
fix: override form-data to patched versions#744

Open
sbouchet wants to merge 6 commits into che-incubator:main from sbouchet:CVE-2026-12143

Conversation


@sbouchet sbouchet commented Jul 2, 2026

Collaborator

What does this PR do?

This PR fixes CVE-2026-12143.

form-data versions are updated to 2.5.6, 3.0.5 and 4.0.6

What issues does this PR fix?

https://redhat.atlassian.net/browse/CRW-11377

How to test this PR?

Does this PR contain changes that override default upstream Code-OSS behavior?

  • the PR contains changes in the code folder (you can skip it if your changes are placed in a che extension)
  • the corresponding items were added to the CHANGELOG.md file
  • rules for automatic git rebase were added to the .rebase folder

Summary by CodeRabbit

  • Bug Fixes
    • Improved dependency consistency across core, remote, launcher, and extensions to reduce install/runtime issues.
    • Updated transitive package versions used by authentication, remote, and test components for better compatibility and stability.
    • Aligned several build and packaging overrides so bundled tools resolve to the expected versions.

sbouchet and others added 4 commits July 2, 2026 11:29
Fix CVE-2026-12143 by overriding form-data@2 to ^2.5.6, form-data@3 to
^3.0.5, and form-data@4 to ^4.0.6 across all affected package trees.

Signed-off-by: Stephane Bouchet <sbouchet@redhat.com>

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Stephane Bouchet <sbouchet@redhat.com>
Add .rebase/add/ rules for the form-data overrides introduced in
CVE-2026-12143 fix.

Signed-off-by: Stephane Bouchet <sbouchet@redhat.com>

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Stephane Bouchet <sbouchet@redhat.com>
Replace @major-scoped overrides (form-data@3, form-data@4) with
parent-scoped overrides that target the specific parent packages
pulling in vulnerable form-data versions. This is more precise and
avoids unintended side effects on unrelated dependency trees.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Stephane Bouchet <sbouchet@redhat.com>
Signed-off-by: Stephane Bouchet <sbouchet@redhat.com>

github-actions Bot commented Jul 2, 2026

Contributor

Click here to review and test in web IDE: Contribute

Signed-off-by: Stephane Bouchet <sbouchet@redhat.com>

tolusha commented Jul 2, 2026

Contributor

Hi! I'm che-ai-assistant — I help with your pull requests.

Available commands:

  • /che-ai-assistant generate-che-doc — Generate a documentation PR based on this PR's changes
  • /che-ai-assistant ok-pr-review — Run a comprehensive PR review (summary, code review, deep review, impact analysis)
  • /che-ai-assistant check-pr-test-failures — Analyze failing CI checks, identify root causes, and suggest fixes
  • /che-ai-assistant help — Show this help message

@sbouchet sbouchet marked this pull request as ready for review July 2, 2026 15:30

coderabbitai Bot commented Jul 2, 2026



No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 661c1eea-e3a0-409a-8b93-016dd1c8cca4

📥 Commits

Reviewing files that changed from the base of the PR and between 5a55387 and ca77ad0.

⛔ Files ignored due to path filters (15)
  • code/build/package-lock.json is excluded by !**/package-lock.json
  • code/extensions/che-api/package-lock.json is excluded by !**/package-lock.json
  • code/extensions/che-commands/package-lock.json is excluded by !**/package-lock.json
  • code/extensions/che-github-authentication/package-lock.json is excluded by !**/package-lock.json
  • code/extensions/che-port/package-lock.json is excluded by !**/package-lock.json
  • code/extensions/che-remote/package-lock.json is excluded by !**/package-lock.json
  • code/extensions/che-resource-monitor/package-lock.json is excluded by !**/package-lock.json
  • code/extensions/copilot/package-lock.json is excluded by !**/package-lock.json
  • code/extensions/github-authentication/package-lock.json is excluded by !**/package-lock.json
  • code/extensions/microsoft-authentication/package-lock.json is excluded by !**/package-lock.json
  • code/package-lock.json is excluded by !**/package-lock.json
  • code/remote/package-lock.json is excluded by !**/package-lock.json
  • code/test/mcp/package-lock.json is excluded by !**/package-lock.json
  • code/test/smoke/package-lock.json is excluded by !**/package-lock.json
  • launcher/package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (24)
  • .rebase/CHANGELOG.md
  • .rebase/add/code/build/package.json
  • .rebase/add/code/extensions/copilot/package.json
  • .rebase/add/code/extensions/github-authentication/package.json
  • .rebase/add/code/extensions/microsoft-authentication/package.json
  • .rebase/add/code/package.json
  • .rebase/add/code/remote/package.json
  • .rebase/add/code/test/mcp/package.json
  • .rebase/add/code/test/smoke/package.json
  • code/build/package.json
  • code/extensions/che-api/package.json
  • code/extensions/che-commands/package.json
  • code/extensions/che-github-authentication/package.json
  • code/extensions/che-port/package.json
  • code/extensions/che-remote/package.json
  • code/extensions/che-resource-monitor/package.json
  • code/extensions/copilot/package.json
  • code/extensions/github-authentication/package.json
  • code/extensions/microsoft-authentication/package.json
  • code/package.json
  • code/remote/package.json
  • code/test/mcp/package.json
  • code/test/smoke/package.json
  • launcher/package.json

📝 Walkthrough


This PR extends npm overrides sections across numerous package.json files (both .rebase/add templates and actual code/launcher manifests) to pin the transitive form-data dependency to patched versions (^3.0.5 or ^4.0.6) for packages including @types/node-fetch, @devfile/api, @kubernetes/client-node, axios, jsdom, and @vscode/vsce. A changelog entry documents the change and lists affected files.

Estimated code review effort: 2 (Simple) | ~15 minutes


Suggested reviewers: rgrunber, azatsarynnyy, vitaliy-guliy, RomanNikitenko

Poem
A rabbit hopped through JSON trees,
Pinning form-data with practiced ease,
Overrides stacked, versions locked tight,
No vulnerable path left in sight,
Hop, commit, ship — CVEs put to flight! 🐇

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)

Check name                          Status     Explanation
Description Check                   ✅ Passed  Check skipped: CodeRabbit's high-level summary is enabled.
Title check                         ✅ Passed  The title is concise and accurately describes the main change: overriding form-data to patched versions.
Linked Issues check                 ✅ Passed  Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check          ✅ Passed  Check skipped because no linked issues were found for this pull request.
Rebase Rules For Upstream Changes   ✅ Passed  All touched upstream code/ package.json files have matching .rebase add rules, changelog entry, and resolve_conflicts branches in rebase.sh.

Comment @coderabbitai help to get the list of available commands.
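The override strategy described in the PR description and in the walkthrough above, as an added example that is not code from this PR or from the che-incubator project: a small Node.js script that walks a package-lock.json, reports every installed form-data copy still below the patched versions named in the PR (2.5.6, 3.0.5, 4.0.6 for CVE-2026-12143) together with the parent package that nests it, and emits the parent-scoped "overrides" fragment that the later commits use instead of form-data@N keys. The sample lockfile, the legacy-tool package, and all function names are constructed for this example.

```javascript
// Minimum patched form-data version per major line, as given in the PR
// description for CVE-2026-12143.
const PATCHED = { 2: "2.5.6", 3: "3.0.5", 4: "4.0.6" };

// Numeric comparison of dotted versions (pre-release suffixes ignored).
function compareVersions(a, b) {
  const [pa, pb] = [a, b].map((v) => v.split(".").map((x) => parseInt(x, 10) || 0));
  for (let i = 0; i < 3; i++) if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) - (pb[i] || 0);
  return 0;
}

// Walks the "packages" map of a lockfileVersion 2/3 package-lock.json. Each key
// ending in "node_modules/form-data" is one installed copy; the key prefix names
// the parent package nesting it, or the root project when there is no prefix.
function findUnpatchedFormData(lock) {
  const suffix = "/node_modules/form-data";
  const findings = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    if (!key.endsWith("node_modules/form-data")) continue;
    const version = entry.version || "0.0.0";
    const minimum = PATCHED[version.split(".")[0]];
    const parentKey = key.slice(0, -suffix.length);
    const parent = parentKey === "" ? "<root>" : parentKey.split("node_modules/").pop();
    if (minimum === undefined) {
      findings.push({ path: key, version, parent, status: "unknown-major" });
    } else if (compareVersions(version, minimum) < 0) {
      findings.push({ path: key, version, parent, status: "vulnerable", fix: `^${minimum}` });
    }
  }
  return findings;
}

// Builds the parent-scoped "overrides" fragment that pins each vulnerable copy,
// the shape the PR's later commits use instead of form-data@N keys.
function toOverrides(findings) {
  const overrides = {};
  for (const f of findings) {
    if (f.status !== "vulnerable") continue;
    if (f.parent === "<root>") overrides["form-data"] = f.fix;
    else overrides[f.parent] = { "form-data": f.fix };
  }
  return overrides;
}

// Constructed sample lockfile fragment, not taken from the repository.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "node_modules/form-data": { version: "4.0.6" },
  "node_modules/jsdom/node_modules/form-data": { version: "4.0.0" },
  "node_modules/@types/node-fetch/node_modules/form-data": { version: "3.0.1" },
  "node_modules/axios/node_modules/form-data": { version: "2.5.6" },
  "node_modules/legacy-tool/node_modules/form-data": { version: "1.0.0" },
} };
```

To run it against a real tree, pass `JSON.parse(require("node:fs").readFileSync("package-lock.json", "utf8"))` to `findUnpatchedFormData` and feed the result to `toOverrides`; copies on a major line the PR does not cover are reported as `unknown-major` rather than silently passed.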

@sbouchet sbouchet marked this pull request as draft July 2, 2026 15:49
@sbouchet sbouchet marked this pull request as ready for review July 2, 2026 15:59
