Skip to content

fix: CVE-2026-12143 by updating form-data to patched versions#744

Open
sbouchet wants to merge 5 commits into
che-incubator:mainfrom
sbouchet:CVE-2026-12143
Open

fix: CVE-2026-12143 by updating form-data to patched versions#744
sbouchet wants to merge 5 commits into
che-incubator:mainfrom
sbouchet:CVE-2026-12143

Conversation

@sbouchet

@sbouchet sbouchet commented Jul 2, 2026

Copy link
Copy Markdown
Collaborator

What does this PR do?

This PR fixes CVE-2026-12143.

form-data versions are updated to 2.5.6, 3.0.5 and 4.0.6

What issues does this PR fix?

https://redhat.atlassian.net/browse/CRW-11377

How to test this PR?

Does this PR contain changes that override default upstream Code-OSS behavior?

  • the PR contains changes in the code folder (you can skip it if your changes are placed in a che extension )
  • the corresponding items were added to the CHANGELOG.md file
  • rules for automatic git rebase were added to the .rebase folder

Summary by CodeRabbit

  • Bug Fixes
    • Improved dependency consistency across the product (core, remote, launcher, and extensions) to reduce install and runtime issues.
    • Updated transitive resolution for authentication and related tooling to use consistent form-data versions.
    • Aligned bundled build/packaging and test environments so extension packaging and smoke/MCP checks behave more reliably.
  • Documentation
    • Added a changelog entry for this update.

@github-actions

github-actions Bot commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

Click here to review and test in web IDE: Contribute

@tolusha

tolusha commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

Hi! I'm che-ai-assistant — I help with your pull requests.

Available commands:

  • /che-ai-assistant generate-che-doc — Generate a documentation PR based on this PR's changes
  • /che-ai-assistant ok-pr-review — Run a comprehensive PR review (summary, code review, deep review, impact analysis)
  • /che-ai-assistant check-pr-test-failures — Analyze failing CI checks, identify root causes, and suggest fixes
  • /che-ai-assistant help — Show this help message

@sbouchet sbouchet marked this pull request as ready for review July 2, 2026 15:30
@coderabbitai

coderabbitai Bot commented Jul 2, 2026

Copy link
Copy Markdown

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 995687fc-6560-44a8-9692-651657edd237

📥 Commits

Reviewing files that changed from the base of the PR and between ca77ad0 and 322542f.

