Skip to content

Sync/upstream 20260519#8

Merged
gadeynebram merged 22 commits into
mainfrom
sync/upstream-20260519
May 19, 2026
Merged

Sync/upstream 20260519#8
gadeynebram merged 22 commits into
mainfrom
sync/upstream-20260519

Conversation

@gadeynebram
Copy link
Copy Markdown
Owner

@gadeynebram gadeynebram commented May 19, 2026

No description provided.

danmoseley and others added 22 commits April 29, 2026 08:20
@danmoseley
Document isError behavior for 404 in tool descriptions (microsoft#1206)
34ced6c 
> [!NOTE]
> This PR description was drafted with GitHub Copilot assistance.

Fixes microsoft#1190

## Summary

Several tool descriptions don't document their not-found behavior
(`isError: true`), making it harder for LLM agents to anticipate and
handle missing resources gracefully.

This PR adds `Returns isError: true if the [resource] is not found.` to
the descriptions of five tools:

| Tool | Added text |
|------|-----------|
| `repo_get_branch_by_name` | Returns isError: true if the branch is not
found. |
| `repo_list_directory` | Returns isError: true if the path is not
found. |
| `repo_get_file_content` | Returns isError: true if the file is not
found. |
| `wiki_get_page` | Returns isError: true if the page is not found. |
| `wiki_get_page_content` | Returns isError: true if the wiki page is
not found. |

The sixth tool mentioned in microsoft#1190 (`repo_list_branches_by_repo`) is
addressed separately in PR microsoft#1204.

## Associated Risks

None — description-only changes, no logic affected.

## PR Checklist

- [x] Description text changes only
- [x] All 924 existing tests pass
- [x] No conflicts with other open PRs (microsoft#1203, microsoft#1204, microsoft#1205)

## How did you test it

Ran the full test suite (`npx jest`) — 924 tests pass with no changes
needed.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@danmoseley @danhellem
Clarify branch list tool descriptions to indicate string return (micr…
6364656 
…osoft#1204)

> [!NOTE]
> This PR description was drafted with GitHub Copilot assistance.

Fixes microsoft#1189

Agents seeing "Retrieve a list of branches" reasonably expect objects
with metadata (commit SHA, ahead/behind counts, etc.) and attempt to
access properties that don't exist. For example in Copilot CLI actual
session, before this change:

```
The branch listing returned string names rather than objects with
metadata &#8212; there's no commit SHA, ahead/behind count, or other
properties available from this tool.
```

Clarify the descriptions of `repo_list_branches_by_repo` and
`repo_list_my_branches_by_repo` to indicate they return branch name
strings, not full branch objects, and point to `repo_get_branch_by_name`
for full details.

This PR updates the descriptions to say "branch name strings, not full
branch objects" and directs agents to
`repo_get_branch_by_name` when they need full branch details.

## GitHub issue number

microsoft#1189

## **Associated Risks**

Description-only change. No behavioral change.

## ✅ **PR Checklist**

- [x] **I have read the [contribution
guidelines](https://github.com/microsoft/azure-devops-mcp/blob/main/CONTRIBUTING.md)**
- [x] **I have read the [code of conduct
guidelines](https://github.com/microsoft/azure-devops-mcp/blob/main/CODE_OF_CONDUCT.md)**
- [x] Title of the pull request is clear and informative.
- [x] 👌 Code hygiene
- [x] 🔭 Telemetry added, updated, or N/A
- [x] 📄 Documentation added, updated, or N/A
- [x] 🛡️ Automated tests added, or N/A

## 🧪 **How did you test it?**

- `npm test -- --runTestsByPath test/src/tools/repositories.test.ts
--runInBand`
- `npm run validate-tools`

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Dan Hellem <dahellem@microsoft.com>
@dependabot @danhellem
[dependencies]: Bump typescript-eslint from 8.59.0 to 8.59.1 (microso…
cc8e0e4 
…ft#1202)

Bumps
[typescript-eslint](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/typescript-eslint)
from 8.59.0 to 8.59.1.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/typescript-eslint/typescript-eslint/releases">typescript-eslint's
releases</a>.</em></p>
<blockquote>
<h2>v8.59.1</h2>
<h2>8.59.1 (2026-04-27)</h2>
<h3>🩹 Fixes</h3>
<ul>
<li><strong>eslint-plugin:</strong> [no-unnecessary-type-assertion] fix
crash &quot;TypeError: checker.getTypeArguments is not a function&quot;
(<a
href="https://redirect.github.com/typescript-eslint/typescript-eslint/pull/12246">#12246</a>)</li>
<li><strong>eslint-plugin:</strong> [no-unnecessary-type-assertion]
preserve index signatures in undefined unions (<a
href="https://redirect.github.com/typescript-eslint/typescript-eslint/pull/12257">#12257</a>)</li>
<li><strong>eslint-plugin:</strong> [no-unnecessary-type-assertion]
preserve phantom type arguments in generic inference (<a
href="https://redirect.github.com/typescript-eslint/typescript-eslint/pull/12269">#12269</a>)</li>
<li><strong>eslint-plugin:</strong> [no-unnecessary-type-assertion]
avoid false positive in logical assignment assertions (<a
href="https://redirect.github.com/typescript-eslint/typescript-eslint/pull/12278">#12278</a>)</li>
<li><strong>eslint-plugin:</strong> [no-unnecessary-type-arguments]
handle instantiation expressions (<a
href="https://redirect.github.com/typescript-eslint/typescript-eslint/pull/12220">#12220</a>)</li>
<li><strong>eslint-plugin:</strong> [no-unnecessary-condition] treat
void as nullish in no-unnecessary-condition (<a
href="https://redirect.github.com/typescript-eslint/typescript-eslint/pull/12241">#12241</a>)</li>
</ul>
<h3>❤️ Thank You</h3>
<ul>
<li>anasm266 <a
href="https://github.com/anasm266"><code>@​anasm266</code></a></li>
<li>Anshika Jain <a
href="https://github.com/Anshikakalpana"><code>@​Anshikakalpana</code></a></li>
<li>Ulrich Stark</li>
<li>yugo innami <a
href="https://github.com/nami8824"><code>@​nami8824</code></a></li>
</ul>
<p>See <a
href="https://github.com/typescript-eslint/typescript-eslint/releases/tag/v8.59.1">GitHub
Releases</a> for more information.</p>
<p>You can read about our <a
href="https://typescript-eslint.io/users/versioning">versioning
strategy</a> and <a
href="https://typescript-eslint.io/users/releases">releases</a> on our
website.</p>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/typescript-eslint/CHANGELOG.md">typescript-eslint's
changelog</a>.</em></p>
<blockquote>
<h2>8.59.1 (2026-04-27)</h2>
<p>This was a version bump only for typescript-eslint to align it with
other projects, there were no code changes.</p>
<p>See <a
href="https://github.com/typescript-eslint/typescript-eslint/releases/tag/v8.59.1">GitHub
Releases</a> for more information.</p>
<p>You can read about our <a
href="https://typescript-eslint.io/users/versioning">versioning
strategy</a> and <a
href="https://typescript-eslint.io/users/releases">releases</a> on our
website.</p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/typescript-eslint/typescript-eslint/commit/52457932e5507b5ca01e720a541f3f8d01e09b9d"><code>5245793</code></a>
chore(release): publish 8.59.1</li>
<li>See full diff in <a
href="https://github.com/typescript-eslint/typescript-eslint/commits/v8.59.1/packages/typescript-eslint">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=typescript-eslint&package-manager=npm_and_yarn&previous-version=8.59.0&new-version=8.59.1)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)


</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Dan Hellem <dahellem@microsoft.com>
@dependabot @danhellem
[dependencies]: Bump @azure/msal-node from 5.1.4 to 5.1.5 (microsoft#…
ff02c2e 
…1208)

Bumps
[@azure/msal-node](https://github.com/AzureAD/microsoft-authentication-library-for-js)
from 5.1.4 to 5.1.5.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/AzureAD/microsoft-authentication-library-for-js/releases"><code>@​azure/msal-node</code>'s
releases</a>.</em></p>
<blockquote>
<h2><code>@​azure/msal-node-extensions</code> v5.1.5</h2>
<h2>5.1.5</h2>
<p>Tue, 28 Apr 2026 21:30:33 GMT</p>
<h3>Patches</h3>
<ul>
<li>Bump <code>@​azure/msal-common</code> to v16.5.2 (beachball)</li>
</ul>
<h2><code>@​azure/msal-node</code> v5.1.5</h2>
<h2>5.1.5</h2>
<p>Tue, 28 Apr 2026 21:30:32 GMT</p>
<h3>Patches</h3>
<ul>
<li>fix(msal-node): replace uuid with node:crypto to resolve
GHSA-w5hq-g745-h8pq (<a
href="mailto:pieter.willaert@colruytgroup.com">pieter.willaert@colruytgroup.com</a>)</li>
<li>Preserve authority metadata when calling clear() <a
href="https://redirect.github.com/AzureAD/microsoft-authentication-library-for-js/pull/8542">#8542</a>
(<a
href="mailto:shylasummers@microsoft.com">shylasummers@microsoft.com</a>)</li>
<li>Bump <code>@​azure/msal-common</code> to v16.5.2 (beachball)</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/AzureAD/microsoft-authentication-library-for-js/commit/7ca7202caaa8f335bf5cec4359de7f664b335d2b"><code>7ca7202</code></a>
fix(sample): acquire token after B2C edit profile policy (<a
href="https://redirect.github.com/AzureAD/microsoft-authentication-library-for-js/issues/8568">#8568</a>)</li>
<li><a
href="https://github.com/AzureAD/microsoft-authentication-library-for-js/commit/29a826b8abf0371b8ab74201f105bdb4f4679cd9"><code>29a826b</code></a>
Address dependabot Github Actions alerts (<a
href="https://redirect.github.com/AzureAD/microsoft-authentication-library-for-js/issues/8550">#8550</a>)</li>
<li><a
href="https://github.com/AzureAD/microsoft-authentication-library-for-js/commit/34a4e06620d35bdf51f6d7577831d9e6767b280a"><code>34a4e06</code></a>
fix(msal-browser): CookieStorage tolerates malformed percent-encoded
cookies ...</li>
<li><a
href="https://github.com/AzureAD/microsoft-authentication-library-for-js/commit/a800fd2f9efc2e0dd69f56ad88adfcd4fd20474f"><code>a800fd2</code></a>
fix(msal-common): use proper 2-arg comparator in getAccountInfoFilter…
(<a
href="https://redirect.github.com/AzureAD/microsoft-authentication-library-for-js/issues/8559">#8559</a>)</li>
<li><a
href="https://github.com/AzureAD/microsoft-authentication-library-for-js/commit/1737897f474316537f5f3a47a54ee21fd05741cb"><code>1737897</code></a>
fix(msal-browser): freeze Date.now() in beforeEach to eliminate
timestamp fla...</li>
<li><a
href="https://github.com/AzureAD/microsoft-authentication-library-for-js/commit/b9c8b813380c964f14551f477aaa11d358dd5873"><code>b9c8b81</code></a>
fix(msal-node): replace uuid with node:crypto.randomUUID() (GHSA-w5hq…
(<a
href="https://redirect.github.com/AzureAD/microsoft-authentication-library-for-js/issues/8566">#8566</a>)</li>
<li><a
href="https://github.com/AzureAD/microsoft-authentication-library-for-js/commit/8033a180e33865b889cc1ec7296dc9fda9f1461e"><code>8033a18</code></a>
Remove beachball change file for msal-browser native broker revert (<a
href="https://redirect.github.com/AzureAD/microsoft-authentication-library-for-js/issues/8567">#8567</a>)</li>
<li><a
href="https://github.com/AzureAD/microsoft-authentication-library-for-js/commit/e6f44e9209ca77e277d8cee62573203b88428874"><code>e6f44e9</code></a>
Revert &quot;Bugfix - include extra query parameters in ExtraParameters
in Platfor...</li>
<li><a
href="https://github.com/AzureAD/microsoft-authentication-library-for-js/commit/109a3517041ea7187721b194d89587ee9d4692ce"><code>109a351</code></a>
Bugfix - include extra query parameters in ExtraParameters in
PlatformAuthReq...</li>
<li><a
href="https://github.com/AzureAD/microsoft-authentication-library-for-js/commit/274795144bc12548a2e3e61512d20e327d732924"><code>2747951</code></a>
Native Auth:fix: use client_info=&quot;1&quot; string value in native
auth token reques...</li>
<li>Additional commits viewable in <a
href="https://github.com/AzureAD/microsoft-authentication-library-for-js/compare/msal-node-v5.1.4...msal-node-v5.1.5">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=@azure/msal-node&package-manager=npm_and_yarn&previous-version=5.1.4&new-version=5.1.5)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)


</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Dan Hellem <dahellem@microsoft.com>
@danmoseley @danhellem
Auto-resolve repository name to GUID in get_build_definitions (micros…
e2e150a 
…oft#1205)

> [!NOTE]
> This PR description was drafted with GitHub Copilot assistance.

