From fc55b8752ee6540ab45a527b19b80aee334f18d4 Mon Sep 17 00:00:00 2001 From: Sachin Hulyalkar Date: Wed, 24 Jun 2026 09:58:55 +0000 Subject: [PATCH] fix: Override undici and ws to fix CVE-2026-6734, CVE-2026-9697, CVE-2026-12151, CVE-2026-48779 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - undici: ^7.24.0 → ^7.28.0 (CVE-2026-6734, CVE-2026-9697, CVE-2026-12151) - ws: ^7.5.11 global override (CVE-2026-48779) Regenerated package-lock overrides for all targets. --- LICENSE-THIRD-PARTY | 6 +- overrides/LICENSE-THIRD-PARTY | 6 +- .../sagemaker.series/package-lock.json | 57 ++++++++++--------- .../sagemaker.series/remote/package-lock.json | 8 +-- .../package-lock.json | 57 ++++++++++--------- .../remote/package-lock.json | 8 +-- .../web-embedded.series/package-lock.json | 57 ++++++++++--------- .../remote/package-lock.json | 8 +-- .../web-server.series/package-lock.json | 57 ++++++++++--------- .../remote/package-lock.json | 8 +-- patches/common/finding-override-tar.diff | 29 ++++++++++ patches/common/finding-override-undici.diff | 51 +++++++++++++++++ patches/common/finding-override-ws.diff | 20 +++++++ patches/sagemaker.series | 3 + patches/web-embedded-with-terminal.series | 3 + patches/web-embedded.series | 3 + patches/web-server.series | 3 + 17 files changed, 250 insertions(+), 134 deletions(-) create mode 100644 patches/common/finding-override-tar.diff create mode 100644 patches/common/finding-override-undici.diff create mode 100644 patches/common/finding-override-ws.diff diff --git a/LICENSE-THIRD-PARTY b/LICENSE-THIRD-PARTY index fa892c2e..f56861b5 100644 --- a/LICENSE-THIRD-PARTY +++ b/LICENSE-THIRD-PARTY @@ -6547,7 +6547,7 @@ SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. ****************************** tar -7.5.11 +7.5.16 # Blue Oak Model License Version 1.0.0 
@@ -6706,7 +6706,7 @@ PERFORMANCE OF THIS SOFTWARE. ****************************** undici -7.24.5 +7.28.0 MIT License Copyright (c) Matteo Collina and Undici contributors @@ -6913,7 +6913,7 @@ SOFTWARE. ****************************** ws -7.5.10 +7.5.11 The MIT License (MIT) Copyright (c) 2011 Einar Otto Stangvik diff --git a/overrides/LICENSE-THIRD-PARTY b/overrides/LICENSE-THIRD-PARTY index fa892c2e..f56861b5 100644 --- a/overrides/LICENSE-THIRD-PARTY +++ b/overrides/LICENSE-THIRD-PARTY @@ -6547,7 +6547,7 @@ SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. ****************************** tar -7.5.11 +7.5.16 # Blue Oak Model License Version 1.0.0 @@ -6706,7 +6706,7 @@ PERFORMANCE OF THIS SOFTWARE. ****************************** undici -7.24.5 +7.28.0 MIT License Copyright (c) Matteo Collina and Undici contributors @@ -6913,7 +6913,7 @@ SOFTWARE. ****************************** ws -7.5.10 +7.5.11 The MIT License (MIT) Copyright (c) 2011 Einar Otto Stangvik diff --git a/package-lock-overrides/sagemaker.series/package-lock.json b/package-lock-overrides/sagemaker.series/package-lock.json index 10e2073f..39d98f51 100644 --- a/package-lock-overrides/sagemaker.series/package-lock.json +++ b/package-lock-overrides/sagemaker.series/package-lock.json @@ -48,7 +48,7 @@ "node-pty": "^1.1.0-beta33", "open": "^8.4.2", "tas-client-umd": "0.2.0", - "undici": "^7.24.0", + "undici": "^7.28.0", "v8-inspect-profiler": "^0.1.1", "vscode-oniguruma": "1.7.0", "vscode-regexpp": "^3.1.0", @@ -148,7 +148,7 @@ "source-map": "0.6.1", "source-map-support": "^0.3.2", "style-loader": "^3.3.2", - "tar": "^7.5.10", + "tar": "^7.5.16", "ts-loader": "^9.5.1", "ts-node": "^10.9.1", "tsec": "0.2.7", 
@@ -4470,26 +4470,6 @@ "resolved": "https://registry.npmjs.org/commander/-/commander-2.11.0.tgz", "integrity": "sha512-b0553uYA5YAEGgyYIGYROzKQ7X5RAqedkfjiZxwi0kL1g3bOaBNNZfYkzt/CL0umgD5wc9Jec2FbB98CjkMRvQ==" }, - "node_modules/chrome-remote-interface/node_modules/ws": { - "version": "7.5.10", - "resolved": "https://registry.npmjs.org/ws/-/ws-7.5.10.tgz", - "integrity": "sha512-+dbF1tHwZpXcbOJdVOkzLDxZP1ailvSxM6ZweXTegylPny803bFhA+vqBYw4s31NSAk4S2Qz+AKXK9a4wkdjcQ==", - "engines": { - "node": ">=8.3.0" - }, - "peerDependencies": { - "bufferutil": "^4.0.1", - "utf-8-validate": "^5.0.2" - }, - "peerDependenciesMeta": { - "bufferutil": { - "optional": true - }, - "utf-8-validate": { - "optional": true - } - } - }, "node_modules/chrome-trace-event": { "version": "1.0.2", "resolved": "https://registry.npmjs.org/chrome-trace-event/-/chrome-trace-event-1.0.2.tgz", @@ -15296,9 +15276,9 @@ } }, "node_modules/tar": { - "version": "7.5.11", - "resolved": "https://registry.npmjs.org/tar/-/tar-7.5.11.tgz", - "integrity": "sha512-ChjMH33/KetonMTAtpYdgUFr0tbz69Fp2v7zWxQfYZX4g5ZN2nOBXm1R2xyA+lMIKrLKIoKAwFj93jE/avX9cQ==", + "version": "7.5.16", + "resolved": "https://registry.npmjs.org/tar/-/tar-7.5.16.tgz", + "integrity": "sha512-56adEpPMouktRlBLXiaYFFzZ/3+JXa8P9n7WbR+ibIjtviN55mEaOkiysCnPnWm+7kkui1Dn8J9l+g6zV8731w==", "license": "BlueOak-1.0.0", "dependencies": { "@isaacs/fs-minipass": "^4.0.0", @@ -16210,9 +16190,9 @@ "dev": true }, "node_modules/undici": { - "version": "7.24.5", - "resolved": "https://registry.npmjs.org/undici/-/undici-7.24.5.tgz", - "integrity": "sha512-3IWdCpjgxp15CbJnsi/Y9TCDE7HWVN19j1hmzVhoAkY/+CJx449tVxT5wZc1Gwg8J+P0LWvzlBzxYRnHJ+1i7Q==", + "version": "7.28.0", + "resolved": "https://registry.npmjs.org/undici/-/undici-7.28.0.tgz", + "integrity": "sha512-cRZYrTDwWznlnRiPjggAGxZXanty6M8RV1ff8Wm4LWXBp7/IG8v5DnOm74DtUBp9OONpK75YlPnIjQqX0dBDtA==", "license": "MIT", "engines": { "node": ">=20.18.1" 
@@ -17132,6 +17112,27 @@ "integrity": "sha1-tSQ9jz7BqjXxNkYFvA0QNuMKtp8= sha512-l4Sp/DRseor9wL6EvV2+TuQn63dMkPjZ/sp9XkghTEbV9KlPS1xUsZ3u7/IQO4wxtcFB4bgpQPRcR3QCvezPcQ==", "dev": true }, + "node_modules/ws": { + "version": "7.5.11", + "resolved": "https://registry.npmjs.org/ws/-/ws-7.5.11.tgz", + "integrity": "sha512-zS54Oen9bITtp7kp2XM3AydrCIq1D+HwJOuH+c+e4LfpL/lotP5osijd+UoMnxwAam1GN8R4KtLAyIrIcBNpiA==", + "license": "MIT", + "engines": { + "node": ">=8.3.0" + }, + "peerDependencies": { + "bufferutil": "^4.0.1", + "utf-8-validate": "^5.0.2" + }, + "peerDependenciesMeta": { + "bufferutil": { + "optional": true + }, + "utf-8-validate": { + "optional": true + } + } + }, "node_modules/xml": { "version": "1.0.1", "resolved": "https://registry.npmjs.org/xml/-/xml-1.0.1.tgz", diff --git a/package-lock-overrides/sagemaker.series/remote/package-lock.json b/package-lock-overrides/sagemaker.series/remote/package-lock.json index eb5f0fce..47c6b51b 100644 --- a/package-lock-overrides/sagemaker.series/remote/package-lock.json +++ b/package-lock-overrides/sagemaker.series/remote/package-lock.json @@ -39,7 +39,7 @@ "native-watchdog": "^1.4.1", "node-pty": "^1.1.0-beta33", "tas-client-umd": "0.2.0", - "undici": "^7.24.0", + "undici": "^7.28.0", "vscode-oniguruma": "1.7.0", "vscode-regexpp": "^3.1.0", "vscode-textmate": "9.2.0", @@ -1062,9 +1062,9 @@ } }, "node_modules/undici": { - "version": "7.24.5", - "resolved": "https://registry.npmjs.org/undici/-/undici-7.24.5.tgz", - "integrity": "sha512-3IWdCpjgxp15CbJnsi/Y9TCDE7HWVN19j1hmzVhoAkY/+CJx449tVxT5wZc1Gwg8J+P0LWvzlBzxYRnHJ+1i7Q==", + "version": "7.28.0", + "resolved": "https://registry.npmjs.org/undici/-/undici-7.28.0.tgz", + "integrity": "sha512-cRZYrTDwWznlnRiPjggAGxZXanty6M8RV1ff8Wm4LWXBp7/IG8v5DnOm74DtUBp9OONpK75YlPnIjQqX0dBDtA==", "license": "MIT", "engines": { "node": ">=20.18.1" 
diff --git a/package-lock-overrides/web-embedded-with-terminal.series/package-lock.json b/package-lock-overrides/web-embedded-with-terminal.series/package-lock.json index 35f05524..e832becd 100644 --- a/package-lock-overrides/web-embedded-with-terminal.series/package-lock.json +++ b/package-lock-overrides/web-embedded-with-terminal.series/package-lock.json @@ -47,7 +47,7 @@ "node-pty": "^1.1.0-beta33", "open": "^8.4.2", "tas-client-umd": "0.2.0", - "undici": "^7.24.0", + "undici": "^7.28.0", "v8-inspect-profiler": "^0.1.1", "vscode-oniguruma": "1.7.0", "vscode-regexpp": "^3.1.0", @@ -146,7 +146,7 @@ "source-map": "0.6.1", "source-map-support": "^0.3.2", "style-loader": "^3.3.2", - "tar": "^7.5.10", + "tar": "^7.5.16", "ts-loader": "^9.5.1", "ts-node": "^10.9.1", "tsec": "0.2.7", @@ -4471,26 +4471,6 @@ "resolved": "https://registry.npmjs.org/commander/-/commander-2.11.0.tgz", "integrity": "sha512-b0553uYA5YAEGgyYIGYROzKQ7X5RAqedkfjiZxwi0kL1g3bOaBNNZfYkzt/CL0umgD5wc9Jec2FbB98CjkMRvQ==" }, - "node_modules/chrome-remote-interface/node_modules/ws": { - "version": "7.5.10", - "resolved": "https://registry.npmjs.org/ws/-/ws-7.5.10.tgz", - "integrity": "sha512-+dbF1tHwZpXcbOJdVOkzLDxZP1ailvSxM6ZweXTegylPny803bFhA+vqBYw4s31NSAk4S2Qz+AKXK9a4wkdjcQ==", - "engines": { - "node": ">=8.3.0" - }, - "peerDependencies": { - "bufferutil": "^4.0.1", - "utf-8-validate": "^5.0.2" - }, - "peerDependenciesMeta": { - "bufferutil": { - "optional": true - }, - "utf-8-validate": { - "optional": true - } - } - }, "node_modules/chrome-trace-event": { "version": "1.0.2", "resolved": "https://registry.npmjs.org/chrome-trace-event/-/chrome-trace-event-1.0.2.tgz", 
@@ -15262,9 +15242,9 @@ } }, "node_modules/tar": { - "version": "7.5.11", - "resolved": "https://registry.npmjs.org/tar/-/tar-7.5.11.tgz", - "integrity": "sha512-ChjMH33/KetonMTAtpYdgUFr0tbz69Fp2v7zWxQfYZX4g5ZN2nOBXm1R2xyA+lMIKrLKIoKAwFj93jE/avX9cQ==", + "version": "7.5.16", + "resolved": "https://registry.npmjs.org/tar/-/tar-7.5.16.tgz", + "integrity": "sha512-56adEpPMouktRlBLXiaYFFzZ/3+JXa8P9n7WbR+ibIjtviN55mEaOkiysCnPnWm+7kkui1Dn8J9l+g6zV8731w==", "license": "BlueOak-1.0.0", "dependencies": { "@isaacs/fs-minipass": "^4.0.0", @@ -16176,9 +16156,9 @@ "dev": true }, "node_modules/undici": { - "version": "7.24.5", - "resolved": "https://registry.npmjs.org/undici/-/undici-7.24.5.tgz", - "integrity": "sha512-3IWdCpjgxp15CbJnsi/Y9TCDE7HWVN19j1hmzVhoAkY/+CJx449tVxT5wZc1Gwg8J+P0LWvzlBzxYRnHJ+1i7Q==", + "version": "7.28.0", + "resolved": "https://registry.npmjs.org/undici/-/undici-7.28.0.tgz", + "integrity": "sha512-cRZYrTDwWznlnRiPjggAGxZXanty6M8RV1ff8Wm4LWXBp7/IG8v5DnOm74DtUBp9OONpK75YlPnIjQqX0dBDtA==", "license": "MIT", "engines": { "node": ">=20.18.1" @@ -17098,6 +17078,27 @@ "integrity": "sha1-tSQ9jz7BqjXxNkYFvA0QNuMKtp8= sha512-l4Sp/DRseor9wL6EvV2+TuQn63dMkPjZ/sp9XkghTEbV9KlPS1xUsZ3u7/IQO4wxtcFB4bgpQPRcR3QCvezPcQ==", "dev": true }, + "node_modules/ws": { + "version": "7.5.11", + "resolved": "https://registry.npmjs.org/ws/-/ws-7.5.11.tgz", + "integrity": "sha512-zS54Oen9bITtp7kp2XM3AydrCIq1D+HwJOuH+c+e4LfpL/lotP5osijd+UoMnxwAam1GN8R4KtLAyIrIcBNpiA==", + "license": "MIT", + "engines": { + "node": ">=8.3.0" + }, + "peerDependencies": { + "bufferutil": "^4.0.1", + "utf-8-validate": "^5.0.2" + }, + "peerDependenciesMeta": { + "bufferutil": { + "optional": true + }, + "utf-8-validate": { + "optional": true + } + } + }, "node_modules/xml": { "version": "1.0.1", "resolved": "https://registry.npmjs.org/xml/-/xml-1.0.1.tgz", 
diff --git a/package-lock-overrides/web-embedded-with-terminal.series/remote/package-lock.json b/package-lock-overrides/web-embedded-with-terminal.series/remote/package-lock.json index eb85d79c..31702cbd 100644 --- a/package-lock-overrides/web-embedded-with-terminal.series/remote/package-lock.json +++ b/package-lock-overrides/web-embedded-with-terminal.series/remote/package-lock.json @@ -38,7 +38,7 @@ "native-watchdog": "^1.4.1", "node-pty": "^1.1.0-beta33", "tas-client-umd": "0.2.0", - "undici": "^7.24.0", + "undici": "^7.28.0", "vscode-oniguruma": "1.7.0", "vscode-regexpp": "^3.1.0", "vscode-textmate": "9.2.0", @@ -1015,9 +1015,9 @@ } }, "node_modules/undici": { - "version": "7.24.5", - "resolved": "https://registry.npmjs.org/undici/-/undici-7.24.5.tgz", - "integrity": "sha512-3IWdCpjgxp15CbJnsi/Y9TCDE7HWVN19j1hmzVhoAkY/+CJx449tVxT5wZc1Gwg8J+P0LWvzlBzxYRnHJ+1i7Q==", + "version": "7.28.0", + "resolved": "https://registry.npmjs.org/undici/-/undici-7.28.0.tgz", + "integrity": "sha512-cRZYrTDwWznlnRiPjggAGxZXanty6M8RV1ff8Wm4LWXBp7/IG8v5DnOm74DtUBp9OONpK75YlPnIjQqX0dBDtA==", "license": "MIT", "engines": { "node": ">=20.18.1" diff --git a/package-lock-overrides/web-embedded.series/package-lock.json b/package-lock-overrides/web-embedded.series/package-lock.json index 35f05524..e832becd 100644 --- a/package-lock-overrides/web-embedded.series/package-lock.json +++ b/package-lock-overrides/web-embedded.series/package-lock.json @@ -47,7 +47,7 @@ "node-pty": "^1.1.0-beta33", "open": "^8.4.2", "tas-client-umd": "0.2.0", - "undici": "^7.24.0", + "undici": "^7.28.0", "v8-inspect-profiler": "^0.1.1", "vscode-oniguruma": "1.7.0", "vscode-regexpp": "^3.1.0", @@ -146,7 +146,7 @@ "source-map": "0.6.1", "source-map-support": "^0.3.2", "style-loader": "^3.3.2", - "tar": "^7.5.10", + "tar": "^7.5.16", "ts-loader": "^9.5.1", "ts-node": "^10.9.1", "tsec": "0.2.7", 
@@ -4471,26 +4471,6 @@ "resolved": "https://registry.npmjs.org/commander/-/commander-2.11.0.tgz", "integrity": "sha512-b0553uYA5YAEGgyYIGYROzKQ7X5RAqedkfjiZxwi0kL1g3bOaBNNZfYkzt/CL0umgD5wc9Jec2FbB98CjkMRvQ==" }, - "node_modules/chrome-remote-interface/node_modules/ws": { - "version": "7.5.10", - "resolved": "https://registry.npmjs.org/ws/-/ws-7.5.10.tgz", - "integrity": "sha512-+dbF1tHwZpXcbOJdVOkzLDxZP1ailvSxM6ZweXTegylPny803bFhA+vqBYw4s31NSAk4S2Qz+AKXK9a4wkdjcQ==", - "engines": { - "node": ">=8.3.0" - }, - "peerDependencies": { - "bufferutil": "^4.0.1", - "utf-8-validate": "^5.0.2" - }, - "peerDependenciesMeta": { - "bufferutil": { - "optional": true - }, - "utf-8-validate": { - "optional": true - } - } - }, "node_modules/chrome-trace-event": { "version": "1.0.2", "resolved": "https://registry.npmjs.org/chrome-trace-event/-/chrome-trace-event-1.0.2.tgz", @@ -15262,9 +15242,9 @@ } }, "node_modules/tar": { - "version": "7.5.11", - "resolved": "https://registry.npmjs.org/tar/-/tar-7.5.11.tgz", - "integrity": "sha512-ChjMH33/KetonMTAtpYdgUFr0tbz69Fp2v7zWxQfYZX4g5ZN2nOBXm1R2xyA+lMIKrLKIoKAwFj93jE/avX9cQ==", + "version": "7.5.16", + "resolved": "https://registry.npmjs.org/tar/-/tar-7.5.16.tgz", + "integrity": "sha512-56adEpPMouktRlBLXiaYFFzZ/3+JXa8P9n7WbR+ibIjtviN55mEaOkiysCnPnWm+7kkui1Dn8J9l+g6zV8731w==", "license": "BlueOak-1.0.0", "dependencies": { "@isaacs/fs-minipass": "^4.0.0", @@ -16176,9 +16156,9 @@ "dev": true }, "node_modules/undici": { - "version": "7.24.5", - "resolved": "https://registry.npmjs.org/undici/-/undici-7.24.5.tgz", - "integrity": "sha512-3IWdCpjgxp15CbJnsi/Y9TCDE7HWVN19j1hmzVhoAkY/+CJx449tVxT5wZc1Gwg8J+P0LWvzlBzxYRnHJ+1i7Q==", + "version": "7.28.0", + "resolved": "https://registry.npmjs.org/undici/-/undici-7.28.0.tgz", + "integrity": "sha512-cRZYrTDwWznlnRiPjggAGxZXanty6M8RV1ff8Wm4LWXBp7/IG8v5DnOm74DtUBp9OONpK75YlPnIjQqX0dBDtA==", "license": "MIT", "engines": { "node": ">=20.18.1" 
@@ -17098,6 +17078,27 @@ "integrity": "sha1-tSQ9jz7BqjXxNkYFvA0QNuMKtp8= sha512-l4Sp/DRseor9wL6EvV2+TuQn63dMkPjZ/sp9XkghTEbV9KlPS1xUsZ3u7/IQO4wxtcFB4bgpQPRcR3QCvezPcQ==", "dev": true }, + "node_modules/ws": { + "version": "7.5.11", + "resolved": "https://registry.npmjs.org/ws/-/ws-7.5.11.tgz", + "integrity": "sha512-zS54Oen9bITtp7kp2XM3AydrCIq1D+HwJOuH+c+e4LfpL/lotP5osijd+UoMnxwAam1GN8R4KtLAyIrIcBNpiA==", + "license": "MIT", + "engines": { + "node": ">=8.3.0" + }, + "peerDependencies": { + "bufferutil": "^4.0.1", + "utf-8-validate": "^5.0.2" + }, + "peerDependenciesMeta": { + "bufferutil": { + "optional": true + }, + "utf-8-validate": { + "optional": true + } + } + }, "node_modules/xml": { "version": "1.0.1", "resolved": "https://registry.npmjs.org/xml/-/xml-1.0.1.tgz", diff --git a/package-lock-overrides/web-embedded.series/remote/package-lock.json b/package-lock-overrides/web-embedded.series/remote/package-lock.json index eb85d79c..31702cbd 100644 --- a/package-lock-overrides/web-embedded.series/remote/package-lock.json +++ b/package-lock-overrides/web-embedded.series/remote/package-lock.json @@ -38,7 +38,7 @@ "native-watchdog": "^1.4.1", "node-pty": "^1.1.0-beta33", "tas-client-umd": "0.2.0", - "undici": "^7.24.0", + "undici": "^7.28.0", "vscode-oniguruma": "1.7.0", "vscode-regexpp": "^3.1.0", "vscode-textmate": "9.2.0", @@ -1015,9 +1015,9 @@ } }, "node_modules/undici": { - "version": "7.24.5", - "resolved": "https://registry.npmjs.org/undici/-/undici-7.24.5.tgz", - "integrity": "sha512-3IWdCpjgxp15CbJnsi/Y9TCDE7HWVN19j1hmzVhoAkY/+CJx449tVxT5wZc1Gwg8J+P0LWvzlBzxYRnHJ+1i7Q==", + "version": "7.28.0", + "resolved": "https://registry.npmjs.org/undici/-/undici-7.28.0.tgz", + "integrity": "sha512-cRZYrTDwWznlnRiPjggAGxZXanty6M8RV1ff8Wm4LWXBp7/IG8v5DnOm74DtUBp9OONpK75YlPnIjQqX0dBDtA==", "license": "MIT", "engines": { "node": ">=20.18.1" 
diff --git a/package-lock-overrides/web-server.series/package-lock.json b/package-lock-overrides/web-server.series/package-lock.json index 1d12de9c..90accd84 100644 --- a/package-lock-overrides/web-server.series/package-lock.json +++ b/package-lock-overrides/web-server.series/package-lock.json @@ -48,7 +48,7 @@ "node-pty": "^1.1.0-beta33", "open": "^8.4.2", "tas-client-umd": "0.2.0", - "undici": "^7.24.0", + "undici": "^7.28.0", "v8-inspect-profiler": "^0.1.1", "vscode-oniguruma": "1.7.0", "vscode-regexpp": "^3.1.0", @@ -148,7 +148,7 @@ "source-map": "0.6.1", "source-map-support": "^0.3.2", "style-loader": "^3.3.2", - "tar": "^7.5.10", + "tar": "^7.5.16", "ts-loader": "^9.5.1", "ts-node": "^10.9.1", "tsec": "0.2.7", @@ -4483,26 +4483,6 @@ "resolved": "https://registry.npmjs.org/commander/-/commander-2.11.0.tgz", "integrity": "sha512-b0553uYA5YAEGgyYIGYROzKQ7X5RAqedkfjiZxwi0kL1g3bOaBNNZfYkzt/CL0umgD5wc9Jec2FbB98CjkMRvQ==" }, - "node_modules/chrome-remote-interface/node_modules/ws": { - "version": "7.5.10", - "resolved": "https://registry.npmjs.org/ws/-/ws-7.5.10.tgz", - "integrity": "sha512-+dbF1tHwZpXcbOJdVOkzLDxZP1ailvSxM6ZweXTegylPny803bFhA+vqBYw4s31NSAk4S2Qz+AKXK9a4wkdjcQ==", - "engines": { - "node": ">=8.3.0" - }, - "peerDependencies": { - "bufferutil": "^4.0.1", - "utf-8-validate": "^5.0.2" - }, - "peerDependenciesMeta": { - "bufferutil": { - "optional": true - }, - "utf-8-validate": { - "optional": true - } - } - }, "node_modules/chrome-trace-event": { "version": "1.0.2", "resolved": "https://registry.npmjs.org/chrome-trace-event/-/chrome-trace-event-1.0.2.tgz", 
@@ -15313,9 +15293,9 @@ } }, "node_modules/tar": { - "version": "7.5.11", - "resolved": "https://registry.npmjs.org/tar/-/tar-7.5.11.tgz", - "integrity": "sha512-ChjMH33/KetonMTAtpYdgUFr0tbz69Fp2v7zWxQfYZX4g5ZN2nOBXm1R2xyA+lMIKrLKIoKAwFj93jE/avX9cQ==", + "version": "7.5.16", + "resolved": "https://registry.npmjs.org/tar/-/tar-7.5.16.tgz", + "integrity": "sha512-56adEpPMouktRlBLXiaYFFzZ/3+JXa8P9n7WbR+ibIjtviN55mEaOkiysCnPnWm+7kkui1Dn8J9l+g6zV8731w==", "license": "BlueOak-1.0.0", "dependencies": { "@isaacs/fs-minipass": "^4.0.0", @@ -16227,9 +16207,9 @@ "dev": true }, "node_modules/undici": { - "version": "7.24.5", - "resolved": "https://registry.npmjs.org/undici/-/undici-7.24.5.tgz", - "integrity": "sha512-3IWdCpjgxp15CbJnsi/Y9TCDE7HWVN19j1hmzVhoAkY/+CJx449tVxT5wZc1Gwg8J+P0LWvzlBzxYRnHJ+1i7Q==", + "version": "7.28.0", + "resolved": "https://registry.npmjs.org/undici/-/undici-7.28.0.tgz", + "integrity": "sha512-cRZYrTDwWznlnRiPjggAGxZXanty6M8RV1ff8Wm4LWXBp7/IG8v5DnOm74DtUBp9OONpK75YlPnIjQqX0dBDtA==", "license": "MIT", "engines": { "node": ">=20.18.1" @@ -17149,6 +17129,27 @@ "integrity": "sha1-tSQ9jz7BqjXxNkYFvA0QNuMKtp8= sha512-l4Sp/DRseor9wL6EvV2+TuQn63dMkPjZ/sp9XkghTEbV9KlPS1xUsZ3u7/IQO4wxtcFB4bgpQPRcR3QCvezPcQ==", "dev": true }, + "node_modules/ws": { + "version": "7.5.11", + "resolved": "https://registry.npmjs.org/ws/-/ws-7.5.11.tgz", + "integrity": "sha512-zS54Oen9bITtp7kp2XM3AydrCIq1D+HwJOuH+c+e4LfpL/lotP5osijd+UoMnxwAam1GN8R4KtLAyIrIcBNpiA==", + "license": "MIT", + "engines": { + "node": ">=8.3.0" + }, + "peerDependencies": { + "bufferutil": "^4.0.1", + "utf-8-validate": "^5.0.2" + }, + "peerDependenciesMeta": { + "bufferutil": { + "optional": true + }, + "utf-8-validate": { + "optional": true + } + } + }, "node_modules/xml": { "version": "1.0.1", "resolved": "https://registry.npmjs.org/xml/-/xml-1.0.1.tgz", 
diff --git a/package-lock-overrides/web-server.series/remote/package-lock.json b/package-lock-overrides/web-server.series/remote/package-lock.json index eb5f0fce..47c6b51b 100644 --- a/package-lock-overrides/web-server.series/remote/package-lock.json +++ b/package-lock-overrides/web-server.series/remote/package-lock.json @@ -39,7 +39,7 @@ "native-watchdog": "^1.4.1", "node-pty": "^1.1.0-beta33", "tas-client-umd": "0.2.0", - "undici": "^7.24.0", + "undici": "^7.28.0", "vscode-oniguruma": "1.7.0", "vscode-regexpp": "^3.1.0", "vscode-textmate": "9.2.0", @@ -1062,9 +1062,9 @@ } }, "node_modules/undici": { - "version": "7.24.5", - "resolved": "https://registry.npmjs.org/undici/-/undici-7.24.5.tgz", - "integrity": "sha512-3IWdCpjgxp15CbJnsi/Y9TCDE7HWVN19j1hmzVhoAkY/+CJx449tVxT5wZc1Gwg8J+P0LWvzlBzxYRnHJ+1i7Q==", + "version": "7.28.0", + "resolved": "https://registry.npmjs.org/undici/-/undici-7.28.0.tgz", + "integrity": "sha512-cRZYrTDwWznlnRiPjggAGxZXanty6M8RV1ff8Wm4LWXBp7/IG8v5DnOm74DtUBp9OONpK75YlPnIjQqX0dBDtA==", "license": "MIT", "engines": { "node": ">=20.18.1" diff --git a/patches/common/finding-override-tar.diff b/patches/common/finding-override-tar.diff new file mode 100644 index 00000000..e9ea9187 --- /dev/null +++ b/patches/common/finding-override-tar.diff 
@@ -0,0 +1,29 @@ +Override tar to ^7.5.16 to fix CVE-2026-53655. + +@generated +@generator: scripts/patches/apply-override.sh --patch common/finding-override-tar.diff --override 'direct-dev:tar=^7.5.16' --override 'global:tar=^7.5.16' +@override-package: tar@^7.5.16 + +Index: b/package.json +=================================================================== +--- a/package.json ++++ b/package.json +@@ -207,7 +207,7 @@ + "source-map": "0.6.1", + "source-map-support": "^0.3.2", + "style-loader": "^3.3.2", +- "tar": "^7.5.10", ++ "tar": "^7.5.16", + "ts-loader": "^9.5.1", + "ts-node": "^10.9.1", + "tsec": "0.2.7", +@@ -243,7 +243,8 @@ + "ip-address": "^10.1.1", + "shell-quote": "^1.8.4", + "undici": "^7.28.0", +- "ws": "^7.5.11" ++ "ws": "^7.5.11", ++ "tar": "^7.5.16" + }, + "repository": { + "type": "git", diff --git a/patches/common/finding-override-undici.diff b/patches/common/finding-override-undici.diff new file mode 100644 index 00000000..fde977b5 --- /dev/null +++ b/patches/common/finding-override-undici.diff 
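Review bot: The tar override added in patches/common/finding-override-tar.diff (CVE-2026-53655, `"tar": "^7.5.10"` → `"^7.5.16"`) is missing from the commit subject and description, which list only undici and ws. Anyone tracing from the log which commit remediated that CVE will miss it. I would add a description line such as `- tar: ^7.5.10 → ^7.5.16 direct-dev + global override (CVE-2026-53655)`. Separately, the `@@ -243,7 +243,8 @@` hunk uses `"undici": "^7.28.0",` and `"ws": "^7.5.11"` as context, so this patch applies only after the undici and ws patches. The series files in this commit list them in that order, but stating the dependency in the patch header would keep a later reorder from failing silently.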
@@ -0,0 +1,51 @@ +Override undici to ^7.28.0 to fix CVE-2026-6734, CVE-2026-9697, CVE-2026-12151. + +@generated +@generator: scripts/patches/apply-override.sh --patch common/finding-override-undici.diff --override 'direct:undici=^7.28.0' --override 'global:undici=^7.28.0' --override 'remote/package.json@direct:undici=^7.28.0' --override 'remote/package.json@global:undici=^7.28.0' +@override-package: undici@^7.28.0 + +Index: b/package.json +=================================================================== +--- a/package.json ++++ b/package.json +@@ -107,7 +107,7 @@ + "node-pty": "^1.1.0-beta33", + "open": "^8.4.2", + "tas-client-umd": "0.2.0", +- "undici": "^7.24.0", ++ "undici": "^7.28.0", + "v8-inspect-profiler": "^0.1.1", + "vscode-oniguruma": "1.7.0", + "vscode-regexpp": "^3.1.0", +@@ -241,7 +241,8 @@ + "follow-redirects": "1.16.0", + "uuid": "14.0.0", + "ip-address": "^10.1.1", +- "shell-quote": "^1.8.4" ++ "shell-quote": "^1.8.4", ++ "undici": "^7.28.0" + }, + "repository": { + "type": "git", +Index: b/remote/package.json +=================================================================== +--- a/remote/package.json ++++ b/remote/package.json +@@ -34,7 +34,7 @@ + "native-watchdog": "^1.4.1", + "node-pty": "^1.1.0-beta33", + "tas-client-umd": "0.2.0", +- "undici": "^7.24.0", ++ "undici": "^7.28.0", + "vscode-oniguruma": "1.7.0", + "vscode-regexpp": "^3.1.0", + "vscode-textmate": "9.2.0", +@@ -50,6 +50,7 @@ + "picomatch": "2.3.2", + "follow-redirects": "1.16.0", + "uuid": "14.0.0", +- "ip-address": "^10.1.1" ++ "ip-address": "^10.1.1", ++ "undici": "^7.28.0" + } + } diff --git a/patches/common/finding-override-ws.diff b/patches/common/finding-override-ws.diff new file mode 100644 index 00000000..c7f21abe --- /dev/null +++ b/patches/common/finding-override-ws.diff 
@@ -0,0 +1,20 @@ +Override ws to ^7.5.11 to fix CVE-2026-48779. + +@generated +@generator: scripts/patches/apply-override.sh --patch common/finding-override-ws.diff --override 'global:ws=^7.5.11' +@override-package: ws@^7.5.11 + +Index: b/package.json +=================================================================== +--- a/package.json ++++ b/package.json +@@ -242,7 +242,8 @@ + "uuid": "14.0.0", + "ip-address": "^10.1.1", + "shell-quote": "^1.8.4", +- "undici": "^7.28.0" ++ "undici": "^7.28.0", ++ "ws": "^7.5.11" + }, + "repository": { + "type": "git", diff --git a/patches/sagemaker.series b/patches/sagemaker.series index b6d9d3f1..ac28449d 100644 --- a/patches/sagemaker.series +++ b/patches/sagemaker.series @@ -58,3 +58,6 @@ sagemaker/fix-path-traversal-vscode-remote-resource.diff sagemaker/override-picomatch-post-startup-notifications.diff sagemaker/sanitize-terminal-sendtext-paths.diff sagemaker/remove-delay-shutdown-endpoint.diff +common/finding-override-undici.diff +common/finding-override-ws.diff +common/finding-override-tar.diff diff --git a/patches/web-embedded-with-terminal.series b/patches/web-embedded-with-terminal.series index 6b0faf6c..e0158695 100644 --- a/patches/web-embedded-with-terminal.series +++ b/patches/web-embedded-with-terminal.series @@ -55,3 +55,6 @@ web-embedded/fix-watch-target.diff web-embedded/remove-unused-recommended-extensions-action.diff web-embedded/remove-new-window-actions-and-profile-workspace-section.diff web-embedded/only-allow-trusted-origins-in-webviews.diff +common/finding-override-undici.diff +common/finding-override-ws.diff +common/finding-override-tar.diff diff --git a/patches/web-embedded.series b/patches/web-embedded.series index 5ae0a75f..f92166d9 100644 --- a/patches/web-embedded.series +++ b/patches/web-embedded.series 
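Review bot: The `"ws": "^7.5.11"` entry added to `overrides` in patches/common/finding-override-ws.diff is global, so npm resolves every `ws` request in the tree to the 7.x line, including any dependency that later declares a newer major. In the regenerated lockfiles the only ws copy replaced is the one nested under `chrome-remote-interface`, so a scoped override would appear to address the same finding more narrowly: `"chrome-remote-interface": { "ws": "^7.5.11" }`. If `apply-override.sh` only supports the `global:` form here, I would add a header line to the patch explaining why 7.x is pinned globally. It is also worth confirming that no other consumer in the tree needs a different ws major.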
@@ -57,3 +57,6 @@ web-embedded/remove-unused-recommended-extensions-action.diff
 web-embedded/remove-new-window-actions-and-profile-workspace-section.diff
 web-embedded/only-allow-trusted-origins-in-webviews.diff
 web-embedded/enable-ts-features.diff
+common/finding-override-undici.diff
+common/finding-override-ws.diff
+common/finding-override-tar.diff
diff --git a/patches/web-server.series b/patches/web-server.series
index e8712f75..593a9bcb 100644
--- a/patches/web-server.series
+++ b/patches/web-server.series
@@ -39,3 +39,6 @@ web-server/embedding-events.diff
 web-server/proxy-uri.diff
 web-server/display-language.diff
 web-server/signature-verification.diff
+common/finding-override-undici.diff
+common/finding-override-ws.diff
+common/finding-override-tar.diff