Bump minimatch and azure-pipelines-task-lib in /src/Libraries/Microsoft.Extensions.AI.Evaluation.Reporting/TypeScript/azure-devops-report/tasks/PublishAIEvaluationReport #7361
Bumps [minimatch](https://github.com/isaacs/minimatch) to 3.1.5 and updates ancestor dependency [azure-pipelines-task-lib](https://github.com/Microsoft/azure-pipelines-task-lib). These dependencies need to be updated together.

Updates `minimatch` from 3.1.2 to 3.1.5
- [Changelog](https://github.com/isaacs/minimatch/blob/main/changelog.md)
- [Commits](isaacs/minimatch@v3.1.2...v3.1.5)

Updates `azure-pipelines-task-lib` from 5.2.2 to 5.2.7
- [Commits](https://github.com/Microsoft/azure-pipelines-task-lib/commits)

---
updated-dependencies:
- dependency-name: minimatch
  dependency-version: 3.1.5
  dependency-type: indirect
- dependency-name: azure-pipelines-task-lib
  dependency-version: 5.2.7
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>
/azp run

Azure Pipelines successfully started running 1 pipeline(s).
@shyamnamboodiripad it looks like the credentials are stale in
Still fails with #7365.
Ah I missed this earlier @ilonatommy @evgenyfedorov2 - sorry for the delayed response. I am not super familiar with how the auth is supposed to work here - tagging @peterwald who probably knows this better than myself - but looks like #7366 may have fixed the issue. Thanks!
The previous fix using NPM_CONFIG_USERCONFIG/GLOBALCONFIG env vars only overrides user-level and global-level .npmrc files, but npm has additional config sources (parent directory .npmrc walk-up, builtin npm config, and agent-level env vars) that can still provide stale auth tokens. Use CLI flags to explicitly set the auth token to empty for the public dotnet-public-npm feed. CLI flags have the highest precedence in npm's config hierarchy, overriding all other sources. Co-authored-by: Copilot <[email protected]>
The previous CLI flag approach was silently ignored because npm's argument parser (nopt) does not support scoped registry auth as CLI arguments. New approach: append empty _authToken entries (both specific and broad scope) directly into each project .npmrc before running npm ci. Project-level config has higher precedence than user/global/builtin configs, so this overrides stale tokens regardless of where they live on the agent. Also adds npm config list output for diagnostics. Co-authored-by: Copilot <[email protected]>
The previous commits on this branch wrote empty _authToken= entries into the project .npmrc. npm treats an empty token as invalid credentials (not 'no credentials'), so it sends the empty token and gets E401. Revert to main's approach: set NPM_CONFIG_USERCONFIG and NPM_CONFIG_GLOBALCONFIG env vars pointing to non-existent files. This makes npm skip user/global config (where stale tokens live) and access the public feed anonymously — which is what actually works. Co-authored-by: Copilot <[email protected]>
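To make the precedence argument in the three commit messages above concrete, here is an added Python model of how npm layers .npmrc files (not npm's own resolver and not code from this PR). It assumes a constructed placeholder feed URL and the simplified precedence order project > user > global > builtin stated in those messages, and shows why the empty-token workaround yields invalid credentials while the env-var workaround yields anonymous access.

```python
"""Simplified model of npm .npmrc layering: an added illustration, not npm's own
resolver. Precedence and the "empty token is still sent" rule come from the PR."""

# Layers in npm's precedence order, highest first (CLI/other env layers omitted).
LAYERS = ("project", "user", "global", "builtin")
# Constructed placeholder; the real dotnet-public-npm feed URL is not on the page.
FEED = "//example.invalid/_packaging/dotnet-public-npm/npm/registry/"

def parse_npmrc(text):
    """Parse key=value lines of an .npmrc, skipping blanks and ;/# comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in ";#":
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf

def merge(layers, missing):
    """Merge lowest-precedence layer first so higher layers overwrite it. Layers in
    `missing` are skipped, as when NPM_CONFIG_USERCONFIG/GLOBALCONFIG point at
    files that do not exist."""
    merged = {}
    for name in reversed(LAYERS):
        if name not in missing:
            merged.update(parse_npmrc(layers.get(name, "")))
    return merged

def auth_state(conf, feed):
    """'anonymous' if no token key resolves for the feed; 'invalid' if it resolves to
    an empty string (npm sends it anyway and the feed answers 401); else 'token'."""
    token = conf.get(feed + ":_authToken")
    if token is None:
        return "anonymous"
    return "invalid" if token == "" else "token"

# Constructed sample files: a stale token in the agent's user .npmrc, and the
# project .npmrc that pins the registry to the feed.
USER_NPMRC = FEED + ":_authToken=STALE_TOKEN_CONSTRUCTED\n"
PROJECT_NPMRC = "registry=https:" + FEED + "\n"

def no_workaround():  # stale agent token wins and is sent
    return auth_state(merge({"project": PROJECT_NPMRC, "user": USER_NPMRC}, set()), FEED)

def empty_token_workaround():  # project layer overrides, but with "" -> E401
    project = PROJECT_NPMRC + FEED + ":_authToken=\n"
    return auth_state(merge({"project": project, "user": USER_NPMRC}, set()), FEED)

def env_override_workaround():  # user/global skipped -> anonymous access
    return auth_state(merge({"project": PROJECT_NPMRC, "user": USER_NPMRC}, {"user", "global"}), FEED)
```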
/azp run

Azure Pipelines successfully started running 1 pipeline(s).
@shyamnamboodiripad I looked at the changes, but I'm not sure I understand why these changes are required. What changed to cause our original auth strategy to be no longer valid?
@peterwald I don't have the full context - however the below sequence of PRs that @ilonatommy created may be helpful - Based on a quick read through the descriptions for the above PRs, the problem seems to be that the previous auth strategy ended up caching stale credentials in some instances of the CI agent pool and that's now leading to CI failures. I am not sure why this only started happening now though. @ilonatommy @evgenyfedorov2 Do you know? Also looping in @akoeplinger who had created the following PR earlier that introduced the .npmrc and lock file for the PublishAIEvaluationReport package in #7108. (Some of the comments in that PR may also be helpful for context.)
No, I have no knowledge about the root cause, I was just trying to help having this PR merged with various workarounds of the issue.

#7366 is wrong and should be reverted, it basically bypasses our custom .npmrc that sets the AzDO dotnet-public-npm feed which we have to do for SFI compliance. The reason why you're getting 401 is that any new version of an upstream npm package needs to be ingested into the dotnet-public-npm feed explicitly from an authenticated Microsoft user for security reasons. You can do this by running scripts/UpdateNpmDependencies.ps1 from the directory that contains the package.json on a local machine and it will use your credentials to restore the packages (unfortunately this doesn't work in a Codespace so it needs to be a real machine)
@akoeplinger Thanks much for clarifying! @ilonatommy Could you please revert the workarounds that you had merged earlier and retry what @akoeplinger is proposing above?
The workarounds bypassed the custom .npmrc that sets the AzDO dotnet-public-npm feed, which is required for SFI compliance. The actual fix is to run scripts/UpdateNpmDependencies.ps1 to ingest new upstream npm package versions into the feed. Co-authored-by: Copilot <[email protected]>
Bumps minimatch to 3.1.5 and updates ancestor dependency azure-pipelines-task-lib. These dependencies need to be updated together.
Updates `minimatch` from 3.1.2 to 3.1.5

Commits
- 7bba978 3.1.5
- bd25942 docs: add warning about ReDoS
- 1a9c27c fix partial matching of globstar patterns
- 1a2e084 3.1.4
- ae24656 update lockfile
- b100374 limit recursion for **, improve perf considerably
- 26ffeaa lockfile update
- 9eca892 lock node version to 14
- 00c323b 3.1.3
- 30486b2 update CI matrix and actions

Updates `azure-pipelines-task-lib` from 5.2.2 to 5.2.7

Commits
Maintainer changes
This version was pushed to npm by tramsing, a new releaser for azure-pipelines-task-lib since your current version.
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

You can disable automated security fix PRs for this repo from the Security Alerts page.