Skip to content

CRW-9679: Fix CVE-2025-64756 by updating glob to 10.5.0 #611

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
sbouchet wants to merge 3 commits into
base: main
Choose a base branch
from
Open

CRW-9679: Fix CVE-2025-64756 by updating glob to 10.5.0 #611

sbouchet wants to merge 3 commits into from

Conversation

@sbouchet
Copy link
Collaborator

@sbouchet sbouchet commented Dec 17, 2025
edited
Loading

What does this PR do?

Updated @vscode/test-cli and @vscode/test-web packages which include the patched glob@10.5.0 version, addressing CVE-2025-64756 (glob CLI command injection vulnerability).

🤖 Generated with Claude Code

What issues does this PR fix?

https://issues.redhat.com/browse/CRW-9679

How to test this PR?

Does this PR contain changes that override default upstream Code-OSS behavior?

  • the PR contains changes in the code folder (you can skip it if your changes are placed in a che extension )
  • the corresponding items were added to the CHANGELOG.md file
  • rules for automatic git rebase were added to the .rebase folder

@sbouchet @claude
Fix CVE-2025-64756 by updating glob to 10.5.0
8174e3e 
Updated @vscode/test-cli and @vscode/test-web packages which include
the patched glob@10.5.0 version, addressing CVE-2025-64756 (glob CLI
command injection vulnerability).

Additional changes:
- Added TypeScript as dev dependency to che-api, che-port, and
  che-resource-monitor extensions

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Signed-off-by: Stephane Bouchet <sbouchet@redhat.com>
@openshift-ci-robot
Copy link

openshift-ci-robot commented Dec 17, 2025
edited by openshift-ci bot
Loading

@sbouchet: This pull request references CRW-9679 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the vulnerability to target the "4.22.0" version, but no target version was set.

Details

In response to this:

What does this PR do?

Updated @vscode/test-cli and @vscode/test-web packages which include the patched glob@10.5.0 version, addressing CVE-2025-64756 (glob CLI command injection vulnerability).

Additional changes:

  • Added TypeScript as dev dependency to che-api, che-port, and che-resource-monitor extensions

🤖 Generated with Claude Code

What issues does this PR fix?

https://issues.redhat.com/browse/CRW-9679

How to test this PR?

Does this PR contain changes that override default upstream Code-OSS behavior?

  • the PR contains changes in the code folder (you can skip it if your changes are placed in a che extension )
  • the corresponding items were added to the CHANGELOG.md file
  • rules for automatic git rebase were added to the .rebase folder

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@github-actions
Copy link

github-actions bot commented Dec 17, 2025
edited
Loading

Click here to review and test in web IDE: Contribute

@sbouchet
added rebase rules
bcc2fa5 
Signed-off-by: Stephane Bouchet <sbouchet@redhat.com>
@openshift-ci-robot
Copy link

openshift-ci-robot commented Dec 17, 2025
edited by openshift-ci bot
Loading

@sbouchet: This pull request references CRW-9679 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the vulnerability to target the "4.22.0" version, but no target version was set.

Details

In response to this:

What does this PR do?

Updated @vscode/test-cli and @vscode/test-web packages which include the patched glob@10.5.0 version, addressing CVE-2025-64756 (glob CLI command injection vulnerability).

🤖 Generated with Claude Code

What issues does this PR fix?

https://issues.redhat.com/browse/CRW-9679

How to test this PR?

Does this PR contain changes that override default upstream Code-OSS behavior?

  • the PR contains changes in the code folder (you can skip it if your changes are placed in a che extension )
  • the corresponding items were added to the CHANGELOG.md file
  • rules for automatic git rebase were added to the .rebase folder

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@sbouchet sbouchet marked this pull request as ready for review December 17, 2025 11:01
@github-actions
Copy link

github-actions bot commented Dec 18, 2025

Pull Request images published ✨

Editor amd64: quay.io/che-incubator-pull-requests/che-code:pr-611-amd64
Editor arm64: quay.io/che-incubator-pull-requests/che-code:pr-611-arm64
Dev image: quay.io/che-incubator-pull-requests/che-code-dev:pr-611-dev-amd64

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@azatsarynnyy azatsarynnyy Awaiting requested review from azatsarynnyy azatsarynnyy is a code owner

@RomanNikitenko RomanNikitenko Awaiting requested review from RomanNikitenko RomanNikitenko is a code owner

@vitaliy-guliy vitaliy-guliy Awaiting requested review from vitaliy-guliy vitaliy-guliy is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@sbouchet @openshift-ci-robot