From bb5ac4e6302c2827b88e3fdf3442cc795709a196 Mon Sep 17 00:00:00 2001
From: Stephane Bouchet
Date: Thu, 2 Apr 2026 10:52:57 +0200
Subject: [PATCH 1/3] Fix CVE-2026-4926 by updating path-to-regexp to patched version
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Override path-to-regexp to 8.4.0 in code/package.json and code/test/mcp/package.json to fix a ReDoS vulnerability (CVSS 7.5) affecting versions 8.0.0–8.3.0.

Co-Authored-By: Claude Opus 4.6
---
 code/package-lock.json | 6 +++---
 code/package.json | 3 ++-
 code/test/mcp/package-lock.json | 11 ++++++-----
 code/test/mcp/package.json | 3 ++-
 4 files changed, 13 insertions(+), 10 deletions(-)

diff --git a/code/package-lock.json b/code/package-lock.json
index 277fcd6adbc..282a07cfc0a 100644
--- a/code/package-lock.json
+++ b/code/package-lock.json
@@ -13231,9 +13231,9 @@
 }
 },
 "node_modules/path-to-regexp": {
- "version": "8.3.0",
- "resolved": "https://registry.npmjs.org/path-to-regexp/-/path-to-regexp-8.3.0.tgz",
- "integrity": "sha512-7jdwVIRtsP8MYpdXSwOS0YdD0Du+qOoF/AEPIt88PcCFrZCzx41oxku1jD88hZBwbNUIEfpqvuhjFaMAqMTWnA==",
+ "version": "8.4.0",
+ "resolved": "https://registry.npmjs.org/path-to-regexp/-/path-to-regexp-8.4.0.tgz",
+ "integrity": "sha512-PuseHIvAnz3bjrM2rGJtSgo1zjgxapTLZ7x2pjhzWwlp4SJQgK3f3iZIQwkpEnBaKz6seKBADpM4B4ySkuYypg==",
 "dev": true,
 "license": "MIT",
 "funding": {
diff --git a/code/package.json b/code/package.json
index cae3330842d..d55fdf58774 100644
--- a/code/package.json
+++ b/code/package.json
@@ -241,7 +241,8 @@
 "node-addon-api": "7.1.0"
 },
 "@vscode/test-web": {
- "tar-fs": "3.1.1"
+ "tar-fs": "3.1.1",
+ "path-to-regexp": "8.4.0"
 },
 "prebuild-install": {
 "tar-fs": "2.1.4"
diff --git a/code/test/mcp/package-lock.json b/code/test/mcp/package-lock.json
index 2db151830dd..567e127cca3 100644
--- a/code/test/mcp/package-lock.json
+++ b/code/test/mcp/package-lock.json
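Review bot: The new override in code/package.json is nested under `@vscode/test-web`, so it pins path-to-regexp only within that package's dependency subtree; any other dependency that resolves its own copy keeps whatever range it declares. The lockfile hunk above shows a single hoisted `node_modules/path-to-regexp` entry (marked `"dev": true`), so the current tree is covered, but the nested pin will not protect a future or unhoisted consumer. code/test/mcp/package.json places the same override at the top level of `overrides`, which applies to every resolver of the package; for consistency and durability consider doing the same here, i.e. `"path-to-regexp": "8.4.0"` as a direct child of `overrides` rather than under `@vscode/test-web`. The same nested placement is repeated in .rebase/add/code/package.json in the second patch. The enclosing `overrides` object starts before this hunk.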
@@ -2168,12 +2168,13 @@
 "license": "MIT"
 },
 "node_modules/path-to-regexp": {
- "version": "8.2.0",
- "resolved": "https://registry.npmjs.org/path-to-regexp/-/path-to-regexp-8.2.0.tgz",
- "integrity": "sha512-TdrF7fW9Rphjq4RjrW0Kp2AW0Ahwu9sRGTkS6bvDi0SCwZlEZYmcfDbEsTz8RVk0EHIS/Vd1bv3JhG+1xZuAyQ==",
+ "version": "8.4.0",
+ "resolved": "https://registry.npmjs.org/path-to-regexp/-/path-to-regexp-8.4.0.tgz",
+ "integrity": "sha512-PuseHIvAnz3bjrM2rGJtSgo1zjgxapTLZ7x2pjhzWwlp4SJQgK3f3iZIQwkpEnBaKz6seKBADpM4B4ySkuYypg==",
 "license": "MIT",
- "engines": {
- "node": ">=16"
+ "funding": {
+ "type": "opencollective",
+ "url": "https://opencollective.com/express"
 }
 },
 "node_modules/path-type": {
diff --git a/code/test/mcp/package.json b/code/test/mcp/package.json
index 6a4ce3a25bf..9c1ce5c120b 100644
--- a/code/test/mcp/package.json
+++ b/code/test/mcp/package.json
@@ -31,6 +31,7 @@
 "overrides": {
 "qs": "6.14.1",
 "ajv": "6.14.0",
- "minimatch": "^3.1.5"
+ "minimatch": "^3.1.5",
+ "path-to-regexp": "8.4.0"
 }
 }

From 141af7ba872c329a397583824ea176d286cd81fb Mon Sep 17 00:00:00 2001
From: Stephane Bouchet
Date: Thu, 2 Apr 2026 11:05:23 +0200
Subject: [PATCH 2/3] Add rebase rules for CVE-2026-4926 path-to-regexp override

Co-Authored-By: Claude Opus 4.6
Signed-off-by: Stephane Bouchet
---
 .rebase/CHANGELOG.md | 7 +++++++
 .rebase/add/code/package.json | 3 ++-
 .rebase/add/code/test/mcp/package.json | 3 ++-
 3 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/.rebase/CHANGELOG.md b/.rebase/CHANGELOG.md
index a32873fca48..be0fb5ff39b 100644
--- a/.rebase/CHANGELOG.md
+++ b/.rebase/CHANGELOG.md
@@ -2,6 +2,13 @@
 The file to keep a list of changed files which will potentionaly help to resolve rebase conflicts.
+#### @sbouchet
+https://github.com/che-incubator/che-code/pull/
+
+- code/package.json
+- code/test/mcp/package.json
+---
+
 #### @sbouchet
 https://github.com/che-incubator/che-code/pull/659
diff --git a/.rebase/add/code/package.json b/.rebase/add/code/package.json
index 0827ddc1d72..6ba42e0a86a 100644
--- a/.rebase/add/code/package.json
+++ b/.rebase/add/code/package.json
@@ -19,7 +19,8 @@
 "nanoid": "3.3.8"
 },
 "@vscode/test-web": {
- "tar-fs": "3.1.1"
+ "tar-fs": "3.1.1",
+ "path-to-regexp": "8.4.0"
 },
 "prebuild-install": {
 "tar-fs": "2.1.4"
diff --git a/.rebase/add/code/test/mcp/package.json b/.rebase/add/code/test/mcp/package.json
index 17bc7c3cc6c..69770e0f6f6 100644
--- a/.rebase/add/code/test/mcp/package.json
+++ b/.rebase/add/code/test/mcp/package.json
@@ -2,6 +2,7 @@
 "overrides": {
 "qs": "6.14.1",
 "ajv": "6.14.0",
- "minimatch": "^3.1.5"
+ "minimatch": "^3.1.5",
+ "path-to-regexp": "8.4.0"
 }
 }

From dcc9cd9155b169e63834f7c2baf82e38eebfc634 Mon Sep 17 00:00:00 2001
From: Stephane Bouchet
Date: Thu, 2 Apr 2026 11:25:56 +0200
Subject: [PATCH 3/3] Updated changelog for CVE-2026-4926 path-to-regexp override

Signed-off-by: Stephane Bouchet
---
 .rebase/CHANGELOG.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.rebase/CHANGELOG.md b/.rebase/CHANGELOG.md
index be0fb5ff39b..771d7a87115 100644
--- a/.rebase/CHANGELOG.md
+++ b/.rebase/CHANGELOG.md
@@ -3,7 +3,7 @@ The file to keep a list of changed files which will potentionaly help to resolve rebase conflicts.
 #### @sbouchet
-https://github.com/che-incubator/che-code/pull/
+https://github.com/che-incubator/che-code/pull/677
 - code/package.json
 - code/test/mcp/package.json