Sync Windows hotfix to main

[kanushka]

Purpose

Update the main branch by merging the Windows activation hotfix.

Changes

• Syncs critical fixes for the BI extension activation on Windows.
• Ensures the latest production hotfix is reflected in the primary development branch.

Summary by CodeRabbit

• Bug Fixes
  • Improved Windows detection for Ballerina distributions, ensuring reliable path resolution across different installation locations and scenarios.
  • Enhanced environment variable handling on Windows to properly recognize Ballerina installations created after the IDE starts.
• Chores
  • Version bumped to 5.8.1.
  • Dependency updates for compatibility.

[CLAassistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you all sign our Contributor License Agreement before we can accept your contribution.
3 out of 4 committers have signed the CLA.

✅ kanushka
✅ gigara
✅ axewilledge
❌ choreo-cicd
_{You have signed the CLA already but the status is still pending? Let us recheck it.}

[coderabbitai]

📝 Walkthrough

Walkthrough

Updates fast-xml-parser dependency to version 5.3.7 across multiple configuration files, bumps ballerina-extension to v5.8.1, and enhances Windows path detection for Ballerina distributions through new fallback logic and improved environment variable handling.

Changes

Cohort / File(s)	Summary
Dependency Update common/autoinstallers/rush-plugins/package.json, common/config/rush/.pnpmfile.cjs	Bumps fast-xml-parser from 5.3.6 to 5.3.7 via pnpm override and direct dependency updates.
Ballerina Extension Release workspaces/ballerina/ballerina-extension/package.json, workspaces/ballerina/ballerina-extension/CHANGELOG.md	Version bump from 5.8.0 to 5.8.1 with changelog entry documenting Windows detection improvements.
Windows Path Detection Enhancement workspaces/ballerina/ballerina-extension/src/core/extension.ts	Introduces findWindowsBallerinaPath function for Windows-specific fallback path discovery, enhances getShellEnvironment with registry PATH merging via PowerShell, and integrates new logic into version detection flow.

Sequence Diagram(s)

sequenceDiagram
    participant Extension as VS Code Extension
    participant VersionDetection as getBallerinaVersion()
    participant ShellEnv as getShellEnvironment()
    participant PowerShell as PowerShell
    participant PathDetection as findWindowsBallerinaPath()
    
    Extension->>VersionDetection: Request Ballerina version
    
    VersionDetection->>ShellEnv: Get environment variables
    ShellEnv->>PowerShell: Execute registry PATH merge script
    PowerShell-->>ShellEnv: Return merged environment JSON
    ShellEnv-->>VersionDetection: Return environment with registry PATHs
    
    VersionDetection->>VersionDetection: Check for ballerinaHome
    alt No ballerinaHome on Windows
        VersionDetection->>PathDetection: Find Windows Ballerina path
        PathDetection->>PathDetection: Search registry and PATH
        PathDetection-->>VersionDetection: Return Ballerina bin path
        VersionDetection->>VersionDetection: Set distPath from fallback
    end
    
    VersionDetection-->>Extension: Return version with distPath

Loading

Estimated Code Review Effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Poem

🐰 A Windows path once hidden from sight,
Now found through registry depths and PowerShell's might,
With fast-xml-parser swift and new,
Ballerina springs forth—version 5.8.1 too! 🚀
The detection improved, detection refined,
A better experience for those left behind.

🚥 Pre-merge checks | ✅ 1 | ❌ 2

❌ Failed checks (2 warnings)

Check name	Status	Explanation	Resolution
Description check	⚠️ Warning	The PR description provides Purpose and Changes sections but significantly deviates from the required template. Critical sections like Goals, Approach, Release notes, Documentation, and Test environment are missing or incomplete.	Expand the description to include Goals, Approach, Release notes, Documentation, and Test environment sections as specified in the repository template to provide comprehensive context for reviewers.
Docstring Coverage	⚠️ Warning	Docstring coverage is 33.33% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (1 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'Sync Windows hotfix to main' is directly related to the main purpose stated in the PR description and commit messages - merging a Windows activation hotfix from the ballerina-5.8.1 branch into main.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

• 📝 Generate docstrings (stacked PR)
• 📝 Generate docstrings (commit on current branch)

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch ballerina-5.8.1

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 3

🧹 Nitpick comments (1)

.trivyignore (1)

8-15: Add traceability metadata for new CVE suppressions.

Lines 9, 12, and 15 add long-lived ignores without a linked tracking issue or review-by date. Please add both so these suppressions don’t become permanent blind spots.

♻️ Suggested format

 # No fix released by the author
+# Tracking: https://github.com/wso2/vscode-extensions/issues/<issue-id>
+# Review-by: 2026-06-30
 CVE-2025-14505

 # Library is used in nested dependencies and not directly used by our codebase. No fix released by the author.
+# Tracking: https://github.com/wso2/vscode-extensions/issues/<issue-id>
+# Review-by: 2026-06-30
 CVE-2025-69873

 # used in nested dependencies and not directly used by our codebase. No fix released by the author.
+# Tracking: https://github.com/wso2/vscode-extensions/issues/<issue-id>
+# Review-by: 2026-06-30
 CVE-2026-26996

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.trivyignore around lines 8 - 15, Update the three CVE suppressions
(CVE-2025-14505, CVE-2025-69873, CVE-2026-26996) in .trivyignore to include
traceability metadata: append a tracking issue reference (e.g., GH issue number
or internal ticket id) and a "review-by" date for each entry (e.g., review-by:
YYYY-MM-DD), using the suggested format from the review so each ignored CVE line
contains the CVE identifier plus the tracking issue and review date; ensure the
metadata is clearly associated with the matching CVE entry so future reviewers
can find the justification and scheduled re-review.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@workspaces/ballerina/ballerina-extension/CHANGELOG.md`:
- Around line 9-12: Add a concise "Security" bullet under the 5.8.1 changelog
entry to note the security/dependency updates shipped with this release; in the
section around the existing "### Fixed" notes for version 5.8.1, insert a new
"Security" subheading or bullet (e.g., "Security — Updated vulnerable
dependencies to patched versions") so the changelog reflects the
dependency/security fixes included in this PR.

In `@workspaces/ballerina/ballerina-extension/src/core/extension.ts`:
- Around line 2753-2759: The code iterates fs.readdirSync(root) and returns the
first versioned bin containing 'bal.bat', which is non-deterministic; modify the
loop in extension.ts (the block that builds children, versionedBin and checks
for 'bal.bat') to sort the children array so the newest version is checked first
(use semver-aware comparison or sort by parsed version tokens descending), then
iterate the sorted list and return the first matching versionedBin + path.sep;
ensure skipped non-version entries are handled and fallback behavior remains
unchanged.
- Around line 1794-1805: The Windows fallback sets distPath from
findWindowsBallerinaPath() and then builds an unquoted command that is later
passed to exec(), which breaks on paths with spaces; update the code that
constructs and executes the Ballerina version command (the place that uses
distPath to form the command passed to exec()) to wrap the absolute bal.bat path
in quotes (or better, pass the quoted executable as the first argument to
execFile/spawn) so e.g. '"' + path.join(distPath, 'bal.bat') + '"' (or use
execFile with path.join(distPath, 'bal.bat')) is used instead of an unquoted
concatenation; ensure references to distPath and findWindowsBallerinaPath remain
consistent and that any debug log still prints the unmodified path if desired.

---

Nitpick comments:
In @.trivyignore:
- Around line 8-15: Update the three CVE suppressions (CVE-2025-14505,
CVE-2025-69873, CVE-2026-26996) in .trivyignore to include traceability
metadata: append a tracking issue reference (e.g., GH issue number or internal
ticket id) and a "review-by" date for each entry (e.g., review-by: YYYY-MM-DD),
using the suggested format from the review so each ignored CVE line contains the
CVE identifier plus the tracking issue and review date; ensure the metadata is
clearly associated with the matching CVE entry so future reviewers can find the
justification and scheduled re-review.

---

ℹ️ Review info

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between e4ce6e5 and c623472.

⛔ Files ignored due to path filters (2)

• common/autoinstallers/rush-plugins/pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
• common/config/rush/pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml

📒 Files selected for processing (9)

• .trivyignore
• common/autoinstallers/rush-plugins/package.json
• common/config/rush/.pnpmfile.cjs
• package.json
• workspaces/ballerina/ballerina-extension/CHANGELOG.md
• workspaces/ballerina/ballerina-extension/package.json
• workspaces/ballerina/ballerina-extension/src/core/extension.ts
• workspaces/mi/mi-extension/package.json
• workspaces/mi/mi-visualizer/package.json

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Include security/dependency fixes in the 5.8.1 notes for completeness.

The release notes for Line 9–Line 12 currently mention only the Windows installation fix, but this PR also includes security dependency updates. Please add a concise Security bullet under 5.8.1 so the changelog reflects the shipped changes.

📝 Suggested changelog patch

 ### Fixed
 
 - **Installation** — Enhanced Windows environment detection to properly identify Ballerina distributions on Windows.
+- **Security** — Updated dependencies to address known vulnerabilities (including fast-xml-parser and bn.js related fixes).

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	### Fixed
	- **Installation** — Enhanced Windows environment detection to properly identify Ballerina distributions on Windows.
	### Fixed
	- **Installation** — Enhanced Windows environment detection to properly identify Ballerina distributions on Windows.
	- **Security** — Updated dependencies to address known vulnerabilities (including fast-xml-parser and bn.js related fixes).

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@workspaces/ballerina/ballerina-extension/CHANGELOG.md` around lines 9 - 12,
Add a concise "Security" bullet under the 5.8.1 changelog entry to note the
security/dependency updates shipped with this release; in the section around the
existing "### Fixed" notes for version 5.8.1, insert a new "Security" subheading
or bullet (e.g., "Security — Updated vulnerable dependencies to patched
versions") so the changelog reflects the dependency/security fixes included in
this PR.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

Quote the absolute Windows bal.bat path before execution.

Line 1803 can set distPath to locations like C:\Program Files\...\bin\. That flows into the command built at Line 1827 without quoting, so exec() can fail by treating C:\Program as the executable.

🐛 Proposed fix

-        let ballerinaCommand = distPath + 'bal' + exeExtension + ' version';
+        const balExecutable = `${distPath}bal${exeExtension}`;
+        const escapedBalExecutable = balExecutable.includes(' ')
+            ? `"${balExecutable}"`
+            : balExecutable;
+        let ballerinaCommand = `${escapedBalExecutable} version`;

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@workspaces/ballerina/ballerina-extension/src/core/extension.ts` around lines
1794 - 1805, The Windows fallback sets distPath from findWindowsBallerinaPath()
and then builds an unquoted command that is later passed to exec(), which breaks
on paths with spaces; update the code that constructs and executes the Ballerina
version command (the place that uses distPath to form the command passed to
exec()) to wrap the absolute bal.bat path in quotes (or better, pass the quoted
executable as the first argument to execFile/spawn) so e.g. '"' +
path.join(distPath, 'bal.bat') + '"' (or use execFile with path.join(distPath,
'bal.bat')) is used instead of an unquoted concatenation; ensure references to
distPath and findWindowsBallerinaPath remain consistent and that any debug log
still prints the unmodified path if desired.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Pick the newest versioned installation deterministically.

Lines 2753-2759 iterate fs.readdirSync(root) in filesystem order, so with multiple installed versions the fallback can choose an older distribution first.

🔧 Proposed fix

-            const children = fs.readdirSync(root);
+            const children = fs.readdirSync(root)
+                .sort((a, b) => b.localeCompare(a, undefined, { numeric: true, sensitivity: 'base' }));

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@workspaces/ballerina/ballerina-extension/src/core/extension.ts` around lines
2753 - 2759, The code iterates fs.readdirSync(root) and returns the first
versioned bin containing 'bal.bat', which is non-deterministic; modify the loop
in extension.ts (the block that builds children, versionedBin and checks for
'bal.bat') to sort the children array so the newest version is checked first
(use semver-aware comparison or sort by parsed version tokens descending), then
iterate the sorted list and return the first matching versionedBin + path.sep;
ensure skipped non-version entries are handled and fallback behavior remains
unchanged.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@common/config/rush/.pnpmfile.cjs`:
- Around line 43-45: Replace the non-existent pinned version '5.3.7' with the
real release '5.3.6' in this file: locate the assignments that set
pkg.dependencies['fast-xml-parser'] = '5.3.7' and the second identical pin (the
other occurrence that also assigns '5.3.7') and change both to '5.3.6' so the
package is pinned to the published version that contains the CVE fixes.

---

ℹ️ Review info

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between c623472 and ade1821.

