Fix critical CVE in form-data package (GHSA-fjxv-7rqg-78g4) by sbouchet · Pull Request #589 · che-incubator/che-code

sbouchet · 2025-10-22T11:26:30Z

What does this PR do?

Fix critical CVE in form-data package (GHSA-fjxv-7rqg-78g4)

What issues does this PR fix?

Updated form-data across multiple packages to address critical security vulnerability where unsafe random function was used for choosing boundary values.

Vulnerability Details:

Advisory: GHSA-fjxv-7rqg-78g4
Severity: Critical
CWE-330: Use of Insufficiently Random Values
Affected versions: <2.5.4, 3.0.0-3.0.3, 4.0.0-4.0.3

Packages Updated:

code/package-lock.json
code/extensions/che-activity-tracker/package-lock.json
code/extensions/che-api/package-lock.json
code/extensions/che-commands/package-lock.json
code/extensions/che-port/package-lock.json
code/extensions/che-remote/package-lock.json

The form-data package is used as a transitive dependency through:

@types/node-fetch
axios
jsdom

Verification: npm audit confirms the critical form-data vulnerability has been resolved. Vulnerability count reduced from 14 to 13.

Generated-by: Claude CLI

🤖 Generated with Claude Code

How to test this PR?

Does this PR contain changes that override default upstream Code-OSS behavior?

the PR contains changes in the code folder (you can skip it if your changes are placed in a che extension )
the corresponding items were added to the CHANGELOG.md file
rules for automatic git rebase were added to the .rebase folder

Updated form-data across multiple packages to address critical security vulnerability where unsafe random function was used for choosing boundary values. Vulnerability Details: - Advisory: GHSA-fjxv-7rqg-78g4 - Severity: Critical - CWE-330: Use of Insufficiently Random Values - Affected versions: <2.5.4, 3.0.0-3.0.3, 4.0.0-4.0.3 Packages Updated: - code/package-lock.json - code/extensions/che-activity-tracker/package-lock.json - code/extensions/che-api/package-lock.json - code/extensions/che-commands/package-lock.json - code/extensions/che-port/package-lock.json - code/extensions/che-remote/package-lock.json The form-data package is used as a transitive dependency through: - @types/node-fetch - axios - jsdom Verification: npm audit confirms the critical form-data vulnerability has been resolved. Vulnerability count reduced from 14 to 13. Generated-by: Claude CLI 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>

github-actions · 2025-10-22T11:26:41Z

Click here to review and test in web IDE:

github-actions · 2025-10-22T12:24:31Z

Pull Request images published ✨

Editor amd64: quay.io/che-incubator-pull-requests/che-code:pr-589-amd64
Editor arm64: quay.io/che-incubator-pull-requests/che-code:pr-589-arm64
Dev image: quay.io/che-incubator-pull-requests/che-code-dev:pr-589-dev-amd64

Signed-off-by: Stephane Bouchet <sbouchet@redhat.com>

github-actions · 2025-10-28T18:19:18Z

Pull Request images published ✨

Editor amd64: quay.io/che-incubator-pull-requests/che-code:pr-589-amd64
Editor arm64: quay.io/che-incubator-pull-requests/che-code:pr-589-arm64
Dev image: quay.io/che-incubator-pull-requests/che-code-dev:pr-589-dev-amd64

Signed-off-by: Stephane Bouchet <sbouchet@redhat.com>

github-actions · 2025-10-30T18:41:31Z

Pull Request images published ✨

Editor amd64: quay.io/che-incubator-pull-requests/che-code:pr-589-amd64
Editor arm64: quay.io/che-incubator-pull-requests/che-code:pr-589-arm64
Dev image: quay.io/che-incubator-pull-requests/che-code-dev:pr-589-dev-amd64

Signed-off-by: Stephane Bouchet <sbouchet@redhat.com>

sbouchet · 2025-10-31T12:23:12Z

@RomanNikitenko please re-review my last changes.
updated directly axios in some extensions
override all vulnerable form-data in others places.

RomanNikitenko · 2025-10-31T12:43:01Z

@sbouchet
+1 to update axios version

But I should mention that axios instance is passed to the devWorkspaceGenerator library.

