fix: zip inflate with yauzl on node v24.16.0#318682
Merged
Merged
Conversation
Contributor
There was a problem hiding this comment.
Pull request overview
Updates yauzl to ^3.3.1 across the root, build/, and remote/ package manifests (with matching overrides) to pick up the upstream fix that makes the vendored fd-slicer use the proper _destroy(cb) contract. This unblocks npm run electron and any zip extraction path on Node v24.16.0+, where Readable.pause()/resume() becomes a no-op once a stream is marked destroyed, causing yauzl 2.x to hang mid-inflate.
Changes:
- Bump
yauzlfrom^3.0.0/^2.10.0to^3.3.1in root,build/, andremote/package.json, including addingyauzlto eachoverridesblock so nested consumers (e.g.gulp-vinyl-zip,extract-zip,@vscode/ripgrep,@vscode/vsce) all resolve to 3.3.1. - Regenerate lockfiles to resolve top-level
yauzl@3.3.1and remove the previously-nested oldyauzl/fd-slicercopies.
Reviewed changes
Copilot reviewed 3 out of 6 changed files in this pull request and generated no comments.
Show a summary per file
| File | Description |
|---|---|
| package.json | Bumps yauzl dep to ^3.3.1 and adds matching root override. |
| package-lock.json | Resolves top-level yauzl@3.3.1; removes nested old yauzl and fd-slicer entries from @vscode/ripgrep, extract-zip, and gulp-vinyl-zip. |
| build/package.json | Bumps build yauzl dep from ^2.10.0 to ^3.3.1 and adds override. |
| build/package-lock.json | Updates yauzl to 3.3.1 and drops the fd-slicer transitive dep. |
| remote/package.json | Bumps yauzl to ^3.3.1 and adds override (keeps versions aligned with root for hygiene check). |
| remote/package-lock.json | Resolves yauzl@3.3.1 at the top level. |
Files not reviewed (2)
- build/package-lock.json: Language not supported
- remote/package-lock.json: Language not supported
DonJayamanne
approved these changes
May 29, 2026
9 tasks
deepak1556
added a commit
that referenced
this pull request
Jun 28, 2026
Node 24.16+ made Readable pause()/resume() a no-op on destroyed streams which makes yauzl 2.x / extract-zip 2.x and older playwright extraction hang forever. - extensions/copilot: add "yauzl": "^3.3.1" override (was missed by #318682) so electron and @vscode/vsce no longer resolve the broken yauzl 2.10, fixing the hung `npm ci` in the Copilot and Extract chat-lib pipelines. - extensions/copilot: bump electron ^39.8.5 -> ^42.5.0 so its install script uses the native @electron-internal/extract-zip instead of extract-zip. - bump @playwright/test ^1.56.1 -> ^1.61.1 so `playwright install` uses the fixed extractor, unblocking the "Download Electron and Playwright" step in all electron test pipelines.
deepak1556
added a commit
that referenced
this pull request
Jun 29, 2026
Node 24.16+ made Readable pause()/resume() a no-op on destroyed streams which makes yauzl 2.x / extract-zip 2.x and older playwright extraction hang forever. - extensions/copilot: add "yauzl": "^3.3.1" override (was missed by #318682) so electron and @vscode/vsce no longer resolve the broken yauzl 2.10, fixing the hung `npm ci` in the Copilot and Extract chat-lib pipelines. - extensions/copilot: bump electron ^39.8.5 -> ^42.5.0 so its install script uses the native @electron-internal/extract-zip instead of extract-zip. - bump @playwright/test ^1.56.1 -> ^1.61.1 so `playwright install` uses the fixed extractor, unblocking the "Download Electron and Playwright" step in all electron test pipelines.
deepak1556
added a commit
that referenced
this pull request
Jun 29, 2026
Node 24.16+ made Readable pause()/resume() a no-op on destroyed streams which makes yauzl 2.x / extract-zip 2.x and older playwright extraction hang forever. - extensions/copilot: add "yauzl": "^3.3.1" override (was missed by #318682) so electron and @vscode/vsce no longer resolve the broken yauzl 2.10, fixing the hung `npm ci` in the Copilot and Extract chat-lib pipelines. - extensions/copilot: bump electron ^39.8.5 -> ^42.5.0 so its install script uses the native @electron-internal/extract-zip instead of extract-zip. - bump @playwright/test ^1.56.1 -> ^1.61.1 so `playwright install` uses the fixed extractor, unblocking the "Download Electron and Playwright" step in all electron test pipelines.
deepak1556
added a commit
that referenced
this pull request
Jun 29, 2026
Node 24.16+ made Readable pause()/resume() a no-op on destroyed streams which makes yauzl 2.x / extract-zip 2.x and older playwright extraction hang forever. - extensions/copilot: add "yauzl": "^3.3.1" override (was missed by #318682) so electron and @vscode/vsce no longer resolve the broken yauzl 2.10, fixing the hung `npm ci` in the Copilot and Extract chat-lib pipelines. - extensions/copilot: bump electron ^39.8.5 -> ^42.5.0 so its install script uses the native @electron-internal/extract-zip instead of extract-zip. - bump @playwright/test ^1.56.1 -> ^1.61.1 so `playwright install` uses the fixed extractor, unblocking the "Download Electron and Playwright" step in all electron test pipelines.
