
Commit 4f93601

sbouchet and claude authored
Fix critical CVE in form-data package (GHSA-fjxv-7rqg-78g4) (#589) (#591)
* Fix critical CVE in form-data package (GHSA-fjxv-7rqg-78g4)

Updated form-data across multiple packages to address critical security vulnerability where unsafe random function was used for choosing boundary values.

Vulnerability Details:
- Advisory: GHSA-fjxv-7rqg-78g4
- Severity: Critical
- CWE-330: Use of Insufficiently Random Values
- Affected versions: <2.5.4, 3.0.0-3.0.3, 4.0.0-4.0.3

Packages Updated:
- code/package-lock.json
- code/extensions/che-activity-tracker/package-lock.json
- code/extensions/che-api/package-lock.json
- code/extensions/che-commands/package-lock.json
- code/extensions/che-port/package-lock.json
- code/extensions/che-remote/package-lock.json

The form-data package is used as a transitive dependency through:
- @types/node-fetch
- axios
- jsdom

Verification: npm audit confirms the critical form-data vulnerability has been resolved. Vulnerability count reduced from 14 to 13.

Generated-by: Claude CLI

🤖 Generated with [Claude Code](https://claude.com/claude-code)

* Fix critical CVE in form-data package (GHSA-fjxv-7rqg-78g4)
* Fix critical CVE in form-data package (GHSA-fjxv-7rqg-78g4)
* Fix critical CVE in form-data package (GHSA-fjxv-7rqg-78g4)
* Fix critical CVE in form-data package (GHSA-fjxv-7rqg-78g4)
* Fix critical CVE in form-data package (GHSA-fjxv-7rqg-78g4)
* update che devworkspace-generator version

---------

Signed-off-by: Stephane Bouchet <sbouchet@redhat.com>
Co-authored-by: Claude <noreply@anthropic.com>
1 parent ab62d4f commit 4f93601

12 files changed

Lines changed: 628 additions & 139 deletions
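
The affected ranges listed in the commit message can be checked against a lockfile directly rather than read off the npm audit count. The following is an added example, not part of this commit or of the che-code project; the function names and the sample lockfile are constructed, and it assumes the "packages" map used by lockfileVersion 2 and 3.

```javascript
// First fixed release per major line, from the ranges in the commit message:
// affected are <2.5.4, 3.0.0-3.0.3 and 4.0.0-4.0.3.
const FIRST_FIXED = { 2: [2, 5, 4], 3: [3, 0, 4], 4: [4, 0, 4] };

function parseVersion(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(version || '');
  return m ? m.slice(1, 4).map(Number) : null;
}

function isAffected(version) {
  const v = parseVersion(version);
  if (!v) return true;            // unparseable: surface for manual review
  if (v[0] < 2) return true;      // 0.x and 1.x fall under "<2.5.4"
  const fixed = FIRST_FIXED[v[0]];
  if (!fixed) return false;       // majors above 4 are not listed as affected
  for (let i = 0; i < 3; i++) {
    if (v[i] !== fixed[i]) return v[i] < fixed[i];
  }
  return false;                   // exactly the first fixed release
}

// Walk the "packages" map of a parsed package-lock.json (lockfileVersion 2 or 3)
// and return every installed copy of form-data that is still in an affected range.
function findAffectedFormData(lock) {
  const hits = [];
  for (const [location, meta] of Object.entries(lock.packages || {})) {
    const isFormData = location === 'node_modules/form-data' ||
      location.endsWith('/node_modules/form-data');
    if (isFormData && isAffected(meta.version)) {
      hits.push({ location, version: meta.version });
    }
  }
  return hits;
}

// Constructed sample lockfile, not taken from the repository.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample-extension' },
    'node_modules/form-data': { version: '4.0.4' },
    'node_modules/jsdom/node_modules/form-data': { version: '3.0.1' },
    'node_modules/request/node_modules/form-data': { version: '2.5.5' },
    'node_modules/axios/node_modules/form-data': { version: '4.0.0' },
  },
};

console.log(findAffectedFormData(sampleLock));
```

For a real check, pass the parsed contents of each package-lock.json named in the commit message to findAffectedFormData and fail the build when the result is non-empty.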


code/extensions/che-activity-tracker/package-lock.json

Lines changed: 176 additions & 4 deletions

code/extensions/che-activity-tracker/package.json

Lines changed: 5 additions & 0 deletions
@@ -39,6 +39,11 @@
3939
"jest": "27.3.1",
4040
"ts-jest": "^27.1.4"
4141
},
42+
"overrides": {
43+
"jsdom": {
44+
"form-data": "3.0.4"
45+
}
46+
},
4247
"repository": {
4348
"type": "git",
4449
"url": "https://github.com/che-incubator/che-code.git"
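Review bot: The new "overrides" entry at lines 42-46 pins form-data to the exact version "3.0.4" and only under jsdom, so a later 3.x patch release will not be picked up and any other dependency that reaches form-data is left to resolve on its own. The commit message lists 3.0.0-3.0.3 as affected, so 3.0.4 clears this advisory, but consider a range such as "^3.0.4", and record the advisory ID as the reason for the override in the PR description or changelog (package.json cannot carry comments) so the pin can be dropped once jsdom itself depends on a fixed release.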

code/extensions/che-api/package-lock.json

Lines changed: 25 additions & 15 deletions

code/extensions/che-api/package.json

Lines changed: 7 additions & 1 deletion
@@ -31,7 +31,7 @@
3131
},
3232
"dependencies": {
3333
"@devfile/api": "^2.3.0-1738854228",
34-
"axios": "^1.7.4",
34+
"axios": "^1.13.1",
3535
"@kubernetes/client-node": "^0.22.0",
3636
"fs-extra": "^11.2.0",
3737
"inversify": "^6.0.2",
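Review bot: The axios change on line 34 raises the floor of a direct runtime dependency from "^1.7.4" to "^1.13.1", which the commit message does not call out; it only names axios as one of the paths to form-data. Say in the message that this bump is how the axios path picks up a fixed form-data, and confirm the extension's axios call sites were exercised against the new minor, since this is a wider change than the transitive overrides used for the other parents.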
@@ -53,6 +53,12 @@
5353
"jsonpath-plus": "10.1.0",
5454
"request": {
5555
"form-data": "2.5.5"
56+
},
57+
"@types/node-fetch": {
58+
"form-data": "4.0.4"
59+
},
60+
"jsdom": {
61+
"form-data": "3.0.4"
5662
}
5763
},
5864
"repository": {
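Review bot: After lines 56-61 this block carries three exact form-data pins on three release lines (2.5.5 under request, 4.0.4 under @types/node-fetch, 3.0.4 under jsdom), each of which has to be revisited by hand at the next advisory. All three sit at or above the affected ranges given in the commit message, but because every pin is scoped to one parent, a new transitive path to form-data would not be covered. Consider caret ranges instead of exact versions, and add a CI step that runs "npm ls form-data" (or fails on npm audit findings for this package) so a vulnerable copy arriving through another parent is caught.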