Some time ago we had a problem, see devfile/devworkspace-generator#201
So - maybe it makes sense to update the axios version for that library as well.

github-actions · 2025-10-31T14:37:17Z

Pull Request images published ✨

Editor amd64: quay.io/che-incubator-pull-requests/che-code:pr-589-amd64
Editor arm64: quay.io/che-incubator-pull-requests/che-code:pr-589-arm64
Dev image: quay.io/che-incubator-pull-requests/che-code-dev:pr-589-dev-amd64

see also che-incubator/che-code#589 Signed-off-by: Stephane Bouchet <sbouchet@redhat.com>

sbouchet · 2025-10-31T15:26:11Z

@sbouchet +1 to update axios version

But I should mention that axios instance is passed to the devWorkspaceGenerator library.

Some time ago we had a problem, see devfile/devworkspace-generator#201 So - maybe it makes sense to update the axios version for that library as well.

PR merged : devfile/devworkspace-generator#271 (comment)

RomanNikitenko · 2025-10-31T15:47:13Z

@sbouchet +1 to update axios version
But I should mention that axios instance is passed to the devWorkspaceGenerator library.
Some time ago we had a problem, see devfile/devworkspace-generator#201 So - maybe it makes sense to update the axios version for that library as well.

PR merged : devfile/devworkspace-generator#271 (comment)

Great!
now @eclipse-che/che-devworkspace-generator version should be updated on the che-code side to pick up those changes

Signed-off-by: Stephane Bouchet <sbouchet@redhat.com>

github-actions · 2025-11-03T16:16:06Z

Pull Request images published ✨

Editor amd64: quay.io/che-incubator-pull-requests/che-code:pr-589-amd64
Editor arm64: quay.io/che-incubator-pull-requests/che-code:pr-589-arm64
Dev image: quay.io/che-incubator-pull-requests/che-code-dev:pr-589-dev-amd64

) * Fix critical CVE in form-data package (GHSA-fjxv-7rqg-78g4) Updated form-data across multiple packages to address critical security vulnerability where unsafe random function was used for choosing boundary values. Vulnerability Details: - Advisory: GHSA-fjxv-7rqg-78g4 - Severity: Critical - CWE-330: Use of Insufficiently Random Values - Affected versions: <2.5.4, 3.0.0-3.0.3, 4.0.0-4.0.3 Packages Updated: - code/package-lock.json - code/extensions/che-activity-tracker/package-lock.json - code/extensions/che-api/package-lock.json - code/extensions/che-commands/package-lock.json - code/extensions/che-port/package-lock.json - code/extensions/che-remote/package-lock.json The form-data package is used as a transitive dependency through: - @types/node-fetch - axios - jsdom Verification: npm audit confirms the critical form-data vulnerability has been resolved. Vulnerability count reduced from 14 to 13. Generated-by: Claude CLI 🤖 Generated with [Claude Code](https://claude.com/claude-code) * Fix critical CVE in form-data package (GHSA-fjxv-7rqg-78g4) * Fix critical CVE in form-data package (GHSA-fjxv-7rqg-78g4) * Fix critical CVE in form-data package (GHSA-fjxv-7rqg-78g4) * Fix critical CVE in form-data package (GHSA-fjxv-7rqg-78g4) * Fix critical CVE in form-data package (GHSA-fjxv-7rqg-78g4) * update che devworkspace-generator version --------- Signed-off-by: Stephane Bouchet <sbouchet@redhat.com> Co-authored-by: Claude <noreply@anthropic.com>

RomanNikitenko · 2025-11-11T12:42:40Z

@sbouchet
I've created the following PRs to fix some problems related to the current PR

please review them

One more question: I see there is still 2.3.3 version of the form-data is used in the launcher
Any reason why it was not fixed within the current PR?

sbouchet · 2025-11-12T09:46:04Z

One more question: I see there is still 2.3.3 version of the form-data is used in the launcher Any reason why it was not fixed within the current PR?

hum. claude AI didn't see it and me too. need to create another PR for it :(

sbouchet added this to Eclipse Che Team C Backlog Oct 22, 2025

sbouchet self-assigned this Oct 22, 2025

sbouchet moved this to 🚧 In Progress in Eclipse Che Team C Backlog Oct 22, 2025

Fix critical CVE in form-data package (GHSA-fjxv-7rqg-78g4)

caf7b04

Signed-off-by: Stephane Bouchet <sbouchet@redhat.com>

sbouchet marked this pull request as ready for review October 28, 2025 10:00

sbouchet requested review from RomanNikitenko, azatsarynnyy and vitaliy-guliy as code owners October 28, 2025 10:00

sbouchet moved this from 🚧 In Progress to Ready for Review in Eclipse Che Team C Backlog Oct 28, 2025

