
Fix CVEs by updating minimatch to patched versions#659

Open
sbouchet wants to merge 10 commits into che-incubator:main from sbouchet:CVE-2026-27904

Conversation

@sbouchet (Collaborator) commented Mar 9, 2026

What does this PR do?

This PR fixes CVE-2026-27903, CVE-2026-27904 and CVE-2026-26996.

minimatch versions are updated to the latest versions:
3.1.2, 3.0.5 -> 3.1.5
5.16. -> 5.1.9
9.0.5 -> 9.0.9
10.0.1 -> 10.2.4 ...

What issues does this PR fix?

https://issues.redhat.com/browse/CRW-10241
https://issues.redhat.com/browse/CRW-10242
https://issues.redhat.com/browse/CRW-10305
https://issues.redhat.com/browse/CRW-10306

How to test this PR?

Does this PR contain changes that override default upstream Code-OSS behavior?

  • the PR contains changes in the code folder (you can skip it if your changes are placed in a che extension )
  • the corresponding items were added to the CHANGELOG.md file
  • rules for automatic git rebase were added to the .rebase folder

Summary by CodeRabbit

  • Chores

    • Standardized minimatch dependency constraints across many modules and test suites to improve version consistency.
    • Expanded automated rebasing to better handle package manifest conflicts.
  • Documentation

    • Added a changelog entry documenting recent contributor changes.

sbouchet and others added 2 commits March 9, 2026 15:23
fixes:
- CVE-2026-27904
- CVE-2026-26996
- CVE-2026-27903

Signed-off-by: Stephane Bouchet <sbouchet@redhat.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

sbouchet added 2 commits March 9, 2026 16:05
Signed-off-by: Stephane Bouchet <sbouchet@redhat.com>
@sbouchet sbouchet marked this pull request as draft March 11, 2026 11:56
@sbouchet sbouchet force-pushed the CVE-2026-27904 branch 2 times, most recently from f9cda9a to a3d6992, March 12, 2026 10:41
Signed-off-by: Stephane Bouchet <sbouchet@redhat.com>
@sbouchet sbouchet marked this pull request as ready for review March 12, 2026 11:27
coderabbitai bot commented Mar 17, 2026

Warning

Rate limit exceeded

@sbouchet has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 3 minutes and 13 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.


ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 4c88c349-95e8-4f28-84d3-e0a538728a77

📥 Commits

Reviewing files that changed from the base of the PR and between dbceefb and 3633012.

⛔ Files ignored due to path filters (1)
  • code/build/package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (3)
  • .rebase/CHANGELOG.md
  • .rebase/add/code/build/package.json
  • code/build/package.json
📝 Walkthrough

Adds minimatch version overrides across many package.json files (multiple versions: ^3.1.5, ^5.1.9, ^9.0.9, ^10.2.4), bumps a minimatch devDependency, updates .rebase/CHANGELOG.md, and extends rebase.sh conflict-resolution to apply package.json changes for additional extension and test paths.

Changes

Changelog
  Files: .rebase/CHANGELOG.md
  Summary: Adds a changelog entry documenting the contributor and affected files.

Root & Build Manifests
  Files: .rebase/add/code/package.json, .rebase/override/code/package.json, code/package.json, .rebase/add/code/build/package.json, code/build/package.json, .rebase/add/code/build/npm/gyp/package.json, code/build/npm/gyp/package.json, .rebase/override/code/extensions/npm/package.json
  Summary: Adds multiple overrides entries pinning minimatch (various versions) and bumps a root/dev minimatch dependency; formatting commas adjusted to accommodate new entries.

Language-feature packages
  Files: .rebase/add/code/extensions/*-language-features/package.json, code/extensions/*-language-features/package.json
  Summary: Adds overrides entries pinning minimatch (notably ^10.2.4 for CSS/HTML/JSON; ^3.1.5 for Markdown).

Other Extensions
  Files: .rebase/add/code/extensions/{che-api,che-port,che-remote,che-resource-monitor,npm}/package.json, code/extensions/{che-api,che-port,che-remote,che-resource-monitor,npm}/package.json
  Summary: Introduces minimatch overrides (mostly ^3.1.5; npm extension updated to ^5.1.9).

Test Manifests & Launcher
  Files: .rebase/add/code/test/{automation,integration/browser,mcp,smoke}/package.json, code/test/{automation,integration/browser,mcp,smoke}/package.json, code/test/mcp/package.json, launcher/package.json
  Summary: Adds overrides entries pinning minimatch (mostly ^3.1.5) across test suites and the launcher manifest; minor JSON punctuation adjustments.

Rebase script
  Files: rebase.sh
  Summary: Extends conflict-resolution logic to call apply_package_changes_by_path for additional package.json paths (extensions and test manifests).

Sequence Diagram(s)

(omitted — changes are primarily manifest edits and a small script extension; no multi-component sequential flow requiring visualization)

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested reviewers

  • rgrunber
  • azatsarynnyy
  • vitaliy-guliy
  • RomanNikitenko

Poem

"🐰 I hopped through JSON fields today,
Pinning minimatch along the way,
From build to test, each package aligned,
A tidy changelog trail I signed,
🎋 Small fixes, big peace of mind."

🚥 Pre-merge checks: 3 passed
  • Description Check: ✅ Passed. Check skipped because CodeRabbit's high-level summary is enabled.
  • Title check: ✅ Passed. The PR title 'Fix CVEs by updating minimatch to patched versions' directly and clearly describes the main objective of the changeset: addressing CVE vulnerabilities through minimatch dependency updates.
  • Docstring Coverage: ✅ Passed. Docstring coverage is 100.00%, which is sufficient; the required threshold is 80.00%.



coderabbitai bot left a review comment

Actionable comments posted: 2

🧹 Nitpick comments (1)
launcher/package.json (1)

54-55: Consider adding a CI check to prevent minimatch version regressions.

The current dependency "^3.1.5" resolves to safe versions across the codebase (3.1.5, 5.1.9, 7.4.9, 9.0.9, 10.2.4—all at or above patched minima). Adding automated CI validation to fail if a lockfile resolution unexpectedly introduces a vulnerable minimatch version would be a useful safeguard against future regressions.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@launcher/package.json` around lines 54 - 55, Add a CI job that parses the
project's lockfile(s) (package-lock.json, yarn.lock or pnpm-lock.yaml) and fails
the run if the resolved version of the "minimatch" dependency (the "minimatch"
entry referenced in package.json) falls below the safe minimum (ensure resolved
version >= 3.1.5 or matches your approved set of patched versions); implement
this by adding a workflow step that extracts the resolved minimatch version from
lockfile(s) and exits non‑zero on violation, or use an existing security/audit
action configured to reject vulnerable minimatch ranges.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.rebase/CHANGELOG.md:
- Line 6: Change the heading "#### `@sbouchet`" so it only steps one level deeper
than the preceding header (replace "#### `@sbouchet`" with a single-step deeper
heading, e.g. "## `@sbouchet`" or "### `@sbouchet`" to match the surrounding
headings) to fix the markdown heading-level jump MD001.

In `@rebase.sh`:
- Around line 540-555: The override_json_file function unconditionally runs rm
"$filename.tmp" which can fail under set -e when no .rebase/override/$filename
or .rebase/add/$filename was created; change the cleanup to a defensive remove
so missing temp files don't abort the script (e.g., use a conditional test or a
force/remove-without-error behavior) and keep the rest of override_json_file
logic intact so it still removes the temp only when present; reference
override_json_file and the .rebase/override/.rebase/add metadata checks to
locate where to replace the unconditional rm.


ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 988ff1e7-e27a-4d90-9a73-4a38094bbd33

📥 Commits

Reviewing files that changed from the base of the PR and between 91038b3 and 611148e.

⛔ Files ignored due to path filters (17)
  • code/build/npm/gyp/package-lock.json is excluded by !**/package-lock.json
  • code/build/package-lock.json is excluded by !**/package-lock.json
  • code/extensions/che-api/package-lock.json is excluded by !**/package-lock.json
  • code/extensions/che-port/package-lock.json is excluded by !**/package-lock.json
  • code/extensions/che-remote/package-lock.json is excluded by !**/package-lock.json
  • code/extensions/che-resource-monitor/package-lock.json is excluded by !**/package-lock.json
  • code/extensions/css-language-features/package-lock.json is excluded by !**/package-lock.json
  • code/extensions/html-language-features/package-lock.json is excluded by !**/package-lock.json
  • code/extensions/json-language-features/package-lock.json is excluded by !**/package-lock.json
  • code/extensions/markdown-language-features/package-lock.json is excluded by !**/package-lock.json
  • code/extensions/npm/package-lock.json is excluded by !**/package-lock.json
  • code/package-lock.json is excluded by !**/package-lock.json
  • code/test/automation/package-lock.json is excluded by !**/package-lock.json
  • code/test/integration/browser/package-lock.json is excluded by !**/package-lock.json
  • code/test/mcp/package-lock.json is excluded by !**/package-lock.json
  • code/test/smoke/package-lock.json is excluded by !**/package-lock.json
  • launcher/package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (32)
  • .rebase/CHANGELOG.md
  • .rebase/add/code/build/npm/gyp/package.json
  • .rebase/add/code/build/package.json
  • .rebase/add/code/extensions/css-language-features/package.json
  • .rebase/add/code/extensions/html-language-features/package.json
  • .rebase/add/code/extensions/json-language-features/package.json
  • .rebase/add/code/extensions/markdown-language-features/package.json
  • .rebase/add/code/package.json
  • .rebase/add/code/test/automation/package.json
  • .rebase/add/code/test/integration/browser/package.json
  • .rebase/add/code/test/mcp/package.json
  • .rebase/add/code/test/smoke/package.json
  • .rebase/override/code/extensions/npm/package.json
  • .rebase/override/code/package.json
  • code/build/npm/gyp/package.json
  • code/build/package.json
  • code/extensions/che-api/package.json
  • code/extensions/che-port/package.json
  • code/extensions/che-remote/package.json
  • code/extensions/che-resource-monitor/package.json
  • code/extensions/css-language-features/package.json
  • code/extensions/html-language-features/package.json
  • code/extensions/json-language-features/package.json
  • code/extensions/markdown-language-features/package.json
  • code/extensions/npm/package.json
  • code/package.json
  • code/test/automation/package.json
  • code/test/integration/browser/package.json
  • code/test/mcp/package.json
  • code/test/smoke/package.json
  • launcher/package.json
  • rebase.sh
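The CI regression check the nitpick above asks for, as an added example: this is not code from the PR, from che-code or from CodeRabbit. It scans a parsed package-lock.json (assumed lockfileVersion 2 or 3, where the `packages` map is keyed by install path) for every resolved copy of minimatch, including nested copies under other packages' node_modules, and compares each against the per-major floor the PR description names as patched (3.1.5, 5.1.9, 9.0.9, 10.2.4). Majors with no listed floor and versions it cannot parse fail closed rather than pass silently. It also checks the `overrides.minimatch` pin the PR adds to each package.json, since an override whose lower bound sits below the floor would still admit a vulnerable resolution. The lockfile and package.json it runs on are constructed samples, not the repository's own files.

```javascript
// Added example, not part of che-code or PR #659: fail a CI run when any
// resolved minimatch in a package-lock.json is below the patched floor for
// its major line, or when a package.json override would allow one.

// Floors taken from the PR description (one per minimatch major line).
// A major that is not listed here is treated as unknown and fails closed.
const PATCHED_FLOORS = {
  3: '3.1.5',
  5: '5.1.9',
  9: '9.0.9',
  10: '10.2.4',
};

// Parse "X.Y.Z", optionally prefixed with ^, ~ or >=, into [X, Y, Z].
// Returns null for anything else (prerelease tags, "*", "||" ranges), so
// that odd specs are surfaced instead of silently accepted.
function parseVersion(spec) {
  const m = /^(?:\^|~|>=)?(\d+)\.(\d+)\.(\d+)$/.exec(String(spec).trim());
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Verdict for one version string: 'ok', 'vulnerable', 'unknown-major' or 'unparseable'.
function classify(version) {
  const v = parseVersion(version);
  if (!v) return 'unparseable';
  const floor = PATCHED_FLOORS[v[0]];
  if (!floor) return 'unknown-major';
  return compareVersions(v, parseVersion(floor)) < 0 ? 'vulnerable' : 'ok';
}

// Walk the lockfile's "packages" map and report every minimatch resolution.
// The root copy is "node_modules/minimatch"; nested copies end in
// "/node_modules/minimatch" (e.g. node_modules/glob/node_modules/minimatch).
function auditLockfile(lock) {
  if (!lock.packages || !(lock.lockfileVersion >= 2)) {
    throw new Error('expected package-lock.json with lockfileVersion >= 2');
  }
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages)) {
    if (path === 'node_modules/minimatch' || path.endsWith('/node_modules/minimatch')) {
      findings.push({ path, version: entry.version, verdict: classify(entry.version) });
    }
  }
  return findings;
}

// Check the overrides.minimatch pin in a package.json: the lower bound of the
// range must itself be at or above the floor for its major line.
function auditOverrides(pkg) {
  const spec = pkg.overrides && pkg.overrides.minimatch;
  if (spec === undefined) return { spec: null, verdict: 'missing' };
  return { spec, verdict: classify(spec) };
}

function hasViolations(findings) {
  return findings.some((f) => f.verdict !== 'ok');
}

// Constructed sample inputs (not taken from the repository). One nested copy
// is below its floor and one belongs to a major line with no known floor.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample', version: '0.0.0' },
    'node_modules/minimatch': { version: '3.1.5' },
    'node_modules/glob/node_modules/minimatch': { version: '5.1.6' },
    'node_modules/tar/node_modules/minimatch': { version: '9.0.9' },
    'node_modules/old-tool/node_modules/minimatch': { version: '2.0.10' },
  },
};
const SAMPLE_PKG = { name: 'sample', overrides: { minimatch: '^3.1.5' } };

// Demo run: print one line per finding plus the override verdict.
for (const f of auditLockfile(SAMPLE_LOCK)) {
  console.log(`${f.verdict.padEnd(14)} ${f.version.padEnd(8)} ${f.path}`);
}
console.log('overrides.minimatch:', auditOverrides(SAMPLE_PKG));
console.log('violations:', hasViolations(auditLockfile(SAMPLE_LOCK)));
```

In a workflow step, read each lockfile and manifest with fs.readFileSync and JSON.parse, feed them to auditLockfile and auditOverrides, and call process.exit(1) when hasViolations returns true or the override verdict is anything other than 'ok'; the demo above only prints so that it runs as-is. Note that the `overrides` field is an npm feature (npm 8.3 and later); yarn and pnpm lockfiles and their equivalent fields (`resolutions`, `pnpm.overrides`) would need their own parsers.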

coderabbitai bot left a review comment

🧹 Nitpick comments (1)
.rebase/add/code/build/npm/gyp/package.json (1)

4-5: Remove this rebase-add patch; it is redundant.

The entire overrides section in .rebase/add/code/build/npm/gyp/package.json matches the target file exactly (glob: 10.5.0, tar: ^7.5.11, minimatch: ^9.0.9), making this patch a no-op. Removing it reduces rebase rule maintenance with no functional impact.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.rebase/add/code/build/npm/gyp/package.json around lines 4 - 5, Remove the
redundant rebase-add patch that inserts an overrides section identical to the
target; specifically delete the patch that adds overrides with entries "glob":
"10.5.0", "tar": "^7.5.11", and "minimatch": "^9.0.9" (or remove that overrides
block from the patch), so the rebase rules no longer include a no-op change and
maintenance burden is reduced.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: ea53557f-6910-49cd-968d-d57e9179783b

📥 Commits

Reviewing files that changed from the base of the PR and between 611148e and dbceefb.

⛔ Files ignored due to path filters (2)
  • code/build/npm/gyp/package-lock.json is excluded by !**/package-lock.json
  • code/package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (5)
  • .rebase/CHANGELOG.md
  • .rebase/add/code/build/npm/gyp/package.json
  • .rebase/add/code/package.json
  • code/build/npm/gyp/package.json
  • code/package.json
🚧 Files skipped from review as they are similar to previous changes (2)
  • code/package.json
  • code/build/npm/gyp/package.json


@sbouchet (Collaborator, Author) commented Mar 18, 2026

> 🧹 Nitpick comments (1)
>
> .rebase/add/code/build/npm/gyp/package.json (1)
>
> 4-5: Remove this rebase-add patch; it is redundant.
>
> The entire overrides section in .rebase/add/code/build/npm/gyp/package.json matches the target file exactly (glob: 10.5.0, tar: ^7.5.11, minimatch: ^9.0.9), making this patch a no-op. Removing it reduces rebase rule maintenance with no functional impact.
>
> 🤖 Prompt for AI Agents
>
> Verify each finding against the current code and only fix it if needed.
>
> In @.rebase/add/code/build/npm/gyp/package.json around lines 4 - 5, Remove the
> redundant rebase-add patch that inserts an overrides section identical to the
> target; specifically delete the patch that adds overrides with entries "glob":
> "10.5.0", "tar": "^7.5.11", and "minimatch": "^9.0.9" (or remove that overrides
> block from the patch), so the rebase rules no longer include a no-op change and
> maintenance burden is reduced.
>
> 🤖 Prompt for all review comments with AI agents
>
> Verify each finding against the current code and only fix it if needed.
>
> Nitpick comments:
> In @.rebase/add/code/build/npm/gyp/package.json:
> - Around line 4-5: Remove the redundant rebase-add patch that inserts an
> overrides section identical to the target; specifically delete the patch that
> adds overrides with entries "glob": "10.5.0", "tar": "^7.5.11", and "minimatch":
> "^9.0.9" (or remove that overrides block from the patch), so the rebase rules no
> longer include a no-op change and maintenance burden is reduced.
>
> ℹ️ Review info

@coderabbitai the target branch is not the current code base, but upstream vscode from https://github.com/microsoft/vscode/blob/main/build/npm/gyp/package.json
The current codebase is the result of applying the rebase rules to upstream.

coderabbitai bot commented Mar 18, 2026

Let me check the upstream vscode build/npm/gyp/package.json file directly.

@sbouchet, you're absolutely right — I apologize for the incorrect review comment. I mistakenly compared the .rebase/add/code/build/npm/gyp/package.json patch against the final codebase (which is the result of applying rebase rules to upstream), rather than against the upstream vscode source at microsoft/vscode/blob/main/build/npm/gyp/package.json.

Since the upstream build/npm/gyp/package.json does not include a minimatch override entry, the .rebase/add patch is necessary and correct — it is not a no-op. The patch is what introduces "minimatch": "^9.0.9" on top of the upstream file to produce the patched che-code version.

I'll retract the nitpick comment.


✏️ Learnings added
Learnt from: sbouchet
URL: https://github.com/che-incubator/che-code/pull/659

Timestamp: 2026-03-18T15:17:26.593Z
Learning: In the che-incubator/che-code repository, the `.rebase/` directory contains rebase rules (under `.rebase/add/`, `.rebase/override/`, etc.) that are applied ON TOP of the upstream microsoft/vscode source code to produce the final che-code codebase. When reviewing files under `.rebase/add/` or `.rebase/override/`, comparisons must be made against the upstream vscode source (e.g., https://github.com/microsoft/vscode), NOT against the current che-code codebase, which is already the result of applying those rebase rules.

