v0.2.4 — Security Patch

No functional changes. This release upgrades transitive dependencies to address a Dependabot security alert.

Vulnerability

Serialize JavaScript is Vulnerable to RCE via RegExp.flags and Date.prototype.toISOString()

Affected packages in the dependency tree:

• serialize-javascript — upgraded from 6.0.2 to 7.0.3
• minimatch — upgraded from 9.0.5 to 9.0.7

Both are transitive dependencies pulled in by mocha and @vscode/test-cli (devDependencies only). The vulnerability does not affect runtime extension code, but is resolved out of caution.

References

• GHSA-69xj-mcc2-95jq — serialize-javascript RCE
• CVE-2025-23208 — minimatch ReDoS

Install

Download formalist-0.2.4.vsix from the release assets and install via:

code --install-extension formalist-0.2.4.vsix

What's Changed

• fix extension marketplace compatibility for Code 1.108+ by changing engines.vscode to a semver range (^1.106.0)
• fixes #11

Full Changelog: 0.2.3...0.2.3-1

What's Changed

• just updated JS dependencies

Full Changelog: 0.2.2...0.2.3

• Updated R dependencies. Switched from {flint} to {flir} (fix #5)
• README update

• Updated README

[0.2.0] -- 2025-01-05

• New feature -- added Fix Lint function

[0.1.0] -- 2024-12-18

• Added logo
• Published on Open VSX Registry (#2)

Initial release of the Formalist Positron extension.

⚠ It works only with the latest Positron version 2025.01.0