Perform yarn upgrade

[jfaltermeier]

What it does

The commit performs a yarn upgrade of the framework to better
represent what downstream applications pull with our version ranges, and
to resolve known security vulnerabilities which were pulled by our
lockfile. The changes also make sure that our declared ranges for
dependencies are correct and fixes any compilation errors.

Contributed on behalf of STMicroelectronics

How to test

Check for any regressions, especially for the components that needed compile fixes.

Review checklist

• As an author, I have thoroughly tested my changes and carefully followed the review guidelines

Reminder for reviewers

• As a reviewer, I agree to behave in accordance with the review guidelines

[jfaltermeier]

Pending Reviews: https://gitlab.eclipse.org/eclipsefdn/emo-team/iplab/-/issues/?sort=created_date&state=opened&author_username=mdumais&in=DESCRIPTION&search=ecd.theia&first_page_size=20

opened for a different project, but we need these dependencies as well:

https://gitlab.eclipse.org/eclipsefdn/emo-team/iplab/-/issues/?sort=created_date&state=opened&author_username=mdumais&in=DESCRIPTION&search=ecd.cdt-cloud&first_page_size=20

[MatthewKhouzam]

Hey, this is really cool. Just wanted to say thanks!

[JonasHelming]

@jfaltermeier What is the state of this?

[jfaltermeier]

The license check does not complete because the IP team has not yet reviewed the upgraded vsce-sign-* packages. See links above.

[marcdumais-work]

The license check does not complete because the IP team has not yet reviewed the upgraded vsce-sign-* packages. See links above.

The IP check for this is a bit complicated and could potentially take a while. Looking quickly in this repo, how @vscode/vsce is used, I think you have a good case to be granted "works with" approval for the vsce-sign-* packages:

Searching in the repo, the only use made of vsce is to package test plugins (vscode extensions), that are not published to the Visual Studio Marketplace or even openvsx, AFAIK:

What I would do:

• Manually open a single IP ticket about the @vscode/vsce-sign-* and explain the limited way vsce is used in this project. I expect you will be granted a "works with" project-wide permission for these dependencies.
• if the license check still fails on some or all of them, add the corresponding npm packages in the exclude file, adding for each a link to the IP ticket where you got approval to use the dependencies: https://github.com/eclipse-theia/theia/blob/master/dependency-check-baseline.json
• the license check should now pass

[JonasHelming]

@marcdumais-work Thank you very much! @jfaltermeier FYI

[marcdumais-work]

@jfaltermeier Alternatively, and probably quicker, another option would be to use a slightly older version of vsce, that does not pull the `vsce-sign* packages:

Update root package.json to depend on [email protected]. If that's not enough, you might pin the version by adding an entry in the resolutions block in the same file, "@vscode/vsce": "2.25.0".

I would suggest doing this for now, but maybe still going forward with the suggestion to open a Theia-specific IP ticket, for the longer term, since you may not want to use an older vsce forever.

[jfaltermeier]

I've pinned it to 2.25.0 now and opened a ticket regarding the works-with approval: https://gitlab.eclipse.org/eclipsefdn/emo-team/iplab/-/issues/16445.

Now the license check is failing for npm/npmjs/-/electron-to-chromium/1.5.13. We've seen this happen in other projects as well, starting mid/end of last month - license checks that were green are now failing because of this.