⛔ Files ignored due to path filters (15)
  • code/build/package-lock.json is excluded by !**/package-lock.json
  • code/extensions/che-api/package-lock.json is excluded by !**/package-lock.json
  • code/extensions/che-commands/package-lock.json is excluded by !**/package-lock.json
  • code/extensions/che-github-authentication/package-lock.json is excluded by !**/package-lock.json
  • code/extensions/che-port/package-lock.json is excluded by !**/package-lock.json
  • code/extensions/che-remote/package-lock.json is excluded by !**/package-lock.json
  • code/extensions/che-resource-monitor/package-lock.json is excluded by !**/package-lock.json
  • code/extensions/copilot/package-lock.json is excluded by !**/package-lock.json
  • code/extensions/github-authentication/package-lock.json is excluded by !**/package-lock.json
  • code/extensions/microsoft-authentication/package-lock.json is excluded by !**/package-lock.json
  • code/package-lock.json is excluded by !**/package-lock.json
  • code/remote/package-lock.json is excluded by !**/package-lock.json
  • code/test/mcp/package-lock.json is excluded by !**/package-lock.json
  • code/test/smoke/package-lock.json is excluded by !**/package-lock.json
  • launcher/package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (24)
  • .rebase/CHANGELOG.md
  • .rebase/add/code/build/package.json
  • .rebase/add/code/extensions/copilot/package.json
  • .rebase/add/code/extensions/github-authentication/package.json
  • .rebase/add/code/extensions/microsoft-authentication/package.json
  • .rebase/add/code/package.json
  • .rebase/add/code/remote/package.json
  • .rebase/add/code/test/mcp/package.json
  • .rebase/add/code/test/smoke/package.json
  • code/build/package.json
  • code/extensions/che-api/package.json
  • code/extensions/che-commands/package.json
  • code/extensions/che-github-authentication/package.json
  • code/extensions/che-port/package.json
  • code/extensions/che-remote/package.json
  • code/extensions/che-resource-monitor/package.json
  • code/extensions/copilot/package.json
  • code/extensions/github-authentication/package.json
  • code/extensions/microsoft-authentication/package.json
  • code/package.json
  • code/remote/package.json
  • code/test/mcp/package.json
  • code/test/smoke/package.json
  • launcher/package.json
✅ Files skipped from review due to trivial changes (7)
  • .rebase/add/code/test/smoke/package.json
  • .rebase/add/code/extensions/copilot/package.json
  • .rebase/add/code/package.json
  • .rebase/add/code/remote/package.json
  • launcher/package.json
  • code/test/mcp/package.json
  • code/extensions/che-remote/package.json
🚧 Files skipped from review as they are similar to previous changes (16)
  • .rebase/add/code/extensions/github-authentication/package.json
  • code/test/smoke/package.json
  • .rebase/add/code/build/package.json
  • code/remote/package.json
  • code/extensions/copilot/package.json
  • .rebase/add/code/test/mcp/package.json
  • code/extensions/che-resource-monitor/package.json
  • code/extensions/github-authentication/package.json
  • code/extensions/microsoft-authentication/package.json
  • code/build/package.json
  • code/extensions/che-commands/package.json
  • code/extensions/che-github-authentication/package.json
  • .rebase/add/code/extensions/microsoft-authentication/package.json
  • code/extensions/che-port/package.json
  • code/package.json
  • code/extensions/che-api/package.json

📝 Walkthrough

Walkthrough

This PR updates npm overrides across .rebase templates and active code/launcher manifests to pin transitive form-data versions for @types/node-fetch, @devfile/api, @kubernetes/client-node, axios, jsdom, and @vscode/vsce. It also adds a changelog entry listing the touched package manifests.

Estimated code review effort: 2 (Simple) | ~15 minutes

Possibly related PRs

Suggested reviewers: rgrunber, azatsarynnyy, vitaliy-guliy, RomanNikitenko

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title is concise, imperative, and clearly describes the form-data security patch.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Rebase Rules For Upstream Changes ✅ Passed PASS: all touched upstream code/ manifests have matching .rebase rules, a .rebase/CHANGELOG.md entry, and resolve_conflicts branches in rebase.sh.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@sbouchet sbouchet marked this pull request as draft July 2, 2026 15:49
@sbouchet sbouchet marked this pull request as ready for review July 2, 2026 15:59
@github-actions

github-actions Bot commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

2 similar comments
@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

@sbouchet sbouchet changed the title fix: override form-data to patched versions fix: CVE-2026-12143 by updating form-data to patched versions Jul 6, 2026
sbouchet and others added 5 commits July 6, 2026 12:16
Fix CVE-2026-12143 by overriding form-data@2 to ^2.5.6, form-data@3 to
^3.0.5, and form-data@4 to ^4.0.6 across all affected package trees.

Signed-off-by: Stephane Bouchet <sbouchet@redhat.com>

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Stephane Bouchet <sbouchet@redhat.com>
Add .rebase/add/ rules for the form-data overrides introduced in
CVE-2026-12143 fix.

Signed-off-by: Stephane Bouchet <sbouchet@redhat.com>

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Stephane Bouchet <sbouchet@redhat.com>
Replace @major-scoped overrides (form-data@3, form-data@4) with
parent-scoped overrides that target the specific parent packages
pulling in vulnerable form-data versions. This is more precise and
avoids unintended side effects on unrelated dependency trees.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Stephane Bouchet <sbouchet@redhat.com>
Signed-off-by: Stephane Bouchet <sbouchet@redhat.com>
Signed-off-by: Stephane Bouchet <sbouchet@redhat.com>
@github-actions

github-actions Bot commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants