Live Share SDK 2.0.0 #794

Draft
huntj88 wants to merge 54 commits into main from mainv2

huntj88 commented Aug 29, 2024

No description provided.

huntj88 and others added 29 commits February 26, 2024 16:20
Co-authored-by: James Hunt <jameshunt@microsoft.com>
… bug in `LiveCanvas`, and upgraded Fluid version (#775)
Co-authored-by: Ryan Bliss <smile@ryanbliss.me>
…bo package (#781)

…fter npm install, other V2 prep (#786)

…m support (#791)

…0.0, removed references to live-share-turbo
ryanbliss and others added 23 commits August 30, 2024 15:39
Co-authored-by: huntj88 <huntj88@gmail.com>
huntj88 and others added 2 commits January 8, 2026 15:25
Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com>
Co-authored-by: huntj88 <10103298+huntj88@users.noreply.github.com>
Comment on lines +12 to +39
runs-on: ubuntu-latest

strategy:
matrix:
node-version: [20.x, 22.x]

steps:
- uses: actions/checkout@v4
- name: Use Node.js ${{ matrix.node-version }}
uses: actions/setup-node@v4
with:
node-version: ${{ matrix.node-version }}
cache: "npm"
- run: npm --loglevel verbose ci --ignore-scripts
timeout-minutes: 20

- run: npm install jest
working-directory: samples/javascript/02.react-video

- name: "build packages and samples"
run: npm run build

# TODO: get scenario_test.sh working

# - name: "test 02.react-video sample"
# shell: "bash"
# run: sh ../../../.github/workflows/scenario_test.sh
# working-directory: samples/javascript/02.react-video
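
Review bot: the `npm install jest` step for samples/javascript/02.react-video runs without the `--ignore-scripts` flag that the `npm ci` step above it uses, and without a version, so dependency lifecycle scripts can run in this job and the jest release that gets installed is not fixed by the workflow. The only step that would use jest is commented out under the TODO; either drop the install until scenario_test.sh works, or declare jest in the sample's devDependencies so the locked `npm ci --ignore-scripts` install covers it.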

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI 3 days ago

In general, the fix is to add a permissions: block that explicitly scopes the GITHUB_TOKEN to the least privileges the workflow needs. For this workflow, it only checks out code and installs/builds dependencies, so contents: read is sufficient.

The best minimal fix without changing existing behavior is to add a workflow-level permissions: block right after the name: (or before jobs:). This will apply to all jobs that do not define their own permissions. We will set:

permissions:
    contents: read

This ensures that the GITHUB_TOKEN can read repository contents (needed for actions/checkout if the repo is private) but cannot write. No additional methods, imports, or definitions are required; it is purely a YAML configuration change in .github/workflows/live-share-build-samples.yaml.

Concretely, edit .github/workflows/live-share-build-samples.yaml to insert a permissions: section between line 2 and line 3 (between the workflow name and the on: block).

Suggested changeset 1
.github/workflows/live-share-build-samples.yaml

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/live-share-build-samples.yaml b/.github/workflows/live-share-build-samples.yaml
--- a/.github/workflows/live-share-build-samples.yaml
+++ b/.github/workflows/live-share-build-samples.yaml
@@ -1,5 +1,8 @@
 name: Build Live Share SDK samples
 
+permissions:
+    contents: read
+
 on:
     push:
         branches: [main, mainv2]
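
Review bot: the added `permissions:` block has no comment explaining the choice of `contents: read`. Once a `permissions:` key is present, every scope it does not list is set to none for all jobs in the workflow, so a one-line comment above the block saying the token is read-only on purpose would steer a later change that needs more access toward a job-level `permissions:` override instead of widening this one.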
EOF
Copilot is powered by AI and may make mistakes. Always verify output.
Comment on lines +12 to +31
runs-on: ubuntu-latest

strategy:
matrix:
node-version: [20.x, 22.x]

steps:
- uses: actions/checkout@v4
- name: Use Node.js ${{ matrix.node-version }}
uses: actions/setup-node@v4
with:
node-version: ${{ matrix.node-version }}
cache: "npm"

- run: npm --loglevel verbose ci --ignore-scripts
timeout-minutes: 20

- name: "check formatting"
run: "bash checkFormatting.sh"
working-directory: .github/workflows

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI 3 days ago

In general, the fix is to explicitly declare a permissions block for the workflow or for the specific job, setting least‑privilege scopes instead of relying on inherited defaults. For a formatting‑check workflow that only needs to read the repository contents, contents: read is an appropriate minimal setting.

For this concrete file, the simplest and least intrusive fix is to add a root‑level permissions: block (applies to all jobs) immediately after the name: or on: section, specifying only contents: read. This documents the intent and ensures the GITHUB_TOKEN cannot write to the repository even if the org/repo default is broader. No additional libraries, imports, or functional changes are required because permissions configuration is purely declarative in the workflow YAML.

Concretely: in .github/workflows/live-share-formatting.yaml, insert:

permissions:
    contents: read

right after the on: block (or right after name:); keeping existing indentation consistent with the file. No other edits are needed.

Suggested changeset 1
.github/workflows/live-share-formatting.yaml

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/live-share-formatting.yaml b/.github/workflows/live-share-formatting.yaml
--- a/.github/workflows/live-share-formatting.yaml
+++ b/.github/workflows/live-share-formatting.yaml
@@ -7,6 +7,9 @@
         branches: [main, mainv2, "user/**", "copilot/**"]
     workflow_dispatch:
 
+permissions:
+    contents: read
+
 jobs:
     build:
         runs-on: ubuntu-latest
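
Review bot: this patch places `permissions:` between `workflow_dispatch:` and `jobs:`, while the patches for live-share-build-samples.yaml and live-share-test-usage.yaml on this page place it directly after `name:`. Either position is valid at workflow level; use one position in all four files so a workflow that lacks the block stands out when the files are compared.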
EOF
Comment on lines +12 to +40
runs-on: ubuntu-latest

strategy:
matrix:
node-version: [20.x, 22.x]

steps:
- uses: actions/checkout@v4
- name: Use Node.js ${{ matrix.node-version }}
uses: actions/setup-node@v4
with:
node-version: ${{ matrix.node-version }}
cache: "npm"
- run: npm --loglevel verbose ci --ignore-scripts
timeout-minutes: 20

- run: npm run prepare # will trigger a build of all packages

- name: "test live-share"
run: npm run test
working-directory: packages/live-share

- name: "test live-share-canvas"
run: npm run test
working-directory: packages/live-share-canvas

- name: "test live-share-media"
run: npm run test
working-directory: packages/live-share-media

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI 3 days ago

Generally, this issue is fixed by adding an explicit permissions block to the workflow or specific job(s), limiting GITHUB_TOKEN to the minimal required scopes (typically contents: read for a pure CI job). This prevents the workflow from inheriting broader default permissions from the repository or organization.

For this workflow, the best fix without changing functionality is to add a permissions block at the workflow root (top-level, alongside name and on). The job only checks out code and runs Node/npm commands; it does not need to write to the repository or other resources via the GitHub API. Therefore, contents: read is sufficient and matches the minimal starting point suggested by CodeQL. Concretely, in .github/workflows/live-share-test-packages.yaml, insert:

permissions:
    contents: read

between the existing on: block and the jobs: block (i.e., after line 8 and before line 10). No additional imports, methods, or definitions are needed since this is just a YAML configuration change.

Suggested changeset 1
.github/workflows/live-share-test-packages.yaml

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/live-share-test-packages.yaml b/.github/workflows/live-share-test-packages.yaml
--- a/.github/workflows/live-share-test-packages.yaml
+++ b/.github/workflows/live-share-test-packages.yaml
@@ -7,6 +7,9 @@
         branches: [main, mainv2, "user/**", "copilot/**"]
     workflow_dispatch:
 
+permissions:
+    contents: read
+
 jobs:
     build:
         runs-on: ubuntu-latest
EOF
Comment on lines +12 to +45
runs-on: ubuntu-latest

strategy:
matrix:
node-version: [20.x, 22.x]

steps:
- uses: actions/checkout@v4
- name: Use Node.js ${{ matrix.node-version }}
uses: actions/setup-node@v4
with:
node-version: ${{ matrix.node-version }}
cache: "npm"
- run: npm --loglevel verbose ci --ignore-scripts
timeout-minutes: 20

- run: npm run prepare # will trigger a build of all packages

- name: "test live-share with cjs app"
run: npm run test
working-directory: internal/usage-test/cjs-test

- name: "test live-share with esm app"
run: npm run test
working-directory: internal/usage-test/esm-test

- uses: pnpm/action-setup@v4
name: Install pnpm for next step
with:
version: 9
run_install: false
- name: "test live-share with pnpm typescript esm app"
run: pnpm run test
working-directory: internal/usage-test/pnpm-test
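
Review bot: `pnpm/action-setup@v4` is the only action in this job that does not come from the `actions/` organization, and it is referenced by a tag that can be moved. Pin it to a full commit SHA, with the tag kept in a trailing comment, so the code that runs in the job changes only through a reviewed diff.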

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI 3 days ago

In general, the fix is to add an explicit permissions: block declaring the minimal scopes needed by this workflow. For a test-only workflow that just checks out code and runs Node/npm/pnpm commands, contents: read is typically sufficient. Declaring this at the workflow root will apply to all jobs that do not override permissions.

The single best fix here, without changing functionality, is to add a root-level permissions: block right after the name: (before on:) in .github/workflows/live-share-test-usage.yaml:

name: Test Usage of Live Share SDK packages in different JS environments
permissions:
    contents: read

This restricts the GITHUB_TOKEN to read-only access to repository contents, which supports actions/checkout@v4 and normal test execution, while avoiding unnecessary write powers. No additional imports, methods, or other definitions are needed; it is purely a YAML configuration change in this workflow file.

Suggested changeset 1
.github/workflows/live-share-test-usage.yaml

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/live-share-test-usage.yaml b/.github/workflows/live-share-test-usage.yaml
--- a/.github/workflows/live-share-test-usage.yaml
+++ b/.github/workflows/live-share-test-usage.yaml
@@ -1,4 +1,6 @@
 name: Test Usage of Live Share SDK packages in different JS environments
+permissions:
+    contents: read
 
 on:
     push:
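
Review bot: the `+permissions:` line follows `name:` with no blank line between them, unlike the live-share-build-samples.yaml patch, which separates the two. Add a blank line after `name:` so the top-level keys are spaced the same way in every workflow file.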
EOF
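
The four alerts above all describe one condition: neither the workflow nor the job declares `permissions:`. As an added example (not code from this pull request or from CodeQL), the Python check below applies that rule to workflow text before a change is pushed. The function name `unscoped_jobs` and the sample workflows are constructed here, and the scanner is a plain indentation walk, not a full YAML parser.

```python
import re

# A mapping key at the start of a line; list items ("- uses: ...") do not match.
KEY = re.compile(r"^( *)([A-Za-z_][A-Za-z0-9_-]*)\s*:")

def unscoped_jobs(workflow_text):
    """Return the jobs whose GITHUB_TOKEN scope is declared neither at
    workflow level nor on the job itself."""
    workflow_level = False
    in_jobs = False
    job_indent = child_indent = None
    current = None
    declared = {}  # job name -> job has its own `permissions:` key
    for line in workflow_text.splitlines():
        match = KEY.match(line)
        if not match:
            continue
        indent, key = len(match.group(1)), match.group(2)
        if indent == 0:                       # top-level key
            in_jobs = key == "jobs"
            workflow_level = workflow_level or key == "permissions"
            current = None
        elif in_jobs:
            if job_indent is None:
                job_indent = indent           # indentation of job names
            if indent == job_indent:          # a new job starts here
                current, child_indent = key, None
                declared[current] = False
            elif current is not None:
                if child_indent is None:
                    child_indent = indent     # keys directly under the job
                if indent == child_indent and key == "permissions":
                    declared[current] = True
    if workflow_level:
        return []
    return [job for job, ok in declared.items() if not ok]

# Constructed samples, abridged from the workflow excerpts on this page.
BEFORE = """\
name: Build Live Share SDK samples

on:
    push:
        branches: [main, mainv2]

jobs:
    build:
        runs-on: ubuntu-latest
        steps:
            - uses: actions/checkout@v4
            - run: npm --loglevel verbose ci --ignore-scripts
"""
# The change from the autofix patch: a workflow-level read-only block.
AFTER = BEFORE.replace("\non:", "\npermissions:\n    contents: read\n\non:", 1)
# A job-level block covers only its own job, so `build` is still reported.
MIXED = BEFORE + ("    test:\n        runs-on: ubuntu-latest\n"
                  "        permissions:\n            contents: read\n")

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER), ("mixed", MIXED)):
        print(label, unscoped_jobs(text))
```

The `MIXED` case shows why the patches on this page put the block at workflow level: a job-level `permissions:` key leaves sibling jobs on the repository default.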