fix: override ws to patched versions (CVE-2026-48779)#728
Conversation
No actionable comments were generated in the recent review. 🎉
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Pro
📒 Files selected for processing (2)
🚧 Files skipped from review as they are similar to previous changes (1)
📝 Walkthrough
This PR updates ws to
Estimated code review effort: 🎯 2 (Simple) | ⏱️ ~10 minutes
🚥 Pre-merge checks: ✅ 5 passed
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.rebase/CHANGELOG.md:
- Around line 5-13: The CHANGELOG entry for PR `#728` by `@sbouchet` is incomplete,
listing only 4 modified package.json files when the PR actually touched 8 or
more files according to the PR summary. Add the missing entries to the changelog
section to accurately document all modified package.json files including
code/extensions/che-api, che-commands, che-github-authentication,
che-resource-monitor, and any other packages that were changed in the PR. Ensure
the changelog entry provides a complete list of all affected files for accurate
documentation of the PR scope.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Pro
Run ID: 8a7b12ac-a50f-4d02-ba12-86cd5ccc5705
⛔ Files ignored due to path filters (10), all excluded by `!**/package-lock.json`:
- code/build/rspack/package-lock.json
- code/extensions/che-api/package-lock.json
- code/extensions/che-commands/package-lock.json
- code/extensions/che-github-authentication/package-lock.json
- code/extensions/che-resource-monitor/package-lock.json
- code/extensions/che-terminal/package-lock.json
- code/extensions/copilot/package-lock.json
- code/package-lock.json
- code/remote/package-lock.json
- launcher/package-lock.json
📒 Files selected for processing (16)
- .rebase/CHANGELOG.md
- .rebase/add/code/build/rspack/package.json
- .rebase/add/code/extensions/copilot/package.json
- .rebase/override/code/package.json
- .rebase/replace/code/package.json.json
- .rebase/replace/code/remote/package.json.json
- code/build/rspack/package.json
- code/extensions/che-api/package.json
- code/extensions/che-commands/package.json
- code/extensions/che-github-authentication/package.json
- code/extensions/che-resource-monitor/package.json
- code/extensions/che-terminal/package.json
- code/extensions/copilot/package.json
- code/package.json
- code/remote/package.json
- launcher/package.json
Hi! I'm che-ai-assistant — I help with your pull requests. Available commands:
Pull Request images published ✨ Editor amd64: quay.io/che-incubator-pull-requests/che-code:pr-728-amd64
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Stephane Bouchet <sbouchet@redhat.com>
Signed-off-by: Stephane Bouchet <sbouchet@redhat.com>
/che-ai-assistant ok-pr-review
Review is complete. Please check the review comments below.
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@code/package.json`:
- Around line 272-278: Remove all Git merge conflict markers (the lines starting
with `<<<<<<<`, `=======`, and `>>>>>>>`) from the overrides section in
package.json. Keep both the "ip-address" entry and the "chrome-remote-interface"
entry with their complete objects, ensuring they are properly separated by a
comma to maintain valid JSON syntax. The final result should have the
"ip-address" dependency and the "chrome-remote-interface" override object as
sibling entries in the overrides object, each followed by a comma except the
last entry.
In `@launcher/package.json`:
- Around line 58-62: The launcher/package.json file contains unresolved merge
conflict markers between lines 58-62 that make the JSON invalid and unparsable.
