Merge upstream QwenLM/qwen-code v0.14.4 #8 (Open)

Commit: Disable all external telemetry and phone-home in Helix fork (ca5f3a2)
GitHub Advanced Security / CodeQL failed Apr 16, 2026 in 4s

18 new alerts including 12 high severity security vulnerabilities

New alerts in code changed by this pull request

Security Alerts:

  • 12 high
  • 6 medium

Alerts not introduced by this pull request might have been detected because the code changes were too large.

See annotations below for details.

Annotations

Check failure on line 43 in packages/webui/src/components/layout/Onboarding.tsx

Code scanning / CodeQL: DOM text reinterpreted as HTML (High)

DOM text is reinterpreted as HTML without escaping meta-characters.

Check failure on line 399 in packages/vscode-ide-companion/src/webview/handlers/SessionMessageHandler.ts

Code scanning / CodeQL: Insecure randomness (High)

This uses a cryptographically insecure random number generated at Math.random() in a security context.
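Added example for this alert class; it is not code from the qwen-code fork, the Helix fork or CodeQL. It places the flagged Math.random() pattern beside a CSPRNG-backed replacement from node:crypto. The function names, the alphabet and the id lengths are assumptions chosen for illustration; what the handler actually generates at line 399 is not shown on this page.

```typescript
// Added example, not the project's code. Names and formats are assumptions.
import { randomBytes, randomInt } from 'node:crypto';

// Flagged pattern: Math.random() is a fast, non-cryptographic PRNG. Its
// internal state can be recovered from a handful of observed outputs, after
// which every future value is predictable. That makes it unsuitable for
// anything an attacker must not guess: session or message ids, CSRF and OAuth
// `state` values, nonces, temporary file names.
export function insecureId(length = 16): string {
  const alphabet = 'abcdefghijklmnopqrstuvwxyz0123456789';
  let out = '';
  for (let i = 0; i < length; i++) {
    out += alphabet[Math.floor(Math.random() * alphabet.length)];
  }
  return out;
}

// Replacement: draw the bytes from the OS CSPRNG. 16 bytes is 128 bits of
// entropy, the usual floor for an unguessable identifier.
export function secureId(bytes = 16): string {
  return randomBytes(bytes).toString('hex');
}

// When the id must use a particular alphabet, randomInt keeps the selection
// CSPRNG-backed and uniform (no modulo bias from `% alphabet.length`).
export function secureIdFromAlphabet(
  length = 22,
  alphabet = 'abcdefghijklmnopqrstuvwxyz0123456789',
): string {
  let out = '';
  for (let i = 0; i < length; i++) out += alphabet[randomInt(alphabet.length)];
  return out;
}

// Review check: bits of entropy in an id of `length` symbols drawn uniformly
// from `alphabetSize` symbols. 22 base-36 symbols is about 113.7 bits.
export function entropyBits(length: number, alphabetSize: number): number {
  return length * Math.log2(alphabetSize);
}
```

The fix CodeQL expects is to replace the Math.random() call with one of the node:crypto calls above (or, in a webview, with crypto.getRandomValues / crypto.randomUUID); entropyBits is only there so a reviewer can check that the chosen length is not too short once the generator is fixed.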

Check failure on line 359 in packages/vscode-ide-companion/src/extension.ts

Code scanning / CodeQL: Incomplete string escaping or encoding (High)

This does not escape backslash characters in the input.
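Added example for this alert class, not code from the fork or from CodeQL. It shows why escaping a quote character without first escaping the backslash is incomplete: an input that already ends in a backslash turns the inserted `\"` into an escaped backslash followed by a live quote. The functions and the sample inputs are constructed here; the page does not show what extension.ts line 359 escapes.

```typescript
// Added example, not the project's code. Function names are assumptions.

// Flagged pattern: quotes are escaped, backslashes are not. For the input
// a\"b (four characters: a, backslash, quote, b) this yields a\\"b, which a
// double-quoted context reads as `a\` followed by a terminating quote.
export function escapeQuotesOnly(s: string): string {
  return s.replace(/"/g, '\\"');
}

// Complete escaping: the escape character itself goes first, then the quote,
// so nothing the first pass inserts can be re-read by the second.
export function escapeForDoubleQuotes(s: string): string {
  return s.replace(/\\/g, '\\\\').replace(/"/g, '\\"');
}

// Where the target format is JSON (or a JSON-compatible string literal), the
// idiomatic fix is to let the serializer escape; it handles backslash, quote
// and control characters together.
export function quoteAsJson(s: string): string {
  return JSON.stringify(s);
}

// Round-trip check: wrap the escaped text in double quotes and parse it back
// with JSON.parse, whose escaping rules for \\ and \" match a JS string
// literal. Returns true when the original string survives intact.
export function roundTrips(original: string, escaped: string): boolean {
  try {
    return JSON.parse('"' + escaped + '"') === original;
  } catch {
    return false;
  }
}

// Constructed sample inputs, including the trailing-backslash edge case.
export const SAMPLES: ReadonlyArray<string> = [
  'plain',
  'say "hi"',
  'a\\"b',          // a, backslash, quote, b
  'ends with \\',   // trailing backslash
  'C:\\Users\\x',   // a Windows path, the common source of stray backslashes
];
```

On the samples above, escapeQuotesOnly round-trips only the first two; every input that contains a backslash is mangled or fails to parse, which is the bug CodeQL is describing.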

Check failure on line 183 in packages/core/src/utils/paths.ts

Code scanning / CodeQL: Polynomial regular expression used on uncontrolled data (High)

This regular expression that depends on library input may run slow on strings with many repetitions of '/'. (8 identical findings are reported at this line.)

Check failure on line 63 in packages/core/src/tools/web-fetch.ts

Code scanning / CodeQL: Incomplete URL substring sanitization (High)

'github.com' can be anywhere in the URL, and arbitrary hosts may come before or after it.

Check failure on line 250 in packages/core/src/tools/shell.ts

Code scanning / CodeQL: Polynomial regular expression used on uncontrolled data (High)

This regular expression that depends on library input may run slow on strings with many repetitions of '&'.

Check failure on line 882 in packages/core/src/mcp/oauth-provider.ts

Code scanning / CodeQL: Use of password hash with insufficient computational effort (High)

Password from a call to getPassword is hashed insecurely. Password from an access to password is hashed insecurely.
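Added example for this alert class, not code from the fork or from CodeQL. It contrasts a single fast hash over a credential with a salted, memory-hard KDF (scrypt from node:crypto) plus constant-time comparison. One caveat before acting on the alert: if the value at line 882 is a PKCE code verifier rather than a stored user secret, a single SHA-256 is exactly what the protocol requires and the finding is noise; the example assumes a credential that is stored and later verified. Function names, the storage format and the cost parameters are assumptions.

```typescript
// Added example, not the project's code. Names and parameters are assumptions.
import { createHash, randomBytes, scryptSync, timingSafeEqual } from 'node:crypto';

// Flagged pattern: one unsalted SHA-256. A GPU computes billions of these per
// second, and two users with the same password get the same hash.
export function hashInsecure(password: string): string {
  return createHash('sha256').update(password).digest('hex');
}

// Replacement: scrypt with a per-credential random salt. The cost is stored
// with the hash so it can be raised later without breaking old records.
const SCRYPT_N = 2 ** 14;            // CPU/memory cost; raise as hardware allows
const SCRYPT_R = 8;
const SCRYPT_P = 1;
const SCRYPT_MAXMEM = 64 * 1024 * 1024; // must exceed 128 * N * r bytes
const KEY_LENGTH = 32;

function derive(password: string, salt: Buffer, N: number): Buffer {
  return scryptSync(password, salt, KEY_LENGTH, {
    N, r: SCRYPT_R, p: SCRYPT_P, maxmem: SCRYPT_MAXMEM,
  });
}

// Storage format (an assumption): scrypt$<N>$<salt b64>$<key b64>
export function hashPassword(password: string): string {
  const salt = randomBytes(16);
  const key = derive(password, salt, SCRYPT_N);
  return `scrypt$${SCRYPT_N}$${salt.toString('base64')}$${key.toString('base64')}`;
}

export function verifyPassword(password: string, stored: string): boolean {
  const [alg, nStr, saltB64, keyB64] = stored.split('$');
  if (alg !== 'scrypt' || !nStr || !saltB64 || !keyB64) return false;
  const N = Number(nStr);
  if (!Number.isSafeInteger(N) || N < 2 || (N & (N - 1)) !== 0) return false; // power of two
  const expected = Buffer.from(keyB64, 'base64');
  if (expected.length !== KEY_LENGTH) return false;
  const actual = derive(password, Buffer.from(saltB64, 'base64'), N);
  // Constant-time comparison; lengths are already known to match.
  return timingSafeEqual(expected, actual);
}
```

The same shape works with argon2id or PBKDF2 where scrypt is unavailable; the properties that matter are the random salt, a tunable cost that makes each guess expensive, and a comparison that does not leak where the mismatch occurs.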

Check failure on line 59 in packages/core/src/extension/variables.ts

Code scanning / CodeQL: Polynomial regular expression used on uncontrolled data (High)

This regular expression that depends on library input may run slow on strings starting with '${' and with many repetitions of '${a'. (3 identical findings are reported at this line.)

Check failure on line 26 in packages/core/src/core/openaiContentGenerator/provider/deepseek.ts

Code scanning / CodeQL: Incomplete URL substring sanitization (High)

'api.deepseek.com' can be anywhere in the URL, and arbitrary hosts may come before or after it.

Check failure on line 37 in packages/core/src/core/openaiContentGenerator/provider/dashscope.ts

Code scanning / CodeQL: Polynomial regular expression used on uncontrolled data (High)

This regular expression that depends on library input may run slow on strings with many repetitions of '-'. (7 identical findings are reported at this line.)

Check failure on line 12 in packages/channels/weixin/src/send.ts

Code scanning / CodeQL: Polynomial regular expression used on uncontrolled data (High)

This regular expression that depends on library input may run slow on strings starting with '' and with many repetitions of ''.
This regular expression that depends on library input may run slow on strings starting with '```\n' and with many repetitions of '\na'.
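Added example covering all of the polynomial-regex alerts on this page (paths.ts, shell.ts, variables.ts, dashscope.ts and send.ts); it is not code from the fork or from CodeQL. The shape CodeQL is describing is a quantifier that can start at every position of the input and then scan to the end before failing, so the total work is quadratic in the input length. The example uses the '/' case from paths.ts as the concrete instance: a trailing-slash strip written as a regex, the same operation as a linear scan, and a timing harness over a constructed adversarial string. The regex shown is an assumption about the flagged pattern; the page does not print it.

```typescript
// Added example, not the project's code. The regex is an assumed instance of
// the flagged pattern, not the one in paths.ts.
import { performance } from 'node:perf_hooks';

// Flagged shape: on "////...///x" (n slashes then a non-slash) the engine
// tries `\/+$` starting at each of the n slash positions; each attempt eats
// to the end, fails at `x`, and backtracks one character at a time. O(n^2).
export const TRAILING_SLASH_POLY = /\/+$/;

export function stripTrailingSlashesRegex(s: string): string {
  return s.replace(TRAILING_SLASH_POLY, '');
}

// Linear replacement: one backward scan, no regex engine involved.
export function stripTrailingSlashes(s: string): string {
  let end = s.length;
  while (end > 0 && s.charCodeAt(end - 1) === 0x2f /* '/' */) end--;
  return s.slice(0, end);
}

// The same fix applies to the other alerts: a hand-written scanner for `${...}`
// interpolation or for collapsing runs of '-' / '&' / '\n' is linear, whereas
// a regex with an unanchored repeated group over those characters is not.
export function collapseRuns(s: string, ch: string): string {
  let out = '';
  let inRun = false;
  for (const c of s) {
    if (c === ch) {
      if (!inRun) out += c;
      inRun = true;
    } else {
      out += c;
      inRun = false;
    }
  }
  return out;
}

// Constructed adversarial input and a timing harness. The regex time grows
// quadratically with n; the scan time grows linearly. Raise n to make the
// gap obvious on your machine (n = 50000 is seconds vs. microseconds).
export function measure(n: number): { n: number; regexMs: number; linearMs: number; sameResult: boolean } {
  const input = '/'.repeat(n) + 'x';
  let t = performance.now();
  const viaRegex = stripTrailingSlashesRegex(input);
  const regexMs = performance.now() - t;
  t = performance.now();
  const viaScan = stripTrailingSlashes(input);
  const linearMs = performance.now() - t;
  return { n, regexMs, linearMs, sameResult: viaRegex === viaScan };
}
```

CodeQL's own suggested remedies are the same: rewrite the expression so the repeated part cannot restart at every position (anchor it, or make the preceding character class disjoint from the repeated one), bound the input length before matching, or replace the regex with a scanner.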

Check failure on line 253 in packages/channels/telegram/src/TelegramAdapter.ts

Code scanning / CodeQL: Incomplete multi-character sanitization (High)

This string may still contain <script, which may cause an HTML element injection vulnerability.
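Added example covering this alert and the "DOM text reinterpreted as HTML" alert in Onboarding.tsx; it is not code from the fork or from CodeQL. It shows why a single-pass removal of `<script` is bypassed by an input in which deleting the token reassembles it, the fixed-point variant CodeQL accepts, and the escaping approach that addresses both alerts by never handing unescaped text to an HTML parser (whether that parser is a browser DOM or Telegram's HTML parse mode). The functions and the payload are constructed; the page does not show the original sanitizer.

```typescript
// Added example, not the project's code. Names and the payload are assumptions.

// Flagged pattern: delete the dangerous token once. Removing the inner
// "<script" from "<scr<scriptipt" leaves "<script" behind.
export function stripScriptTagsOnce(s: string): string {
  return s.replace(/<script/gi, '');
}

// Fixed-point variant: repeat until nothing changes. It terminates because
// every effective pass shortens the string. Still a blocklist, so it does
// nothing about <img onerror=...> or <svg onload=...>.
export function stripScriptTagsUntilStable(s: string): string {
  let prev: string;
  do {
    prev = s;
    s = s.replace(/<script/gi, '');
  } while (s !== prev);
  return s;
}

// The fix for both alerts: escape the HTML meta-characters instead of
// hunting for specific tags. Text that cannot contain a literal '<' cannot
// start an element, whatever it spells out.
const HTML_ESCAPES: Record<string, string> = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};
export function escapeHtml(s: string): string {
  return s.replace(/[&<>"']/g, (c) => HTML_ESCAPES[c] ?? c);
}

// A fragment built from a user-supplied name. In a React component the
// equivalent is to render the text as a child (React escapes it) rather than
// through dangerouslySetInnerHTML; for Telegram HTML parse mode, escaped text
// is what goes into the message body.
export function renderGreeting(name: string): string {
  return `<p>Welcome, ${escapeHtml(name)}</p>`;
}

// Constructed bypass payload for the single-pass stripper.
export const PAYLOAD = '<scr<scriptipt>alert(1)</script>';
```

stripScriptTagsOnce(PAYLOAD) yields a string that again contains `<script`, which is precisely what the alert message says; escapeHtml(PAYLOAD) contains no `<` at all.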

Check warning on line 214 in packages/core/src/services/loopDetectionService.ts

Code scanning / CodeQL: Overly permissive regular expression range (Medium)

Suspicious character range that is equivalent to [+,\-.\/0-9:;<=>?@A-Z\[\\\]^_].

Check warning on line 793 in packages/cli/src/utils/sandbox.ts

Code scanning / CodeQL: Shell command built from environment values (Medium)

This shell command depends on an uncontrolled absolute path. (5 identical findings are reported at this line.)

Check warning on line 376 in packages/cli/src/utils/sandbox.ts

Code scanning / CodeQL: Shell command built from environment values (Medium)

This shell command depends on an uncontrolled absolute path. This shell command depends on an uncontrolled file name. This shell command depends on an uncontrolled absolute path.

Check warning on line 105 in packages/core/src/utils/shell-utils.ts

Code scanning / CodeQL: Unsafe shell command constructed from library input (Medium)

This string concatenation which depends on library input is later used in a shell command.

Check warning on line 108 in packages/core/src/utils/shell-utils.ts

Code scanning / CodeQL: Unsafe shell command constructed from library input (Medium)

This string concatenation which depends on library input is later used in a shell command.
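Added example covering the two shell-utils.ts alerts and the two sandbox.ts "built from environment values" alerts; it is not code from the fork or from CodeQL. It runs the same command three ways: with the value spliced into a shell command line (the flagged concatenation), with the value passed as an argv element and no shell, and, for the case where a shell really is needed, with the value quoted for POSIX sh. The command (`echo`), the function names and the probe string are constructed; the example assumes a POSIX /bin/sh, as execSync uses on Linux and macOS.

```typescript
// Added example, not the project's code. Names and the probe are assumptions.
import { execFileSync, execSync } from 'node:child_process';

// Flagged pattern: the value becomes part of a string that /bin/sh parses, so
// ';', '$(...)', '|', '>' and friends inside it become shell syntax.
export function runViaShell(arg: string): string {
  return execSync('echo ' + arg, { encoding: 'utf8' });
}

// Replacement: argv array, no shell. The value reaches the program as one
// argument regardless of its contents. This is the fix for the concatenations
// in shell-utils.ts and for the environment-derived paths in sandbox.ts.
export function runViaArgv(arg: string): string {
  return execFileSync('echo', [arg], { encoding: 'utf8' });
}

// When a shell is unavoidable (the command is itself a user pipeline, or the
// tool wraps a sandbox launcher that expects a command string), every
// interpolated value must be single-quoted, with embedded quotes closed,
// escaped and reopened.
export function shQuote(s: string): string {
  return "'" + s.replace(/'/g, "'\\''") + "'";
}

export function runViaShellQuoted(arg: string): string {
  return execSync('echo ' + shQuote(arg), { encoding: 'utf8' });
}

// Constructed probe: a second command hidden behind a separator.
export const PROBE = 'hello; echo INJECTED';
```

runViaShell(PROBE) prints two lines, the second of which is the injected command's output; the other two functions print the probe verbatim on one line. For the sandbox.ts paths, quoting is necessary but not sufficient: a path taken from the environment should also be checked (path.isAbsolute, existence, expected parent directory) before it is used to pick which binary runs.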

Check warning on line 62 in packages/cli/src/utils/commentJson.ts

Code scanning / CodeQL: Prototype-polluting function (Medium)

Properties are copied from updates to result without guarding against prototype pollution.
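Added example for this alert class, not code from the fork or from CodeQL. It shows a recursive merge that follows whatever keys `updates` names, a JSON payload whose `__proto__` key therefore reaches Object.prototype, and the guarded version that skips the three dangerous keys and only descends into own properties of the target. The merge signatures mirror the alert's wording (updates copied into result) but are assumptions; the page does not show the commentJson.ts function.

```typescript
// Added example, not the project's code. Names are assumptions.
type Dict = Record<string, unknown>;

function isPlainObject(v: unknown): v is Dict {
  return typeof v === 'object' && v !== null && !Array.isArray(v);
}

// Flagged pattern: for key "__proto__", `result[key]` reads Object.prototype
// through the accessor, it passes the object check, and the recursive call
// writes the payload's properties onto Object.prototype itself.
export function mergeUnguarded(result: Dict, updates: Dict): Dict {
  for (const key of Object.keys(updates)) {
    const value = updates[key];
    if (isPlainObject(value)) {
      const existing = result[key];
      result[key] = mergeUnguarded(isPlainObject(existing) ? existing : {}, value);
    } else {
      result[key] = value;
    }
  }
  return result;
}

// Guarded version: refuse the keys that reach the prototype chain, and only
// reuse an existing child object when it is an own property of the target.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

export function mergeGuarded(result: Dict, updates: Dict): Dict {
  for (const key of Object.keys(updates)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = updates[key];
    if (isPlainObject(value)) {
      const existing = Object.prototype.hasOwnProperty.call(result, key) ? result[key] : undefined;
      result[key] = mergeGuarded(isPlainObject(existing) ? existing : {}, value);
    } else {
      result[key] = value;
    }
  }
  return result;
}

// Run both merges against a constructed payload and report whether a fresh,
// unrelated object afterwards carries the injected property. Object.prototype
// is cleaned up so the demonstration does not leak into the rest of the process.
export function demonstrate(): { unguardedPolluted: boolean; guardedPolluted: boolean } {
  const payloadText = '{"__proto__":{"polluted":true}}'; // constructed attacker input
  const proto = Object.prototype as unknown as Dict;
  let unguardedPolluted = false;
  let guardedPolluted = false;
  try {
    mergeUnguarded({}, JSON.parse(payloadText) as Dict);
    unguardedPolluted = ({} as Dict).polluted === true;
  } finally {
    delete proto.polluted;
  }
  try {
    mergeGuarded({}, JSON.parse(payloadText) as Dict);
    guardedPolluted = ({} as Dict).polluted === true;
  } finally {
    delete proto.polluted;
  }
  return { unguardedPolluted, guardedPolluted };
}
```

JSON.parse creates `__proto__` as an ordinary own property, which is why Object.keys returns it and why the unguarded merge walks into it; a settings file that is parsed and merged into defaults is exactly the input shape this alert is about.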