Skip to content

fix(vscode): harden runtime dependency validation (integrity checks, SHA256 verification, metadata timeout)#9376

Merged
lambrianmsft merged 6 commits into
Azure:mainfrom
lambrianmsft:lambrian/dependency_hardening
Jul 9, 2026
Merged

fix(vscode): harden runtime dependency validation (integrity checks, SHA256 verification, metadata timeout)#9376
lambrianmsft merged 6 commits into
Azure:mainfrom
lambrianmsft:lambrian/dependency_hardening

Conversation

@lambrianmsft

@lambrianmsft lambrianmsft commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

Commit Type

  • feature - New functionality
  • fix - Bug fix
  • refactor - Code restructuring without behavior change
  • perf - Performance improvement
  • docs - Documentation update
  • test - Test-related changes
  • chore - Maintenance/tooling

Risk Level

  • Low - Minor changes, limited scope
  • Medium - Moderate changes, some user impact
  • High - Major changes, significant user/system impact

What & Why

TL;DR: Hardens the VS Code extension against runtime-dependency corruption and startup hangs, so a corrupt/partially-deleted NodeJs or FuncCoreTools install is detected and repaired -- without re-slowing activation or redownloading when the on-disk copy is actually healthy.

Why: Users reported the extension getting stuck on "Validating Runtime Dependency: NodeJS" (blocking the designer from loading), silent failures when Function Host node/DLL files went missing (surfacing only as a cryptic func host crash: The system cannot find the file specified / Failed to start Worker Channel), and endless redownloads of NodeJs/FuncCoreTools on every restart. Only the extension bundle was integrity-checked; the other runtime dependencies had no health check.

This PR adds four layers of bounded, verifiable integrity checking:

  1. Metadata request timeout -- version/metadata resolution is now bounded so a stalled network call can no longer hang activation on "Validating Runtime Dependency: NodeJS".
  2. CDN SHA256 download verification -- downloaded archives are checked against the publisher-provided SHA256 (nodejs.org SHASUMS256.txt, func-core-tools .zip.sha2) before extraction; a corrupt download is caught and retried instead of extracted.
  3. On-disk integrity manifest (size + existence) -- after a successful install we persist a .logicapps-integrity.json manifest of every extracted file with its size. On startup each dependency is validated against its manifest; a missing file or size mismatch triggers a targeted reinstall, while a healthy install with a valid manifest is not redownloaded.
  4. Bounded per-file SHA256 content verification -- the manifest also stores a SHA256 for only the critical executables (node.exe/node, func.exe/func/func.dll), captured at install right after the archive''s CDN SHA256 was verified (so they are transitively CDN-anchored). On startup those few files are re-hashed to catch silent same-size corruption that a size-only check misses.

Whole-tree hashing was deliberately avoided: publishers hash the compressed archive (not the extracted tree, and extraction isn''t reversible), the Functions Core Tools release publishes zero per-file hashes, and re-hashing ~150 MB Function Host + ~70 MB NodeJs on every startup would risk reintroducing the exact activation hang being fixed.

Impact of Change

  • Users: No change for healthy installs (they are no longer needlessly redownloaded). A corrupt/incomplete NodeJs or FuncCoreTools install is now automatically detected and repaired instead of hanging activation or crashing the Function Host at debug time.
  • Developers: writeDependencyIntegrityManifest / verifyDependencyIntegrity are now async (awaited at 3 call sites). New telemetry signals for observability: <dep>IntegrityResult (passed / manifest-missing / size-mismatch / sha256-mismatch), <dep>IntegrityHashedFiles, <dep>IntegrityMismatchFile.
  • System: Adds a bounded metadata timeout and SHA256 verification on download; startup integrity check is size/existence for the full tree plus SHA256 for a handful of critical binaries only, so activation cost stays low. No workflow/designer product behavior changes.

Test Plan

  • Unit tests added/updated
  • E2E tests added/updated
  • Manual testing completed
  • Tested in:

Build: pnpm run build:extension succeeds (esbuild). Biome clean on all changed files.