deepak1556
added a commit
that referenced
this pull request
Jun 29, 2026
Node 24.16+ made Readable pause()/resume() a no-op on destroyed streams which makes yauzl 2.x / extract-zip 2.x and older playwright extraction hang forever. - extensions/copilot: add "yauzl": "^3.3.1" override (was missed by #318682) so electron and @vscode/vsce no longer resolve the broken yauzl 2.10, fixing the hung `npm ci` in the Copilot and Extract chat-lib pipelines. - extensions/copilot: bump electron ^39.8.5 -> ^42.5.0 so its install script uses the native @electron-internal/extract-zip instead of extract-zip. - bump @playwright/test ^1.56.1 -> ^1.61.1 so `playwright install` uses the fixed extractor, unblocking the "Download Electron and Playwright" step in all electron test pipelines.
deepak1556
added a commit
that referenced
this pull request
Jun 29, 2026
Node 24.16+ made Readable pause()/resume() a no-op on destroyed streams which makes yauzl 2.x / extract-zip 2.x and older playwright extraction hang forever. - extensions/copilot: add "yauzl": "^3.3.1" override (was missed by #318682) so electron and @vscode/vsce no longer resolve the broken yauzl 2.10, fixing the hung `npm ci` in the Copilot and Extract chat-lib pipelines. - extensions/copilot: bump electron ^39.8.5 -> ^42.5.0 so its install script uses the native @electron-internal/extract-zip instead of extract-zip. - bump @playwright/test ^1.56.1 -> ^1.61.1 so `playwright install` uses the fixed extractor, unblocking the "Download Electron and Playwright" step in all electron test pipelines.
deepak1556
added a commit
that referenced
this pull request
Jun 29, 2026
* chore: bump electron@42.4.0 * chore: apply temp dir workaround for short paths * chore: use 24.15.x for CI node * chore: update nodejs build * chore: bump electron@42.5.0 * fix: unblock playwright install on node 24.17 Node 24.16+ made Readable pause()/resume() a no-op on destroyed streams which makes yauzl 2.x / extract-zip 2.x and older playwright extraction hang forever. - extensions/copilot: add "yauzl": "^3.3.1" override (was missed by #318682) so electron and @vscode/vsce no longer resolve the broken yauzl 2.10, fixing the hung `npm ci` in the Copilot and Extract chat-lib pipelines. - extensions/copilot: bump electron ^39.8.5 -> ^42.5.0 so its install script uses the native @electron-internal/extract-zip instead of extract-zip. - bump @playwright/test ^1.56.1 -> ^1.61.1 so `playwright install` uses the fixed extractor, unblocking the "Download Electron and Playwright" step in all electron test pipelines. * chore: update build * agentHost: fix macOS sandbox smoke sentinel parsing On macOS CI, the AgentHost sandbox smoke test resolves the shell to /bin/sh, which uses the sentinel-based completion path. In that path, the parser could consume the echoed sentinel command text (`<<<COPILOT_SENTINEL_..._EXIT_$?>>>`) before the real numeric marker arrived, causing a false `Exit code: -1` failure even though the command later completed successfully. Harden the sentinel parser to ignore echoed/non-numeric sentinel text and use the latest complete numeric marker instead. Also force the macOS AgentHost sandbox smoke test to use /bin/sh and assert that in the suite log so local runs exercise the same path as CI. Adds a regression test for echoed sentinel command text. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * chore: update screenshot baseline after playwright bump * chore: bump distro * chore: fix typecheck * chore: bump distro --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Followup to #316661
Node.js v24.16.0 made
Readable.prototype.pause()/resume()a no-op once the stream is marked destroyed (nodejs/node#62557). yauzlfd-slicersetsself.destroyed = truebeforeself.push(null)at end-of-range, so once Node 24.16 sees the destroyed flag, zlib never flushes its tail and never emits 'end'.npm run electron(build/lib/electron.ts → @vscode/gulp-electron → gulp-vinyl-zip → yauzl) silently produces abroken
.build/electroncontaining only a handful of files: the first large compressed entry hangs forever, and thebuild exits with a corrupt Electron bundle.
The fix landed upstream in yauzl 3.3.1 (thejoshwolfe/yauzl#170), which rewrites the vendored fd-slicer to use the proper
_destroy(cb)contract.Audit of yauzl consumers in the repo (by copilot)
Direct callers:
Uses:
open(path, { lazyEntries }, cb),Entry,ZipFiletypes,zipfile.openReadStream(entry, cb),zipfile.readEntry(), events 'entry'/'close'/'error'. All present and unchanged in v3.Both use:
yauzl.open(zipPath, { lazyEntries: true, autoClose: true }, cb)andzipfile.openReadStream(entry, cb). Both unchanged in v3.Indirect callers (node_modules):
yauzl.open(...openReadStream...)yauzl.open(...openReadStream...)yauzl.fromBuffer/open + openReadStreamyauzl.open(...openReadStream...)API contract: v2 -> v3 is safe for every caller above
yauzl 3.x removed only legacy stuff that no caller in this repo relies on:
fd-slicerdependency; vendors a small internal one. None of our callers touch fd-slicer directly.decodeStrings: falseis no longer auto-enabled whenstrictFileNamesis true; our callers do not pass either option, so default behavior is unchanged.open(path, options?, cb),fromBuffer(buffer, options?, cb),dosDateTimeToDate(date, time),ZipFile:readEntry(),openReadStream(entry, options?, cb),events 'entry'/'end'/'close'/'error',
Entry:fileName,compressionMethod,compressedSize,uncompressedSize,relativeOffsetOfLocalHeader,getLastModDate(),lazyEntries,autoCloseoptions is identical between 2.x and 3.x.src/vs/base/node/zip.ts.