Fixes microsoft#1194

Auto-resolve repository names to GUIDs in
`pipelines_get_build_definitions` for Azure Repos (TfsGit).

The Azure DevOps `getDefinitions()` API requires a GUID for
`repositoryId` when `repositoryType` is TfsGit. Agents naturally pass
repository names (which they get from other tools), causing a cryptic
failure:

```
Tool: ado-dnceng-public-pipelines_get_build_definitions
Args: { "project": "public", "repositoryId": "aspnet-AspLabs", "repositoryType": "TfsGit" }
Result: Repository ID for a tfsgit repository should be a GUID.
IsError: true
```

This PR detects when `repositoryId` is not a GUID (and the repository
type is TfsGit or unspecified), resolves it via
`getRepositories(project)`, and passes the GUID to the API. If the name
isn't found, it returns a clear error.

Confirmed with live ADO API against `aspnet-AspLabs` in dnceng — name
fails, resolved GUID succeeds.

## GitHub issue number

microsoft#1194

## **Associated Risks**

Adds an extra API call (`getRepositories`) only when `repositoryId` is
not a GUID and the repository type is TfsGit or unspecified. GUID values
and non-TfsGit types are passed through unchanged.

## ✅ **PR Checklist**

- [x] **I have read the [contribution
guidelines](https://github.com/microsoft/azure-devops-mcp/blob/main/CONTRIBUTING.md)**
- [x] **I have read the [code of conduct
guidelines](https://github.com/microsoft/azure-devops-mcp/blob/main/CODE_OF_CONDUCT.md)**
- [x] Title of the pull request is clear and informative.
- [x] 👌 Code hygiene
- [x] 🔭 Telemetry added, updated, or N/A
- [x] 📄 Documentation added, updated, or N/A
- [x] 🛡️ Automated tests added, or N/A

## 🧪 **How did you test it?**

- `npm test -- --runTestsByPath test/src/tools/pipelines.test.ts
--runInBand`
- Confirmed with live ADO API: `getDefinitions(project,
"aspnet-AspLabs", "TfsGit")` returns "Repository ID should be a GUID";
after resolving to GUID `4b7f10b6-89f4-46cf-8858-4c21032ec66a` returns 1
definition

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Dan Hellem <dahellem@microsoft.com>
@danmoseley @danhellem
Return isError for missing paths in repo_list_directory (microsoft#1203)
2e1f8e3 
Fixes microsoft#1188

Return `isError: true` when `repo_list_directory` finds no items at the
requested path.

The Azure DevOps `getItems()` API returns `null` for nonexistent paths
rather than throwing. The tool currently returns a success response with
"No items found at path: ..." which the agent treats as a valid empty
result. This makes it difficult for agents to detect a bad path and
recover.

This PR adds `isError: true` to the response and appends "The path may
not exist in the repository." to the message, consistent with the
`isError` pattern already used elsewhere in this codebase (e.g.,
`core.ts` identities lookup, `work.ts` iterations, `repositories.ts` PR
iterations).

Confirmed with live ADO API: `getItems("/nonexistent")` on a real
repository returns `null`, not an exception.

Note -- the case where `[]` is returned is also treated as an error,
consistent with other tools in this MCP, although in practice this
hasn't been seen. An empty directory always returns at least itself in
the results.

## Example
```
 Tool: ado-dnceng-public-repo_list_directory                                                          
   Args: { "project": "public", "repositoryId": "2459d599-fdb2-4d28-9810-daeec061cf90", "path":        
  "/nonexistent-path-xyz-12345" }
```
currently
```                                                         
  Result: No items found at path: /nonexistent-path-xyz-12345                                         
  IsError: false                                                                                       
```
  then with this fix
```                                                                                                   
  Result: No items found at path: /nonexistent-path-xyz-12345. The path may not exist in the repository
  IsError: true     
```

## GitHub issue number

microsoft#1188

## **Associated Risks**

Agents that currently ignore the "No items found" message and treat it
as success will now see `isError: true`. This is the intended behavior
change.

## ✅ **PR Checklist**

- [x] **I have read the [contribution
guidelines](https://github.com/microsoft/azure-devops-mcp/blob/main/CONTRIBUTING.md)**
- [x] **I have read the [code of conduct
guidelines](https://github.com/microsoft/azure-devops-mcp/blob/main/CODE_OF_CONDUCT.md)**
- [x] Title of the pull request is clear and informative.
- [x] 👌 Code hygiene
- [x] 🔭 Telemetry added, updated, or N/A
- [x] 📄 Documentation added, updated, or N/A
- [x] 🛡️ Automated tests added, or N/A

## 🧪 **How did you test it?**

- `npm test -- --runTestsByPath test/src/tools/repositories.test.ts
--runInBand`
- Confirmed with live ADO API that `getItems()` returns `null` for
nonexistent paths

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Dan Hellem <dahellem@microsoft.com>
@danmoseley @danhellem
Avoid stack overflow flattening test results (microsoft#1183)
ddd430d 
> [!NOTE]
> This PR description was drafted with GitHub Copilot assistance.

Fixes microsoft#1179

Avoid stack overflow when flattening large result groups in
`testplan_show_test_results_from_build_id`.

The previous implementation used:

```ts
allResults.push(...group.results)
```

For very large result groups, that spreads every result as a function
argument and can exceed JavaScript engine argument limits, throwing
`Maximum call stack size exceeded`:
```
Tool: ado-dnceng-public-testplan_show_test_results_from_build_id
Args: { "project": "public", "buildid": 1395596 }
Result: MCP server 'ado-dnceng-public': Error fetching test results: Maximum call stack size exceeded
```

This PR changes the flattening to iterate results and push one item at a
time. The structure of the JSON is not changed -- it's the same
structure the code would produce if it didn't stack overflow the engine
by using spread.

## GitHub issue number

microsoft#1179

## **Associated Risks**

This is intended to be behavior-preserving except for avoiding the
spread/argument-limit failure. It does not otherwise change result
fetching or output shape.
Returning very large output successfully may now expose a limitation
elsewhere.

## ✅ **PR Checklist**

- [x] **I have read the [contribution
guidelines](https://github.com/microsoft/azure-devops-mcp/blob/main/CONTRIBUTING.md)**
- [x] **I have read the [code of conduct
guidelines](https://github.com/microsoft/azure-devops-mcp/blob/main/CODE_OF_CONDUCT.md)**
- [x] Title of the pull request is clear and informative.
- [x] 👌 Code hygiene
- [x] 🔭 Telemetry added, updated, or N/A
- [x] 📄 Documentation added, updated, or N/A
- [x] 🛡️ Automated tests added, or N/A

## 🧪 **How did you test it?**

- `npm test -- --runTestsByPath test/src/tools/test-plan.test.ts
--runInBand`
- `npm run validate-tools`

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Dan Hellem <dahellem@microsoft.com>
@danmoseley @danhellem
Harden artifact download path validation (microsoft#1185)
2a73b4b 
> [!NOTE]
> This PR description was drafted with GitHub Copilot assistance.

Fixes microsoft#1181

Clarify and harden path validation for `pipelines_download_artifact`.

The tool rejects absolute `destinationPath` values, but agents primarily
see runtime MCP tool descriptions rather than repository docs. In
Copilot CLI I got
```text
Tool: ado-dnceng-public-pipelines_download_artifact
Args: { "project": "public", "buildId": 1395596, "artifactName": "Windows_NT_Libraries Test Run release coreclr windows x86 Release_Attempt1", "destinationPath": "C:\\temp\\runtime-127406-testresults" }
Result: Invalid destinationPath: absolute paths and path traversals are not allowed.
```

This PR makes the relative-only requirement visible in both the
top-level tool description and the `destinationPath` parameter
description.

It also strengthens validation by treating `artifactName` as a name
rather than a path and rejecting path separators, absolute paths,
drive-letter syntax, and `.`/`..` path segments.

## GitHub issue number

microsoft#1181

## **Associated Risks**

This intentionally keeps absolute `destinationPath` values rejected to
avoid arbitrary local write locations. Agents that currently pass
absolute paths will receive a clearer pre-call schema description and a
clearer validation error.

## ✅ **PR Checklist**

- [x] **I have read the [contribution
guidelines](https://github.com/microsoft/azure-devops-mcp/blob/main/CONTRIBUTING.md)**
- [x] **I have read the [code of conduct
guidelines](https://github.com/microsoft/azure-devops-mcp/blob/main/CODE_OF_CONDUCT.md)**
- [x] Title of the pull request is clear and informative.
- [x] 👌 Code hygiene
- [x] 🔭 Telemetry added, updated, or N/A
- [x] 📄 Documentation added, updated, or N/A
- [x] 🛡️ Automated tests added, or N/A

## 🧪 **How did you test it?**

- `npm test -- --runTestsByPath test/src/tools/pipelines.test.ts
--runInBand`
- `npm run validate-tools`

---------

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Dan Hellem <dahellem@microsoft.com>
@danmoseley @danhellem
Fix test result outcome filtering (microsoft#1182)
c95c9b3 
> [!NOTE]
> This PR description was drafted with GitHub Copilot assistance.

Fixes microsoft#1129

Avoid sending the invalid Azure DevOps result-details `$filter`
expression for `outcomes` in `testplan_show_test_results_from_build_id`.

