fix(patch): cherry-pick 3ff68a9 to release/v0.33.0-preview.14-pr-21884 [CONFLICTS]

[gemini-cli-robot]

This PR automatically cherry-picks commit 3ff68a9 to patch version v0.33.0-preview.14 in the preview release to create version 0.33.0-preview.15.

⚠️ Merge Conflicts Detected

This cherry-pick resulted in merge conflicts that need manual resolution.

🔧 Next Steps:

1. Review the conflicts: Check out this branch and review the conflict markers
2. Resolve conflicts: Edit the affected files to resolve the conflicts
3. Test the changes: Ensure the patch works correctly after resolution
4. Update this PR: Push your conflict resolution

📋 Files with conflicts:

The commit has been created with conflict markers for easier manual resolution.

🚨 Important:

• Do not merge this PR until conflicts are resolved
• The automated patch release will trigger once this PR is merged

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request represents an automated cherry-pick operation aimed at incorporating a critical fix related to a gaxios stream corruption bug into a new preview release. The process encountered merge conflicts, necessitating manual intervention to resolve discrepancies in dependency versions and other code changes before the fix can be fully integrated and deployed.

Highlights

• Automated Cherry-Pick with Conflicts: This pull request is an automated cherry-pick of commit 3ff68a9e55fbf45285f206464e9cbb09a73b2a98 to create a new preview release, but it resulted in merge conflicts that require manual resolution.
• Dependency Version Adjustments: The @google/genai dependency was adjusted across multiple package.json files, primarily being downgraded to 1.30.0 to align with the cherry-picked commit.
• New Lockfile Check for gaxios: A new check was introduced in scripts/check-lockfile.js to prevent the use of gaxios v7+ due to a known stream corruption bug, ensuring stability.
• Removed Image-Related Finish Reasons: Specific IMAGE_RECITATION and IMAGE_OTHER finish reason messages were removed from the useGeminiStream hook in the CLI package.

Changelog

• packages/a2a-server/package.json
  • Downgraded @google/genai dependency to 1.30.0 and removed the caret (^) prefix.
• packages/cli/package.json
  • Downgraded @google/genai dependency to 1.30.0.
• packages/cli/src/ui/hooks/useGeminiStream.ts
  • Removed IMAGE_RECITATION and IMAGE_OTHER from the FinishReason message mapping.
• packages/core/package.json
  • Downgraded @google/genai dependency to 1.30.0 (part of the cherry-picked commit, conflicting with 1.41.0 in HEAD).
  • Added @grpc/grpc-js dependency.
  • Updated google-auth-library dependency to 9.11.0.
• packages/vscode-ide-companion/NOTICES.txt
  • Downgraded ajv to 6.12.6.
  • Removed license entries for safe-buffer and path-to-regexp.
  • Downgraded hono to 4.11.9.
• scripts/check-lockfile.js
  • Added a new check to detect and prevent the use of gaxios v7+ in node_modules due to a known stream corruption bug.

Activity

• An automated cherry-pick was initiated for commit 3ff68a9e55fbf45285f206464e9cbb09a73b2a98.
• Merge conflicts were detected during the cherry-pick process.
• Manual resolution of conflicts is required before this PR can be merged.
• The automated patch release will trigger upon successful merge of this PR.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request cherry-picks a fix for a stream corruption bug in gaxios by downgrading @google/genai and google-auth-library dependencies and adding a CI check to prevent accidental upgrades. However, there is a critical unresolved merge conflict in packages/core/package.json that must be fixed. Additionally, the new CI check in scripts/check-lockfile.js contains logic that may not correctly guard against all problematic versions of gaxios.

_{Note: Security Review is unavailable for this PR.}

I am having trouble creating individual review comments. Click here to see my feedback.

packages/core/package.json (28-33)

This file contains unresolved merge conflict markers (<<<<<<<, =======, >>>>>>>). These markers must be removed and the conflict must be resolved by choosing the correct version of the dependencies. Based on the other changes in this PR, it seems the intention is to downgrade @google/genai to 1.30.0 and add @grpc/grpc-js.

Please replace the conflicted block with:

    "@google/genai": "1.30.0",
    "@grpc/grpc-js": "^1.14.3",

scripts/check-lockfile.js (83)

The condition !location.includes('@google/genai/node_modules') seems to weaken the safeguard against gaxios@7+. If a problematic version of gaxios is installed but nested inside @google/genai/node_modules, this check would ignore it. Given that the gaxios issue is related to dependencies of @google/genai, it seems this check should apply to all instances of gaxios in the lockfile to be fully effective. Consider removing this part of the condition to ensure no version of gaxios@7+ is present anywhere in the dependency tree.