Skip to content

[7.111.x] Fix critical CVE in form-data package (GHSA-fjxv-7rqg-78g4)#591

Merged
RomanNikitenko merged 1 commit into
che-incubator:7.111.xfrom
sbouchet:7.111_GHSA-fjxv-7rqg-78g4
Nov 6, 2025
Merged

[7.111.x] Fix critical CVE in form-data package (GHSA-fjxv-7rqg-78g4)#591
RomanNikitenko merged 1 commit into
che-incubator:7.111.xfrom
sbouchet:7.111_GHSA-fjxv-7rqg-78g4

Conversation

@sbouchet
Copy link
Copy Markdown
Collaborator

@sbouchet sbouchet commented Nov 4, 2025

Updated form-data across multiple packages to address critical security vulnerability where unsafe random function was used for choosing boundary
values.

Vulnerability Details:

  • Advisory: GHSA-fjxv-7rqg-78g4
  • Severity: Critical
  • CWE-330: Use of Insufficiently Random Values
  • Affected versions: <2.5.4, 3.0.0-3.0.3, 4.0.0-4.0.3

Packages Updated:

  • code/package-lock.json
  • code/extensions/che-activity-tracker/package-lock.json
  • code/extensions/che-api/package-lock.json
  • code/extensions/che-commands/package-lock.json
  • code/extensions/che-port/package-lock.json
  • code/extensions/che-remote/package-lock.json

The form-data package is used as a transitive dependency through:

  • @types/node-fetch
  • axios
  • jsdom

Verification: npm audit confirms the critical form-data vulnerability has been resolved. Vulnerability count reduced from 14 to 13.

Generated-by: Claude CLI

🤖 Generated with Claude Code

What does this PR do?

backport of #589

What issues does this PR fix?

How to test this PR?

Does this PR contain changes that override default upstream Code-OSS behavior?

  • the PR contains changes in the code folder (you can skip it if your changes are placed in a che extension )
  • the corresponding items were added to the CHANGELOG.md file
  • rules for automatic git rebase were added to the .rebase folder

@sbouchet @claude
Fix critical CVE in form-data package (GHSA-fjxv-7rqg-78g4) (che-incu…
c45bd35 
…bator#589)

* Fix critical CVE in form-data package (GHSA-fjxv-7rqg-78g4)

Updated form-data across multiple packages to address critical security
vulnerability where unsafe random function was used for choosing
boundary
values.

Vulnerability Details:
- Advisory: GHSA-fjxv-7rqg-78g4
- Severity: Critical
- CWE-330: Use of Insufficiently Random Values
- Affected versions: <2.5.4, 3.0.0-3.0.3, 4.0.0-4.0.3

Packages Updated:
- code/package-lock.json
- code/extensions/che-activity-tracker/package-lock.json
- code/extensions/che-api/package-lock.json
- code/extensions/che-commands/package-lock.json
- code/extensions/che-port/package-lock.json
- code/extensions/che-remote/package-lock.json

The form-data package is used as a transitive dependency through:
- @types/node-fetch
- axios
- jsdom

Verification: npm audit confirms the critical form-data vulnerability
has been resolved. Vulnerability count reduced from 14 to 13.

Generated-by: Claude CLI

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* Fix critical CVE in form-data package (GHSA-fjxv-7rqg-78g4)

Signed-off-by: Stephane Bouchet <sbouchet@redhat.com>

* Fix critical CVE in form-data package (GHSA-fjxv-7rqg-78g4)

Signed-off-by: Stephane Bouchet <sbouchet@redhat.com>

* Fix critical CVE in form-data package (GHSA-fjxv-7rqg-78g4)

Signed-off-by: Stephane Bouchet <sbouchet@redhat.com>

* Fix critical CVE in form-data package (GHSA-fjxv-7rqg-78g4)

Signed-off-by: Stephane Bouchet <sbouchet@redhat.com>

* Fix critical CVE in form-data package (GHSA-fjxv-7rqg-78g4)

Signed-off-by: Stephane Bouchet <sbouchet@redhat.com>

* update che devworkspace-generator version

Signed-off-by: Stephane Bouchet <sbouchet@redhat.com>

---------

Signed-off-by: Stephane Bouchet <sbouchet@redhat.com>
Co-authored-by: Claude <noreply@anthropic.com>
@github-actions
Copy link
Copy Markdown

github-actions Bot commented Nov 4, 2025
edited
Loading

Click here to review and test in web IDE: Contribute

@sbouchet sbouchet self-assigned this Nov 4, 2025
@sbouchet sbouchet moved this to Ready for Review in Eclipse Che Team C Backlog Nov 4, 2025
@sbouchet sbouchet changed the title Fix critical CVE in form-data package (GHSA-fjxv-7rqg-78g4) [7.111.x] Fix critical CVE in form-data package (GHSA-fjxv-7rqg-78g4) Nov 4, 2025
@github-actions
Copy link
Copy Markdown

github-actions Bot commented Nov 4, 2025

Pull Request images published ✨

Editor amd64: quay.io/che-incubator-pull-requests/che-code:pr-591-amd64
Editor arm64: quay.io/che-incubator-pull-requests/che-code:pr-591-arm64
Dev image: quay.io/che-incubator-pull-requests/che-code-dev:pr-591-dev-amd64

@RomanNikitenko
Copy link
Copy Markdown
Collaborator

RomanNikitenko commented Nov 5, 2025

@SkorikSergey
it's backport PR to the release branch - please review when you have a chance

@RomanNikitenko RomanNikitenko merged commit 4f93601 into che-incubator:7.111.x Nov 6, 2025
14 checks passed
@sbouchet sbouchet deleted the 7.111_GHSA-fjxv-7rqg-78g4 branch November 10, 2025 10:17
@sbouchet sbouchet moved this from Ready for Review to ✅ Done in Eclipse Che Team C Backlog Nov 10, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@RomanNikitenko RomanNikitenko RomanNikitenko approved these changes

@azatsarynnyy azatsarynnyy Awaiting requested review from azatsarynnyy azatsarynnyy is a code owner

@vitaliy-guliy vitaliy-guliy Awaiting requested review from vitaliy-guliy vitaliy-guliy is a code owner

+1 more reviewer

@SkorikSergey SkorikSergey SkorikSergey approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@sbouchet sbouchet

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@sbouchet @RomanNikitenko @SkorikSergey