Fix CVEs by updating undici to patched versions

[sbouchet]

What does this PR do?

This PR fixes CVE-2026-1526, CVE-2026-1528 and CVE-2026-2229.

undici version is updated to latest 7.24.x

What issues does this PR fix?

https://redhat.atlassian.net/browse/CRW-10414
https://redhat.atlassian.net/browse/CRW-10416
https://redhat.atlassian.net/browse/CRW-10417
https://redhat.atlassian.net/browse/CRW-10407
https://redhat.atlassian.net/browse/CRW-10411
https://redhat.atlassian.net/browse/CRW-10412
https://redhat.atlassian.net/browse/CRW-10406
https://redhat.atlassian.net/browse/CRW-10408

How to test this PR?

Does this PR contain changes that override default upstream Code-OSS behavior?

• the PR contains changes in the code folder (you can skip it if your changes are placed in a che extension )
• the corresponding items were added to the CHANGELOG.md file
• rules for automatic git rebase were added to the .rebase folder

Summary by CodeRabbit

• Chores
  • Added an override for the undici dependency (pinned to ^7.24.0) across project package configurations.
• Documentation
  • Updated the changelog to record the package override changes and the recent merge resolution.

[github-actions]

Click here to review and test in web IDE:

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 33b26ac7-adf2-4435-89ed-9bd0a6b8332f

📥 Commits

Reviewing files that changed from the base of the PR and between 69ee68b and 3b6b700.

📒 Files selected for processing (1)

• .rebase/CHANGELOG.md

---

📝 Walkthrough

Walkthrough

Adds an overrides entry for undici: "^7.24.0" to four package.json files and appends a new changelog entry to .rebase/CHANGELOG.md; minor comma/formatting adjustments accompany the package changes.

Changes

Cohort / File(s)	Summary
Rebase add package overrides .rebase/add/code/package.json, .rebase/add/code/remote/package.json	Inserted "undici": "^7.24.0" into the overrides object; adjusted trailing commas/formatting.
Main code package overrides code/package.json, code/remote/package.json	Inserted "undici": "^7.24.0" into the overrides object; adjusted trailing commas/formatting.
Changelog .rebase/CHANGELOG.md	Appended a changelog entry referencing the PR and listing the affected code/package.json and code/remote/package.json files.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested reviewers

• rgrunber
• azatsarynnyy
• vitaliy-guliy
• RomanNikitenko

Poem

🐰 I hopped through package.json lines,
Pushed undici into tidy confines.
Commas guided, entries meet,
Small patch, light-footed feat. 🥕

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately reflects the main change: updating undici to patched versions to fix CVEs, which is the primary objective of the pull request.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

📝 Coding Plan

• Generate coding plan for human review comments

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

Pull Request images published ✨

Editor amd64: quay.io/che-incubator-pull-requests/che-code:pr-668-amd64
Editor arm64: quay.io/che-incubator-pull-requests/che-code:pr-668-arm64
Dev image: quay.io/che-incubator-pull-requests/che-code-dev:pr-668-dev-amd64

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.rebase/CHANGELOG.md:
- Around line 6-15: The .rebase/CHANGELOG.md contains unresolved git conflict
markers (<<<<<<< undici_fixes, =======, >>>>>>> main); remove these markers and
edit the block so the file contains a single clean markdown entry (choose and
consolidate the intended PR lines—e.g., the correct PR URL and the list of
changed package.json paths) without any conflict artifacts, then save so the
file is plain markdown and free of <<<<<<< / ======= / >>>>>>> markers.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 9a580df3-f67d-4bae-9ea8-8970d3106383

📥 Commits

Reviewing files that changed from the base of the PR and between 22351bc and 69ee68b.

📒 Files selected for processing (1)

• .rebase/CHANGELOG.md

[github-actions]

Pull Request images published ✨

Editor amd64: quay.io/che-incubator-pull-requests/che-code:pr-668-amd64
Editor arm64: quay.io/che-incubator-pull-requests/che-code:pr-668-arm64
Dev image: quay.io/che-incubator-pull-requests/che-code-dev:pr-668-dev-amd64

[RomanNikitenko]

@sbouchet
changes look good to me
but
please fix conflict in the changelog file before merging

[github-actions]

Pull Request images published ✨

Editor amd64: quay.io/che-incubator-pull-requests/che-code:pr-668-amd64
Editor arm64: quay.io/che-incubator-pull-requests/che-code:pr-668-arm64
Dev image: quay.io/che-incubator-pull-requests/che-code-dev:pr-668-dev-amd64

[github-actions]

Pull Request images published ✨

Editor amd64: quay.io/che-incubator-pull-requests/che-code:pr-668-amd64
Editor arm64: quay.io/che-incubator-pull-requests/che-code:pr-668-arm64
Dev image: quay.io/che-incubator-pull-requests/che-code-dev:pr-668-dev-amd64