The current implementation builds an expression like:

```text
Outcome eq 'Failed' or Outcome eq 'Aborted'
```

Azure DevOps rejects this for the result-details endpoint, this is what
I got in Copilot:

```text
Tool: ado-dnceng-testplan_show_test_results_from_build_id
Args: { "project": "internal", "buildid": 2952924, "outcomes": ["Failed"] }
Result: Error fetching test results: Argument filter with value Outcome eq 'Failed' is not correct.
```

## Cause

This is because of a bug in test-plans.ts, where it assumed values
should be quoted and joined with "or" when what actually is expected by
the API is unquoted and joined with comma:

https://github.com/microsoft/azure-devops-mcp/blob/main/src/tools/test-plans.ts#L431-L432

Proof -- this [example working
URL](https://vstmr.dev.azure.com/dnceng-public/public/_apis/testresults/resultdetailsbybuild?buildId=1396794&publishContext=CI&groupBy=TestRun&%24filter=Outcome%20eq%20Failed%2CPassed&%24orderby=&shouldIncludeResults=true&queryRunSummaryForInProgress=false)
filters for "failed or passed" and contains
`Outcome%20eq%20Failed%2CPassed` ie unquoted comma separated.

## GitHub issue number

microsoft#1129

## **Associated Risks**

Relies on the filter syntax, which is not well (or at all?) documented,
however the existing code already relies on this. Plus, this repo is
owned by the Azure Devops team, who can presumably be confident of what
is OK to rely on.

## ✅ **PR Checklist**

- [x] **I have read the [contribution
guidelines](https://github.com/microsoft/azure-devops-mcp/blob/main/CONTRIBUTING.md)**
- [x] **I have read the [code of conduct
guidelines](https://github.com/microsoft/azure-devops-mcp/blob/main/CODE_OF_CONDUCT.md)**
- [x] Title of the pull request is clear and informative.
- [x] 👌 Code hygiene
- [x] 🔭 Telemetry added, updated, or N/A
- [x] 📄 Documentation added, updated, or N/A
- [x] 🛡️ Automated tests added, or N/A

## 🧪 **How did you test it?**

- `npm test -- --runTestsByPath test/src/tools/test-plan.test.ts
--runInBand`
- `npm run validate-tools`

---------

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Dan Hellem <dahellem@microsoft.com>
@danhellem
Add support for default project and team configuration (microsoft#1225)
ba0ddca 
This pull request adds support for setting default Azure DevOps project
and team values via environment variables and updates the documentation
and tests accordingly. Now, if the environment variables are set, users
will not be prompted to select a project or team, streamlining the
workflow. The changes also document how to set these defaults in
`.vscode/mcp.json` and ensure robust test coverage for the new behavior.

## GitHub issue number
microsoft#1195

## **Associated Risks**

None

## ✅ **PR Checklist**

- [x] **I have read the [contribution
guidelines](https://github.com/microsoft/azure-devops-mcp/blob/main/CONTRIBUTING.md)**
- [x] **I have read the [code of conduct
guidelines](https://github.com/microsoft/azure-devops-mcp/blob/main/CODE_OF_CONDUCT.md)**
- [x] Title of the pull request is clear and informative.
- [x] 👌 Code hygiene
- [x] 🔭 Telemetry added, updated, or N/A
- [x] 📄 Documentation added, updated, or N/A
- [x] 🛡️ Automated tests added, or N/A

## 🧪 **How did you test it?**

manual testing and updated auto tests
@dependabot
[dependencies]: Bump typescript-eslint from 8.59.1 to 8.59.2 (microso…
9da6b70 
…ft#1229)

Bumps
[typescript-eslint](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/typescript-eslint)
from 8.59.1 to 8.59.2.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/typescript-eslint/typescript-eslint/releases">typescript-eslint's
releases</a>.</em></p>
<blockquote>
<h2>v8.59.2</h2>
<h2>8.59.2 (2026-05-04)</h2>
<h3>🩹 Fixes</h3>
<ul>
<li><strong>eslint-plugin:</strong> [no-unsafe-type-assertion] handle
crash on recursive template literal types (<a
href="https://redirect.github.com/typescript-eslint/typescript-eslint/pull/12150">#12150</a>)</li>
<li><strong>eslint-plugin:</strong> [no-deprecated] object destructuring
values should be treated as declarations (<a
href="https://redirect.github.com/typescript-eslint/typescript-eslint/pull/12292">#12292</a>)</li>
<li><strong>rule-tester:</strong> add TypeScript as a peer dependency
(<a
href="https://redirect.github.com/typescript-eslint/typescript-eslint/pull/12288">#12288</a>)</li>
</ul>
<h3>❤️ Thank You</h3>
<ul>
<li>Dariusz Czajkowski</li>
<li>Dima Barabash</li>
<li>Kirk Waiblinger <a
href="https://github.com/kirkwaiblinger"><code>@​kirkwaiblinger</code></a></li>
</ul>
<p>See <a
href="https://github.com/typescript-eslint/typescript-eslint/releases/tag/v8.59.2">GitHub
Releases</a> for more information.</p>
<p>You can read about our <a
href="https://typescript-eslint.io/users/versioning">versioning
strategy</a> and <a
href="https://typescript-eslint.io/users/releases">releases</a> on our
website.</p>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/typescript-eslint/CHANGELOG.md">typescript-eslint's
changelog</a>.</em></p>
<blockquote>
<h2>8.59.2 (2026-05-04)</h2>
<p>This was a version bump only for typescript-eslint to align it with
other projects, there were no code changes.</p>
<p>See <a
href="https://github.com/typescript-eslint/typescript-eslint/releases/tag/v8.59.2">GitHub
Releases</a> for more information.</p>
<p>You can read about our <a
href="https://typescript-eslint.io/users/versioning">versioning
strategy</a> and <a
href="https://typescript-eslint.io/users/releases">releases</a> on our
website.</p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/typescript-eslint/typescript-eslint/commit/2ec35f1760aade4df4c631d76d78c7ed5e136333"><code>2ec35f1</code></a>
chore(release): publish 8.59.2</li>
<li>See full diff in <a
href="https://github.com/typescript-eslint/typescript-eslint/commits/v8.59.2/packages/typescript-eslint">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=typescript-eslint&package-manager=npm_and_yarn&previous-version=8.59.1&new-version=8.59.2)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)


</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
@dependabot
[dependencies]: Bump ip-address and express-rate-limit (microsoft#1235)
feac5c9 
Bumps [ip-address](https://github.com/beaugunderson/ip-address) and
[express-rate-limit](https://github.com/express-rate-limit/express-rate-limit).
These dependencies needed to be updated together.
Updates `ip-address` from 10.1.0 to 10.2.0
<details>
<summary>Commits</summary>
<ul>
<li>See full diff in <a
href="https://github.com/beaugunderson/ip-address/commits">compare
view</a></li>
</ul>
</details>
<br />

Updates `express-rate-limit` from 8.3.0 to 8.5.1
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/express-rate-limit/express-rate-limit/releases">express-rate-limit's
releases</a>.</em></p>
<blockquote>
<h2>v8.5.1</h2>
<p>You can view the changelog <a
href="https://express-rate-limit.mintlify.app/reference/changelog">here</a>.</p>
<h2>v8.5.0</h2>
<p>You can view the changelog <a
href="https://express-rate-limit.mintlify.app/reference/changelog">here</a>.</p>
<h2>v8.4.1</h2>
<p>You can view the changelog <a
href="https://express-rate-limit.mintlify.app/reference/changelog">here</a>.</p>
<h2>v8.4.0</h2>
<p>You can view the changelog <a
href="https://express-rate-limit.mintlify.app/reference/changelog">here</a>.</p>
<h2>v8.3.2</h2>
<p>You can view the changelog <a
href="https://express-rate-limit.mintlify.app/reference/changelog">here</a>.</p>
<h2>v8.3.1</h2>
<p>You can view the changelog <a
href="https://express-rate-limit.mintlify.app/reference/changelog">here</a>.</p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/express-rate-limit/express-rate-limit/commit/50cc3f6345f603ac2fe4eb646edd7338b9a31fbb"><code>50cc3f6</code></a>
8.5.1</li>
<li><a
href="https://github.com/express-rate-limit/express-rate-limit/commit/92c8e3efd87b9b9f89092b1f9c8c17ac134c1293"><code>92c8e3e</code></a>
chore: bump ip-address library to latest (<a
href="https://redirect.github.com/express-rate-limit/express-rate-limit/issues/626">#626</a>)</li>
<li><a
href="https://github.com/express-rate-limit/express-rate-limit/commit/807e383875e93be940493464ea397381fc93942b"><code>807e383</code></a>
8.5.0</li>
<li><a
href="https://github.com/express-rate-limit/express-rate-limit/commit/b84413793127a1c392738ef26d10ec7a899d9d2d"><code>b844137</code></a>
v8.5.0 changelog</li>
<li><a
href="https://github.com/express-rate-limit/express-rate-limit/commit/ceaffabad1ee435549434b6b933097a938b27abe"><code>ceaffab</code></a>
feat: async store init (<a
href="https://redirect.github.com/express-rate-limit/express-rate-limit/issues/621">#621</a>)</li>
<li><a
href="https://github.com/express-rate-limit/express-rate-limit/commit/69568d4ea794905df4ff2e872f04e1daa1f89050"><code>69568d4</code></a>
8.4.1</li>
<li><a
href="https://github.com/express-rate-limit/express-rate-limit/commit/c686acd0bac3058dca4b7f116f240e694878b517"><code>c686acd</code></a>
v8.4.1 changelog</li>
<li><a
href="https://github.com/express-rate-limit/express-rate-limit/commit/ba71353abbd8a6a5ee891faea755026cf960ead2"><code>ba71353</code></a>
test: bump timeout in flakey skipFailedRequests test (<a
href="https://redirect.github.com/express-rate-limit/express-rate-limit/issues/618">#618</a>)</li>
<li><a
href="https://github.com/express-rate-limit/express-rate-limit/commit/dd4c8944d4a739e819306c8dde57852eac8540e0"><code>dd4c894</code></a>
feat: allow usage of custom logger (<a
href="https://redirect.github.com/express-rate-limit/express-rate-limit/issues/616">#616</a>)</li>
<li><a
href="https://github.com/express-rate-limit/express-rate-limit/commit/2bb343cd078c311e8bc7f48b31b9047cf17f3ece"><code>2bb343c</code></a>
resolve Jest timeout for server-based tests (<a
href="https://redirect.github.com/express-rate-limit/express-rate-limit/issues/617">#617</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/express-rate-limit/express-rate-limit/compare/v8.3.0...v8.5.1">compare
view</a></li>
</ul>
</details>
<details>
<summary>Maintainer changes</summary>
<p>This version was pushed to npm by <a
href="https://www.npmjs.com/~GitHub%20Actions">GitHub Actions</a>, a new
releaser for express-rate-limit since your current version.</p>
</details>
<br />


Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/microsoft/azure-devops-mcp/network/alerts).

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
@simontherry @danhellem
Add merge commit message option to repo_update_pull_request (microsof…
1f89641 
…t#1217)

## Summary
- Add an optional `mergeCommitMessage` parameter to
`repo_update_pull_request`.
- Pass the value through to `completionOptions.mergeCommitMessage` when
autocomplete completion options are built.
- Add Jest coverage for the autocomplete path.

## Why
Azure DevOps supports customizing the final merge or squash commit
message through pull request completion options, but the MCP tool did
not expose that field.