RomanNikitenko reviewed Oct 28, 2025

View reviewed changes

Comment thread code/package.json

Fix critical CVE in form-data package (GHSA-fjxv-7rqg-78g4)

f08d28a

Signed-off-by: Stephane Bouchet <sbouchet@redhat.com>

RomanNikitenko reviewed Oct 29, 2025

View reviewed changes

Comment thread code/extensions/che-activity-tracker/package.json Outdated

sbouchet added 2 commits October 30, 2025 18:38

Fix critical CVE in form-data package (GHSA-fjxv-7rqg-78g4)

4217916

Signed-off-by: Stephane Bouchet <sbouchet@redhat.com>

Fix critical CVE in form-data package (GHSA-fjxv-7rqg-78g4)

b9a2a05

Signed-off-by: Stephane Bouchet <sbouchet@redhat.com>

sbouchet marked this pull request as draft October 30, 2025 18:20

Fix critical CVE in form-data package (GHSA-fjxv-7rqg-78g4)

6d10e91

Signed-off-by: Stephane Bouchet <sbouchet@redhat.com>

sbouchet marked this pull request as ready for review October 31, 2025 12:21

sbouchet added a commit to sbouchet/devworkspace-generator that referenced this pull request Oct 31, 2025

Fix critical CVE in form-data package (GHSA-fjxv-7rqg-78g4)

78aa530

see also che-incubator/che-code#589 Signed-off-by: Stephane Bouchet <sbouchet@redhat.com>

sbouchet mentioned this pull request Oct 31, 2025

Fix critical CVE in form-data package (GHSA-fjxv-7rqg-78g4) devfile/devworkspace-generator#271

Merged

svor pushed a commit to devfile/devworkspace-generator that referenced this pull request Oct 31, 2025

Fix critical CVE in form-data package (GHSA-fjxv-7rqg-78g4) (#271)

252c290

see also che-incubator/che-code#589 Signed-off-by: Stephane Bouchet <sbouchet@redhat.com>

update che devworkspace-generator version

5c0da53

Signed-off-by: Stephane Bouchet <sbouchet@redhat.com>

RomanNikitenko approved these changes Nov 4, 2025

View reviewed changes

sbouchet merged commit a847288 into che-incubator:main Nov 4, 2025
12 of 13 checks passed

sbouchet deleted the GHSA-fjxv-7rqg-78g4 branch November 4, 2025 13:46

sbouchet mentioned this pull request Nov 4, 2025

[7.111.x] Fix critical CVE in form-data package (GHSA-fjxv-7rqg-78g4) #591

Merged

3 tasks

sbouchet moved this from Ready for Review to ✅ Done in Eclipse Che Team C Backlog Nov 4, 2025

This was referenced Nov 11, 2025

chore: Fix rebasing rule for the form-data dependency #595

Merged

Fix CVE in form-data #596

Merged

sbouchet mentioned this pull request Nov 12, 2025

Fix CVE in launcher from form-data #598

Merged

3 tasks

Conversation

sbouchet commented Oct 22, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

What does this PR do?

What issues does this PR fix?

How to test this PR?

Does this PR contain changes that override default upstream Code-OSS behavior?

Uh oh!

github-actions Bot commented Oct 22, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

github-actions Bot commented Oct 22, 2025

Uh oh!

Uh oh!

github-actions Bot commented Oct 28, 2025

Uh oh!

Uh oh!

github-actions Bot commented Oct 30, 2025

Uh oh!

sbouchet commented Oct 31, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

RomanNikitenko commented Oct 31, 2025

Uh oh!

github-actions Bot commented Oct 31, 2025

Uh oh!

sbouchet commented Oct 31, 2025

Uh oh!

RomanNikitenko commented Oct 31, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

github-actions Bot commented Nov 3, 2025

Uh oh!

Uh oh!

RomanNikitenko commented Nov 11, 2025

Uh oh!

sbouchet commented Nov 12, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

sbouchet commented Oct 22, 2025 •

edited

Loading

github-actions Bot commented Oct 22, 2025 •

edited

Loading

sbouchet commented Oct 31, 2025 •

edited

Loading

RomanNikitenko commented Oct 31, 2025 •

edited

Loading