Contributors

  • Author: @lambrianmsft
  • Co-author: Copilot (223556219+Copilot@users.noreply.github.com)

Screenshots/Videos

Not applicable -- CI/dependency-infra change with no visual UI surface. Verification evidence is unit-test output (116 passing) and local extension-host logs showing integrity-check pass/reinstall decisions.

lambrianmsft and others added 3 commits July 7, 2026 19:22
…cation, on-disk integrity manifest

- Add 30s timeout to readJsonFromUrl so NodeJs/Func/DotNet version lookups
  can no longer hang the extension on 'Validating Runtime Dependency: NodeJS'.
- Verify SHA256 of downloaded NodeJs (SHASUMS256.txt) and FuncCoreTools (.sha2
  sidecar) payloads, which upstream Content-MD5 checks don't cover for
  nodejs.org / GitHub release sources.
- Write a per-dependency on-disk integrity manifest (.logicapps-integrity.json)
  at install time and verify every recorded file + size at validation time so a
  removed/corrupt file forces a wipe + reinstall instead of failing at runtime.
- Wire integrity check into both NodeJs and FuncCoreTools validators; NodeJs
  validator now awaits binariesExist (fixes un-awaited Promise).

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Add tests locking in the reinstall-on-corruption behavior for the on-disk
integrity manifest:
- verifyDependencyIntegrity: manifest-invalid (files not an array),
  unconfigured binaries location, and a NodeJs happy path.
- writeDependencyIntegrityManifest: excludes the manifest file itself.
- validateNodeJsIsLatest / validateFuncCoreToolsIsLatest: binaries present
  but integrity invalid triggers reinstall; valid + current does not.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Extend the on-disk integrity manifest with an optional per-file sha256 for the primary executables (node.exe/node, func.exe/func/func.dll). These hashes are captured at install time right after the archive's CDN SHA256 was verified, so they are transitively CDN-anchored. On every startup the critical files are re-hashed and compared, catching silent same-size corruption that the size-only check misses, while the long tail stays size/existence-checked to avoid re-slowing activation.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings July 8, 2026 02:26
@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

🤖 AI PR Validation Report

PR Review Results

Thank you for your submission! Here's detailed feedback on your PR title and body compliance:

PR Title

  • Current: fix(vscode): harden runtime dependency validation (integrity checks, SHA256 verification, metadata timeout)
  • Issue: None. The title is specific, accurately describes the scope, and follows a good conventional format.
  • Recommendation: No change needed.

Commit Type

  • Properly selected (fix).
  • Only one commit type is selected, which is correct.

Risk Level

  • Properly selected (Medium).
  • Advised risk level remains medium based on the diff: this change touches dependency validation, download verification, integrity manifests, and install/reinstall behavior, but does not appear to be a broad architectural change.

What & Why

  • Current: Clear and detailed.
  • Issue: None required. The explanation is strong and sufficiently brief for the template.
  • Recommendation: No change needed.

Impact of Change

  • The section is well-populated and clearly describes user, developer, and system impact.
  • Recommendation:
    • Users: Good as written.
    • Developers: Good as written.
    • System: Good as written.

Test Plan

  • Test plan passes: the diff includes updated unit tests, which satisfies the template requirements.
  • Manual testing is also documented clearly, and the absence of E2E tests is acceptable because unit tests are present.

Contributors

  • Properly filled out.
  • Recommendation: No change needed.

Screenshots/Videos

  • Correctly marked as not applicable for a non-visual CI/dependency-infra change.
  • Recommendation: No change needed.

Summary Table

Section Status Recommendation
Title No changes needed
Commit Type No changes needed
Risk Level No changes needed
What & Why No changes needed
Impact of Change No changes needed
Test Plan No changes needed
Contributors No changes needed
Screenshots/Videos No changes needed

This PR passes review for title/body compliance. The advised risk level matches the submitter's estimate (medium).


Last updated: Thu, 09 Jul 2026 01:28:33 GMT

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR hardens the VS Code designer extension’s runtime dependency installation/validation path to prevent activation hangs and detect/repair corrupted or partially deleted Node.js / Azure Functions Core Tools installs.