Fixes microsoft#1209

## Validation
- `npm test -- --runTestsByPath test/src/tools/repositories.test.ts`
- `npm run validate-tools`

Co-authored-by: Simon Therry <simon@thinck.be>
Co-authored-by: Dan Hellem <dahellem@microsoft.com>
@dependabot @danhellem
[dependencies]: Bump hono from 4.12.14 to 4.12.18 (microsoft#1236)
b23a2b4 
Bumps [hono](https://github.com/honojs/hono) from 4.12.14 to 4.12.18.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/honojs/hono/releases">hono's
releases</a>.</em></p>
<blockquote>
<h2>v4.12.18</h2>
<h2>Security fixes</h2>
<p>This release includes fixes for the following security issues:</p>
<h3>Cache Middleware ignores Vary: Authorization / Vary: Cookie leading
to cross-user cache leakage</h3>
<p>Affects: Cache Middleware. Fixes missing cache-skip handling for
<code>Vary: Authorization</code> and <code>Vary: Cookie</code>, where a
response cached for one authenticated user could be served to other
users. GHSA-p77w-8qqv-26rm</p>
<h3>CSS Declaration Injection via Style Object Values in JSX SSR</h3>
<p>Affects: hono/jsx. Fixes a missing CSS-context escape for
<code>style</code> object values and property names, where untrusted
input could inject additional CSS declarations. The impact is limited to
CSS and does not allow JavaScript execution. GHSA-qp7p-654g-cw7p</p>
<h3>Improper validation of NumericDate claims (exp, nbf, iat) in JWT
verify()</h3>
<p>Affects: <code>hono/utils/jwt</code>. Fixes improper validation of
<code>exp</code>, <code>nbf</code>, and <code>iat</code> claims, where
falsy, non-finite, or non-numeric values could silently bypass
time-based checks instead of being rejected per RFC 7519.
GHSA-hm8q-7f3q-5f36</p>
<hr />
<p>Users who use the JWT helper, hono/jsx, or the Cache middleware are
strongly encouraged to upgrade to this version.</p>
<h2>v4.12.17</h2>
<h2>What's Changed</h2>
<ul>
<li>fix(jsx): normalize SVG attributes on the <!-- raw HTML omitted -->
root element by <a
href="https://github.com/kfly8"><code>@​kfly8</code></a> in <a
href="https://redirect.github.com/honojs/hono/pull/4893">honojs/hono#4893</a></li>
<li>fix(ssg): add <code>atom+xml</code> and <code>rss+xml</code> to
<code>defaultExtensionMap</code> by <a
href="https://github.com/yuintei"><code>@​yuintei</code></a> in <a
href="https://redirect.github.com/honojs/hono/pull/4899">honojs/hono#4899</a></li>
<li>fix(cors): make origin optional in CORSOptions by <a
href="https://github.com/truffle-dev"><code>@​truffle-dev</code></a> in
<a
href="https://redirect.github.com/honojs/hono/pull/4905">honojs/hono#4905</a></li>
<li>fix(types): propagate middleware response types to app.on overloads
by <a href="https://github.com/T4ko0522"><code>@​T4ko0522</code></a> in
<a
href="https://redirect.github.com/honojs/hono/pull/4906">honojs/hono#4906</a></li>
</ul>
<h2>New Contributors</h2>
<ul>
<li><a href="https://github.com/kfly8"><code>@​kfly8</code></a> made
their first contribution in <a
href="https://redirect.github.com/honojs/hono/pull/4893">honojs/hono#4893</a></li>
<li><a
href="https://github.com/truffle-dev"><code>@​truffle-dev</code></a>
made their first contribution in <a
href="https://redirect.github.com/honojs/hono/pull/4905">honojs/hono#4905</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/honojs/hono/compare/v4.12.16...v4.12.17">https://github.com/honojs/hono/compare/v4.12.16...v4.12.17</a></p>
<h2>v4.12.16</h2>
<h2>Security fixes</h2>
<p>This release includes fixes for the following security issues:</p>
<h3>Unvalidated JSX Tag Names in hono/jsx May Allow HTML Injection</h3>
<p>Affects: hono/jsx. Fixes missing validation of JSX tag names when
using <code>jsx()</code> or <code>createElement()</code>, which could
allow HTML injection if untrusted input is used as the tag name.
GHSA-69xw-7hcm-h432</p>
<h3>bodyLimit() can be bypassed for chunked / unknown-length
requests</h3>
<p>Affects: Body Limit Middleware. Fixes late enforcement for request
bodies without a reliable Content-Length (e.g. chunked requests), where
oversized requests could reach handlers and return successful responses
before being rejected. GHSA-9vqf-7f2p-gf9v</p>
<h2>v4.12.15</h2>
<h2>What's Changed</h2>
<ul>
<li>fix(jwt): support single-line PEM keys by <a
href="https://github.com/hiendv"><code>@​hiendv</code></a> in <a
href="https://redirect.github.com/honojs/hono/pull/4889">honojs/hono#4889</a></li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/honojs/hono/commit/f10dee89ced5956b73c1cdc416d6bc0fd54d63b7"><code>f10dee8</code></a>
4.12.18</li>
<li><a
href="https://github.com/honojs/hono/commit/a5bd9ebead279ed9d0239ecbd854f629edfc0e57"><code>a5bd9eb</code></a>
Merge commit from fork</li>
<li><a
href="https://github.com/honojs/hono/commit/58d3d3ad5656e007ed99da1b73865975952de5e9"><code>58d3d3a</code></a>
Merge commit from fork</li>
<li><a
href="https://github.com/honojs/hono/commit/568c2ecc1dd556894fad4dfa4a7ba499db6dba9c"><code>568c2ec</code></a>
Merge commit from fork</li>
<li><a
href="https://github.com/honojs/hono/commit/ff2b3d31df1be35f7d597a95dd3369402b6e87f2"><code>ff2b3d3</code></a>
4.12.17</li>
<li><a
href="https://github.com/honojs/hono/commit/52aaaf9714b06303ce5caa655b1d80675be687e9"><code>52aaaf9</code></a>
fix(types): propagate middleware response types to app.on overloads (<a
href="https://redirect.github.com/honojs/hono/issues/4906">#4906</a>)</li>
<li><a
href="https://github.com/honojs/hono/commit/76d5589e9b0569f4e74ec37e8dd6979455f70dfa"><code>76d5589</code></a>
fix(cors): make origin optional in CORSOptions (<a
href="https://redirect.github.com/honojs/hono/issues/4905">#4905</a>)</li>
<li><a
href="https://github.com/honojs/hono/commit/8f027e5574e91e3c7f263a728656e3888559e51a"><code>8f027e5</code></a>
fix(ssg): add <code>atom+xml</code> and <code>rss+xml</code> to
<code>defaultExtensionMap</code> (<a
href="https://redirect.github.com/honojs/hono/issues/4899">#4899</a>)</li>
<li><a
href="https://github.com/honojs/hono/commit/bfba97ca7ea3d4541a3419f1749e5a1a3e8f1727"><code>bfba97c</code></a>
fix(jsx): normalize SVG attributes on the &lt;svg&gt; root element (<a
href="https://redirect.github.com/honojs/hono/issues/4893">#4893</a>)</li>
<li><a
href="https://github.com/honojs/hono/commit/90d4182aabd328e2ec6af3f25ec62ddc574ad8cb"><code>90d4182</code></a>
4.12.16</li>
<li>Additional commits viewable in <a
href="https://github.com/honojs/hono/compare/v4.12.14...v4.12.18">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=hono&package-manager=npm_and_yarn&previous-version=4.12.14&new-version=4.12.18)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/microsoft/azure-devops-mcp/network/alerts).

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Dan Hellem <dahellem@microsoft.com>
@dependabot
[dependencies]: Bump fast-uri from 3.1.0 to 3.1.2 (microsoft#1240)
d4895f4 
Bumps [fast-uri](https://github.com/fastify/fast-uri) from 3.1.0 to
3.1.2.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/fastify/fast-uri/releases">fast-uri's
releases</a>.</em></p>
<blockquote>
<h2>v3.1.2</h2>
<h2>⚠️ Security Release</h2>
<ul>
<li>Fix for <a
href="https://github.com/fastify/fast-uri/security/advisories/GHSA-v39h-62p7-jpjc">https://github.com/fastify/fast-uri/security/advisories/GHSA-v39h-62p7-jpjc</a></li>
</ul>
<h2>What's Changed</h2>
<ul>
<li>Handle malformed fragment decoding as a parse error by <a
href="https://github.com/mcollina"><code>@​mcollina</code></a> in <a
href="https://redirect.github.com/fastify/fast-uri/pull/171">fastify/fast-uri#171</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/fastify/fast-uri/compare/v3.1.1...v3.1.2">https://github.com/fastify/fast-uri/compare/v3.1.1...v3.1.2</a></p>
<h2>v3.1.1</h2>
<h2>⚠️ Security Release</h2>
<ul>
<li>Fix for <a
href="https://github.com/fastify/fast-uri/security/advisories/GHSA-q3j6-qgpj-74h6">https://github.com/fastify/fast-uri/security/advisories/GHSA-q3j6-qgpj-74h6</a></li>
</ul>
<h2>What's Changed</h2>
<ul>
<li>build(deps-dev): bump tsd from 0.32.0 to 0.33.0 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/fastify/fast-uri/pull/148">fastify/fast-uri#148</a></li>
<li>build(deps): bump actions/checkout from 4 to 5 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/fastify/fast-uri/pull/149">fastify/fast-uri#149</a></li>
<li>chore(.npmrc): ignore scripts by <a
href="https://github.com/Fdawgs"><code>@​Fdawgs</code></a> in <a
href="https://redirect.github.com/fastify/fast-uri/pull/150">fastify/fast-uri#150</a></li>
<li>build(deps-dev): remove <code>@​fastify/pre-commit</code> by <a
href="https://github.com/Fdawgs"><code>@​Fdawgs</code></a> in <a
href="https://redirect.github.com/fastify/fast-uri/pull/151">fastify/fast-uri#151</a></li>
<li>build(deps): bump actions/setup-node from 4 to 5 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/fastify/fast-uri/pull/152">fastify/fast-uri#152</a></li>
<li>ci(ci): add concurrency config by <a
href="https://github.com/Fdawgs"><code>@​Fdawgs</code></a> in <a
href="https://redirect.github.com/fastify/fast-uri/pull/153">fastify/fast-uri#153</a></li>
<li>build(deps): bump actions/setup-node from 5 to 6 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/fastify/fast-uri/pull/154">fastify/fast-uri#154</a></li>
<li>build(deps): bump actions/checkout from 5 to 6 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/fastify/fast-uri/pull/156">fastify/fast-uri#156</a></li>
<li>chore(license): standardise license notice by <a
href="https://github.com/Fdawgs"><code>@​Fdawgs</code></a> in <a
href="https://redirect.github.com/fastify/fast-uri/pull/159">fastify/fast-uri#159</a></li>
<li>style: remove trailing whitespace by <a
href="https://github.com/Fdawgs"><code>@​Fdawgs</code></a> in <a
href="https://redirect.github.com/fastify/fast-uri/pull/161">fastify/fast-uri#161</a></li>
<li>ci: remove unused github files by <a
href="https://github.com/Tony133"><code>@​Tony133</code></a> in <a
href="https://redirect.github.com/fastify/fast-uri/pull/162">fastify/fast-uri#162</a></li>
<li>chore: update readme by <a
href="https://github.com/Tony133"><code>@​Tony133</code></a> in <a
href="https://redirect.github.com/fastify/fast-uri/pull/164">fastify/fast-uri#164</a></li>
<li>build(deps): bump
fastify/workflows/.github/workflows/plugins-ci-package-manager.yml from
5 to 6 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/fastify/fast-uri/pull/165">fastify/fast-uri#165</a></li>
<li>build(deps): bump fastify/workflows/.github/workflows/plugins-ci.yml
from 5 to 6 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/fastify/fast-uri/pull/166">fastify/fast-uri#166</a></li>
<li>build(deps-dev): bump neostandard from 0.12.2 to 0.13.0 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/fastify/fast-uri/pull/167">fastify/fast-uri#167</a></li>
<li>ci: add lock-threads workflow by <a
href="https://github.com/Fdawgs"><code>@​Fdawgs</code></a> in <a
href="https://redirect.github.com/fastify/fast-uri/pull/169">fastify/fast-uri#169</a></li>
</ul>
<h2>New Contributors</h2>
<ul>
<li><a href="https://github.com/Tony133"><code>@​Tony133</code></a> made
their first contribution in <a
href="https://redirect.github.com/fastify/fast-uri/pull/162">fastify/fast-uri#162</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/fastify/fast-uri/compare/v3.1.0...v3.1.1">https://github.com/fastify/fast-uri/compare/v3.1.0...v3.1.1</a></p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/fastify/fast-uri/commit/919dd8ea7689fcc220d0d9b71307f5095e723ef9"><code>919dd8e</code></a>
Bumped v3.1.2</li>
<li><a
href="https://github.com/fastify/fast-uri/commit/c65ba573714af6b8e19e481d9444c27bc4355d07"><code>c65ba57</code></a>
fixup: linting</li>
<li><a
href="https://github.com/fastify/fast-uri/commit/6c86c17c3d76fb93aa3700ec6c0fa00faeb97293"><code>6c86c17</code></a>
Merge commit from fork</li>
<li><a
href="https://github.com/fastify/fast-uri/commit/a95158ad308df4d92bbde4eba699ce5165e9f796"><code>a95158a</code></a>
Handle malformed fragment decoding without throwing (<a
href="https://redirect.github.com/fastify/fast-uri/issues/171">#171</a>)</li>
<li><a
href="https://github.com/fastify/fast-uri/commit/cea547c91c6aae610041b17b75792ca4aa035a6d"><code>cea547c</code></a>
Bumped v3.1.1</li>
<li><a
href="https://github.com/fastify/fast-uri/commit/876ce79b662c3e5015e4e7dffe6f37752ad34f35"><code>876ce79</code></a>
Merge commit from fork</li>
<li><a
href="https://github.com/fastify/fast-uri/commit/dcdf690b71a7bb3a19887ada65a9ab160d83bcc0"><code>dcdf690</code></a>
ci: add lock-threads workflow (<a
href="https://redirect.github.com/fastify/fast-uri/issues/169">#169</a>)</li>
<li><a
href="https://github.com/fastify/fast-uri/commit/c860e6589b1ac346f66e114b4eadb9613768108c"><code>c860e65</code></a>
build(deps-dev): bump neostandard from 0.12.2 to 0.13.0 (<a
href="https://redirect.github.com/fastify/fast-uri/issues/167">#167</a>)</li>
<li><a
href="https://github.com/fastify/fast-uri/commit/9b4c6dc82fde0ca44e674403ece9185d85bb6d5f"><code>9b4c6dc</code></a>
build(deps): bump fastify/workflows/.github/workflows/plugins-ci.yml (<a
href="https://redirect.github.com/fastify/fast-uri/issues/166">#166</a>)</li>
<li><a
href="https://github.com/fastify/fast-uri/commit/85d09a9f7aa76b32c2bb005a90a71e144c361d24"><code>85d09a9</code></a>
build(deps): bump
fastify/workflows/.github/workflows/plugins-ci-package-mana...</li>
<li>Additional commits viewable in <a
href="https://github.com/fastify/fast-uri/compare/v3.1.0...v3.1.2">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=fast-uri&package-manager=npm_and_yarn&previous-version=3.1.0&new-version=3.1.2)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/microsoft/azure-devops-mcp/network/alerts).

