Conversation

@sbouchet sbouchet commented Nov 4, 2025

Updated form-data across multiple packages to address critical security vulnerability where unsafe random function was used for choosing boundary values.

Vulnerability Details:

  • Advisory: GHSA-fjxv-7rqg-78g4
  • Severity: Critical
  • CWE-330: Use of Insufficiently Random Values
  • Affected versions: <2.5.4, 3.0.0-3.0.3, 4.0.0-4.0.3

Packages Updated:

  • code/package-lock.json
  • code/extensions/che-activity-tracker/package-lock.json
  • code/extensions/che-api/package-lock.json
  • code/extensions/che-commands/package-lock.json
  • code/extensions/che-port/package-lock.json
  • code/extensions/che-remote/package-lock.json

The form-data package is used as a transitive dependency through:

  • @types/node-fetch
  • axios
  • jsdom

Verification: npm audit confirms the critical form-data vulnerability has been resolved. Vulnerability count reduced from 14 to 13.

Generated-by: Claude CLI

🤖 Generated with Claude Code


What does this PR do?

backport of #589

What issues does this PR fix?

How to test this PR?

Does this PR contain changes that override default upstream Code-OSS behavior?

  • the PR contains changes in the code folder (you can skip it if your changes are placed in a che extension )
  • the corresponding items were added to the CHANGELOG.md file
  • rules for automatic git rebase were added to the .rebase folder

…bator#589)

* Fix critical CVE in form-data package (GHSA-fjxv-7rqg-78g4)

Updated form-data across multiple packages to address critical security
vulnerability where unsafe random function was used for choosing
boundary values.

Vulnerability Details:
- Advisory: GHSA-fjxv-7rqg-78g4
- Severity: Critical
- CWE-330: Use of Insufficiently Random Values
- Affected versions: <2.5.4, 3.0.0-3.0.3, 4.0.0-4.0.3

Packages Updated:
- code/package-lock.json
- code/extensions/che-activity-tracker/package-lock.json
- code/extensions/che-api/package-lock.json
- code/extensions/che-commands/package-lock.json
- code/extensions/che-port/package-lock.json
- code/extensions/che-remote/package-lock.json

The form-data package is used as a transitive dependency through:
- @types/node-fetch
- axios
- jsdom

Verification: npm audit confirms the critical form-data vulnerability
has been resolved. Vulnerability count reduced from 14 to 13.

Generated-by: Claude CLI

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>

* Fix critical CVE in form-data package (GHSA-fjxv-7rqg-78g4)

Signed-off-by: Stephane Bouchet <[email protected]>

* Fix critical CVE in form-data package (GHSA-fjxv-7rqg-78g4)

Signed-off-by: Stephane Bouchet <[email protected]>

* Fix critical CVE in form-data package (GHSA-fjxv-7rqg-78g4)

Signed-off-by: Stephane Bouchet <[email protected]>

* Fix critical CVE in form-data package (GHSA-fjxv-7rqg-78g4)

Signed-off-by: Stephane Bouchet <[email protected]>

* Fix critical CVE in form-data package (GHSA-fjxv-7rqg-78g4)

Signed-off-by: Stephane Bouchet <[email protected]>

* update che devworkspace-generator version

Signed-off-by: Stephane Bouchet <[email protected]>

---------

Signed-off-by: Stephane Bouchet <[email protected]>
Co-authored-by: Claude <[email protected]>
@sbouchet sbouchet self-assigned this Nov 4, 2025
@sbouchet sbouchet moved this to Ready for Review in Eclipse Che Team C Backlog Nov 4, 2025
@sbouchet sbouchet changed the title Fix critical CVE in form-data package (GHSA-fjxv-7rqg-78g4) [7.111.x] Fix critical CVE in form-data package (GHSA-fjxv-7rqg-78g4) Nov 4, 2025
@RomanNikitenko

@SkorikSergey
it's a backport PR to the release branch - please review when you have a chance

@RomanNikitenko RomanNikitenko merged commit 4f93601 into che-incubator:7.111.x Nov 6, 2025
14 checks passed
@sbouchet sbouchet deleted the 7.111_GHSA-fjxv-7rqg-78g4 branch November 10, 2025 10:17
@sbouchet sbouchet moved this from Ready for Review to ✅ Done in Eclipse Che Team C Backlog Nov 10, 2025
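To reproduce the "transitive dependency" and "npm audit" parts of the description without npm, an added example that is not part of the PR: it walks the "packages" map of a lockfileVersion 2 or 3 package-lock.json, finds every dependent that declares form-data, resolves which installed copy npm's nearest-node_modules lookup picks, and flags copies inside the advisory's ranges (<2.5.4, 3.0.0-3.0.3, 4.0.0-4.0.3). The embedded lockfile fragment is constructed; its versions and ranges are illustrative and are not taken from the che-code repository, and the helper names are the example's own.

```javascript
'use strict';
// Added example, not part of the PR: audit a package-lock.json for copies of
// form-data that fall in the ranges GHSA-fjxv-7rqg-78g4 lists, and report which
// dependent resolves to each copy. Works on the lockfileVersion 2/3 "packages"
// map, whose keys are node_modules paths relative to the project root.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Affected ranges from the advisory: <2.5.4, 3.0.0-3.0.3, 4.0.0-4.0.3.
function isAffected(version) {
  const v = parseVersion(version);
  if (v[0] < 2) return true;                 // 0.x and 1.x are all < 2.5.4
  if (v[0] === 2) return cmp(v, [2, 5, 4]) < 0;
  if (v[0] === 3) return cmp(v, [3, 0, 3]) <= 0;
  if (v[0] === 4) return cmp(v, [4, 0, 3]) <= 0;
  return false;
}

// npm's lookup for a dependency of the package at `fromPath`: the nearest
// enclosing node_modules/<name> wins, walking outward to the project root.
function resolveDep(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + '/' : '') + 'node_modules/' + name;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    const idx = base.lastIndexOf('/node_modules/');
    base = idx === -1 ? '' : base.slice(0, idx);
  }
}

// One finding per dependent that declares `name`: where it resolves, to which
// version, and whether that version is in an affected range.
function auditPackage(lock, name = 'form-data') {
  const packages = lock.packages || {};
  const findings = [];
  for (const [path, entry] of Object.entries(packages)) {
    const declared = Object.assign({}, entry.dependencies, entry.optionalDependencies,
      path === '' ? entry.devDependencies : {});
    if (!(name in declared)) continue;
    const resolved = resolveDep(packages, path, name);
    if (!resolved) continue; // declared but not installed (e.g. skipped optional)
    const version = packages[resolved].version;
    findings.push({ dependent: path || '(root)', resolved, version, affected: isAffected(version) });
  }
  return findings;
}

function affectedCopies(lock, name = 'form-data') {
  return auditPackage(lock, name).filter((f) => f.affected);
}

// Constructed lockfile fragment: versions and ranges are illustrative, not the
// repository's. The hoisted form-data is patched, but jsdom keeps a nested copy.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { devDependencies: { axios: '^1.6.0', jsdom: '^22.0.0', '@types/node-fetch': '^2.6.0' } },
    'node_modules/form-data': { version: '4.0.4' },
    'node_modules/axios': { version: '1.6.8', dependencies: { 'form-data': '^4.0.0' } },
    'node_modules/@types/node-fetch': { version: '2.6.11', dependencies: { 'form-data': '^4.0.0' } },
    'node_modules/jsdom': { version: '22.1.0', dependencies: { 'form-data': '^4.0.0' } },
    'node_modules/jsdom/node_modules/form-data': { version: '4.0.1' },
  },
};

module.exports = { isAffected, resolveDep, auditPackage, affectedCopies, SAMPLE_LOCK };
```

A patched, hoisted copy at node_modules/form-data is not proof of a clean tree: a nested node_modules/<dep>/node_modules/form-data still satisfies that dependent and is what the nearest-lookup rule returns for it. `npm ls form-data` prints the same resolution paths, and that is the check to run in each of the six lock file directories the PR touched.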