Remove all conflict markers (the <<<<<<< Upstream, =======, and >>>>>>> lines)
and keep both dependencies in the file by ensuring the ip-address dependency
entry is followed by a comma, allowing the ws dependency to be properly added
after it in valid JSON format.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Pro
Run ID: 873b0492-6327-4fc5-b3e4-54bb48a3a347
⛔ Files ignored due to path filters (10), all excluded by `!**/package-lock.json`:
- code/build/rspack/package-lock.json
- code/extensions/che-api/package-lock.json
- code/extensions/che-commands/package-lock.json
- code/extensions/che-github-authentication/package-lock.json
- code/extensions/che-resource-monitor/package-lock.json
- code/extensions/che-terminal/package-lock.json
- code/extensions/copilot/package-lock.json
- code/package-lock.json
- code/remote/package-lock.json
- launcher/package-lock.json
📒 Files selected for processing (16)
- .rebase/CHANGELOG.md
- .rebase/add/code/build/rspack/package.json
- .rebase/add/code/extensions/copilot/package.json
- .rebase/override/code/package.json
- .rebase/replace/code/package.json.json
- .rebase/replace/code/remote/package.json.json
- code/build/rspack/package.json
- code/extensions/che-api/package.json
- code/extensions/che-commands/package.json
- code/extensions/che-github-authentication/package.json
- code/extensions/che-resource-monitor/package.json
- code/extensions/che-terminal/package.json
- code/extensions/copilot/package.json
- code/package.json
- code/remote/package.json
- launcher/package.json
✅ Files skipped from review due to trivial changes (5)
- code/remote/package.json
- .rebase/replace/code/remote/package.json.json
- code/extensions/che-github-authentication/package.json
- .rebase/replace/code/package.json.json
- code/extensions/che-commands/package.json
🚧 Files skipped from review as they are similar to previous changes (8)
- code/extensions/che-terminal/package.json
- code/extensions/che-api/package.json
- .rebase/override/code/package.json
- .rebase/add/code/extensions/copilot/package.json
- code/extensions/che-resource-monitor/package.json
- code/build/rspack/package.json
- .rebase/add/code/build/rspack/package.json
- code/extensions/copilot/package.json
Signed-off-by: Stephane Bouchet <sbouchet@redhat.com>
tolusha left a comment
🤖 Comprehensive PR Review (Summary + Standard + Deep + Impact)
Overall verdict: ✅ Approve - Clean, thorough CVE-2026-48779 security fix with systematic coverage.
Key Strengths
- ✅ Complete CVE coverage - all ws instances updated to patched versions (8.21.0 for v8, 7.5.11 for v7)
- ✅ Proper v7/v8 compatibility split for chrome-remote-interface and webpack-bundle-analyzer
- ✅ Rebase workflow files correctly configured for future upstream merges
- ✅ Supply chain integrity verified - consistent SHA-512 hashes across all 10 lock files
- ✅ Security-sensitive paths fully covered (browser-server WebSocket, terminal sessions, extension host)
Minor Items for Consideration (Non-Blocking)
1. Incomplete CHANGELOG documentation
.rebase/CHANGELOG.md lists 4 modified files but the PR changes package.json in 5 additional locations (che-api, che-commands, che-github-authentication, che-resource-monitor, launcher). Consider adding these for future conflict resolution context.
2. Missing newline at EOF
.rebase/override/code/package.json shows \ No newline at end of file - can cause noisy diffs with some tooling.
3. Inconsistent version pinning
code/extensions/che-terminal/package.json:45 uses exact pin "ws": "8.21.0" while all others use "ws": "^8.21.0". This means future patch releases (e.g., 8.21.1) won't auto-update in che-terminal. May be intentional - verify if this matches project conventions.
4. Empty test plan
The "How to test this PR?" section is empty. Suggest documenting verification approach (e.g., npm ls ws, smoke tests, manual WebSocket connectivity test).
Systemic Observations (Technical Debt, Not PR-Specific)
- Distributed override pattern: ws version maintained across 10 package.json + 6 .rebase/ files with no single source of truth. Consider centralized mechanism or CI check for future CVE fixes.
- Fragile rebase replace rules: `.rebase/replace/*.json` use exact string matching - if upstream changes ws version format, replacement silently fails.
These are pre-existing architectural constraints worth noting for future improvements.
Review details: 4 review stages completed (summary, standard, deep analysis, impact assessment). All findings documented in /home/user/.claude/ok-pr-review/repos/che-incubator/che-code/728-*.md.
🤖 Automated review via ok-pr-review plugin
Suggestion: Add caret to che-terminal ws version
File: code/extensions/che-terminal/package.json
Consider changing from exact pin to caret for consistency with the rest of the codebase:
- "ws": "8.21.0"
+ "ws": "^8.21.0"
This would allow automatic security patch updates (e.g., ws 8.21.1) to be picked up alongside other locations. If exact pinning is intentional for direct dependencies in extensions, disregard this suggestion.
Signed-off-by: Stephane Bouchet <sbouchet@redhat.com>
Signed-off-by: Stephane Bouchet <sbouchet@redhat.com>
Tested rebase rules using skills from the #681

What does this PR do?
This PR fixes CVE-2026-48779 and CVE-2026-45736
`ws` version is updated to 8.21.0
What issues does this PR fix?
https://redhat.atlassian.net/browse/CRW-11279
https://redhat.atlassian.net/browse/CRW-11392
How to test this PR?
Does this PR contain changes that override default upstream Code-OSS behavior?
`git rebase` rules were added to the `.rebase` folder.