@sbouchet sbouchet commented Oct 22, 2025

What does this PR do?

Fix critical CVE in form-data package (GHSA-fjxv-7rqg-78g4)

What issues does this PR fix?

Updated form-data across multiple packages to address a critical security vulnerability where an unsafe random function was used for choosing boundary values.

Vulnerability Details:

  • Advisory: GHSA-fjxv-7rqg-78g4
  • Severity: Critical
  • CWE-330: Use of Insufficiently Random Values
  • Affected versions: <2.5.4, 3.0.0-3.0.3, 4.0.0-4.0.3

Packages Updated:

  • code/package-lock.json
  • code/extensions/che-activity-tracker/package-lock.json
  • code/extensions/che-api/package-lock.json
  • code/extensions/che-commands/package-lock.json
  • code/extensions/che-port/package-lock.json
  • code/extensions/che-remote/package-lock.json

The form-data package is used as a transitive dependency through:

  • @types/node-fetch
  • axios
  • jsdom

Verification: npm audit confirms the critical form-data vulnerability has been resolved. Vulnerability count reduced from 14 to 13.

Generated-by: Claude CLI

🤖 Generated with Claude Code

How to test this PR?

Does this PR contain changes that override default upstream Code-OSS behavior?

  • the PR contains changes in the code folder (you can skip it if your changes are placed in a che extension)
  • the corresponding items were added to the CHANGELOG.md file
  • rules for automatic git rebase were added to the .rebase folder

@sbouchet sbouchet self-assigned this Oct 22, 2025
@sbouchet sbouchet moved this to 🚧 In Progress in Eclipse Che Team C Backlog Oct 22, 2025
@sbouchet sbouchet marked this pull request as ready for review October 28, 2025 10:00
@sbouchet sbouchet moved this from 🚧 In Progress to Ready for Review in Eclipse Che Team C Backlog Oct 28, 2025
@sbouchet sbouchet marked this pull request as draft October 30, 2025 18:20
@sbouchet sbouchet marked this pull request as ready for review October 31, 2025 12:21
sbouchet commented Oct 31, 2025

@RomanNikitenko please re-review my last changes.
Updated axios directly in some extensions;
overrode all vulnerable form-data in other places.

@RomanNikitenko
Collaborator

@sbouchet
+1 to update axios version

But I should mention that the axios instance is passed to the devWorkspaceGenerator library.

Some time ago we had a problem, see devfile/devworkspace-generator#201.
So maybe it makes sense to update the axios version for that library as well.

sbouchet added a commit to sbouchet/devworkspace-generator that referenced this pull request Oct 31, 2025
svor pushed a commit to devfile/devworkspace-generator that referenced this pull request Oct 31, 2025
@sbouchet
Collaborator Author

> @sbouchet +1 to update axios version
>
> But I should mention that the axios instance is passed to the devWorkspaceGenerator library.
>
> Some time ago we had a problem, see devfile/devworkspace-generator#201. So maybe it makes sense to update the axios version for that library as well.

PR merged: devfile/devworkspace-generator#271 (comment)

@RomanNikitenko
Collaborator

RomanNikitenko commented Oct 31, 2025

> > @sbouchet +1 to update axios version
> > But I should mention that the axios instance is passed to the devWorkspaceGenerator library.
> > Some time ago we had a problem, see devfile/devworkspace-generator#201. So maybe it makes sense to update the axios version for that library as well.
>
> PR merged: devfile/devworkspace-generator#271 (comment)

Great!
Now the @eclipse-che/che-devworkspace-generator version should be updated on the che-code side to pick up those changes.

@sbouchet sbouchet merged commit a847288 into che-incubator:main Nov 4, 2025
12 of 13 checks passed
@sbouchet sbouchet deleted the GHSA-fjxv-7rqg-78g4 branch November 4, 2025 13:46
@sbouchet sbouchet moved this from Ready for Review to ✅ Done in Eclipse Che Team C Backlog Nov 4, 2025
RomanNikitenko pushed a commit that referenced this pull request Nov 6, 2025
)

* Fix critical CVE in form-data package (GHSA-fjxv-7rqg-78g4)

Updated form-data across multiple packages to address critical security
vulnerability where unsafe random function was used for choosing boundary
values.

Vulnerability Details:
- Advisory: GHSA-fjxv-7rqg-78g4
- Severity: Critical
- CWE-330: Use of Insufficiently Random Values
- Affected versions: <2.5.4, 3.0.0-3.0.3, 4.0.0-4.0.3

Packages Updated:
- code/package-lock.json
- code/extensions/che-activity-tracker/package-lock.json
- code/extensions/che-api/package-lock.json
- code/extensions/che-commands/package-lock.json
- code/extensions/che-port/package-lock.json
- code/extensions/che-remote/package-lock.json

The form-data package is used as a transitive dependency through:
- @types/node-fetch
- axios
- jsdom

Verification: npm audit confirms the critical form-data vulnerability
has been resolved. Vulnerability count reduced from 14 to 13.

Generated-by: Claude CLI

🤖 Generated with [Claude Code](https://claude.com/claude-code)

* Fix critical CVE in form-data package (GHSA-fjxv-7rqg-78g4)

* Fix critical CVE in form-data package (GHSA-fjxv-7rqg-78g4)

* Fix critical CVE in form-data package (GHSA-fjxv-7rqg-78g4)

* Fix critical CVE in form-data package (GHSA-fjxv-7rqg-78g4)

* Fix critical CVE in form-data package (GHSA-fjxv-7rqg-78g4)

* update che devworkspace-generator version

---------

Signed-off-by: Stephane Bouchet <[email protected]>
Co-authored-by: Claude <[email protected]>
@RomanNikitenko
Collaborator

@sbouchet
I've created the following PRs to fix some problems related to the current PR.

Please review them.

One more question: I see there is still the 2.3.3 version of form-data used in the launcher.
Any reason why it was not fixed within the current PR?

@sbouchet
Collaborator Author

> One more question: I see there is still the 2.3.3 version of form-data used in the launcher. Any reason why it was not fixed within the current PR?

Hum. Claude AI didn't see it, and neither did I. Need to create another PR for it :(
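The missed 2.3.3 copy in the launcher is the kind of nested duplicate that `npm audit` on one lockfile does not surface for the others. As an added example (not code from the che-code PR or the form-data project), the script below walks a lockfileVersion 2/3 `package-lock.json` and flags every nested `form-data` copy whose version falls inside the affected ranges quoted in the PR description; the sample lockfile, its package paths and the `launcher` package name are constructed for illustration.

```javascript
// Added example (not from the che-code PR): flag form-data copies in a package-lock.json
// (lockfileVersion 2/3) inside the GHSA-fjxv-7rqg-78g4 ranges: <2.5.4, 3.0.0-3.0.3, 4.0.0-4.0.3.

// Parse "MAJOR.MINOR.PATCH"; prerelease/build suffixes are ignored.
function parseVersion(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(version);
  if (!m) throw new Error(`unparseable version: ${version}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Three-way compare of two parsed versions.
function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

function isAffected(version) {
  const v = parseVersion(version);
  if (cmp(v, [2, 5, 4]) < 0) return true;                              // <2.5.4
  if (cmp(v, [3, 0, 0]) >= 0 && cmp(v, [3, 0, 3]) <= 0) return true;  // 3.0.0-3.0.3
  if (cmp(v, [4, 0, 0]) >= 0 && cmp(v, [4, 0, 3]) <= 0) return true;  // 4.0.0-4.0.3
  return false;
}

// Walk the lockfile's "packages" map; nested copies live under paths like
// node_modules/<parent>/node_modules/form-data, so match on the suffix.
function findVulnerableFormData(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path.endsWith('node_modules/form-data') || !meta.version) continue;
    if (isAffected(meta.version)) findings.push({ path, version: meta.version });
  }
  return findings;
}

// Constructed sample (hypothetical paths): top-level copy patched, one nested
// copy at the last affected 4.x, and a copy under "launcher" still at 2.3.3.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    'node_modules/form-data': { version: '4.0.4' },
    'node_modules/axios/node_modules/form-data': { version: '4.0.3' },
    'node_modules/launcher/node_modules/form-data': { version: '2.3.3' },
  },
};

for (const hit of findVulnerableFormData(SAMPLE_LOCK)) {
  console.log(`${hit.path}: form-data ${hit.version} is in an affected range`);
}
```

To scan a real lockfile, pass `JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8'))` to `findVulnerableFormData` instead of `SAMPLE_LOCK`; run it over every lockfile in the repository, since each extension keeps its own.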

@sbouchet sbouchet mentioned this pull request Nov 12, 2025