From c1ce5a5d8b7f47ab1ee0786d47731f9f44454092 Mon Sep 17 00:00:00 2001 From: Hamhire Hu Date: Tue, 23 Jun 2026 17:35:07 +0800 Subject: [PATCH 1/2] =?UTF-8?q?fix(deps):=20=E7=BB=8F=20audit=20fix=20?= =?UTF-8?q?=E5=8D=87=E7=BA=A7=20undici/vite/tar=20=E5=88=B0=E5=85=BC?= =?UTF-8?q?=E5=AE=B9=E5=AE=89=E5=85=A8=E8=A1=A5=E4=B8=81?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit npm audit fix(非 --force)仅应用上游父依赖已允许的兼容升级:undici 6.27.0 (直接,修 6.x 告警)+ 7.28.0(@electron/get 传递)、vite 7.3.5、tar 7.5.16。 清掉对应 Dependabot 告警(undici/vite/tar)。仅 lockfile 变更。 余下 dompurify(monaco) / form-data+tmp(nx) / js-yaml(gray-matter) / esbuild(vite 锁 ^0.27) 均无兼容上游修复(仅 major 父升级可解),按既定规则暂不强升、保留告警。 Co-Authored-By: Claude Opus 4.8 --- package-lock.json | 100 ++++++++++++++++++++++++++++++++-------------- 1 file changed, 70 insertions(+), 30 deletions(-) diff --git a/package-lock.json b/package-lock.json index 80ff0d98..ee3ef91a 100644 --- a/package-lock.json +++ b/package-lock.json @@ -84,9 +84,9 @@ } }, "apps/desktop/node_modules/undici": { - "version": "6.26.0", - "resolved": "https://registry.npmjs.org/undici/-/undici-6.26.0.tgz", - "integrity": "sha512-4yqz8a3n5HmGTlsbADNtr/dJlhkh/55Rq798G6ibiULcXbDtaLpTl1pvdqcbFfeoj3iSi52lePFM7h9H21cw/A==", + "version": "6.27.0", + "resolved": "https://registry.npmjs.org/undici/-/undici-6.27.0.tgz", + "integrity": "sha512-YmfV3YnEDzXRC5lZ2jWtWWHKGUm1zIt8AhesR1tens+HTNv+YZlN/dp6G727LOvMJ8xjP9Be7Y2Sdr96LDm+pg==", "license": "MIT", "engines": { "node": ">=18.17" 
@@ -1345,10 +1345,20 @@ } }, "node_modules/@eslint/eslintrc/node_modules/js-yaml": { - "version": "4.1.1", - "resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-4.1.1.tgz", - "integrity": "sha512-qQKT4zQxXl8lLwBtHMWwaTcGfFOZviOJet3Oy/xmGk2gZH677CJM9EvtfdSkgWcATZhj/55JZ0rmy3myCT5lsA==", + "version": "4.2.0", + "resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-4.2.0.tgz", + "integrity": "sha512-ePWsvanv0DWuDRsW8dnt+R4jQ31SCRCQ7hhNcPXZPsoBZiemuZNYGf7adZdqX2D86j6rvKp3RpCxVTSb8WQlOw==", "dev": true, + "funding": [ + { + "type": "github", + "url": "https://github.com/sponsors/puzrin" + }, + { + "type": "github", + "url": "https://github.com/sponsors/nodeca" + } + ], "license": "MIT", "dependencies": { "argparse": "^2.0.1" @@ -3895,10 +3905,20 @@ } }, "node_modules/app-builder-lib/node_modules/js-yaml": { - "version": "4.1.1", - "resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-4.1.1.tgz", - "integrity": "sha512-qQKT4zQxXl8lLwBtHMWwaTcGfFOZviOJet3Oy/xmGk2gZH677CJM9EvtfdSkgWcATZhj/55JZ0rmy3myCT5lsA==", + "version": "4.2.0", + "resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-4.2.0.tgz", + "integrity": "sha512-ePWsvanv0DWuDRsW8dnt+R4jQ31SCRCQ7hhNcPXZPsoBZiemuZNYGf7adZdqX2D86j6rvKp3RpCxVTSb8WQlOw==", "dev": true, + "funding": [ + { + "type": "github", + "url": "https://github.com/sponsors/puzrin" + }, + { + "type": "github", + "url": "https://github.com/sponsors/nodeca" + } + ], "license": "MIT", "dependencies": { "argparse": "^2.0.1" 
@@ -4452,10 +4472,20 @@ } }, "node_modules/builder-util/node_modules/js-yaml": { - "version": "4.1.1", - "resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-4.1.1.tgz", - "integrity": "sha512-qQKT4zQxXl8lLwBtHMWwaTcGfFOZviOJet3Oy/xmGk2gZH677CJM9EvtfdSkgWcATZhj/55JZ0rmy3myCT5lsA==", + "version": "4.2.0", + "resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-4.2.0.tgz", + "integrity": "sha512-ePWsvanv0DWuDRsW8dnt+R4jQ31SCRCQ7hhNcPXZPsoBZiemuZNYGf7adZdqX2D86j6rvKp3RpCxVTSb8WQlOw==", "dev": true, + "funding": [ + { + "type": "github", + "url": "https://github.com/sponsors/puzrin" + }, + { + "type": "github", + "url": "https://github.com/sponsors/nodeca" + } + ], "license": "MIT", "dependencies": { "argparse": "^2.0.1" @@ -5754,10 +5784,20 @@ } }, "node_modules/dmg-builder/node_modules/js-yaml": { - "version": "4.1.1", - "resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-4.1.1.tgz", - "integrity": "sha512-qQKT4zQxXl8lLwBtHMWwaTcGfFOZviOJet3Oy/xmGk2gZH677CJM9EvtfdSkgWcATZhj/55JZ0rmy3myCT5lsA==", + "version": "4.2.0", + "resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-4.2.0.tgz", + "integrity": "sha512-ePWsvanv0DWuDRsW8dnt+R4jQ31SCRCQ7hhNcPXZPsoBZiemuZNYGf7adZdqX2D86j6rvKp3RpCxVTSb8WQlOw==", "dev": true, + "funding": [ + { + "type": "github", + "url": "https://github.com/sponsors/puzrin" + }, + { + "type": "github", + "url": "https://github.com/sponsors/nodeca" + } + ], "license": "MIT", "dependencies": { "argparse": "^2.0.1" 
@@ -9172,9 +9212,9 @@ } }, "node_modules/mermaid/node_modules/dompurify": { - "version": "3.4.8", - "resolved": "https://registry.npmjs.org/dompurify/-/dompurify-3.4.8.tgz", - "integrity": "sha512-yb1cEmaOum7wFvOCSQxyfgVlv5D47Rc30iZWoMpbDIWTnJ6grDDQyu2KFJzB2k7u0pMuJcQ1zphH//fFnw2tjQ==", + "version": "3.4.11", + "resolved": "https://registry.npmjs.org/dompurify/-/dompurify-3.4.11.tgz", + "integrity": "sha512-zhlUV12GsaRzMsf9q5M254YhA4+VuF0fG+QFqu6aYpoGlKtz+w8//jBcGVYBgQkR5GHjUomejY84AV+/uPbWdw==", "license": "(MPL-2.0 OR Apache-2.0)", "optionalDependencies": { "@types/trusted-types": "^2.0.7" @@ -10022,9 +10062,9 @@ } }, "node_modules/node-gyp/node_modules/undici": { - "version": "6.26.0", - "resolved": "https://registry.npmjs.org/undici/-/undici-6.26.0.tgz", - "integrity": "sha512-4yqz8a3n5HmGTlsbADNtr/dJlhkh/55Rq798G6ibiULcXbDtaLpTl1pvdqcbFfeoj3iSi52lePFM7h9H21cw/A==", + "version": "6.27.0", + "resolved": "https://registry.npmjs.org/undici/-/undici-6.27.0.tgz", + "integrity": "sha512-YmfV3YnEDzXRC5lZ2jWtWWHKGUm1zIt8AhesR1tens+HTNv+YZlN/dp6G727LOvMJ8xjP9Be7Y2Sdr96LDm+pg==", "dev": true, "license": "MIT", "engines": { @@ -12433,9 +12473,9 @@ } }, "node_modules/tar": { - "version": "7.5.15", - "resolved": "https://registry.npmjs.org/tar/-/tar-7.5.15.tgz", - "integrity": "sha512-dzGK0boVlC4W5QFuQN1EFSl3bIDYsk7Tj40U6eIBnK2k/8ml7TZ5agbI5j5+qnoVcAA+rNtBml8SEiLxZpNqRQ==", + "version": "7.5.16", + "resolved": "https://registry.npmjs.org/tar/-/tar-7.5.16.tgz", + "integrity": "sha512-56adEpPMouktRlBLXiaYFFzZ/3+JXa8P9n7WbR+ibIjtviN55mEaOkiysCnPnWm+7kkui1Dn8J9l+g6zV8731w==", "dev": true, "license": "BlueOak-1.0.0", "dependencies": { 
@@ -12840,9 +12880,9 @@ } }, "node_modules/undici": { - "version": "7.26.0", - "resolved": "https://registry.npmjs.org/undici/-/undici-7.26.0.tgz", - "integrity": "sha512-3O9Tf67pGhgOv9jM35AbhkXAKi13f3oy3aE4CSgr+TckGeY+/iu97ZXN+J7DpHPzLbVApFd1IFhcnBjREYXYcg==", + "version": "7.28.0", + "resolved": "https://registry.npmjs.org/undici/-/undici-7.28.0.tgz", + "integrity": "sha512-cRZYrTDwWznlnRiPjggAGxZXanty6M8RV1ff8Wm4LWXBp7/IG8v5DnOm74DtUBp9OONpK75YlPnIjQqX0dBDtA==", "dev": true, "license": "MIT", "optional": true, @@ -13090,9 +13130,9 @@ } }, "node_modules/vite": { - "version": "7.3.3", - "resolved": "https://registry.npmjs.org/vite/-/vite-7.3.3.tgz", - "integrity": "sha512-/4XH147Ui7OGTjg3HbdWe5arnZQSbfuRzdr9Ec7TQi5I7R+ir0Rlc9GIvD4v0XZurELqA035KVXJXpR61xhiTA==", + "version": "7.3.5", + "resolved": "https://registry.npmjs.org/vite/-/vite-7.3.5.tgz", + "integrity": "sha512-KuOaNhcnGFN2zIPGA7wRmzF+lJA1sea7rHq17aiJ++9lzY1WWG6Jpwqwe1KNbRVPIqHmr8GLYx7jbrQcN/7/ww==", "dev": true, "license": "MIT", "dependencies": { From d4f089d596b7ab90f2e6db6e8368cee76a56f51e Mon Sep 17 00:00:00 2001 
From: Hamhire Hu
Date: Tue, 23 Jun 2026 17:37:01 +0800
Subject: [PATCH 2/2] =?UTF-8?q?fix(chat):=20=E6=8A=91=E5=88=B6=20litellm?=
 =?UTF-8?q?=20=E8=A3=85=E9=A5=B0=E6=80=A7=20stdout=20=E6=8F=90=E7=A4=BA?=
 =?UTF-8?q?=EF=BC=8C=E9=81=BF=E5=85=8D=E6=BC=8F=E8=BF=9B=E8=AF=84=E5=AE=A1?=
 =?UTF-8?q?=E6=80=BB=E7=BB=93?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

litellm 对未进本地 model_cost 表的新模型(如 claude-opus-4-8)在 cost/token 计量里 get_llm_provider 解析失败时,会先把红字「Provider List: …」print 到 stdout 再抛错 (错误被上游吞掉、不影响结果);编排 chat 通道以子进程 stdout 作模型回复,该 print 漏进了 评审总结正文。patch 时置 litellm.suppress_debug_info=True 关掉这些 print(正是该段的开关), 全局生效、与版本无关,放在版本守卫/CLI 分支之前。docs/arch/04 同步说明。

Co-Authored-By: Claude Opus 4.8 (1M context)
---
 .../meebox_pragent_shim/patches/litellm_handler.py | 11 +++++++++++
 docs/arch/04-pragent-runtime.md | 5 ++++-
 2 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/apps/desktop/scripts/pragent-shim/meebox_pragent_shim/patches/litellm_handler.py b/apps/desktop/scripts/pragent-shim/meebox_pragent_shim/patches/litellm_handler.py
index 354a14e6..7d057015 100644
--- a/apps/desktop/scripts/pragent-shim/meebox_pragent_shim/patches/litellm_handler.py
+++ b/apps/desktop/scripts/pragent-shim/meebox_pragent_shim/patches/litellm_handler.py
@@ -100,6 +100,17 @@ def patch(module) -> None:
     容器:凡走 anthropic 原厂的模型一律不发 temperature。LiteLLMAIHandler.__init__ 里
     `self.no_support_temperature_models = NO_SUPPORT_TEMPERATURE_MODELS` 取的是模块全局名,故重绑
     全局即对之后创建的 handler 生效;只动成员判定、不碰 system/user 合并。"""
+    # 抑制 litellm 往 **stdout** 打的「Provider List: …」等装饰性提示(ANSI 红字)。编排 chat 通道以子进程
+    # stdout 作模型回复:litellm 在 cost/token 计量里对未进本地 model_cost 表的新模型(如 claude-opus-4-8)
+    # 调 get_llm_provider 失败时会先 print 该提示再抛错(错误被上游吞掉、不影响最终结果),但 print 已污染
+    # stdout、漏进评审总结。置 suppress_debug_info=True 关掉这些 print(真实 usage 由我们自己的 hook 采集,
+    # 不依赖这些输出)。全局生效、与 pr-agent 版本无关,故放在版本守卫与 CLI 分支之前。
+    try:
+        import litellm
+
+        litellm.suppress_debug_info = True
+    except Exception:  # noqa: BLE001 - litellm 未就绪等,纯装饰性抑制失败不致命
+        pass
     # (0) CLI 模式:换 chat_completion 直接调本机 CLI,绕过 litellm。放在版本守卫之前,
     # 因为它只依赖 base_ai_handler 的稳定契约,跟 pr-agent 内部实现无关。装好即 return。
     if os.environ.get("MEEBOX_CLI_MODE"):
diff --git a/docs/arch/04-pragent-runtime.md b/docs/arch/04-pragent-runtime.md
index d64cfa9f..5b650a62 100644
--- a/docs/arch/04-pragent-runtime.md
+++ b/docs/arch/04-pragent-runtime.md
@@ -72,7 +72,10 @@ inline 包 pr-agent 的 `_get_completion`,从返回的 `response.usage` 取 `p
 以哨兵行 `@@MEEBOX_USAGE@@ {json}` 打到 **stderr**;主进程逐行捕获、按前缀累加、落到 run(见 [05](05-review-workflow.md))。
 **为什么 inline 而非 litellm callback**:litellm 的 async 回调走后台 logging worker,短命 CLI 退出过快会被丢;
 inline 在 await 链里必在退出前执行,可靠。只取 token、不取 cost → 统一设 `LITELLM_LOCAL_MODEL_COST_MAP=True`
-关掉 litellm 的远端价格表联网(弱网会 SSL 超时)。
+关掉 litellm 的远端价格表联网(弱网会 SSL 超时)。另在 patch 时置 `litellm.suppress_debug_info=True`:编排 chat
+通道以子进程 **stdout** 作模型回复,而 litellm 对未进本地 `model_cost` 表的新模型(如 `claude-opus-4-8`)在 cost/token
+计量里调 `get_llm_provider` 失败时会先 `print` 装饰性的「Provider List: …」(ANSI 红字)再抛错(错误被吞、不影响结果),
+该 print 会污染 stdout、漏进评审总结——置此开关关掉这些 print。
 ### 本地 CLI provider
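Review bot: The `try`/`except` around `litellm.suppress_debug_info = True` only protects the `import litellm`; assigning an attribute on a module never raises, so on a litellm release that renames or drops this flag the switch silently becomes a no-op and the stdout pollution this commit fixes returns unnoticed. Consider guarding it, e.g. `if not hasattr(litellm, "suppress_debug_info"): log.warning("litellm.suppress_debug_info missing; provider-list output may reach stdout")` (with whatever logger the module already has), and logging at debug level in the `except` branch instead of a bare `pass` so a failed import is at least visible. More fundamentally, per the commit message the chat channel treats the subprocess's entire stdout as the model reply, so any other stray `print` from litellm or its dependencies will still land in the review text; wrapping the litellm call in `contextlib.redirect_stdout(sys.stderr)` or framing the reply with a sentinel like the existing `@@MEEBOX_USAGE@@` stderr line would close that class of leak rather than this one symptom. `patch` begins before this hunk (its docstring is the leading context) and continues past it.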