fix: override form-data to patched versions #744
Fix CVE-2026-12143 by overriding form-data@2 to ^2.5.6, form-data@3 to ^3.0.5, and form-data@4 to ^4.0.6 across all affected package trees. Signed-off-by: Stephane Bouchet <sbouchet@redhat.com> Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> Signed-off-by: Stephane Bouchet <sbouchet@redhat.com>
Add .rebase/add/ rules for the form-data overrides introduced in CVE-2026-12143 fix. Signed-off-by: Stephane Bouchet <sbouchet@redhat.com> Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> Signed-off-by: Stephane Bouchet <sbouchet@redhat.com>
Replace @major-scoped overrides (form-data@3, form-data@4) with parent-scoped overrides that target the specific parent packages pulling in vulnerable form-data versions. This is more precise and avoids unintended side effects on unrelated dependency trees. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> Signed-off-by: Stephane Bouchet <sbouchet@redhat.com>
Signed-off-by: Stephane Bouchet <sbouchet@redhat.com>
Signed-off-by: Stephane Bouchet <sbouchet@redhat.com>
No actionable comments were generated in the recent review. 🎉
Run configuration: Path: .coderabbit.yaml; Review profile: CHILL; Plan: Pro
Files ignored due to path filters: 15
Files selected for processing: 24
Walkthrough: This PR extends npm
Estimated code review effort: 2 (Simple) | ~15 minutes
Pre-merge checks: 5 passed
Pull Request images published ✨ Editor amd64: quay.io/che-incubator-pull-requests/che-code:pr-744-amd64
What does this PR do?
This PR fixes CVE-2026-12143.
form-data versions are updated to 2.5.6, 3.0.5 and 4.0.6
What issues does this PR fix?
https://redhat.atlassian.net/browse/CRW-11377
How to test this PR?
Does this PR contain changes that override default upstream Code-OSS behavior?
git rebase were added to the .rebase folder
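A check that the overrides took effect, as an added example that is not part of this PR or the che-code repository: it scans the `packages` map of an npm lockfile (lockfileVersion 2 or 3) for any installed form-data below the versions named in this PR. The function names, the sample lockfile and its parent package names are constructed for illustration.

```javascript
// Minimum patched version per major line, taken from the PR description.
const PATCHED = { 2: [2, 5, 6], 3: [3, 0, 5], 4: [4, 0, 6] };

// Returns "patched", "vulnerable", or "unknown" (unparseable version, or a
// major line the PR does not name; review those by hand).
function classify(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-.+)?/.exec(version || "");
  if (!m) return "unknown";
  const v = m.slice(1, 4).map(Number);
  const min = PATCHED[v[0]];
  if (!min) return "unknown";
  for (let i = 0; i < 3; i++) {
    if (v[i] !== min[i]) return v[i] > min[i] ? "patched" : "vulnerable";
  }
  // Same x.y.z as the minimum: a prerelease tag sorts below the release.
  return m[4] ? "vulnerable" : "patched";
}

// Walks every installed copy of form-data, including nested ones that a
// parent-scoped override is meant to reach.
function auditLock(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    // Exact package name only; "form-data-encoder" and scoped names are skipped.
    if (!/(^|\/)node_modules\/form-data$/.test(path)) continue;
    const status = classify(entry.version);
    if (status !== "patched") findings.push({ path, version: entry.version, status });
  }
  return findings;
}

// Constructed sample lockfile fragment; parent-a and parent-b are placeholders.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-root" },
    "node_modules/form-data": { version: "4.0.6" },
    "node_modules/parent-a/node_modules/form-data": { version: "3.0.1" },
    "node_modules/parent-b/node_modules/form-data": { version: "2.5.6" },
    "node_modules/form-data-encoder": { version: "1.7.2" },
  },
};

// Against a real tree: auditLock(JSON.parse(fs.readFileSync("package-lock.json", "utf8")))
console.log(auditLock(sampleLock));
```

An empty result means every resolved form-data copy in that lockfile is at or above the patched version for its major line; run it once per package tree that has its own lockfile.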