Skip to content

fix: parsing mixed-value toml arrays#25416

Closed
JP-Ellis wants to merge 1 commit intomicrosoft:mainfrom
JP-Ellis:fix/parsing-mixed-value-toml-arrays
Closed

fix: parsing mixed-value toml arrays#25416
JP-Ellis wants to merge 1 commit intomicrosoft:mainfrom
JP-Ellis:fix/parsing-mixed-value-toml-arrays

Conversation

@JP-Ellis
Copy link

@JP-Ellis JP-Ellis commented Aug 25, 2025

Upgrade @iarna/toml to v3 which should support mixed values within TOML arrays.

Updated one of the test fixtures to make use of the newer [dependency-groups] section.

Fixes: #25413

@JP-Ellis
fix: parsing mixed-value toml arrays
76d3c13 
Upgrade `@iarna/toml` to v3 which should support mixed values within
TOML arrays.

Updated one of the test fixtures to make use of the newer
`[dependency-groups]` section.

Fixes: microsoft#25413
Signed-off-by: JP-Ellis <josh@jpellis.me>
@JP-Ellis
Copy link
Author

JP-Ellis commented Aug 25, 2025

@microsoft-github-policy-service agree

@JP-Ellis
Copy link
Author

JP-Ellis commented Nov 10, 2025

@eleanorjboyd Any chance you could take a look at this?

@eleanorjboyd eleanorjboyd added the feature-request Request for new features or functionality label Nov 11, 2025
@vs-code-engineering vs-code-engineering bot added this to the November 2025 milestone Nov 11, 2025
Tyriar
Tyriar requested changes Nov 11, 2025
View reviewed changes
Copy link
Member

@Tyriar Tyriar left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@eleanorjboyd we should not accept dependency changes from external contributors like in VS Code.

@JP-Ellis
Copy link
Author

JP-Ellis commented Nov 11, 2025
edited
Loading

That's on odd policy... Is that to mitigate supply chain attacks? I must've missed it in your contribution guide.

What about when a PR actually fixes an issue? How do I get it accepted?

@eleanorjboyd
Copy link
Member

eleanorjboyd commented Nov 11, 2025

Hi! Sorry for the confusion, I can look at handling this on my end. One question, when I run run npm view @iarna/toml version (singular), it shows the version tagged as latest in the npm registry, which is 2.2.5. However, when I run npm view @iarna/toml time (which shows all versions), I can see that 3.0.0 exists but was published after 2.2.5. Any idea is 3.0.0 is stable then if it isn't tagged as latest?

@JP-Ellis
Copy link
Author

JP-Ellis commented Nov 11, 2025

I am not the developer behind this dependency, so I can only speculate:

  1. Based on the fact the 2.2.4, 2.2.5 and 3.0.0 were all releases in quick succession, all after about ~1 year of inactivity, I suspect the developer came back to the project after a hiatus and fixed a bunch of issues quickly.
  2. 3.0.0 has been released and available for over 5 years now, so I suspect it is stable enough (and if you're worried about supply chain attacks... well that's a lot of planning 😆).

I have no idea how npm determines which version is the latest. It could be that the developer at the time forgot to mark 3.0.0 as the latest version?

@Tyriar
Copy link
Member

Tyriar commented Nov 11, 2025

@JP-Ellis yes it's to mitigate supply chain attacks. This is something we do on microsoft/vscode to prevent one possible avenue for attack, and we should do it here as well. No offence intended 😉

Until we have an action that blocks it, this could be handled by @eleanorjboyd checking out the upgrade (seems safe if it's been years) and then running the npm install on her side to generate the lock file on a trusted machine.

@eleanorjboyd
Copy link
Member

eleanorjboyd commented Nov 11, 2025

Thanks @Tyriar for the full explanation! I am going to make the changes on my end and share the PR.

@eleanorjboyd
Copy link
Member

eleanorjboyd commented Nov 11, 2025

opened this PR which will fix this: #25584

@JP-Ellis
Copy link
Author

JP-Ellis commented Nov 11, 2025

My PR is not just a package version upgrade. I'm also updating the test to validate that the issue is actually fixed.

@eleanorjboyd
Copy link
Member

eleanorjboyd commented Nov 12, 2025
edited
Loading

very true! Would you prefer I port over this change to my new branch or do you want to change this PR to just include the test for validation? Want to make sure you get credit!

@eleanorjboyd eleanorjboyd reopened this Nov 12, 2025
@JP-Ellis
Copy link
Author

JP-Ellis commented Nov 12, 2025

I'm happy for you to build on top of this PR, and run the necessary dependency verification and lockfile updates.

@eleanorjboyd
Copy link
Member

eleanorjboyd commented Nov 12, 2025

ok cherry picked it to here: #25585

@JP-Ellis
Copy link
Author

JP-Ellis commented Nov 12, 2025

Awesome thanks!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Tyriar Tyriar Tyriar requested changes

@eleanorjboyd eleanorjboyd eleanorjboyd approved these changes

Assignees

No one assigned

Labels

feature-request Request for new features or functionality

Projects

None yet

Milestone

November 2025

Development

Successfully merging this pull request may close these issues.

Unable to handle TOML with mixed-value arrays (as used by dependency groups)

3 participants

@JP-Ellis @eleanorjboyd @Tyriar

Comments