fix: override ws to patched versions (CVE-2026-48779) #728

Merged: sbouchet merged 6 commits into che-incubator:main from sbouchet:CVE-2026-48779 on Jun 25, 2026
Conversation

sbouchet (Collaborator) commented Jun 22, 2026

What does this PR do?

This PR fixes CVE-2026-48779 and CVE-2026-45736

ws version is updated to 8.21.0

What issues does this PR fix?

https://redhat.atlassian.net/browse/CRW-11279
https://redhat.atlassian.net/browse/CRW-11392

How to test this PR?

Does this PR contain changes that override default upstream Code-OSS behavior?

  • the PR contains changes in the code folder (you can skip it if your changes are placed in a che extension)
  • the corresponding items were added to the CHANGELOG.md file
  • rules for automatic git rebase were added to the .rebase folder

Summary by CodeRabbit

  • Bug Fixes
    • Updated the WebSocket package version across the project to a newer release.
    • Added package overrides to keep key dependencies on compatible, secure versions.
    • Adjusted related tooling and extension manifests to stay aligned with the updated dependency set.

github-actions Bot (Contributor) commented Jun 22, 2026

Click here to review and test in web IDE: Contribute

@sbouchet sbouchet marked this pull request as ready for review June 22, 2026 15:55
@sbouchet sbouchet marked this pull request as draft June 22, 2026 15:57
coderabbitai Bot commented Jun 22, 2026

No actionable comments were generated in the recent review. 🎉

Walkthrough

This PR updates ws to ^8.21.0 in code/package.json, code/remote/package.json, and code/extensions/che-terminal/package.json. It adds ws overrides in several code/extensions/* and build manifests, adds a chrome-remote-interface override that pins ws to ^7.5.11, and mirrors the same manifest changes in .rebase override/add files plus a changelog entry.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

  • che-incubator/che-code#711: Also updates ws versions in code/package.json, code/remote/package.json, and related extension manifests.

Suggested reviewers

  • rgrunber
  • azatsarynnyy
  • vitaliy-guliy
  • RomanNikitenko
Pre-merge checks (5 passed)
  • Description Check: Passed. Check skipped - CodeRabbit's high-level summary is enabled.
  • Title check: Passed. The title is concise, under the length limit, and clearly describes the ws vulnerability fix.
  • Linked Issues check: Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: Passed. Check skipped because no linked issues were found for this pull request.
  • Rebase Rules For Upstream Changes: Passed. PASS: all non-che code/ changes have matching .rebase rules, a CHANGELOG entry, and rebase.sh routes; the PR checklist boxes are checked.


coderabbitai Bot left a comment

Actionable comments posted: 1

Inline comments:
In @.rebase/CHANGELOG.md:
- Around line 5-13: The CHANGELOG entry for PR `#728` by `@sbouchet` is incomplete, listing only 4 modified package.json files when the PR actually touched 8 or more files according to the PR summary. Add the missing entries to the changelog section to accurately document all modified package.json files including code/extensions/che-api, che-commands, che-github-authentication, che-resource-monitor, and any other packages that were changed in the PR. Ensure the changelog entry provides a complete list of all affected files for accurate documentation of the PR scope.

⛔ Files ignored due to path filters (10)
  • code/build/rspack/package-lock.json is excluded by !**/package-lock.json
  • code/extensions/che-api/package-lock.json is excluded by !**/package-lock.json
  • code/extensions/che-commands/package-lock.json is excluded by !**/package-lock.json
  • code/extensions/che-github-authentication/package-lock.json is excluded by !**/package-lock.json
  • code/extensions/che-resource-monitor/package-lock.json is excluded by !**/package-lock.json
  • code/extensions/che-terminal/package-lock.json is excluded by !**/package-lock.json
  • code/extensions/copilot/package-lock.json is excluded by !**/package-lock.json
  • code/package-lock.json is excluded by !**/package-lock.json
  • code/remote/package-lock.json is excluded by !**/package-lock.json
  • launcher/package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (16)
  • .rebase/CHANGELOG.md
  • .rebase/add/code/build/rspack/package.json
  • .rebase/add/code/extensions/copilot/package.json
  • .rebase/override/code/package.json
  • .rebase/replace/code/package.json.json
  • .rebase/replace/code/remote/package.json.json
  • code/build/rspack/package.json
  • code/extensions/che-api/package.json
  • code/extensions/che-commands/package.json
  • code/extensions/che-github-authentication/package.json
  • code/extensions/che-resource-monitor/package.json
  • code/extensions/che-terminal/package.json
  • code/extensions/copilot/package.json
  • code/package.json
  • code/remote/package.json
  • launcher/package.json

Comment thread .rebase/CHANGELOG.md
tolusha (Contributor) commented Jun 22, 2026

Hi! I'm che-ai-assistant — I help with your pull requests.

Available commands:

  • /che-ai-assistant generate-che-doc — Generate a documentation PR based on this PR's changes
  • /che-ai-assistant ok-pr-review — Run a comprehensive PR review (summary, code review, deep review, impact analysis)
  • /che-ai-assistant help — Show this help message

sbouchet and others added 2 commits June 23, 2026 17:02
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Stephane Bouchet <sbouchet@redhat.com>
Signed-off-by: Stephane Bouchet <sbouchet@redhat.com>
@sbouchet sbouchet marked this pull request as ready for review June 23, 2026 15:03
sbouchet (Collaborator, Author) commented Jun 23, 2026

/che-ai-assistant ok-pr-review

Review is complete. Please check the review comments below.

coderabbitai Bot left a comment

Actionable comments posted: 2

Inline comments:
In `@code/package.json`:
- Around line 272-278: Remove all Git merge conflict markers (the lines starting with `<<<<<<<`, `=======`, and `>>>>>>>`) from the overrides section in package.json. Keep both the "ip-address" entry and the "chrome-remote-interface" entry with their complete objects, ensuring they are properly separated by a comma to maintain valid JSON syntax. The final result should have the "ip-address" dependency and the "chrome-remote-interface" override object as sibling entries in the overrides object, each followed by a comma except the last entry.

In `@launcher/package.json`:
- Around line 58-62: The launcher/package.json file contains unresolved merge conflict markers between lines 58-62 that make the JSON invalid and unparsable. Remove all conflict markers (the <<<<<<< Upstream, =======, and >>>>>>> lines) and keep both dependencies in the file by ensuring the ip-address dependency entry is followed by a comma, allowing the ws dependency to be properly added after it in valid JSON format.

Comment thread code/package.json Outdated
Comment thread launcher/package.json Outdated
Signed-off-by: Stephane Bouchet <sbouchet@redhat.com>

tolusha (Contributor) left a comment

🤖 Comprehensive PR Review (Summary + Standard + Deep + Impact)

Overall verdict: ✅ Approve - Clean, thorough CVE-2026-48779 security fix with systematic coverage.

Key Strengths

  • ✅ Complete CVE coverage - all ws instances updated to patched versions (8.21.0 for v8, 7.5.11 for v7)
  • ✅ Proper v7/v8 compatibility split for chrome-remote-interface and webpack-bundle-analyzer
  • ✅ Rebase workflow files correctly configured for future upstream merges
  • ✅ Supply chain integrity verified - consistent SHA-512 hashes across all 10 lock files
  • ✅ Security-sensitive paths fully covered (browser-server WebSocket, terminal sessions, extension host)

Minor Items for Consideration (Non-Blocking)

1. Incomplete CHANGELOG documentation
.rebase/CHANGELOG.md lists 4 modified files but the PR changes package.json in 5 additional locations (che-api, che-commands, che-github-authentication, che-resource-monitor, launcher). Consider adding these for future conflict resolution context.

2. Missing newline at EOF
.rebase/override/code/package.json shows \ No newline at end of file - can cause noisy diffs with some tooling.

3. Inconsistent version pinning
code/extensions/che-terminal/package.json:45 uses exact pin "ws": "8.21.0" while all others use "ws": "^8.21.0". This means future patch releases (e.g., 8.21.1) won't auto-update in che-terminal. May be intentional - verify if this matches project conventions.

4. Empty test plan
The "How to test this PR?" section is empty. Suggest documenting verification approach (e.g., npm ls ws, smoke tests, manual WebSocket connectivity test).

Systemic Observations (Technical Debt, Not PR-Specific)

  1. Distributed override pattern: ws version maintained across 10 package.json + 6 .rebase/ files with no single source of truth. Consider centralized mechanism or CI check for future CVE fixes.

  2. Fragile rebase replace rules: .rebase/replace/*.json use exact string matching - if upstream changes ws version format, replacement silently fails.

These are pre-existing architectural constraints worth noting for future improvements.


Review details: 4 review stages completed (summary, standard, deep analysis, impact assessment). All findings documented in /home/user/.claude/ok-pr-review/repos/che-incubator/che-code/728-*.md.

🤖 Automated review via ok-pr-review plugin
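An added example, not code from this PR or the che-code repository: a small Node.js audit of the kind the "Systemic Observations" item above asks for as a CI check, and that would also give the empty "How to test this PR?" section something concrete. It walks the dependency and override sections of a package.json, reports any `ws` range whose declared lower bound is below the patched floor for its major line (8.21.0 for ws 8, 7.5.11 for ws 7, the versions this PR lands), descends into nested overrides such as the chrome-remote-interface block, and flags a manifest that no longer parses, which is what the leftover merge conflict markers in code/package.json and launcher/package.json caused during review. The function names, the `PATCHED_FLOOR` table and the sample manifests are constructed for this example.

```javascript
// Patched floors per major line, as named in this PR (8.21.0 for ws 8, 7.5.11 for ws 7).
const PATCHED_FLOOR = { 8: '8.21.0', 7: '7.5.11' };

// Lower bound of an exact ("x.y.z"), caret ("^x.y.z") or tilde ("~x.y.z") range;
// null for range syntaxes this small checker does not understand.
function lowerBound(range) {
  const m = /^[\^~]?(\d+)\.(\d+)\.(\d+)$/.exec(String(range).trim());
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

// Numeric key so two version triples compare with "<" (minor and patch < 1000 assumed).
const versionKey = (v) => v[0] * 1e6 + v[1] * 1e3 + v[2];

// Collect every `ws` entry under a section, descending into nested override
// objects such as "chrome-remote-interface": { "ws": "^7.5.11" }.
function collectWs(obj, path, out) {
  for (const [name, value] of Object.entries(obj)) {
    if (typeof value === 'string') {
      if (name === 'ws') out.push({ path: `${path}.${name}`, range: value });
    } else if (value && typeof value === 'object') {
      collectWs(value, `${path}.${name}`, out);
    }
  }
}

// Audit one manifest given as text. Returns a list of findings; empty means clean.
function auditManifest(text) {
  let pkg;
  try { pkg = JSON.parse(text); } catch (err) {
    // Leftover "<<<<<<<" / ">>>>>>>" markers land here: the file is not JSON at all.
    return [{ path: '(file)', problem: `invalid JSON: ${err.message}` }];
  }
  const entries = [];
  for (const section of ['dependencies', 'devDependencies', 'overrides', 'resolutions']) {
    if (pkg[section] && typeof pkg[section] === 'object') collectWs(pkg[section], section, entries);
  }
  const findings = [];
  for (const { path, range } of entries) {
    const lb = lowerBound(range);
    if (!lb) { findings.push({ path, problem: `unsupported range "${range}"` }); continue; }
    const floor = PATCHED_FLOOR[lb[0]];
    if (!floor) { findings.push({ path, problem: `no patched floor known for ws ${lb[0]}.x` }); continue; }
    if (versionKey(lb) < versionKey(lowerBound(floor))) findings.push({ path, problem: `"${range}" is below patched ${floor}` });
  }
  return findings;
}

// Constructed sample manifests (not the repository's real files).
const CLEAN_MANIFEST = JSON.stringify({ dependencies: { ws: '^8.21.0' },
  overrides: { 'chrome-remote-interface': { ws: '^7.5.11' } } });
const STALE_MANIFEST = JSON.stringify({ dependencies: { ws: '^8.17.0' } });
const CONFLICT_MANIFEST = '{\n<<<<<<< Upstream\n  "ws": "^8.17.0"\n=======\n  "ws": "^8.21.0"\n>>>>>>> local\n}';
```

Run `auditManifest` over every package.json and .rebase/*/package.json in the tree; it checks declared ranges only, so pair it with `npm ls ws` on the installed tree, which reports what the lockfiles actually resolved.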

tolusha (Contributor) commented Jun 23, 2026

Suggestion: Add caret to che-terminal ws version

File: code/extensions/che-terminal/package.json:45

Consider changing from exact pin to caret for consistency with the rest of the codebase:

-    "ws": "8.21.0"
+    "ws": "^8.21.0"
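Review bot: the suggested `"ws": "^8.21.0"` changes the declared range but not what gets installed: che-terminal's package-lock.json (one of the ten lock files listed in the review info above) keeps ws at the locked 8.21.0 until the lockfile is regenerated, so the automatic pick-up of 8.21.1 described in the next sentence still needs an explicit lockfile update. Suggest saying so in the suggestion, since for a locked install the exact pin and the caret resolve identically.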

This would allow automatic security patch updates (e.g., ws 8.21.1) to be picked up alongside other locations. If exact pinning is intentional for direct dependencies in extensions, disregard this suggestion.

Signed-off-by: Stephane Bouchet <sbouchet@redhat.com>

Comment thread .rebase/replace/code/package.json.json Outdated
Comment thread .rebase/replace/code/remote/package.json.json Outdated
Signed-off-by: Stephane Bouchet <sbouchet@redhat.com>
RomanNikitenko (Collaborator) commented

Tested rebase rules using skills from #681.

(Screenshot attached, taken 2026-06-25 at 15:45:22)

@sbouchet sbouchet merged commit 6f42535 into che-incubator:main Jun 25, 2026
14 checks passed
@sbouchet sbouchet deleted the CVE-2026-48779 branch June 25, 2026 12:53