From 8f2986e659326dde978c656c04fdcb7a3cde3f90 Mon Sep 17 00:00:00 2001
From: Stephane Bouchet
Date: Fri, 15 May 2026 17:08:51 +0200
Subject: [PATCH 1/2] Fix CVE-2026-33228 by updating flatted to patched version

Add flatted ^3.4.2 override in code/package.json to fix prototype pollution vulnerability via parse(). Update rebase add rule accordingly.

Signed-off-by: Stephane Bouchet
Co-Authored-By: Claude Opus 4.6
Signed-off-by: Stephane Bouchet
---
 .rebase/CHANGELOG.md | 6 ++++++
 .rebase/add/code/package.json | 3 ++-
 code/extensions/che-remote/package-lock.json | 9 +++++----
 code/extensions/che-remote/package.json | 3 ++-
 code/package-lock.json | 9 +++++----
 code/package.json | 3 ++-
 launcher/package-lock.json | 9 +++++----
 launcher/package.json | 3 ++-
 8 files changed, 29 insertions(+), 16 deletions(-)
diff --git a/.rebase/CHANGELOG.md b/.rebase/CHANGELOG.md
index 8e8e158b2b3..6037c210692 100644
--- a/.rebase/CHANGELOG.md
+++ b/.rebase/CHANGELOG.md
@@ -2,6 +2,12 @@
 The file to keep a list of changed files which will potentionaly help to resolve rebase conflicts.
+#### @sbouchet
+https://github.com/che-incubator/che-code/commit/e148ccad43841a4610ca572f9b69b13bf7b2442e
+
+- code/package.json
+---
+
 #### @sbouchet
 https://github.com/che-incubator/che-code/pull/698
diff --git a/.rebase/add/code/package.json b/.rebase/add/code/package.json
index 8e6cdc5f9cb..165fada9b73 100644
--- a/.rebase/add/code/package.json
+++ b/.rebase/add/code/package.json
@@ -63,6 +63,7 @@
 "minimatch": "^5.1.9"
 }
 },
- "es5-ext": "npm:@unes/es5-ext@0.10.64-1"
+ "es5-ext": "npm:@unes/es5-ext@0.10.64-1",
+ "flatted": "^3.4.2"
 }
 }
diff --git a/code/extensions/che-remote/package-lock.json b/code/extensions/che-remote/package-lock.json
index b131a1c64a5..428650ecb69 100644
--- a/code/extensions/che-remote/package-lock.json
+++ b/code/extensions/che-remote/package-lock.json
@@ -2518,10 +2518,11 @@
 }
 },
 "node_modules/flatted": {
- "version": "3.3.1",
- "resolved": "https://registry.npmjs.org/flatted/-/flatted-3.3.1.tgz",
- "integrity": "sha512-X8cqMLLie7KsNUDSdzeN8FYK9rEt4Dt67OsG/DNGnYTSDBG4uFAJFBnUeiV+zCVAvwFy56IjM9sH51jVaEhNxw==",
- "dev": true
+ "version": "3.4.2",
+ "resolved": "https://registry.npmjs.org/flatted/-/flatted-3.4.2.tgz",
+ "integrity": "sha512-PjDse7RzhcPkIJwy5t7KPWQSZ9cAbzQXcafsetQoD7sOJRQlGikNbx7yZp2OotDnJyrDcbyRq3Ttb18iYOqkxA==",
+ "dev": true,
+ "license": "ISC"
 },
 "node_modules/follow-redirects": {
 "version": "1.16.0",
diff --git a/code/extensions/che-remote/package.json b/code/extensions/che-remote/package.json
index 07edb5373bb..b3a1c339672 100644
--- a/code/extensions/che-remote/package.json
+++ b/code/extensions/che-remote/package.json
@@ -61,7 +61,8 @@
 "ajv": "6.14.0",
 "minimatch": "^3.1.5",
 "handlebars": "4.7.9",
- "follow-redirects": "^1.16.0"
+ "follow-redirects": "^1.16.0",
+ "flatted": "^3.4.2"
 },
 "repository": {
 "type": "git",
diff --git a/code/package-lock.json b/code/package-lock.json
index ba29e9b501e..81a69fc06c1 100644
--- a/code/package-lock.json
+++ b/code/package-lock.json
@@ -7388,10 +7388,11 @@
 }
 },
 "node_modules/flatted": {
- "version": "3.3.1",
- "resolved": "https://registry.npmjs.org/flatted/-/flatted-3.3.1.tgz",
- "integrity": "sha512-X8cqMLLie7KsNUDSdzeN8FYK9rEt4Dt67OsG/DNGnYTSDBG4uFAJFBnUeiV+zCVAvwFy56IjM9sH51jVaEhNxw==",
- "dev": true
+ "version": "3.4.2",
+ "resolved": "https://registry.npmjs.org/flatted/-/flatted-3.4.2.tgz",
+ "integrity": "sha512-PjDse7RzhcPkIJwy5t7KPWQSZ9cAbzQXcafsetQoD7sOJRQlGikNbx7yZp2OotDnJyrDcbyRq3Ttb18iYOqkxA==",
+ "dev": true,
+ "license": "ISC"
 },
 "node_modules/flush-write-stream": {
 "version": "1.1.1",
diff --git a/code/package.json b/code/package.json
index 253ca56ca12..cc5783a8eb0 100644
--- a/code/package.json
+++ b/code/package.json
@@ -287,7 +287,8 @@
 "minimatch": "^5.1.9"
 }
 },
- "es5-ext": "npm:@unes/es5-ext@0.10.64-1"
+ "es5-ext": "npm:@unes/es5-ext@0.10.64-1",
+ "flatted": "^3.4.2"
 },
 "repository": {
 "type": "git",
diff --git a/launcher/package-lock.json b/launcher/package-lock.json
index fa3190a3111..b410bc92e4b 100644
--- a/launcher/package-lock.json
+++ b/launcher/package-lock.json
@@ -2754,10 +2754,11 @@
 }
 },
 "node_modules/flatted": {
- "version": "3.3.1",
- "resolved": "https://registry.npmjs.org/flatted/-/flatted-3.3.1.tgz",
- "integrity": "sha512-X8cqMLLie7KsNUDSdzeN8FYK9rEt4Dt67OsG/DNGnYTSDBG4uFAJFBnUeiV+zCVAvwFy56IjM9sH51jVaEhNxw==",
- "dev": true
+ "version": "3.4.2",
+ "resolved": "https://registry.npmjs.org/flatted/-/flatted-3.4.2.tgz",
+ "integrity": "sha512-PjDse7RzhcPkIJwy5t7KPWQSZ9cAbzQXcafsetQoD7sOJRQlGikNbx7yZp2OotDnJyrDcbyRq3Ttb18iYOqkxA==",
+ "dev": true,
+ "license": "ISC"
 },
 "node_modules/form-data": {
 "version": "4.0.5",
diff --git a/launcher/package.json b/launcher/package.json
index e9c2b2e6750..e37235a40fc 100644
--- a/launcher/package.json
+++ b/launcher/package.json
@@ -53,7 +53,8 @@
 },
 "ajv": "6.14.0",
 "minimatch": "^3.1.5",
- "handlebars": "4.7.9"
+ "handlebars": "4.7.9",
+ "flatted": "^3.4.2"
 },
 "jest": {
 "collectCoverage": true,
From dca2f5259d28c1305732b6cc9262d0de598a612f Mon Sep 17 00:00:00 2001
From: Stephane Bouchet
Date: Mon, 18 May 2026 14:12:58 +0200
Subject: [PATCH 2/2] use correct PR url

Signed-off-by: Stephane Bouchet
---
 .rebase/CHANGELOG.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.rebase/CHANGELOG.md b/.rebase/CHANGELOG.md
index 6037c210692..2f8e8a17a80 100644
--- a/.rebase/CHANGELOG.md
+++ b/.rebase/CHANGELOG.md
@@ -3,7 +3,7 @@
 The file to keep a list of changed files which will potentionaly help to resolve rebase conflicts.
 #### @sbouchet
-https://github.com/che-incubator/che-code/commit/e148ccad43841a4610ca572f9b69b13bf7b2442e
+https://github.com/che-incubator/che-code/pull/708
 - code/package.json
 ---
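Review bot: The `+ "flatted": "^3.4.2"` line in the code/package.json hunk pins a package that all three lockfile hunks in this same patch record as `"dev": true`, so the parse() prototype-pollution path named in the commit message appears to be reachable only from build/test tooling rather than from the shipped runtime; that is worth stating in the commit message and the CHANGELOG entry so the exposure is not overstated, and worth confirming with `npm ls flatted --omit=dev` that no production path pulls it in. The neighbouring `es5-ext` override is an exact alias pin while this one is a caret range: `^3.4.2` is an acceptable floor because the lockfile resolves it to 3.4.2, but if the goal is an auditable pin that survives a lockfile regeneration, `"flatted": "3.4.2"` is the tighter choice. The enclosing object (presumably the `overrides` block, judging by the sibling entries) starts outside the hunk, so the same remark applies to the identical additions in the .rebase/add, che-remote and launcher package.json files.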