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
@danhellem
Update README.md for clarity and improved onboarding instructions (mi…
72d0b9b 
…crosoft#1247)

This pull request updates the `README.md` to emphasize the Remote MCP
Server as the recommended onboarding path and clarifies the distinction
between remote and local server usage. It improves onboarding
instructions, adds a quick-start example for remote configuration, and
updates documentation links for clarity.

## GitHub issue number
N/A

## **Associated Risks**

None

## 🧪 **How did you test it?**

N/A
@danhellem
Enhance error handling in configureWikiTools for wiki page content re… (
f85662c 
microsoft#1238)

This pull request improves the robustness and test coverage of the wiki
tools, especially around error handling and edge cases in wiki URL
parsing and content fetching. The most important changes include
clarifying assumptions in the main code, expanding test coverage for
various edge cases, and improving error messaging.

## GitHub issue number
N/A

## **Associated Risks**

None

## ✅ **PR Checklist**

- [x] **I have read the [contribution
guidelines](https://github.com/microsoft/azure-devops-mcp/blob/main/CONTRIBUTING.md)**
- [x] **I have read the [code of conduct
guidelines](https://github.com/microsoft/azure-devops-mcp/blob/main/CODE_OF_CONDUCT.md)**
- [x] Title of the pull request is clear and informative.
- [x] 👌 Code hygiene
- [x] 🔭 Telemetry added, updated, or N/A
- [x] 📄 Documentation added, updated, or N/A
- [x] 🛡️ Automated tests added, or N/A

## 🧪 **How did you test it?**

Improvements to test coverage for wiki
@danhellem
Enhance error handling for pull request creation and update tests (mi…
1d8dda8 
…crosoft#1246)

This pull request improves error handling and messaging for pull request
creation failures in the repository tools. When the API does not return
data and no matching pull request is found, the user is now given a more
informative error message, and the response is explicitly marked as an
error. Corresponding tests have been updated to validate these changes.

## GitHub issue number
microsoft#1245 

## **Associated Risks**

None

## ✅ **PR Checklist**

- [x] **I have read the [contribution
guidelines](https://github.com/microsoft/azure-devops-mcp/blob/main/CONTRIBUTING.md)**
- [x] **I have read the [code of conduct
guidelines](https://github.com/microsoft/azure-devops-mcp/blob/main/CODE_OF_CONDUCT.md)**
- [x] Title of the pull request is clear and informative.
- [x] 👌 Code hygiene
- [x] 🔭 Telemetry added, updated, or N/A
- [x] 📄 Documentation added, updated, or N/A
- [x] 🛡️ Automated tests added, or N/A

