CRW-9702: fix CVE-2025-66031 node-forge ASN.1 Unbounded Recursion

sbouchet · RomanNikitenko · commit c544f0f3c4bb · 2025-12-05T10:52:21.000+02:00
Signed-off-by: Stephane Bouchet &lt;sbouchet@redhat.com&gt;
diff --git a/.rebase/CHANGELOG.md b/.rebase/CHANGELOG.md
@@ -2,6 +2,12 @@
 
 The file to keep a list of changed files which will potentionaly help to resolve rebase conflicts.
 
+#### @sbouchet
+https://github.com/che-incubator/che-code/pull/607
+
+- code/extensions/vscode-api-tests/package.json
+---
+
 #### @sbouchet
 https://github.com/che-incubator/che-code/pull/589
 
diff --git a/.rebase/override/code/extensions/vscode-api-tests/package.json b/.rebase/override/code/extensions/vscode-api-tests/package.json
@@ -0,0 +1,5 @@
+{
+  "devDependencies": {
+    "node-forge": "^1.3.2"
+  }
+}
diff --git a/code/extensions/vscode-api-tests/package-lock.json b/code/extensions/vscode-api-tests/package-lock.json
diff --git a/code/extensions/vscode-api-tests/package.json b/code/extensions/vscode-api-tests/package.json
@@ -268,7 +268,7 @@
     "@types/mocha": "^9.1.1",
     "@types/node": "22.x",
     "@types/node-forge": "^1.3.11",
-    "node-forge": "^1.3.1",
+    "node-forge": "^1.3.2",
     "straightforward": "^4.2.2"
   },
   "repository": {
diff --git a/rebase.sh b/rebase.sh
@@ -203,6 +203,30 @@ apply_code_extensions_microsoft_authentication_package_lock_changes() {
   git add code/extensions/microsoft-authentication/package-lock.json > /dev/null 2>&1
 }
 
+# Apply changes on code/extensions/vscode-api-tests/package-lock.json file
+apply_code_extensions_vscode_api_tests_package_lock_changes() {
+
+  echo "  ⚙️ reworking code/extensions/vscode-api-tests/package-lock.json..."
+  
+  conflicted_files=$(git diff --name-only --diff-filter=U)
+
+  # Check if code/extensions/vscode-api-tests/package.json is in the list
+  if echo "$conflicted_files" | grep -q "^code/extensions/vscode-api-tests/package.json$"; then
+      echo "Conflict for the code/extensions/vscode-api-tests/package.json should be fixed first!"
+      apply_package_changes_by_path "code/extensions/vscode-api-tests/package.json"
+  fi
+  
+  # reset the file from what is upstream
+  git checkout --ours code/extensions/vscode-api-tests/package-lock.json > /dev/null 2>&1
+
+  # update package-lock.json
+  npm install --ignore-scripts --prefix code/extensions/vscode-api-tests
+
+  # resolve the change
+  git add code/extensions/vscode-api-tests/package-lock.json > /dev/null 2>&1
+}
+
+
 # Apply changes on code/remote/package-lock.json file
 apply_code_remote_package_lock_changes() {
 
@@ -420,6 +444,10 @@ resolve_conflicts() {
       apply_package_changes_by_path "$conflictingFile"
     elif [[ "$conflictingFile" == "code/extensions/microsoft-authentication/package-lock.json" ]]; then
       apply_code_extensions_microsoft_authentication_package_lock_changes
+    elif [[ "$conflictingFile" == "code/extensions/vscode-api-tests/package.json" ]]; then
+      apply_package_changes_by_path "$conflictingFile"
+    elif [[ "$conflictingFile" == "code/extensions/vscode-api-tests/package-lock.json" ]]; then
+      apply_code_extensions_vscode_api_tests_package_lock_changes
     elif [[ "$conflictingFile" == "code/build/lib/mangle/index.js" ]]; then
       apply_mangle_index_js_changes
     elif [[ "$conflictingFile" == "code/build/lib/mangle/index.ts" ]]; then

-Original file line number
+Diff line change
@@ @@ -0,0 +1,5 @@ @@
 +{
 +  "devDependencies": {
 +    "node-forge": "^1.3.2"
 +  }
 +}