feat: ts-builder vscode-integration command #1429

Open
AStaroverov wants to merge 2 commits into main from feat/ts-builder-vscode

Conversation

@AStaroverov commented Feb 11, 2026

This pull request introduces a new CLI command to the ts-builder tool for automating VSCode (and Cursor IDE) integration and configuration across a monorepo. The new command streamlines setup by ensuring recommended extensions, editor settings, and required dependencies are present, and by generating configuration files for all relevant packages. Additionally, a redundant oxfmt configuration file is removed.

New VSCode/IDE integration feature:

  • Added a new vscode-integration command in tools/ts-builder/src/commands/vscode-integration.ts that automates configuration of VSCode/Cursor IDE settings, extension recommendations, root dependencies, and per-package config files for all packages using @milaboratories/ts-builder in the monorepo.
  • Registered the new command in the CLI by importing and adding it in tools/ts-builder/src/cli.ts.

Configuration cleanup:

  • Removed the now-unnecessary .oxfmt.json config file from tools/ts-builder, as configuration is now handled per-package by the new integration command.

changeset-bot bot commented Feb 11, 2026

🦋 Changeset detected

Latest commit: ff9df8d

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package
Name Type
@milaboratories/ts-builder Patch

@gemini-code-assist

Summary of Changes

Hello @AStaroverov, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request introduces a significant enhancement to the ts-builder tool by adding a new vscode-integration command. This command streamlines the developer setup process for monorepos by automatically configuring VSCode settings, recommending essential extensions, and ensuring consistent Oxc linting and formatting configurations across all relevant packages. The goal is to reduce manual setup effort and promote a unified development environment.

Highlights

  • New VSCode Integration Command: A new vscode-integration command has been added to ts-builder to automate the setup of VSCode and Oxc tooling within a monorepo.
  • Automated VSCode Configuration: The command configures .vscode/settings.json to set the Oxc extension as the default formatter for various file types and updates typescript.tsdk. It also adds the Oxc VSCode extension to .vscode/extensions.json recommendations.
  • Root Dependency Management: It ensures that oxlint and oxfmt are listed as devDependencies in the monorepo's root package.json.
  • Package-Specific Oxc Configuration: The command identifies all packages within the monorepo that use @milaboratories/ts-builder and automatically generates .oxfmtrc.json and .oxlintrc.json files for them, inferring the linting target from their build scripts.
  • Removed Legacy Configuration: The .oxfmt.json file in tools/ts-builder has been removed, as its functionality is now handled by the new integration.

Changelog

  • tools/ts-builder/.oxfmt.json
    • Removed the top-level Oxc formatter configuration file.
  • tools/ts-builder/src/cli.ts
    • Imported vscodeIntegrationCommand.
    • Registered vscodeIntegrationCommand with the CLI program.
  • tools/ts-builder/src/commands/vscode-integration.ts
    • Introduced vscodeIntegrationCommand to automate VSCode and Oxc tooling setup.
    • Implemented functions to find the monorepo root, read/write JSON files.
    • Added logic to configure .vscode/settings.json to set Oxc as the default formatter for various file types and configure TypeScript SDK path.
    • Added logic to configure .vscode/extensions.json to recommend the Oxc VSCode extension.
    • Included functionality to ensure oxlint and oxfmt are present in the root package.json's devDependencies.
    • Developed a mechanism to find all packages within the monorepo that depend on @milaboratories/ts-builder.
    • Implemented logic to create .oxfmtrc.json and .oxlintrc.json for each detected package, inferring the linting target from build scripts.

@gemini-code-assist bot left a comment

Code Review

This pull request introduces a new vscode-integration command to ts-builder for standardizing development environments within a monorepo. A high-severity Path Traversal vulnerability has been identified; the command's recursive scanning for packages does not correctly handle symbolic links, which could allow an attacker to write files outside the project directory via a malicious symlink. It is recommended to use lstatSync instead of statSync to mitigate this. Furthermore, high-severity issues were found with the logic for merging VSCode settings, which may not work for nested configurations, and a robustness issue in handling the current working directory that could lead to instability.

Comment on lines +188 to +190
if (statSync(fullPath).isDirectory()) {
walk(fullPath);
}
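
Review bot: statSync(fullPath) in the if condition throws when fullPath is a dangling symlink (ENOENT), and nothing in these three lines catches it, so one broken link anywhere under the scanned tree aborts the whole walk with an exception. Passing { throwIfNoEntry: false } and skipping an undefined result covers the missing-target case; a try/catch around the call that continues with the next entry also covers permission errors.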

security-high high

The walk function uses statSync which follows symbolic links. This can lead to a path traversal vulnerability if a malicious symlink is present in the repository. An attacker could trick the script into traversing directories outside the project root, and the ensurePackageConfigs function would then use process.chdir to move into those directories and write configuration files. This could allow writing files to arbitrary locations on the user's filesystem.

Remediation:
Replace statSync with lstatSync to get stats of the link itself instead of what it points to. Then, add a check to explicitly ignore symbolic links.

        const stats = lstatSync(fullPath);
        if (stats.isSymbolicLink()) continue;
        if (stats.isDirectory()) {
          walk(fullPath);
        }
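
The remediation described in the comment above, as an added example (not code from the PR or from the reviewer): a walk that inspects each entry with lstatSync, skips symbolic links, and goes one step beyond the suggestion by confirming with realpathSync that a directory resolves inside the root before it is used. The names findPackageDirs, isInside and buildFixture, the follow option and the fixture tree are assumptions made for illustration.

```javascript
// Added example (hypothetical names, not the PR's code): symlink-safe package discovery.
const fs = require("node:fs");
const os = require("node:os");
const path = require("node:path");

// True when `candidate` resolves to `root` itself or to a path beneath it.
function isInside(root, candidate) {
  const rel = path.relative(fs.realpathSync(root), fs.realpathSync(candidate));
  return rel === "" ||
    (!rel.startsWith(".." + path.sep) && rel !== ".." && !path.isAbsolute(rel));
}

// Collect directories that contain package.json. `follow: true` mimics the
// statSync-based walk quoted from the PR; `follow: false` is the hardened form.
function findPackageDirs(root, { follow = false } = {}) {
  const found = [];
  const walk = (dir) => {
    for (const name of fs.readdirSync(dir)) {
      if (name === "node_modules" || name === ".git") continue;
      const fullPath = path.join(dir, name);
      const stats = follow ? fs.statSync(fullPath) : fs.lstatSync(fullPath);
      if (!follow && stats.isSymbolicLink()) continue; // never descend through links
      if (!stats.isDirectory()) continue;
      // Defence in depth: only use a directory that resolves inside the root.
      if (!follow && !isInside(root, fullPath)) continue;
      if (fs.existsSync(path.join(fullPath, "package.json"))) found.push(fullPath);
      walk(fullPath);
    }
  };
  walk(root);
  return found;
}

// Constructed fixture: a repo with one real package and a link pointing outside it.
function buildFixture() {
  const base = fs.mkdtempSync(path.join(os.tmpdir(), "walk-demo-"));
  const root = path.join(base, "repo");
  const outside = path.join(base, "outside");
  fs.mkdirSync(path.join(root, "pkg-a"), { recursive: true });
  fs.mkdirSync(outside);
  fs.writeFileSync(path.join(root, "pkg-a", "package.json"), "{}");
  fs.writeFileSync(path.join(outside, "package.json"), "{}");
  fs.symlinkSync(outside, path.join(root, "linked"), "dir");
  return { base, root, outside };
}
```

With follow set to true the linked directory is reported as a package even though its contents live outside the repo, which is the location the config writer would then change into; the default walk reports only pkg-a.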

Comment on lines +74 to +78
for (const [key, value] of Object.entries(VSCODE_SETTINGS)) {
if (!(key in settings)) {
settings[key] = value;
modified = true;
}

high

The current logic for updating VSCode settings is not robust enough for nested configurations. It only checks for the top-level key's existence. If a language-specific setting key like "[typescript]" already exists in settings.json (even as an empty object), the editor.defaultFormatter property will not be added. The logic should be changed to merge properties for object values to ensure settings are applied correctly without being destructive.

    if (key.startsWith("[")) {
      const currentGroup = (settings as any)[key];
      if (typeof currentGroup !== "object" || currentGroup === null || Array.isArray(currentGroup)) {
        (settings as any)[key] = value;
        modified = true;
      } else {
        const valueGroup = value as Record<string, unknown>;
        for (const prop in valueGroup) {
          if (!(prop in currentGroup)) {
            (currentGroup as Record<string, unknown>)[prop] = valueGroup[prop];
            modified = true;
          }
        }
      }
    } else if (!(key in settings)) {
      settings[key] = value;
      modified = true;
    }

codecov bot commented Feb 11, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 52.78%. Comparing base (eaebd9b) to head (ff9df8d).
⚠️ Report is 3 commits behind head on main.
✅ All tests successful. No failed tests found.

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #1429   +/-   ##
=======================================
  Coverage   52.77%   52.78%           
=======================================
  Files         239      239           
  Lines       13472    13472           
  Branches     2787     2787           
=======================================
+ Hits         7110     7111    +1     
  Misses       5459     5459           
+ Partials      903      902    -1     
