Skip to content

Fix handlebars vulnerabilities by overriding to patched version#679

Open
sbouchet wants to merge 1 commit intoche-incubator:mainfrom
sbouchet:handlebars_fixes
Open

Fix handlebars vulnerabilities by overriding to patched version#679
sbouchet wants to merge 1 commit intoche-incubator:mainfrom
sbouchet:handlebars_fixes

Conversation

@sbouchet
Copy link
Copy Markdown
Collaborator

@sbouchet sbouchet commented Apr 3, 2026
edited by coderabbitai bot
Loading

What does this PR do?

Override handlebars to 4.7.9 in che-api, che-port, che-remote, che-resource-monitor, and launcher to fix 8 vulnerabilities including critical JS injection (CVSS 9.8) and multiple high severity issues affecting versions 4.0.0-4.7.8.

Especially fixing:

CVE-2026-33937
CVE-2026-33938
CVE-2026-33939
CVE-2026-33940
CVE-2026-33941

What issues does this PR fix?

https://redhat.atlassian.net/browse/CRW-10614
https://redhat.atlassian.net/browse/CRW-10615
https://redhat.atlassian.net/browse/CRW-10616
https://redhat.atlassian.net/browse/CRW-10617
https://redhat.atlassian.net/browse/CRW-10618
https://redhat.atlassian.net/browse/CRW-10619
https://redhat.atlassian.net/browse/CRW-10620
https://redhat.atlassian.net/browse/CRW-10621
https://redhat.atlassian.net/browse/CRW-10622
https://redhat.atlassian.net/browse/CRW-10623

How to test this PR?

Does this PR contain changes that override default upstream Code-OSS behavior?

  • the PR contains changes in the code folder (you can skip it if your changes are placed in a che extension )
  • the corresponding items were added to the CHANGELOG.md file
  • rules for automatic git rebase were added to the .rebase folder

Summary by CodeRabbit

  • Chores
    • Updated dependency pinning across application modules to ensure consistent library versions.

@sbouchet @claude
Fix handlebars vulnerabilities by overriding to 4.7.9
9601d85 
Override handlebars to 4.7.9 in che-api, che-port, che-remote,
che-resource-monitor, and launcher to fix 8 vulnerabilities
including critical JS injection (CVSS 9.8) and multiple high
severity issues affecting versions 4.0.0-4.7.8.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@github-actions
Copy link
Copy Markdown

github-actions bot commented Apr 3, 2026
edited
Loading

Click here to review and test in web IDE: Contribute

@coderabbitai
Copy link
Copy Markdown

coderabbitai bot commented Apr 3, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 56f0c7c5-379d-4054-84b7-418914908625

📥 Commits

Reviewing files that changed from the base of the PR and between e76fa85 and 9601d85.

⛔ Files ignored due to path filters (5)
  • code/extensions/che-api/package-lock.json is excluded by !**/package-lock.json
  • code/extensions/che-port/package-lock.json is excluded by !**/package-lock.json
  • code/extensions/che-remote/package-lock.json is excluded by !**/package-lock.json
  • code/extensions/che-resource-monitor/package-lock.json is excluded by !**/package-lock.json
  • launcher/package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (5)
  • code/extensions/che-api/package.json
  • code/extensions/che-port/package.json
  • code/extensions/che-remote/package.json
  • code/extensions/che-resource-monitor/package.json
  • launcher/package.json
📝 Walkthrough

Walkthrough

This change pins the handlebars dependency to version 4.7.9 by adding an override entry in the overrides section of five package.json files across the codebase: four extension packages (che-api, che-port, che-remote, che-resource-monitor) and the launcher package. Each file receives an identical override configuration alongside the existing minimatch override. No other dependencies, scripts, or configuration fields are modified.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Suggested reviewers

  • rgrunber
  • azatsarynnyy
  • vitaliy-guliy
  • RomanNikitenko
🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The PR title directly addresses the main change: pinning handlebars to 4.7.9 across multiple components to resolve vulnerabilities.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@github-actions
Copy link
Copy Markdown

github-actions bot commented Apr 3, 2026

Pull Request images published ✨

Editor amd64: quay.io/che-incubator-pull-requests/che-code:pr-679-amd64
Editor arm64: quay.io/che-incubator-pull-requests/che-code:pr-679-arm64
Dev image: quay.io/che-incubator-pull-requests/che-code-dev:pr-679-dev-amd64

@sbouchet sbouchet self-assigned this Apr 3, 2026
@sbouchet sbouchet moved this to Unplanned Tasks in Eclipse Che Team C Backlog Apr 3, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@rgrunber rgrunber Awaiting requested review from rgrunber rgrunber is a code owner

@azatsarynnyy azatsarynnyy Awaiting requested review from azatsarynnyy azatsarynnyy is a code owner

@RomanNikitenko RomanNikitenko Awaiting requested review from RomanNikitenko RomanNikitenko is a code owner

@vitaliy-guliy vitaliy-guliy Awaiting requested review from vitaliy-guliy vitaliy-guliy is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

@sbouchet sbouchet

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@sbouchet