## 🧪 **How did you test it?**

Manual tested and updated and ran automated tests
@dependabot @danhellem
[dependencies]: Bump lint-staged from 16.4.0 to 17.0.0 (microsoft#1230)
fc45762 
Bumps [lint-staged](https://github.com/lint-staged/lint-staged) from
16.4.0 to 17.0.0.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/lint-staged/lint-staged/releases">lint-staged's
releases</a>.</em></p>
<blockquote>
<h2>v17.0.0</h2>
<h3>Major Changes</h3>
<ul>
<li>
<p><a
href="https://redirect.github.com/lint-staged/lint-staged/pull/1745">#1745</a>
<a
href="https://github.com/lint-staged/lint-staged/commit/e244adfab430be95803e74b20acf518517054c9f"><code>e244adf</code></a>
Thanks <a href="https://github.com/iiroj"><code>@​iiroj</code></a>! -
<strong>Node.js v20 is no longer supported, and the oldest supported
version is now <code>22.22.1</code></strong>, which is an active LTS
version at the time of this release. Node.js 20 will be EOL after April
2026. Please upgrade your Node.js version!</p>
</li>
<li>
<p><a
href="https://redirect.github.com/lint-staged/lint-staged/pull/1676">#1676</a>
<a
href="https://github.com/lint-staged/lint-staged/commit/0584e0b8824a07ea4d0151f2c17fc37c4905a421"><code>0584e0b</code></a>
Thanks <a
href="https://github.com/outslept"><code>@​outslept</code></a>! -
<em>Lint-staged</em> now tries to verify the installed Git version is at
least <code>2.32.0</code>, released in 2021. If you're using an even
older Git version, you need to <a
href="https://git-scm.com/install/mac">upgrade</a> it before running
<em>lint-staged</em>!</p>
</li>
<li>
<p><a
href="https://redirect.github.com/lint-staged/lint-staged/pull/1745">#1745</a>
<a
href="https://github.com/lint-staged/lint-staged/commit/2dcc40a1a98aea20d38f76031ac30b278f81682a"><code>2dcc40a</code></a>
Thanks <a href="https://github.com/iiroj"><code>@​iiroj</code></a>! -
The dependency <code>yaml</code> is now marked as optional and probably
won't be installed by default. If you're using a YAML configuration file
you should install the package separately:</p>
<pre lang="shell"><code>npm install --development yaml
</code></pre>
<p>If you're using <code>.lintstagedrc</code> as the config file name
(without a file extension), it will be treated as a YAML file. If the
content is JSON, consider renaming it to <code>.lintstagedrc.json</code>
to avoid needing to install <code>yaml</code>.</p>
</li>
</ul>
<h3>Minor Changes</h3>
<ul>
<li>
<p><a
href="https://redirect.github.com/lint-staged/lint-staged/pull/1748">#1748</a>
<a
href="https://github.com/lint-staged/lint-staged/commit/809d5ef0a66edb2b26b233d33ce8e14af6c978e7"><code>809d5ef</code></a>
Thanks <a href="https://github.com/iiroj"><code>@​iiroj</code></a>! -
Add new option <code>--hide-all</code> for hiding all unstaged changes
and untracked files, before running tasks. This makes it easier to run
tools like <a href="https://knip.dev">Knip</a> which check for unused
code. Untracked files are included in the backup stash and restored
automatically after running.</p>
</li>
<li>
<p><a
href="https://redirect.github.com/lint-staged/lint-staged/pull/1759">#1759</a>
<a
href="https://github.com/lint-staged/lint-staged/commit/f13045a5eae28c3233fc37146b0e1f51739c254b"><code>f13045a</code></a>
Thanks <a href="https://github.com/iiroj"><code>@​iiroj</code></a>! -
Update dependencies, including <a
href="https://github.com/tinylibs/tinyexec/releases/tag/1.1.1"><code>tinyexec@1.1.1</code></a>
to fix the following issues:</p>
<ul>
<li>When using a Node.js version manager with multiple versions
installed (<a href="https://github.com/nvm-sh/nvm">nvm</a>, <a
href="https://github.com/tj/n">n</a>, for example), scripts with the
<code>#!/usr/bin/env node</code> shebang (<a
href="https://github.com/prettier/prettier">Prettier</a>, <a
href="https://github.com/eslint/eslint">ESLint</a>, for example) were
previously spawned using the default Node.js version configured by the
version manager (the one <code>which node</code> points to) on POSIX
systems. Now, they will be spawned with the same version that
<em>lint-staged</em> itself was started with.
<ul>
<li>For example, if your default Node.js version is 24.14.1 but
<em>lint-staged</em> is run with the latest version 25.9.0, the tasks
spawned by <em>lint-staged</em> will now also use version 25.9.0.
Previously they were spawned using 24.14.1.</li>
</ul>
</li>
<li>When installing Node.js from the Ubuntu App Center (<a
href="https://snapcraft.io/store">Snap store</a>), the <code>node</code>
executable available in <code>PATH</code> is a symlink pointing to Snap
itself. The sandboxing features of Snap prevented <em>lint-staged</em>
from spawning scripts with the <code>#!/usr/bin/env node</code> shebang,
because it meant <em>lint-staged</em> tried to spawn Snap via the
symlink. This resulted in an <code>ENOENT</code> error when trying to
run <code>prettier</code>, for example. Now, since the real
<code>node</code> executable's directory is available in the
<code>PATH</code>, <em>lint-staged</em> will instead spawn the script
with the real <code>node</code> binary succesfully.</li>
</ul>
</li>
<li>
<p><a
href="https://redirect.github.com/lint-staged/lint-staged/pull/1761">#1761</a>
<a
href="https://github.com/lint-staged/lint-staged/commit/d3251b192d7116f059e7cabeffa3bfd7788dedeb"><code>d3251b1</code></a>
Thanks <a href="https://github.com/iiroj"><code>@​iiroj</code></a>! -
<em>Lint-staged</em> now runs <code>git update-index --again</code>
after running tasks, instead of <code>git add &lt;originally staged
files&gt;</code>. This should improve compatibility when using
non-default indexes, for example when committing with a pathspec
<code>git commit -m &quot;message&quot; .</code> instead of adding files
to the index.</p>
</li>
<li>
<p><a
href="https://redirect.github.com/lint-staged/lint-staged/pull/1745">#1745</a>
<a
href="https://github.com/lint-staged/lint-staged/commit/a9585ac7ce0162c5c6c9aa88a28c11c812abedaf"><code>a9585ac</code></a>
Thanks <a href="https://github.com/iiroj"><code>@​iiroj</code></a>! -
Remove <code>commander</code> as a dependency and use the built-in
<code>parseArgs</code> from <code>node:util</code> to parse CLI
flags.</p>
</li>
</ul>
<h3>Patch Changes</h3>
<ul>
<li>
<p><a
href="https://redirect.github.com/lint-staged/lint-staged/pull/1755">#1755</a>
<a
href="https://github.com/lint-staged/lint-staged/commit/c82d30bda8c80f886bdfead2e7aa123f7337aa76"><code>c82d30b</code></a>
Thanks <a href="https://github.com/iiroj"><code>@​iiroj</code></a>! -
All tests now pass on the <a href="https://bun.com">Bun</a> runtime
(latest).</p>
</li>
<li>
<p><a
href="https://redirect.github.com/lint-staged/lint-staged/pull/1750">#1750</a>
<a
href="https://github.com/lint-staged/lint-staged/commit/a4018185016617b02e4473d14e036a5f1a9b3f85"><code>a401818</code></a>
Thanks <a href="https://github.com/iiroj"><code>@​iiroj</code></a>! -
Remove manual handling for <code>git stash --keep-index</code>
resurrecting deleted files, because the issue was fixed in Git
<code>2.23.0</code> and <em>lint-staged</em> requires at least Git
<code>2.32.0</code>.</p>
</li>
<li>
<p><a
href="https://redirect.github.com/lint-staged/lint-staged/pull/1771">#1771</a>
<a
href="https://github.com/lint-staged/lint-staged/commit/c4b893665bf39670650ae71b4ec2073025e9984e"><code>c4b8936</code></a>
Thanks <a href="https://github.com/iiroj"><code>@​iiroj</code></a>! -
Fix documentation about multiple config files and the <code>--cwd</code>
option. When using it, all tasks will be run in the specified directory.
For example, to run everything in the actual <code>process.cwd()</code>,
use <code>lint-staged --cwd=&quot;.&quot;</code>.</p>
</li>
</ul>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/lint-staged/lint-staged/blob/main/CHANGELOG.md">lint-staged's
changelog</a>.</em></p>
<blockquote>
<h2>17.0.0</h2>
<h3>Major Changes</h3>
<ul>
<li>
<p><a
href="https://redirect.github.com/lint-staged/lint-staged/pull/1745">#1745</a>
<a
href="https://github.com/lint-staged/lint-staged/commit/e244adfab430be95803e74b20acf518517054c9f"><code>e244adf</code></a>
Thanks <a href="https://github.com/iiroj"><code>@​iiroj</code></a>! -
<strong>Node.js v20 is no longer supported, and the oldest supported
version is now <code>22.22.1</code></strong>, which is an active LTS
version at the time of this release. Node.js 20 will be EOL after April
2026. Please upgrade your Node.js version!</p>
</li>
<li>
<p><a
href="https://redirect.github.com/lint-staged/lint-staged/pull/1676">#1676</a>
<a
href="https://github.com/lint-staged/lint-staged/commit/0584e0b8824a07ea4d0151f2c17fc37c4905a421"><code>0584e0b</code></a>
Thanks <a
href="https://github.com/outslept"><code>@​outslept</code></a>! -
<em>Lint-staged</em> now tries to verify the installed Git version is at
least <code>2.32.0</code>, released in 2021. If you're using an even
older Git version, you need to <a
href="https://git-scm.com/install/mac">upgrade</a> it before running
<em>lint-staged</em>!</p>
</li>
<li>
<p><a
href="https://redirect.github.com/lint-staged/lint-staged/pull/1745">#1745</a>
<a
href="https://github.com/lint-staged/lint-staged/commit/2dcc40a1a98aea20d38f76031ac30b278f81682a"><code>2dcc40a</code></a>
Thanks <a href="https://github.com/iiroj"><code>@​iiroj</code></a>! -
The dependency <code>yaml</code> is now marked as optional and probably
won't be installed by default. If you're using a YAML configuration file
you should install the package separately:</p>
<pre lang="shell"><code>npm install --development yaml
</code></pre>
<p>If you're using <code>.lintstagedrc</code> as the config file name
(without a file extension), it will be treated as a YAML file. If the
content is JSON, consider renaming it to <code>.lintstagedrc.json</code>
to avoid needing to install <code>yaml</code>.</p>
</li>
</ul>
<h3>Minor Changes</h3>
<ul>
<li>
<p><a
href="https://redirect.github.com/lint-staged/lint-staged/pull/1748">#1748</a>
<a
href="https://github.com/lint-staged/lint-staged/commit/809d5ef0a66edb2b26b233d33ce8e14af6c978e7"><code>809d5ef</code></a>
Thanks <a href="https://github.com/iiroj"><code>@​iiroj</code></a>! -
Add new option <code>--hide-all</code> for hiding all unstaged changes
and untracked files, before running tasks. This makes it easier to run
tools like <a href="https://knip.dev">Knip</a> which check for unused
code. Untracked files are included in the backup stash and restored
automatically after running.</p>
</li>
<li>
<p><a
href="https://redirect.github.com/lint-staged/lint-staged/pull/1759">#1759</a>
<a
href="https://github.com/lint-staged/lint-staged/commit/f13045a5eae28c3233fc37146b0e1f51739c254b"><code>f13045a</code></a>
Thanks <a href="https://github.com/iiroj"><code>@​iiroj</code></a>! -
Update dependencies, including <a
href="https://github.com/tinylibs/tinyexec/releases/tag/1.1.1"><code>tinyexec@1.1.1</code></a>
to fix the following issues:</p>
<ul>
<li>When using a Node.js version manager with multiple versions
installed (<a href="https://github.com/nvm-sh/nvm">nvm</a>, <a
href="https://github.com/tj/n">n</a>, for example), scripts with the
<code>#!/usr/bin/env node</code> shebang (<a
href="https://github.com/prettier/prettier">Prettier</a>, <a
href="https://github.com/eslint/eslint">ESLint</a>, for example) were
previously spawned using the default Node.js version configured by the
version manager (the one <code>which node</code> points to) on POSIX
systems. Now, they will be spawned with the same version that
<em>lint-staged</em> itself was started with.
<ul>
<li>For example, if your default Node.js version is 24.14.1 but
<em>lint-staged</em> is run with the latest version 25.9.0, the tasks
spawned by <em>lint-staged</em> will now also use version 25.9.0.
Previously they were spawned using 24.14.1.</li>
</ul>
</li>
<li>When installing Node.js from the Ubuntu App Center (<a
href="https://snapcraft.io/store">Snap store</a>), the <code>node</code>
executable available in <code>PATH</code> is a symlink pointing to Snap
itself. The sandboxing features of Snap prevented <em>lint-staged</em>
from spawning scripts with the <code>#!/usr/bin/env node</code> shebang,
because it meant <em>lint-staged</em> tried to spawn Snap via the
symlink. This resulted in an <code>ENOENT</code> error when trying to
run <code>prettier</code>, for example. Now, since the real
<code>node</code> executable's directory is available in the
<code>PATH</code>, <em>lint-staged</em> will instead spawn the script
with the real <code>node</code> binary succesfully.</li>
</ul>
</li>
<li>
<p><a
href="https://redirect.github.com/lint-staged/lint-staged/pull/1761">#1761</a>
<a
href="https://github.com/lint-staged/lint-staged/commit/d3251b192d7116f059e7cabeffa3bfd7788dedeb"><code>d3251b1</code></a>
Thanks <a href="https://github.com/iiroj"><code>@​iiroj</code></a>! -
<em>Lint-staged</em> now runs <code>git update-index --again</code>
after running tasks, instead of <code>git add &lt;originally staged
files&gt;</code>. This should improve compatibility when using
non-default indexes, for example when committing with a pathspec
<code>git commit -m &quot;message&quot; .</code> instead of adding files
to the index.</p>
</li>
<li>
<p><a
href="https://redirect.github.com/lint-staged/lint-staged/pull/1745">#1745</a>
<a
href="https://github.com/lint-staged/lint-staged/commit/a9585ac7ce0162c5c6c9aa88a28c11c812abedaf"><code>a9585ac</code></a>
Thanks <a href="https://github.com/iiroj"><code>@​iiroj</code></a>! -
Remove <code>commander</code> as a dependency and use the built-in
<code>parseArgs</code> from <code>node:util</code> to parse CLI
flags.</p>
</li>
</ul>
<h3>Patch Changes</h3>
<ul>
<li>
<p><a
href="https://redirect.github.com/lint-staged/lint-staged/pull/1755">#1755</a>
<a
href="https://github.com/lint-staged/lint-staged/commit/c82d30bda8c80f886bdfead2e7aa123f7337aa76"><code>c82d30b</code></a>
Thanks <a href="https://github.com/iiroj"><code>@​iiroj</code></a>! -
All tests now pass on the <a href="https://bun.com">Bun</a> runtime
(latest).</p>
</li>
<li>
<p><a
href="https://redirect.github.com/lint-staged/lint-staged/pull/1750">#1750</a>
<a
href="https://github.com/lint-staged/lint-staged/commit/a4018185016617b02e4473d14e036a5f1a9b3f85"><code>a401818</code></a>
Thanks <a href="https://github.com/iiroj"><code>@​iiroj</code></a>! -
Remove manual handling for <code>git stash --keep-index</code>
resurrecting deleted files, because the issue was fixed in Git
<code>2.23.0</code> and <em>lint-staged</em> requires at least Git
<code>2.32.0</code>.</p>
</li>
<li>
<p><a
href="https://redirect.github.com/lint-staged/lint-staged/pull/1771">#1771</a>
<a
href="https://github.com/lint-staged/lint-staged/commit/c4b893665bf39670650ae71b4ec2073025e9984e"><code>c4b8936</code></a>
Thanks <a href="https://github.com/iiroj"><code>@​iiroj</code></a>! -
Fix documentation about multiple config files and the <code>--cwd</code>
option. When using it, all tasks will be run in the specified directory.
For example, to run everything in the actual <code>process.cwd()</code>,
use <code>lint-staged --cwd=&quot;.&quot;</code>.</p>
</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/lint-staged/lint-staged/commit/5e06d60e027db6b628bcf3689fca23fc59a396e4"><code>5e06d60</code></a>
Merge pull request <a
href="https://redirect.github.com/lint-staged/lint-staged/issues/1747">#1747</a>
from lint-staged/changeset-release/main</li>
<li><a
href="https://github.com/lint-staged/lint-staged/commit/adb794d31f1611178ca69cc4e478bd6308ceefab"><code>adb794d</code></a>
chore(changeset): release</li>
<li><a
href="https://github.com/lint-staged/lint-staged/commit/e72151daeb8ab376930b967f47fe69518043109d"><code>e72151d</code></a>
Merge pull request <a
href="https://redirect.github.com/lint-staged/lint-staged/issues/1775">#1775</a>
from lint-staged/updates</li>
<li><a
href="https://github.com/lint-staged/lint-staged/commit/ac054f0740df35cf89935357823a231a13618ebe"><code>ac054f0</code></a>
test: run tests on Node.js 26, drop 25</li>
<li><a
href="https://github.com/lint-staged/lint-staged/commit/6da0fcd5cbf0edd7df17441d620b2cc6a42c29e6"><code>6da0fcd</code></a>
build(deps): update dependencies</li>
<li><a
href="https://github.com/lint-staged/lint-staged/commit/1b46346aef6767562dc45568442a079cdbac57e0"><code>1b46346</code></a>
Merge pull request <a
href="https://redirect.github.com/lint-staged/lint-staged/issues/1774">#1774</a>
from lint-staged/changesets-commit-message</li>
<li><a
href="https://github.com/lint-staged/lint-staged/commit/6be5aa65b99d476ccefe272da9ecc9e850ed8975"><code>6be5aa6</code></a>
ci: fix Changeset commit message</li>
<li><a
href="https://github.com/lint-staged/lint-staged/commit/28f7f4f62c6ab9462dec6683d42dfb58ffef199d"><code>28f7f4f</code></a>
Merge pull request <a
href="https://redirect.github.com/lint-staged/lint-staged/issues/1773">#1773</a>
from lint-staged/signed-changesets-user</li>
<li><a
href="https://github.com/lint-staged/lint-staged/commit/a2e6856e83e45774f4e9001132cef8215f5e82e7"><code>a2e6856</code></a>
ci: configure GitHub Bot user for changesets</li>
<li><a
href="https://github.com/lint-staged/lint-staged/commit/0db4e086ae26bf01b646de2e0858400d97b33efc"><code>0db4e08</code></a>
Merge pull request <a
href="https://redirect.github.com/lint-staged/lint-staged/issues/1772">#1772</a>
from lint-staged/signed-changesets</li>
<li>Additional commits viewable in <a
href="https://github.com/lint-staged/lint-staged/compare/v16.4.0...v17.0.0">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=lint-staged&package-manager=npm_and_yarn&previous-version=16.4.0&new-version=17.0.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)


