Upgrade dependencies to resolve critical vulnerabilities and address Azure DevOps API v15 breaking changes AB#180
Upgrades azure-devops-node-api from 6.5.0 to 15.1.1 to resolve 3 critical CVEs (auth leak in typed-rest-client, RCE in underscore). Includes TypeScript 2.8→5.9 upgrade and adaptation to Azure DevOps API breaking changes.
Security Fixes
- typed-rest-client: Fixed authentication data leak to 3rd parties
- underscore: Fixed arbitrary code execution vulnerability
- Result: 0 vulnerabilities (npm audit)
Azure DevOps API Breaking Changes
Method Renames
// Before (v6)
witProcessApi.getProcesses()
witProcessApi.getProcessById(id)
witProcessApi.addWorkItemTypeRule(rule, processId, witRefName)
// After (v15)
witProcessApi.getListOfProcesses()
witProcessApi.getProcessByItsId(id)
witProcessApi.addProcessWorkItemTypeRule(rule, processId, witRefName)
Fields API Restructure
Fields moved from process-scoped to collection-scoped API:
// Before: Process-level fields
const fields = await witProcessApi.getFields(processId);
// Returns: WITProcessInterfaces.FieldModel[]
// After: Collection-level fields
const fields = await witApi.getFields();
// Returns: WITInterfaces.WorkItemField[]
Added converters WITToWITProcessDefinitionsFieldModel() and WITToWITProcessDefinitionsFieldType() to handle type system differences (FieldType enums have different numeric values: String is 0 vs 1).
Type System Changes
// Process validation
process.properties.class !== ProcessClass.Derived // Old
process.customizationType === CustomizationType.System // New
// Rule filtering
!rule.isSystem // Old
rule.customizationType !== CustomizationType.System // New
// Behavior matching
behaviorsOnTarget.some(b => b.id === behavior.id) // Old
behaviorsOnTarget.some(b => b.referenceName === behavior.id) // New
Interface Updates
- FieldRuleModel → ProcessRule with CreateProcessRuleRequest for creation
- Field access: field.id → field.referenceName
- ProcessInfo: removed nested properties.class, now top-level customizationType
Code Quality
- Removed unsafe type assertions (as any)
- Added explicit return type annotations for API calls
- Fixed typo in error message
Testing Recommendations
Critical paths requiring validation:
- Export/import with custom fields (especially picklists, identity types)
- Rule migration (verify system rules excluded)
- Behavior migration (process & work item type level)
- Process type validation (Inherited/Custom accepted, System rejected)
- Large processes (50+ fields, 20+ work item types)
Original prompt
Help me upgrade dependencies to the latest. There may be breaking changes in the Azure DevOps api that may require logic changes, make sure to highlight those so we make sure to test correctly.
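The FieldType mismatch described above (String is 0 in one enum and 1 in the other) means a converter has to map by member name, since reusing the number silently changes a field's type during import. The sketch below is an added example, not code from this PR: both enums are constructed stand-ins (only the String values come from the description), and toProcessFieldType, unsafeCast and compareConversions are hypothetical names.

```typescript
// Constructed stand-ins for the two FieldType enums. Only the String values
// (0 vs 1) come from the PR description; every other member and number is an
// assumption made for illustration.
enum WitFieldType { String = 0, Integer = 1, DateTime = 2, Boolean = 3 }
enum ProcessFieldType { String = 1, Integer = 2, DateTime = 3, Boolean = 4 }

// Hypothetical converter: map by member name, never by numeric value.
function toProcessFieldType(t: WitFieldType): ProcessFieldType {
  const name = WitFieldType[t]; // reverse mapping, e.g. 0 -> "String"
  if (name === undefined) {
    throw new Error(`Unknown collection-level field type value: ${t}`);
  }
  const lookup = ProcessFieldType as unknown as Record<string, ProcessFieldType | string>;
  const mapped = lookup[name];
  if (typeof mapped !== "number") {
    // Fail closed: a type with no counterpart must not be imported as something else.
    throw new Error(`No process-level equivalent for field type ${name}`);
  }
  return mapped;
}

// The shortcut a name-based converter replaces: reuse the number as-is.
function unsafeCast(t: WitFieldType): ProcessFieldType {
  return t as unknown as ProcessFieldType;
}

// Run both approaches over every collection-level type and report the
// process-level name each one lands on.
function compareConversions(): { name: string; safe: string; cast: string }[] {
  return Object.keys(WitFieldType)
    .filter(k => isNaN(Number(k))) // drop the numeric reverse-mapping keys
    .map(name => {
      const value = WitFieldType[name as keyof typeof WitFieldType];
      return {
        name,
        safe: ProcessFieldType[toProcessFieldType(value)],
        cast: ProcessFieldType[unsafeCast(value)] ?? "<undefined>",
      };
    });
}

for (const row of compareConversions()) {
  console.log(`${row.name}: by name -> ${row.safe}, by number -> ${row.cast}`);
}
```

With these stand-in values every numeric cast lands on the wrong type or on no type at all, which is the failure the export/import test path for custom fields should be checked against.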