Skip to content

feat: add vulnerability quick-fix + hint#39

Open
nitodeco wants to merge 3 commits intonpmx-dev:mainfrom
nitodeco:vuln-quick-fix
Open

feat: add vulnerability quick-fix + hint#39
nitodeco wants to merge 3 commits intonpmx-dev:mainfrom
nitodeco:vuln-quick-fix

Conversation

@nitodeco
Copy link
Collaborator

@nitodeco nitodeco commented Feb 9, 2026

Closes #24

marked 16 1 1, This version has 1 high, 2 moderate vulnerabilities Upgrade to 16 1 5 to

@nitodeco nitodeco requested a review from 9romise February 9, 2026 23:24
@coderabbitai
Copy link

coderabbitai bot commented Feb 9, 2026

📝 Walkthrough

Walkthrough

This pull request implements vulnerability code actions for the extension. It adds a new timeout constant for vulnerability fetches, integrates a code action provider in the main extension entry point, and creates a VulnerabilityCodeActionProvider that offers QuickFix actions to update package versions. The vulnerability diagnostic system is enhanced to extract fixed-in version information from API responses, determine the best available fixed version, and propagate this data through diagnostic messages and codes. The VulnerabilitySummary interface is extended with an optional fixedIn field to support this new functionality.

Suggested reviewers

  • 9romise
🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Check name Status Explanation
Description check ✅ Passed The PR description references issue #24 and includes screenshots demonstrating the vulnerability quick-fix feature with version recommendations.
Linked Issues check ✅ Passed The PR successfully implements all objectives from issue #24: surfacing earliest safe versions in vulnerability warnings, providing the minimum upgrade version, and enabling quick-fix code actions for version updates.
Out of Scope Changes check ✅ Passed All changes align with the PR objectives: constants for timeout, code action provider for vulnerability fixes, diagnostic enhancements with fixed-in versions, and API interface updates.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing touches
  • 📝 Generate docstrings
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Post copyable unit tests in a comment

Comment @coderabbitai help to get the list of available commands and usage tips.

coderabbitai[bot]
coderabbitai bot reviewed Feb 9, 2026
View reviewed changes
Copy link

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🧹 Nitpick comments (1)
src/providers/code-actions/vulnerability.ts (1)

47-51: Minor: Redundant parseVersion call on fixedInVersion.

The fixedInVersion extracted from the diagnostic code is already a raw semver string (e.g., "16.1.5"), so parseVersion(fixedInVersion)?.semver will return the same value. While this works correctly, it's slightly redundant.

♻️ Optional simplification 
       const currentVersion = document.getText(diagnostic.range)
       const currentSemver = parseVersion(currentVersion)?.semver
-      const fixedSemver = parseVersion(fixedInVersion)?.semver ?? fixedInVersion
-      if (currentSemver && currentSemver === fixedSemver)
+      if (currentSemver && currentSemver === fixedInVersion)
         return []

9romise
9romise requested changes Feb 10, 2026
View reviewed changes
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@coderabbitai coderabbitai[bot] coderabbitai[bot] left review comments

@9romise 9romise 9romise requested changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Display earliest safe version for vulnurability check

2 participants

@nitodeco @9romise