Changes:

  • Adds bounded metadata lookups (timeout) to avoid activation hangs during dependency version resolution.
  • Adds SHA256 verification of downloaded dependency archives and writes an on-disk integrity manifest for extracted installs.
  • Updates Node.js and Func Core Tools “latest” validators to trigger reinstalls when integrity validation fails, with accompanying unit test coverage.

Reviewed changes

Copilot reviewed 9 out of 9 changed files in this pull request and generated 2 comments.

Show a summary per file
File Description
Localize/lang/strings.json Adds localized strings for new workflow-name validation messages.
apps/vs-code-designer/test-setup.ts Extends fs mocks to support new hashing/manifest behavior in tests.
apps/vs-code-designer/src/constants.ts Adds timeout and manifest filename constants for dependency validation.
apps/vs-code-designer/src/app/utils/binaries.ts Implements metadata timeout, archive SHA256 verification, and on-disk integrity manifest write/verify logic.
apps/vs-code-designer/src/app/utils/test/binaries.test.ts Adds unit tests for checksum resolution, SHA256 hashing, and integrity manifest validation.
apps/vs-code-designer/src/app/commands/nodeJs/validateNodeJsIsLatest.ts Reinstalls Node.js when on-disk integrity validation fails.
apps/vs-code-designer/src/app/commands/nodeJs/test/validateNodeJsIsLatest.test.ts Adds tests validating reinstall/no-reinstall behavior based on integrity checks.
apps/vs-code-designer/src/app/commands/funcCoreTools/validateFuncCoreToolsIsLatest.ts Reinstalls Func Core Tools when on-disk integrity validation fails.
apps/vs-code-designer/src/app/commands/funcCoreTools/test/validateFuncCoreToolsIsLatest.test.ts Adds tests validating reinstall/no-reinstall behavior based on integrity checks.

Comment thread apps/vs-code-designer/src/app/utils/binaries.ts
Comment thread apps/vs-code-designer/src/app/utils/binaries.ts
@lambrianmsft lambrianmsft added risk:medium Medium risk change with potential impact and removed needs-pr-update labels Jul 8, 2026
…entries

computeFileSha256 now feeds the Buffer chunk straight into hash.update instead of copying it into a new Uint8Array per chunk, removing avoidable allocation/CPU overhead when hashing large archives.

verifyDependencyIntegrity now fails fast (and schedules reinstall) when a recorded manifest entry is no longer a regular file (e.g. replaced by a directory or symlink), reported via the new 'not-a-file' integrity result. Adds a regression test and updates existing statSync stubs to model isFile().

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Comment thread apps/vs-code-designer/src/app/utils/binaries.ts Outdated
Comment thread apps/vs-code-designer/src/app/utils/binaries.ts Outdated
Comment thread apps/vs-code-designer/src/app/utils/binaries.ts Outdated
Comment thread apps/vs-code-designer/src/app/utils/binaries.ts Outdated
Comment thread apps/vs-code-designer/src/constants.ts Outdated
lambrianmsft and others added 2 commits July 8, 2026 17:34
…pper, drop URL regex and per-file integrity hashing

- Replace new echo executeCommand logs with ext.outputChannel.appendLog (localized)

- Rename downloadFileWithVerification -> downloadFileWithTransportVerification (transport-only)

- Remove URL regex in resolveExpectedDependencySha256; derive SHASUMS URL + artifact name from downloadUrl

- Drop per-file SHA256 from the on-disk integrity manifest (keep size+existence checks); manifest write/verify are now synchronous

- Trim verbose constants.ts comments; zero-copy hash.update view

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Replace logging-only executeCommand(..., echo, ...) calls with direct output channel appendLog calls across runtime dependency validation. Keep executeCommand only for real external processes like the DotNet installer, dotnet --version, and tar extraction.

Also align FuncCoreTools binary validation with NodeJS by skipping version probes when on-disk integrity has already failed, so a corrupt func install is reinstalled without executing it first.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@lambrianmsft lambrianmsft merged commit 8d1fbdb into Azure:main Jul 9, 2026
60 of 63 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

pr-validated risk:medium Medium risk change with potential impact

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants