+1 (binding)
I found a number of minor issues. I do not believe these indicate serious
issues, but they really should be fixed for the next release.
I checked:
[OK] hashes and signatures of source and helper binaries are correct
[OK] source and helper binaries are 100% reproducible
[OK] signature of git tag verifies
[OK] source release matches git tag
[OK] source compiles using yarn package
[MIONR] tests pass using yarn test
- Svelte test fail, see issue #1557, I assume this is an environment issue
[MINOR] All nightly tests pass
- Nightly tests have failed for months, with recent tests having almost no
passing jobs. This does not need to be resolved for this release, but
nightlies don't provide much value if they always fail and are ignored.
It would be nice to see the issues with CI get resolved by the next
release, to the point where PRs are never merged if there are any
failures, and nightly failures are reported and considered critical
errors.
[MINOR] source and helper binary include correct LICENSE/NOTICE
- The NOTICE files still say copyright 2022 or 2023. This issue was raised
in the last release and was not fixed in this one. Correct licenses are
important to ASF. Please fix this in the next release.
- The *.woff2 files listed in root LICENSE have the incorrect path, there
is an extra "src/"
- The root LICENSE file mentions jackson-core and the shaded MIT
FastDoubleParser. The root LICENSE is only for files distributed in the
source, but jackson-core is not in the source. That should instead be in
the build/package/LICENSE file, which is the license info for files
distributed in the .vsix
- The following jars exist in the .vsix file but are not mentioned in
build/package:
com.siemens.ct.exi.exificient
com.siemens.ct.exi.exificient-core
com.siemens.ct.exi.exificient-grammars
com.sun.activation.jakarta.activation
net.sf.saxon.Saxon-HE
org.fusesource.jansi.jans
org.jline.jline
org.rogach.scallop
org.scala-lang.scala3-library
org.xmlresolver.xmlresolver
I think these are new because we now include the daffodil CLI artifact in
the release, which contains a number of jars vscode hasn't included in
the past. I'm sure they all are compatible with ASF since Daffodil CLI
uses them and includes them in the CLI license file, they just need to
also be included in the vsix license file
[OK] RAT check passes
[OK] no unexpected binaries in source
[OK] vsix installs and runs with run with basic usage
[MINOR] no open CVEs found using sbt dependencyCheck and yarn audit
- MEDIUM finding for java commons-io 2.10.0 (CVE-2024-47554)
- HIGH finding for java logback-core/classic 1.2.11 (CVE-2023-6378)
- other jar dependencies seem to be false positives
- LOW finding for npm cookie
[OK] Page for release candidate published on website
On 2025-12-08 09:18 AM, Shane Dell wrote:
Hello all,
I'd like to call a vote to release Apache Daffodil™ Extension for Visual
Studio Code 1.5.0-rc1.
All distribution packages, including signatures, digests, etc. can be
found at:
https://dist.apache.org/repos/dist/dev/daffodil/daffodil-vscode/1.5.0-rc1
This release has been signed with PGP key
86DDE7B41291E380237934F007570D3ADC76D51B, corresponding
to [email protected], which is included in the KEYS file here:
https://downloads.apache.org/daffodil/KEYS
The release candidate has been tagged in git with 1.5.0-rc1.
For reference, here is a list of all closed GitHub issues tagged with 1.5.0:
https://github.com/apache/daffodil-vscode/milestone/12?closed=1
Please review and vote. The vote will be open for at least 72 hours
(Thursday, 11 December 2025, 9:30am EST).
[ ] +1 approve
[ ] +0 no opinion
[ ] -1 disapprove (and reason why)
Documentation for 1.5.0 can be found here
https://github.com/apache/daffodil-vscode/wiki/Apache-Daffodil%E2%84%A2-Extension-for-Visual-Studio-Code:-v1.5.0.
