrary JavaScript within the webview context.
🎯 Impact: An attacker could potentially inject malicious scripts if they can control the citation URL, leading to arbitrary code execution in the webview.
🔧 Fix: Implemented strict URL validation using `isValidUrl` helper function that enforces `http:` and `https:` protocols. Invalid URLs are replaced with `#` as a safe fallback.
✅ Verification:
   - Added a new test case in `suggestionsPanelWebview.spec.ts` that injects a malicious URL and asserts that the rendered `href` is sanitized to `#`.
   - Verified that existing tests pass.

Co-authored-by: mexicodxnmexico-create <245638303+mexicodxnmexico-create@users.noreply.github.com>
🚨 Severity: CRITICAL
💡 Vulnerability: Cross-Site Scripting (XSS) via Attribute Injection in citation URLs.
   The `suggestionsPanelWebview.ts` interpolated citation URLs directly into HTML `href` attributes. While `DOMPurify` was used, it did not fully prevent Attribute Injection when handling raw URL strings containing malicious characters (like quotes). A malicious URL could break out of the `href` attribute and inject event handlers (e.g., `onclick`), leading to arbitrary code execution.
🎯 Impact: An attacker could execute arbitrary JavaScript within the webview context by controlling the citation URL.
🔧 Fix:
   - Implemented strict URL validation and normalization using `new URL()`.
   - Used the `parsed.href` property (which is properly encoded) instead of the raw input string, neutralizing attribute injection attacks.
   - Updated CI configuration (`.github/workflows/webpack.yml`) to use Node.js 22.x, fixing build failures caused by incompatibility with `package.json` engines requirements.
✅ Verification:
   - Added comprehensive test cases in `suggestionsPanelWebview.spec.ts` covering:
     - Malicious `javascript:` protocol (blocked).
     - Attribute injection attempts (neutralized).
     - Valid URL rendering (normalized).
   - Verified that CI build failure is resolved by updating Node version matrix.

Co-authored-by: mexicodxnmexico-create <245638303+mexicodxnmexico-create@users.noreply.github.com>
…ixes

🚨 Severity: CRITICAL
💡 Vulnerability: Cross-Site Scripting (XSS) via Attribute Injection in citation URLs.
   The `suggestionsPanelWebview.ts` previously interpolated citation URLs directly into HTML `href` attributes. While `DOMPurify` was used, it did not fully prevent Attribute Injection when handling raw URL strings containing malicious characters (like quotes).
🎯 Impact: An attacker could execute arbitrary JavaScript within the webview context by controlling the citation URL.
🔧 Fix:
   - Implemented strict URL validation and normalization using `new URL()`.
   - Used the `parsed.href` property (properly encoded) instead of the raw string to neutralize attribute injection.
   - Fixed CI Build:
     - Updated `.github/workflows/webpack.yml` to use Node.js 22.x (required by `engines`).
     - Replaced incorrect `npx webpack` command with `npm run build` (project uses `esbuild`).
✅ Verification:
   - Added tests in `suggestionsPanelWebview.spec.ts` covering malicious protocols and attribute injection.
   - Verified locally that the new URL handling produces safe outputs.

Co-authored-by: mexicodxnmexico-create <245638303+mexicodxnmexico-create@users.noreply.github.com>
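The href hardening the two XSS commits above describe (parse with `new URL()`, allow only `http:`/`https:`, emit `parsed.href` or `#`), as an added example that is not code from the PR; `safeCitationHref`, `escapeHtml` and `renderCitationLink` are hypothetical helper names and the sample citations are constructed.

```javascript
// Added example, not the project's code. Demonstrates the citation-link
// hardening described in the commits: protocol allowlist + serialized href.

/** Return a normalized http(s) href, or the safe fallback "#" for anything else. */
function safeCitationHref(rawUrl) {
  let parsed;
  try {
    // new URL() throws on anything that is not an absolute URL, and its
    // serializer percent-encodes quotes and other attribute-breaking characters.
    parsed = new URL(String(rawUrl));
  } catch {
    return '#';
  }
  // Allowlist, not blocklist: javascript:, data:, vbscript:, file: all land here.
  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') {
    return '#';
  }
  return parsed.href; // the re-serialized URL, never the raw input string
}

/** Escape text for a double-quoted HTML attribute value or a text node. */
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;');
}

/** Render one citation link using only the validated href (hypothetical template). */
function renderCitationLink(citation, suggestionNumber) {
  const href = escapeHtml(safeCitationHref(citation.url));
  const label = escapeHtml(
    `Inspect source code for suggestion ${suggestionNumber} (opens in a new tab)`);
  return `<a href="${href}" target="_blank" rel="noopener noreferrer" ` +
    `aria-label="${label}">${escapeHtml(citation.title)}</a>`;
}

// Constructed sample citations covering the cases the commits' tests list.
const sampleCitations = [
  { title: 'valid, normalized', url: 'HTTPS://Example.COM/a/b?x=1&y=2' },
  { title: 'javascript: protocol', url: 'javascript:alert(1)' },
  { title: 'attribute injection', url: 'https://example.com/a"onclick="x' },
  { title: 'not a URL', url: 'not a url' },
];
for (const [i, citation] of sampleCitations.entries()) {
  console.log(renderCitationLink(citation, i + 1));
}
```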
- Added `rel="noopener noreferrer"` to external links in suggestions panel webview.
- Configured `DOMPurify` to allow `target` attribute to ensure links open in new tab/window as intended.
- Created `.jules/sentinel.md` for security journal.

Co-authored-by: google-labs-jules[bot] <161369871+google-labs-jules[bot]@users.noreply.github.com>
Co-authored-by: mexicodxnmexico-create <245638303+mexicodxnmexico-create@users.noreply.github.com>
- Wrap decorative warning icon `&#9888;` in `<span aria-hidden="true">` to prevent redundant screen reader announcements (e.g., "Warning sign Warning").
- Add `tabIndex="0"` to code blocks (`pre` elements) in the suggestions panel to ensure they are keyboard accessible and scrollable.
- Update unit tests to reflect these changes.
- Add journal entry in `.Jules/palette.md`.

Co-authored-by: mexicodxnmexico-create <245638303+mexicodxnmexico-create@users.noreply.github.com>
Co-authored-by: mexicodxnmexico-create <245638303+mexicodxnmexico-create@users.noreply.github.com>
…#42)

Co-authored-by: google-labs-jules[bot] <161369871+google-labs-jules[bot]@users.noreply.github.com>
Co-authored-by: mexicodxnmexico-create <245638303+mexicodxnmexico-create@users.noreply.github.com>
…x-hoist-7229017435347597392

⚡ Optimize findWordInReferences by hoisting RegExp compilation
Co-authored-by: mexicodxnmexico-create <245638303+mexicodxnmexico-create@users.noreply.github.com>
…has-session-14196351824628684238

Remove deprecated hasSession method from vscode simulation fixture
…rocesses (#68)

Co-authored-by: google-labs-jules[bot] <161369871+google-labs-jules[bot]@users.noreply.github.com>
Co-authored-by: mexicodxnmexico-create <245638303+mexicodxnmexico-create@users.noreply.github.com>
* Revert "cli - do not trust empty changes (microsoft/vscode#297975) (microsoft#4036)" (microsoft#4063)

This reverts commit 420c26f.

* Run command tool should include command result (microsoft#4061)

* Run command tool should include command result
Part of microsoft/vscode#298181

* CCR feedback

* Support CAPI WebSocket connections (microsoft#4068) (microsoft#4069)

* Add a maximum date of the comparison commit for the 1p repo telemetry info (microsoft#3774)

* initial passes with copilot before testing

* only pass on successful date

* add tests for new functionality

* return tooOld for all date failures

* remove extra logging, info is already in telemetry and may be too noisy

* fix test that used custom repo mock

---------

Co-authored-by: Ian Huff <ianhuff@Mac.home>
Co-authored-by: Ian Huff <ianhuff@Ians-MacBook-Pro-2.local>

* 0.39.0 (microsoft#4057)

* Make auto have provider affinity (microsoft#4072)

* Pipe vendor from CAPI through to chat endpoint

* Adopt discussed auto mode behavior

* Update src/platform/endpoint/node/test/automodeService.spec.ts

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

---------

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* Hold external repo info telemetry (microsoft#4075)

* Hold external repo info telemetry

* Update src/extension/prompt/node/repoInfoTelemetry.ts

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* Update test to reflect no external telemetry for non-internal users

---------

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* pass in the URL for the proxy to the CLI session (microsoft#4070)

* Update telemetry pkg (microsoft#4078)

* Merge agents and chatsession folder (microsoft#4058)

* Remove duplicated memory tool in picker (microsoft#4079)

* fixes microsoft/vscode#297010

* address feedback

* 🎨 Palette: Add aria-busy state to webview loading container

💡 What: Toggles `aria-busy` attribute on the `solutionsContainer` during async loading phases.
🎯 Why: To prevent screen reader users from experiencing silent, disorienting DOM changes when dynamic webview content updates.
♿ Accessibility: Improves loading state communication to assistive technologies.

Co-authored-by: mexicodxnmexico-create <245638303+mexicodxnmexico-create@users.noreply.github.com>

* Background - clean worktree changes cache at the end of the turn (microsoft#4083)

* 🎨 Palette: Add aria-busy state to webview loading container

💡 What: Toggles `aria-busy` attribute on the `solutionsContainer` during async loading phases.
🎯 Why: To prevent screen reader users from experiencing silent, disorienting DOM changes when dynamic webview content updates.
♿ Accessibility: Improves loading state communication to assistive technologies.

Co-authored-by: mexicodxnmexico-create <245638303+mexicodxnmexico-create@users.noreply.github.com>

---------

Co-authored-by: Benjamin Pasero <benjamin.pasero@microsoft.com>
Co-authored-by: Alex Ross <38270282+alexr00@users.noreply.github.com>
Co-authored-by: Christof Marti <chrmarti@microsoft.com>
Co-authored-by: Ian Huff <ian.huff@gmail.com>
Co-authored-by: Ian Huff <ianhuff@Mac.home>
Co-authored-by: Ian Huff <ianhuff@Ians-MacBook-Pro-2.local>
Co-authored-by: Ben Villalobos <bevillal@microsoft.com>
Co-authored-by: Logan Ramos <loganramos@microsoft.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Zhichao Li <57812115+zhichli@users.noreply.github.com>
Co-authored-by: Aaron Munger <2019016+amunger@users.noreply.github.com>
Co-authored-by: Vijay Upadya <41652029+vijayupadya@users.noreply.github.com>
Co-authored-by: Don Jayamanne <don.jayamanne@outlook.com>
Co-authored-by: SteVen Batten <sbatten@microsoft.com>
Co-authored-by: google-labs-jules[bot] <161369871+google-labs-jules[bot]@users.noreply.github.com>
Co-authored-by: mexicodxnmexico-create <245638303+mexicodxnmexico-create@users.noreply.github.com>
Co-authored-by: Ladislau Szomoru <3372902+lszomoru@users.noreply.github.com>
* Added `aria-label` to "Inspect source code" links to provide specific context (e.g., Suggestion number) and indicate that it opens in a new tab.
* Whitelisted `aria-label` in the `DOMPurify` ADD_ATTR configuration to prevent it from being stripped out.
* Used the evaluated `safeUrl` variable directly in the `href` attribute, rather than relying on `DOMPurify.sanitize(url)`, closing a potential script execution vulnerability.
* Added specific unit test coverage asserting that the expected `aria-label` is present in the rendered HTML output.

Co-authored-by: google-labs-jules[bot] <161369871+google-labs-jules[bot]@users.noreply.github.com>
Co-authored-by: mexicodxnmexico-create <245638303+mexicodxnmexico-create@users.noreply.github.com>
Filtered out sensitive environment variables (`VSCODE_`, `GITHUB_`, `COPILOT_`) from being passed blindly to external hook command child processes in `NodeHookExecutor` (`_spawn`).

Co-authored-by: mexicodxnmexico-create <245638303+mexicodxnmexico-create@users.noreply.github.com>
- Replaced `String.prototype.matchAll` with a `while` loop using `RegExp.prototype.exec` in `semanticSearchTextSearchProvider.ts` and `inlineChatWorkspaceSearch.tsx`.
- Extracted the static regular expression into a local variable inside the loop, avoiding iterator allocations and global mutable state side-effects.

Co-authored-by: mexicodxnmexico-create <245638303+mexicodxnmexico-create@users.noreply.github.com>
…hall-exec-9021052340892010449

⚡ Bolt: Optimize large text parsing by replacing matchAll with exec
mexicodxnmexico-create and others added 16 commits March 2, 2026 21:39
Co-authored-by: mexicodxnmexico-create <245638303+mexicodxnmexico-create@users.noreply.github.com>
…ant-tooltip-13929035318460304374

🎨 Palette: Add tooltip to "Accept suggestion" button
…e.all

Co-authored-by: mexicodxnmexico-create <245638303+mexicodxnmexico-create@users.noreply.github.com>
Co-authored-by: mexicodxnmexico-create <245638303+mexicodxnmexico-create@users.noreply.github.com>
…-migration-17916351178464882625

Refactor: Remove legacy BYOK configuration migrations
…3772100-d9d0f5e0

⚡ refactor(replay): convert sequential entryToJson to parallel Promise.all
Co-authored-by: mexicodxnmexico-create <245638303+mexicodxnmexico-create@users.noreply.github.com>
Co-authored-by: mexicodxnmexico-create <245638303+mexicodxnmexico-create@users.noreply.github.com>
…length-2340635065394988995

⚡ Bolt: Replace TextEncoder string allocations with Buffer.byteLength
…62308440-87859c19q

🔒 Fix potential XSS via innerHTML in SuggestionsPanelWebview
…Uuid()`

Replaces weak pseudorandom generation `Math.random().toString(36)` with cryptographically secure `generateUuid()` instances across several files to prevent predictable IDs and nonces.

Changes made:
- Added `generateUuid` imports where missing.
- Refactored `Math.random().toString(36).substring(...)` with `generateUuid().substring(...)`.

Co-authored-by: mexicodxnmexico-create <245638303+mexicodxnmexico-create@users.noreply.github.com>
Bumps [esbuild](https://github.com/evanw/esbuild) from 0.25.12 to 0.27.3.
- [Release notes](https://github.com/evanw/esbuild/releases)
- [Changelog](https://github.com/evanw/esbuild/blob/main/CHANGELOG.md)
- [Commits](evanw/esbuild@v0.25.12...v0.27.3)

---
updated-dependencies:
- dependency-name: esbuild
  dependency-version: 0.27.3
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: mexicodxnmexico-create <245638303+mexicodxnmexico-create@users.noreply.github.com>
Co-authored-by: mexicodxnmexico-create <245638303+mexicodxnmexico-create@users.noreply.github.com>
Co-authored-by: mexicodxnmexico-create <245638303+mexicodxnmexico-create@users.noreply.github.com>
google-labs-jules bot and others added 2 commits March 9, 2026 02:54
Co-authored-by: mexicodxnmexico-create <245638303+mexicodxnmexico-create@users.noreply.github.com>
Co-authored-by: mexicodxnmexico-create <245638303+mexicodxnmexico-create@users.noreply.github.com>
2 participants