</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Dan Hellem <dahellem@microsoft.com>
@nikolapeja6
Delete .github/workflows/ai-issue-processing.yml (microsoft#1258)
e472c84 
Not really used, and also could be problematic.

## GitHub issue number

## **Associated Risks**

_Replace_ by possible risks this pull request can bring you might have
thought of

## ✅ **PR Checklist**

- [ ] **I have read the [contribution
guidelines](https://github.com/microsoft/azure-devops-mcp/blob/main/CONTRIBUTING.md)**
- [ ] **I have read the [code of conduct
guidelines](https://github.com/microsoft/azure-devops-mcp/blob/main/CODE_OF_CONDUCT.md)**
- [ ] Title of the pull request is clear and informative.
- [ ] 👌 Code hygiene
- [ ] 🔭 Telemetry added, updated, or N/A
- [ ] 📄 Documentation added, updated, or N/A
- [ ] 🛡️ Automated tests added, or N/A

## 🧪 **How did you test it?**

_Replace_ with use cases tested and models used
@krid-583
Fixing repo_get_pull_request_changes to be able to get the file chang…
bb008b1 
…es for PR's with only added and only deleted files (microsoft#1259)

The `repo_get_pull_request_changes` doesn't get the file changes when
having only added files or only deleted files in the PR even when the
includeDiffs and includeLineContent is set to true.

## GitHub issue number

1237

## **Associated Risks**

None

## ✅ **PR Checklist**

- [X] **I have read the [contribution
guidelines](https://github.com/microsoft/azure-devops-mcp/blob/main/CONTRIBUTING.md)**
- [X] **I have read the [code of conduct
guidelines](https://github.com/microsoft/azure-devops-mcp/blob/main/CODE_OF_CONDUCT.md)**
- [X] Title of the pull request is clear and informative.
- [X] 👌 Code hygiene
- [ ] 🔭 Telemetry added, updated, or N/A
- [ ] 📄 Documentation added, updated, or N/A
- [X] 🛡️ Automated tests added, or N/A

## 🧪 **How did you test it?**

- Added 2 unit tests concerning both the scenarios where files are only
added and only deleted
- Added 6 other unit tests to ensure line coverage is satisfied.
- Performed manual testing on VS Code Copilot

Only deleted scenario mentioned in the issue:
<img width="603" height="526" alt="image"
src="https://github.com/user-attachments/assets/2dd2e3d1-d99f-4511-99d6-c32022bc1a17"
/>

Only added scenario mentioned in the issue:
<img width="956" height="565" alt="image"
src="https://github.com/user-attachments/assets/154da3cd-0545-4b80-9da4-727c8cf32111"
/>

---------

Co-authored-by: Krishna Prasath D <krid@microsoft.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@gadeynebram
Merge remote-tracking branch 'upstream/main' into sync/upstream-20260519
5353ffc
@gadeynebram gadeynebram merged commit 35aef9f into main May 19, 2026
2 checks passed
@gadeynebram gadeynebram deleted the sync/upstream-20260519 branch May 19, 2026 11:55
@github-actions
Copy link
Copy Markdown

