vso-task-lib is deprecated, but still packaged

[bvida01]

What happened?

Part of the agent deliveries is vso-task-lib. It is mentioned in the src/Misc/externals.sh file:
acquireExternalTool "$CONTAINER_URL/vso-task-lib/0.5.5/vso-task-lib.tar.gz" vso-task-lib

According to npmjs.com, vso-task-lib is deprecated: https://www.npmjs.com/package/vso-task-lib. Instead azure-pipelines-task-lib should be used.

The vso-task-lib itself has vulnerable dependencies, which are constantly revealed by the security scanners.

Is it possible to exclude vso-task-lib and use azure-pipelines-task-lib instead?

Versions

Pipelines Agent v3.240.1 / Linux x64

Environment type (Please select at least one enviroment where you face this issue)

• Self-Hosted
• Microsoft Hosted
• VMSS Pool
• Container

Azure DevOps Server type

dev.azure.com (formerly visualstudio.com)

Azure DevOps Server Version (if applicable)

No response

Operation system

No response

Version controll system

No response

Relevant log output

No response

[vmapetr]

Hi @bvida01 thanks for reporting!
We are working on more prioritized issues at the moment, but will get back to this one soon.