Moved vso-task-lib download to runtime #5277
Conversation
/azp run |
Azure Pipelines successfully started running 1 pipeline(s). |
Pull Request Overview
This PR moves the vso-task-lib download from build time to runtime to mitigate security vulnerabilities (CVE-2022-0144, CVE-2022-3517, CVE-2017-18077) in the minimist and shelljs packages. The change ensures that users without custom tasks dependent on vso-task-lib are not exposed to these CVEs.
- Removes build-time download of vso-task-lib from the externals.sh script
- Implements runtime download functionality through a new VsoTaskLibManager class
- Adds telemetry tracking for vso-task-lib usage in NodeHandler
Reviewed Changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 5 comments.
File | Description
---|---
src/Misc/externals.sh | Removes the build-time download of vso-task-lib
src/Agent.Worker/VsoTaskLibManager.cs | New class implementing runtime download and extraction of vso-task-lib
src/Agent.Worker/Handlers/NodeHandler.cs | Integrates runtime download and adds telemetry tracking
@microsoft-github-policy-service agree |
@microsoft-github-policy-service rerun |
Context
Agent code has a few vulnerabilities because vso-task-lib packages a few old minimist and shelljs packages.
Moving vso-task-lib loading to run time avoids these CVEs for users who do not have a custom task dependent on these.
📌 AB#2301251
Description
Agent code has a few vulnerabilities because vso-task-lib packages a few old minimist and shelljs packages.
Moving vso-task-lib loading to run time avoids these CVEs for users who do not have a custom task dependent on these.
CVE-2022-0144
CVE-2022-3517
CVE-2017-18077
Risk Assessment (Low)
Moving the dependency from loading at build time to loading at run time; since this dependency is not required until NodeHandler is defined, this is a safe place to load it.
Unit Tests Added or Updated (Yes / No)
No
Additional Testing Performed
Manually triggered pipelines and validated that the folder is available at the desired location for tasks using NodeHandler.
Change Behind Feature Flag (Yes / No)
No (the original change to use these files is already behind a FF; this change is moved under that FF condition as well)
Tech Design / Approach
NA
Documentation Changes Required (Yes/No)
NA
Logging Added/Updated (Yes/No)
Yes
Telemetry Added/Updated (Yes/No)
NA
Rollback Scenario and Process (Yes/No)
Enable the feature flag
Dependency Impact Assessed and Regression Tested (Yes/No)
Yes
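The PR moves the vso-task-lib download from the build (externals.sh) into the worker, where it happens lazily the first time a Node task needs it. The code below is an added example, not the agent's VsoTaskLibManager or NodeHandler (that code is not shown on this page): it sketches the shape such a runtime fetch should take in C#, with the two checks a practitioner would want once a download happens on the agent host instead of the build machine: the archive is verified against a pinned SHA-256 digest before anything is extracted, and extraction refuses zip entries whose paths resolve outside the target directory. The class name `VsoTaskLibFetcher`, the `.vso-task-lib.complete` marker file, the injected `fetchArchive` delegate, and the constructed in-memory archive are all assumptions for this example; it targets .NET 6 or later and runs offline.

```csharp
using System;
using System.IO;
using System.IO.Compression;
using System.Net.Http;
using System.Security.Cryptography;
using System.Threading;
using System.Threading.Tasks;

// Hypothetical runtime fetcher for a task-library archive (example code, not the agent's own class).
public sealed class VsoTaskLibFetcher
{
    private readonly Func<Task<byte[]>> _fetchArchive; // injected so the demo runs offline; HttpFetcher() builds the real one
    private readonly string _expectedSha256;           // digest pinned at build time, lowercase hex
    private readonly string _targetDir;
    private readonly SemaphoreSlim _gate = new(1, 1);  // serialise concurrent handlers provisioning the same folder

    public VsoTaskLibFetcher(Func<Task<byte[]>> fetchArchive, string expectedSha256, string targetDir)
    {
        _fetchArchive = fetchArchive;
        _expectedSha256 = expectedSha256.ToLowerInvariant();
        _targetDir = targetDir;
    }

    // Real deployments would pass this delegate; the URL is whatever the build pinned alongside the digest.
    public static Func<Task<byte[]>> HttpFetcher(HttpClient http, Uri archiveUrl) => () => http.GetByteArrayAsync(archiveUrl);

    // Written only after a verified archive has been fully extracted, so a crash mid-extract is retried next time.
    private string MarkerPath => Path.Combine(_targetDir, ".vso-task-lib.complete");

    public async Task<string> EnsureAvailableAsync(CancellationToken ct = default)
    {
        if (File.Exists(MarkerPath)) return _targetDir;        // fast path: already provisioned on this agent
        await _gate.WaitAsync(ct);
        try
        {
            if (File.Exists(MarkerPath)) return _targetDir;    // another handler finished while we waited
            byte[] archive = await _fetchArchive();
            string actual = Convert.ToHexString(SHA256.HashData(archive)).ToLowerInvariant();
            if (actual != _expectedSha256)                     // verify before touching the archive contents
                throw new InvalidDataException($"vso-task-lib digest mismatch: expected {_expectedSha256}, got {actual}");
            ExtractSafely(archive, _targetDir);
            File.WriteAllText(MarkerPath, actual);
            return _targetDir;
        }
        finally { _gate.Release(); }
    }

    // Extract entry by entry, rejecting any path that would land outside the target directory (zip-slip).
    private static void ExtractSafely(byte[] archive, string targetDir)
    {
        Directory.CreateDirectory(targetDir);
        string root = Path.GetFullPath(targetDir + Path.DirectorySeparatorChar);
        using var zip = new ZipArchive(new MemoryStream(archive), ZipArchiveMode.Read);
        foreach (ZipArchiveEntry entry in zip.Entries)
        {
            string dest = Path.GetFullPath(Path.Combine(root, entry.FullName));
            if (!dest.StartsWith(root, StringComparison.Ordinal))
                throw new InvalidDataException($"Refusing archive entry outside target directory: {entry.FullName}");
            if (entry.FullName.EndsWith("/")) { Directory.CreateDirectory(dest); continue; }
            Directory.CreateDirectory(Path.GetDirectoryName(dest)!);
            entry.ExtractToFile(dest, overwrite: true);
        }
    }
}

public static class Demo
{
    public static async Task Main()
    {
        // Constructed stand-in for the downloaded archive (not the real vso-task-lib package).
        byte[] archive;
        using (var ms = new MemoryStream())
        {
            using (var zip = new ZipArchive(ms, ZipArchiveMode.Create, leaveOpen: true))
            {
                using var w = new StreamWriter(zip.CreateEntry("vso-task-lib/package.json").Open());
                w.Write("{\"name\":\"vso-task-lib\"}");
            }
            archive = ms.ToArray();
        }
        string pinned = Convert.ToHexString(SHA256.HashData(archive)).ToLowerInvariant();
        string dir = Path.Combine(Path.GetTempPath(), "vso-task-lib-demo-" + Guid.NewGuid().ToString("N"));

        int fetches = 0;
        var fetcher = new VsoTaskLibFetcher(() => { fetches++; return Task.FromResult(archive); }, pinned, dir);
        await fetcher.EnsureAvailableAsync();
        await fetcher.EnsureAvailableAsync();   // hits the marker: no second download
        bool present = File.Exists(Path.Combine(dir, "vso-task-lib", "package.json"));
        Console.WriteLine($"fetches={fetches}, extracted={present}");

        // A modified archive against the same pin must be rejected before extraction.
        byte[] tampered = (byte[])archive.Clone();
        tampered[^1] ^= 0x01;
        var bad = new VsoTaskLibFetcher(() => Task.FromResult(tampered), pinned, dir + "-bad");
        try { await bad.EnsureAvailableAsync(); Console.WriteLine("unexpected: tampered archive accepted"); }
        catch (InvalidDataException e) { Console.WriteLine("rejected: " + e.Message); }
    }
}
```

The marker file is what makes the lazy download idempotent across jobs on the same agent, and writing it only after verification and extraction means a partial or tampered download is never mistaken for a provisioned library. The digest pin is the piece that keeps the security posture equivalent to the old build-time download: without it, moving the fetch to run time would trade the packaged-dependency CVEs for trust in whatever the download endpoint returns at job time.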