github-actions Bot commented May 19, 2026

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

Scorecard details
PackageVersionScoreDetails
npm/@azure/msal-common 16.5.2 🟢 6.4
Details
CheckScoreReason
Security-Policy🟢 9security policy file detected
Packaging⚠️ -1packaging workflow not detected
Maintained🟢 1030 commit(s) and 15 issue activity found in the last 90 days -- score normalized to 10
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Code-Review🟢 10all changesets reviewed
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
License🟢 10license file detected
Signed-Releases⚠️ -1no releases found
Branch-Protection🟢 9branch protection is not maximal on development and all release branches
Binary-Artifacts🟢 10no binaries found in the repo
Pinned-Dependencies⚠️ 0dependency not pinned by hash detected -- score normalized to 0
Fuzzing⚠️ 0project is not fuzzed
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
npm/@azure/msal-node 5.1.5 🟢 6.4
Details
CheckScoreReason
Security-Policy🟢 9security policy file detected
Packaging⚠️ -1packaging workflow not detected
Maintained🟢 1030 commit(s) and 15 issue activity found in the last 90 days -- score normalized to 10
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Code-Review🟢 10all changesets reviewed
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
License🟢 10license file detected
Signed-Releases⚠️ -1no releases found
Branch-Protection🟢 9branch protection is not maximal on development and all release branches
Binary-Artifacts🟢 10no binaries found in the repo
Pinned-Dependencies⚠️ 0dependency not pinned by hash detected -- score normalized to 0
Fuzzing⚠️ 0project is not fuzzed
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
npm/@typescript-eslint/eslint-plugin 8.59.2 🟢 5.9
Details
CheckScoreReason
Code-Review🟢 8Found 24/27 approved changesets -- score normalized to 8
Packaging⚠️ -1packaging workflow not detected
Security-Policy🟢 10security policy file detected
Maintained🟢 1030 commit(s) and 20 issue activity found in the last 90 days -- score normalized to 10
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
License🟢 10license file detected
Branch-Protection⚠️ -1internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Signed-Releases⚠️ -1no releases found
Binary-Artifacts🟢 10no binaries found in the repo
Pinned-Dependencies⚠️ 0dependency not pinned by hash detected -- score normalized to 0
Fuzzing⚠️ 0project is not fuzzed
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
npm/@typescript-eslint/parser 8.59.2 🟢 5.9
Details
CheckScoreReason
Code-Review🟢 8Found 24/27 approved changesets -- score normalized to 8
Packaging⚠️ -1packaging workflow not detected
Security-Policy🟢 10security policy file detected
Maintained🟢 1030 commit(s) and 20 issue activity found in the last 90 days -- score normalized to 10
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
License🟢 10license file detected
Branch-Protection⚠️ -1internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Signed-Releases⚠️ -1no releases found
Binary-Artifacts🟢 10no binaries found in the repo
Pinned-Dependencies⚠️ 0dependency not pinned by hash detected -- score normalized to 0
Fuzzing⚠️ 0project is not fuzzed
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
npm/@typescript-eslint/project-service 8.59.2 🟢 5.9
Details
CheckScoreReason
Code-Review🟢 8Found 24/27 approved changesets -- score normalized to 8
Packaging⚠️ -1packaging workflow not detected
Security-Policy🟢 10security policy file detected
Maintained🟢 1030 commit(s) and 20 issue activity found in the last 90 days -- score normalized to 10
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
License🟢 10license file detected
Branch-Protection⚠️ -1internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Signed-Releases⚠️ -1no releases found
Binary-Artifacts🟢 10no binaries found in the repo
Pinned-Dependencies⚠️ 0dependency not pinned by hash detected -- score normalized to 0
Fuzzing⚠️ 0project is not fuzzed
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
npm/@typescript-eslint/scope-manager 8.59.2 🟢 5.9
Details
CheckScoreReason
Code-Review🟢 8Found 24/27 approved changesets -- score normalized to 8
Packaging⚠️ -1packaging workflow not detected
Security-Policy🟢 10security policy file detected
Maintained🟢 1030 commit(s) and 20 issue activity found in the last 90 days -- score normalized to 10
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
License🟢 10license file detected
Branch-Protection⚠️ -1internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Signed-Releases⚠️ -1no releases found
Binary-Artifacts🟢 10no binaries found in the repo
Pinned-Dependencies⚠️ 0dependency not pinned by hash detected -- score normalized to 0
Fuzzing⚠️ 0project is not fuzzed
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
npm/@typescript-eslint/tsconfig-utils 8.59.2 🟢 5.9
Details
CheckScoreReason
Code-Review🟢 8Found 24/27 approved changesets -- score normalized to 8
Packaging⚠️ -1packaging workflow not detected
Security-Policy🟢 10security policy file detected
Maintained🟢 1030 commit(s) and 20 issue activity found in the last 90 days -- score normalized to 10
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
License🟢 10license file detected
Branch-Protection⚠️ -1internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Signed-Releases⚠️ -1no releases found
Binary-Artifacts🟢 10no binaries found in the repo
Pinned-Dependencies⚠️ 0dependency not pinned by hash detected -- score normalized to 0
Fuzzing⚠️ 0project is not fuzzed
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
npm/@typescript-eslint/type-utils 8.59.2 🟢 5.9
Details
CheckScoreReason
Code-Review🟢 8Found 24/27 approved changesets -- score normalized to 8
Packaging⚠️ -1packaging workflow not detected
Security-Policy🟢 10security policy file detected
Maintained🟢 1030 commit(s) and 20 issue activity found in the last 90 days -- score normalized to 10
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
License🟢 10license file detected
Branch-Protection⚠️ -1internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Signed-Releases⚠️ -1no releases found
Binary-Artifacts🟢 10no binaries found in the repo
Pinned-Dependencies⚠️ 0dependency not pinned by hash detected -- score normalized to 0
Fuzzing⚠️ 0project is not fuzzed
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
npm/@typescript-eslint/types 8.59.2 🟢 5.9
Details
CheckScoreReason
Code-Review🟢 8Found 24/27 approved changesets -- score normalized to 8
Packaging⚠️ -1packaging workflow not detected
Security-Policy🟢 10security policy file detected
Maintained🟢 1030 commit(s) and 20 issue activity found in the last 90 days -- score normalized to 10
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
License🟢 10license file detected
Branch-Protection⚠️ -1internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Signed-Releases⚠️ -1no releases found
Binary-Artifacts🟢 10no binaries found in the repo
Pinned-Dependencies⚠️ 0dependency not pinned by hash detected -- score normalized to 0
Fuzzing⚠️ 0project is not fuzzed
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
npm/@typescript-eslint/typescript-estree 8.59.2 🟢 5.9
Details
CheckScoreReason
Code-Review🟢 8Found 24/27 approved changesets -- score normalized to 8
Packaging⚠️ -1packaging workflow not detected
Security-Policy🟢 10security policy file detected
Maintained🟢 1030 commit(s) and 20 issue activity found in the last 90 days -- score normalized to 10
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
License🟢 10license file detected
Branch-Protection⚠️ -1internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Signed-Releases⚠️ -1no releases found
Binary-Artifacts🟢 10no binaries found in the repo
Pinned-Dependencies⚠️ 0dependency not pinned by hash detected -- score normalized to 0
Fuzzing⚠️ 0project is not fuzzed
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
npm/@typescript-eslint/utils 8.59.2 🟢 5.9
Details
CheckScoreReason
Code-Review🟢 8Found 24/27 approved changesets -- score normalized to 8
Packaging⚠️ -1packaging workflow not detected
Security-Policy🟢 10security policy file detected
Maintained🟢 1030 commit(s) and 20 issue activity found in the last 90 days -- score normalized to 10
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
License🟢 10license file detected
Branch-Protection⚠️ -1internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Signed-Releases⚠️ -1no releases found
Binary-Artifacts🟢 10no binaries found in the repo
Pinned-Dependencies⚠️ 0dependency not pinned by hash detected -- score normalized to 0
Fuzzing⚠️ 0project is not fuzzed
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
npm/@typescript-eslint/visitor-keys 8.59.2 🟢 5.9
Details
CheckScoreReason
Code-Review🟢 8Found 24/27 approved changesets -- score normalized to 8
Packaging⚠️ -1packaging workflow not detected
Security-Policy🟢 10security policy file detected
Maintained🟢 1030 commit(s) and 20 issue activity found in the last 90 days -- score normalized to 10
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
License🟢 10license file detected
Branch-Protection⚠️ -1internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Signed-Releases⚠️ -1no releases found
Binary-Artifacts🟢 10no binaries found in the repo
Pinned-Dependencies⚠️ 0dependency not pinned by hash detected -- score normalized to 0
Fuzzing⚠️ 0project is not fuzzed
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
npm/ansi-escapes 7.3.0 🟢 3.7
Details
CheckScoreReason
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Binary-Artifacts🟢 10no binaries found in the repo
Code-Review⚠️ 2Found 7/30 approved changesets -- score normalized to 2
Security-Policy🟢 10security policy file detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
Maintained⚠️ 00 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0
Packaging⚠️ -1packaging workflow not detected
Pinned-Dependencies⚠️ 0dependency not pinned by hash detected -- score normalized to 0
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Fuzzing⚠️ 0project is not fuzzed
License🟢 10license file detected
Branch-Protection⚠️ 0branch protection not enabled on development/release branches
Signed-Releases⚠️ -1no releases found
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
npm/cli-truncate 5.2.0 🟢 4
Details
CheckScoreReason
Code-Review⚠️ 2Found 7/30 approved changesets -- score normalized to 2
Packaging⚠️ -1packaging workflow not detected
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Maintained🟢 34 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 3
Binary-Artifacts🟢 10no binaries found in the repo
Pinned-Dependencies⚠️ 0dependency not pinned by hash detected -- score normalized to 0
Security-Policy🟢 10security policy file detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Fuzzing⚠️ 0project is not fuzzed
License🟢 10license file detected
Signed-Releases⚠️ -1no releases found
Branch-Protection⚠️ 0branch protection not enabled on development/release branches
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
npm/eventemitter3 5.0.4 🟢 4
Details
CheckScoreReason
Code-Review⚠️ 1GitHub code reviews found for 3 commits out of the last 30 -- score normalized to 1
Maintained⚠️ 23 commit(s) out of 30 and 0 issue activity out of 30 found in the last 90 days -- score normalized to 2
CII-Best-Practices⚠️ 0no badge detected
Binary-Artifacts🟢 10no binaries found in the repo
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Token-Permissions⚠️ 0non read-only tokens detected in GitHub workflows
Packaging⚠️ -1no published package detected
License🟢 10license file detected
Pinned-Dependencies🟢 7dependency not pinned by hash detected -- score normalized to 7
Vulnerabilities🟢 10no vulnerabilities detected
Dependency-Update-Tool⚠️ 0no update tool detected
Signed-Releases⚠️ -1no releases found
Branch-Protection⚠️ 0branch protection not enabled on development/release branches
Fuzzing⚠️ 0project is not fuzzed
Security-Policy⚠️ 0security policy file not detected
npm/express-rate-limit 8.5.1 UnknownUnknown
npm/fast-uri 3.1.2 UnknownUnknown
npm/get-east-asian-width 1.5.0 🟢 4.3
Details
CheckScoreReason
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Code-Review🟢 4Found 12/25 approved changesets -- score normalized to 4
Packaging⚠️ -1packaging workflow not detected
Binary-Artifacts🟢 10no binaries found in the repo
Maintained🟢 45 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 4
Security-Policy🟢 10security policy file detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
Pinned-Dependencies⚠️ 0dependency not pinned by hash detected -- score normalized to 0
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Fuzzing⚠️ 0project is not fuzzed
License🟢 10license file detected
Signed-Releases⚠️ -1no releases found
Branch-Protection⚠️ 0branch protection not enabled on development/release branches
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
npm/hono 4.12.18 UnknownUnknown
npm/ip-address 10.2.0 🟢 4.1
Details
CheckScoreReason
Packaging⚠️ -1packaging workflow not detected
Token-Permissions⚠️ -1No tokens found
Code-Review⚠️ 0Found 1/30 approved changesets -- score normalized to 0
Dangerous-Workflow⚠️ -1no workflows found
Maintained🟢 1025 commit(s) and 12 issue activity found in the last 90 days -- score normalized to 10
Binary-Artifacts🟢 10no binaries found in the repo
Pinned-Dependencies⚠️ -1no dependencies found
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Security-Policy⚠️ 0security policy file not detected
Fuzzing⚠️ 0project is not fuzzed
License🟢 10license file detected
Branch-Protection⚠️ -1internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Signed-Releases⚠️ -1no releases found
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
npm/lint-staged 17.0.0 UnknownUnknown
npm/listr2 10.2.1 UnknownUnknown
npm/slice-ansi 8.0.0 🟢 4
Details
CheckScoreReason
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Security-Policy🟢 10security policy file detected
Binary-Artifacts🟢 10no binaries found in the repo
Packaging⚠️ -1packaging workflow not detected
Code-Review⚠️ 2Found 6/30 approved changesets -- score normalized to 2
Maintained🟢 33 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 3
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
Pinned-Dependencies⚠️ 0dependency not pinned by hash detected -- score normalized to 0
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Fuzzing⚠️ 0project is not fuzzed
License🟢 10license file detected
Signed-Releases⚠️ -1no releases found
Branch-Protection⚠️ 0branch protection not enabled on development/release branches
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
npm/string-width 8.2.1 🟢 4.4
Details
CheckScoreReason
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Packaging⚠️ -1packaging workflow not detected
Security-Policy🟢 10security policy file detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
Binary-Artifacts🟢 10no binaries found in the repo
Code-Review🟢 3Found 9/30 approved changesets -- score normalized to 3
Maintained🟢 66 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 6
Pinned-Dependencies⚠️ 0dependency not pinned by hash detected -- score normalized to 0
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Fuzzing⚠️ 0project is not fuzzed
License🟢 10license file detected
Signed-Releases⚠️ -1no releases found
Branch-Protection⚠️ 0branch protection not enabled on development/release branches
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
npm/tinyexec 1.1.2 UnknownUnknown
npm/typescript-eslint 8.59.2 🟢 5.9
Details
CheckScoreReason
Code-Review🟢 8Found 24/27 approved changesets -- score normalized to 8
Packaging⚠️ -1packaging workflow not detected
Security-Policy🟢 10security policy file detected
Maintained🟢 1030 commit(s) and 20 issue activity found in the last 90 days -- score normalized to 10
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
License🟢 10license file detected
Branch-Protection⚠️ -1internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Signed-Releases⚠️ -1no releases found
Binary-Artifacts🟢 10no binaries found in the repo
Pinned-Dependencies⚠️ 0dependency not pinned by hash detected -- score normalized to 0
Fuzzing⚠️ 0project is not fuzzed
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
npm/wrap-ansi 10.0.0 🟢 4.2
Details
CheckScoreReason
Code-Review⚠️ 2Found 7/30 approved changesets -- score normalized to 2
Packaging⚠️ -1packaging workflow not detected
Maintained🟢 57 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 5
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Binary-Artifacts🟢 10no binaries found in the repo
Security-Policy🟢 10security policy file detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
Pinned-Dependencies⚠️ 0dependency not pinned by hash detected -- score normalized to 0
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Fuzzing⚠️ 0project is not fuzzed
License🟢 10license file detected
Branch-Protection⚠️ 0branch protection not enabled on development/release branches
Signed-Releases⚠️ -1no releases found
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
npm/yaml 2.8.4 🟢 7.2
Details
CheckScoreReason
Maintained🟢 1023 commit(s) and 8 issue activity found in the last 90 days -- score normalized to 10
Code-Review⚠️ 0Found 0/11 approved changesets -- score normalized to 0
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Packaging⚠️ -1packaging workflow not detected
Security-Policy🟢 10security policy file detected
Binary-Artifacts🟢 10no binaries found in the repo
Pinned-Dependencies⚠️ 2dependency not pinned by hash detected -- score normalized to 2
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Token-Permissions🟢 9detected GitHub workflow tokens with excessive permissions
License🟢 10license file detected
Fuzzing🟢 10project is fuzzed
Signed-Releases⚠️ -1no releases found
Branch-Protection🟢 3branch protection is not maximal on development and all release branches
SAST🟢 10SAST tool is run on all commits

Scanned Files

  • .github/workflows/ai-issue-processing.yml
  • package-lock.json

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@gadeynebram @danmoseley @danhellem @simontherry @nikolapeja6 @krid-583