⛔ Files ignored due to path filters (2)

• common/autoinstallers/rush-plugins/pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
• common/config/rush/pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml

📒 Files selected for processing (3)

• common/autoinstallers/rush-plugins/package.json
• common/config/rush/.pnpmfile.cjs
• workspaces/ballerina/ballerina-extension/package.json

🚧 Files skipped from review as they are similar to previous changes (2)

• workspaces/ballerina/ballerina-extension/package.json
• common/autoinstallers/rush-plugins/package.json

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🌐 Web query:

fast-xml-parser version 5.3.7 npm release date published

💡 Result:

fast-xml-parser@5.3.7 does not appear to have been published to npm (no listing for 5.3.7 in public version indexes; the newest published version shown is 5.3.6). [1], [2]

So there is no npm “published” date for 5.3.7. [1], [2]

Sources: [1] shows latest as 5.3.6 and lists recent versions; [2] also shows current version as 5.3.6.

---

🌐 Web query:

CVE-2026-25896 CVE-2026-26278 fast-xml-parser security advisory

💡 Result:

fast-xml-parser security advisories (CVE-2026-25896, CVE-2026-26278)

CVE-2026-25896 — Entity encoding bypass → XSS/injection (Critical, CVSS 9.3)

• What it is: A . (dot) in a DOCTYPE entity name is treated as a regex wildcard during entity replacement, letting an attacker “shadow” built-in XML entities like <, >, &, ", ' with arbitrary strings—bypassing entity encoding and enabling XSS when output is rendered (and other injection risks depending on sinks). [1]
• Affected: fast-xml-parser >= 4.1.3 and <= 5.3.4. [1]
• Fix: Upgrade to 5.3.5. [1]
• Advisory date: Published Feb 20, 2026. [1]

CVE-2026-26278 — XML entity expansion DoS (High, CVSS 7.5)

• What it is: The parser can be forced into unbounded entity expansion (even with small XML), causing very long parse times and effectively freezing a Node.js service (event-loop blocking). [2][3]
• Affected: fast-xml-parser >= 4.1.3 and <= 5.3.5. [2]
• Fix: Upgrade to 5.3.6. [2][3]
• Workaround: Disable DOCTYPE/entity processing via processEntities: false. [2][3]
• Advisory date: Published Feb 14, 2026 (GitHub); NVD lists the CVE as received/published Feb 19, 2026. [2][3]

Recommended action: If you might receive untrusted XML, upgrade at least to 5.3.6 (covers both: 5.3.5 fixes CVE-2026-25896; 5.3.6 fixes CVE-2026-26278). [1][2]

Sources

• [1] GitHub Security Advisory GHSA-m7jm-9gc2-mpf2 (CVE-2026-25896) (github.com)
• [2] GitHub Security Advisory GHSA-jmr7-xgp7-cmfj (CVE-2026-26278) (github.com)
• [3] NVD entry for CVE-2026-26278 (nvd.nist.gov)

Citations:

• 1: GHSA-m7jm-9gc2-mpf2
• 2: GHSA-jmr7-xgp7-cmfj
• 3: https://nvd.nist.gov/vuln/detail/CVE-2026-26278?utm_source=openai

---

🏁 Script executed:

cd common/config/rush && cat -n .pnpmfile.cjs | sed -n '40,50p;92,98p'

Repository: wso2/vscode-extensions

Length of output: 881

---

CRITICAL: fast-xml-parser version 5.3.7 does not exist; update to 5.3.6 instead.

Version 5.3.7 is not published to npm (latest is 5.3.6). Both pinned versions at lines 44 and 95 must be corrected to '5.3.6', which is the actual release that fixes both CVE-2026-25896 (entity encoding bypass/XSS, fixed in 5.3.5) and CVE-2026-26278 (entity expansion DoS, fixed in 5.3.6). The current pin to a non-existent version will not resolve the security vulnerabilities as intended.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@common/config/rush/.pnpmfile.cjs` around lines 43 - 45, Replace the
non-existent pinned version '5.3.7' with the real release '5.3.6' in this file:
locate the assignments that set pkg.dependencies['fast-xml-parser'] = '5.3.7'
and the second identical pin (the other occurrence that also assigns '5.3.7')
and change both to '5.3.6' so the package is pinned to the published version
that contains the CVE fixes.