deps: migrate pi agent suite to @earendil-works (closes remaining advisories)#63
Open
ApiliumDevTeam wants to merge 1 commit into
The @mariozechner/pi-{agent-core,ai,coding-agent,tui} packages were renamed
and deprecated ("use @earendil-works/... going forward"); their last published
version (0.73.1) is still affected by 3 open advisories with no fix. Migrate
the whole suite to @earendil-works/pi-* ^0.80.2, which carries the fixes.
- Repoint all import specifiers @mariozechner/pi-* -> @earendil-works/pi-*
across src, extensions, scripts, skills, docs and the mac packaging script.
- Bump the 4 root deps to ^0.80.2.
- Adapt to the 0.54 -> 0.80 API surface:
  - pi-ai: legacy helpers (complete/completeSimple/stream/streamSimple/getModel/
    getEnvApiKey/streamOpenAIResponses) moved to the `@earendil-works/pi-ai/compat`
    subpath; OAuth helpers to `@earendil-works/pi-ai/oauth`; deep `/dist/...`
    imports repointed (types -> root, google-shared -> /api); onPayload callback
    now (payload, model); ProviderHeaders allows null values; typebox re-exported
    from pi-ai.
  - pi-tui: dropped the `Editor` infix (getKeybindings/setKeybindings/
    KeybindingsConfig/KeybindingsManager); KeybindingsManager(definitions,
    userBindings?); namespaced keybinding ids; async 4-arg AutocompleteProvider.
  - pi-coding-agent: codingTools -> createCodingTools(cwd); Skill.source ->
    Skill.sourceInfo.source; ModelRegistry.create(...)/getApiKeyForProvider;
    generateSummary headers param; createAgentSession tools is a name allowlist.
  - pi-agent-core: agent.replaceMessages/setSystemPrompt -> agent.state.*.
- Add pnpm override "@apilium/mayros": "workspace:*" so the bluebubbles plugin
resolves its peer to the workspace package instead of pulling the published
0.1.1, which bundled the old vulnerable pi suite.
Closes the 3 remaining pi-coding-agent advisories: pnpm audit no longer reports
any @mariozechner/pi or pi-coding-agent finding, and @earendil-works has none.
Verified: pnpm install, pnpm tsgo (0 errors), pnpm lint (0 errors), oxfmt on
changed files. Full test suite not run here (native deps + live keys); needs a
CI run and a smoke test of the agent runtime before merge.
Summary

Migrates the core agent runtime from the deprecated `@mariozechner/pi-*` packages to their maintained successor `@earendil-works/pi-*` (`^0.80.2`).

This closes the 3 remaining Dependabot advisories that PR #62 could not fix: the old `@mariozechner/pi-coding-agent` is deprecated and its latest published version (0.73.1) is still vulnerable, so a version bump was impossible — the fixes only exist under the new `@earendil-works` scope. After this change `pnpm audit` reports no `@mariozechner/pi` or `pi-coding-agent` finding, and `@earendil-works` has 0 advisories.

What changed

- `@mariozechner/pi-*` → `@earendil-works/pi-*` across `src/`, `extensions/`, `scripts/`, `skills/`, `docs/` and the mac packaging script. Bumped the 4 root deps to `^0.80.2`.
- Adapt to the 0.54 → 0.80 API surface (…`any`/`@ts-ignore`/suppression):
  - pi-ai: legacy helpers (`complete`, `completeSimple`, `stream`, `streamSimple`, `getModel`, `getEnvApiKey`, `streamOpenAIResponses`) moved to the `@earendil-works/pi-ai/compat` subpath; OAuth helpers to `@earendil-works/pi-ai/oauth`; deep `/dist/...` imports repointed (`types` → root, `google-shared` → `/api`); `onPayload` is now `(payload, model)`; `ProviderHeaders` allows `null`; `typebox` re-exported from pi-ai.
  - pi-tui: dropped the `Editor` infix (`getKeybindings`/`setKeybindings`/`KeybindingsConfig`/`KeybindingsManager`); `KeybindingsManager(definitions, userBindings?)`; namespaced keybinding ids (`tui.select.cancel`); async 4-arg `AutocompleteProvider.getSuggestions`.
  - pi-coding-agent: `codingTools` → `createCodingTools(cwd)`; `Skill.source` → `Skill.sourceInfo.source`; `ModelRegistry.create(...)` + `getApiKeyForProvider(...)`; `generateSummary` gained a `headers?` param; `createAgentSession({ tools })` is now a name allowlist (`string[]`).
  - pi-agent-core: `agent.replaceMessages(...)`/`setSystemPrompt(...)` → `agent.state.messages`/`agent.state.systemPrompt`.
- `pnpm.overrides` += `"@apilium/mayros": "workspace:*"` — the `bluebubbles` plugin peer-depends on `@apilium/mayros`, which pnpm was satisfying with the published `0.1.1` that bundled the old vulnerable pi suite. Forcing the peer to the workspace package removes that nested copy entirely (it was the source of the last 3 advisory instances).

Relationship to #62

Independent branch off `dev`. #62 (overrides for the other ~137 advisories) and this PR are complementary; with both merged, `pnpm audit` should be at ~0.

Verification

- `pnpm install` — clean.
- `pnpm tsgo` — 0 errors (from 146).
- `pnpm lint` — 0 errors (pre-existing warnings only).
- `oxfmt` — changed files formatted.
- `pnpm audit` — 0 `pi-coding-agent`/`@mariozechner/pi`/`@earendil-works` findings.
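A pre-merge check for the nested-copy problem the PR describes, added here as an example and not part of the PR or the project: it greps the source tree for import specifiers that still name the old scope and walks `node_modules` at any depth for installed `@mariozechner/pi-*` packages, which is how the plugin peer resolution kept a vulnerable 0.73.1 copy around. The sample tree, its file contents and the plugin name `some-plugin` are constructed for the demonstration.

```shell
#!/bin/sh
# Added pre-merge check, not part of the PR: flags source files that still
# import the deprecated @mariozechner/pi-* scope and any installed copy of it
# left under node_modules, including copies nested under a plugin.
OLD_SCOPE='@mariozechner/pi-'

# Lists files under $1 (skipping node_modules) that still import the old scope.
stale_imports() {
  grep -rl --exclude-dir=node_modules \
    -e "from ['\"]$OLD_SCOPE" -e "require(['\"]$OLD_SCOPE" "$1" 2>/dev/null || true
}

# Lists each installed @mariozechner/pi-* directory under $1 with its version,
# at any nesting depth; -prune stops find from descending into a matched package.
stale_installs() {
  [ -d "$1/node_modules" ] || return 0
  find "$1/node_modules" -type d -path "*/node_modules/$OLD_SCOPE*" -prune -print 2>/dev/null |
  while read -r dir; do
    ver=$(sed -n 's/.*"version": *"\([^"]*\)".*/\1/p' "$dir/package.json" 2>/dev/null | head -n 1)
    printf '%s %s\n' "$dir" "${ver:-unknown}"
  done
}

# Returns 0 when the tree is clean, 1 when either check finds something.
check_tree() {
  imports=$(stale_imports "$1")
  installs=$(stale_installs "$1")
  [ -z "$imports" ] && [ -z "$installs" ] && return 0
  [ -n "$imports" ] && printf 'stale import specifiers:\n%s\n' "$imports"
  [ -n "$installs" ] && printf 'stale installed copies:\n%s\n' "$installs"
  return 1
}

# Constructed sample tree (hypothetical paths): one migrated file, one stale
# import, and a 0.73.1 copy nested under a plugin's own node_modules.
make_sample() {
  d=$(mktemp -d)
  nested="$d/node_modules/some-plugin/node_modules/${OLD_SCOPE}coding-agent"
  mkdir -p "$d/src" "$d/node_modules/@earendil-works/pi-ai" "$nested"
  echo "import { createCodingTools } from '@earendil-works/pi-coding-agent';" > "$d/src/ok.ts"
  echo "import { codingTools } from '@mariozechner/pi-coding-agent';" > "$d/src/stale.ts"
  echo '{"name":"@mariozechner/pi-coding-agent","version":"0.73.1"}' > "$nested/package.json"
  echo "$d"
}

# Usage on a real checkout: check_tree "$(pwd)"  (exit status 1 = migration incomplete)
```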