Fix CVE-2026-42035 by updating axios to patched versions

[sbouchet]

What does this PR do?

This PR fixes CVE-2026-42035 and CVE-2026-42033.
axios version are updated to 1.15.2 and 0.31.1

What issues does this PR fix?

https://redhat.atlassian.net/browse/CRW-10801
https://redhat.atlassian.net/browse/CRW-10835

How to test this PR?

Does this PR contain changes that override default upstream Code-OSS behavior?

• the PR contains changes in the code folder (you can skip it if your changes are placed in a che extension )
• the corresponding items were added to the CHANGELOG.md file
• rules for automatic git rebase were added to the .rebase folder

Summary by CodeRabbit

• Chores
  • Updated HTTP client dependency in Eclipse Che API extension (pinned to a newer patch of axios).
  • Updated HTTP client dependency constraint in Eclipse Che Remote extension (axios minor/patch bump).
  • Minor formatting/whitespace cleanup in package metadata.

[github-actions]

Click here to review and test in web IDE:

[coderabbitai]

📝 Walkthrough

Walkthrough

Two extension package.json files were edited to tighten axios version constraints: che-api overrides @eclipse-che/workspace-telemetry-client axios to ^0.31.1, and che-remote updates its axios dependency to ^1.15.2. No other fields, scripts, or code were changed.

Changes

Dependency version bumps

Layer / File(s)	Summary
Dependency constraint code/extensions/che-api/package.json	Override for @eclipse-che/workspace-telemetry-client.axios changed from ^0.31.0 → ^0.31.1.
Dependency constraint code/extensions/che-remote/package.json	dependencies.axios changed from ^1.15.0 → ^1.15.2.
Sanity / Metadata .../package.json (both)	No other dependency, script, or config fields modified; whitespace tweak only in che-api overrides block.

Sequence Diagram(s)

(omitted — changes are minor dependency pin updates and do not introduce multi-component control flow)

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Possibly related PRs

• downgrading axios for che-api transitive to 0.31.0 #688: Modifies the same @eclipse-che/workspace-telemetry-client axios override in code/extensions/che-api/package.json.
• Fix CVEs by updating axios to patched versions #684: Previously updated axios pins and related overrides in these package.json files.

Suggested reviewers

• rgrunber
• azatsarynnyy
• vitaliy-guliy
• RomanNikitenko

Poem

"A rabbit hops through package trees,
nudging axios to newer leaves.
Versions snug in tidy lines,
no bugs to chase, no tangled vines.
🐇📦✨"

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately describes the main change: updating axios to patched versions to fix a specific CVE vulnerability.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

Pull Request images published ✨

Editor amd64: quay.io/che-incubator-pull-requests/che-code:pr-696-amd64
Editor arm64: quay.io/che-incubator-pull-requests/che-code:pr-696-arm64
Dev image: quay.io/che-incubator-pull-requests/che-code-dev:pr-696-dev-amd64

[github-actions]

Pull Request images published ✨

Editor amd64: quay.io/che-incubator-pull-requests/che-code:pr-696-amd64
Editor arm64: quay.io/che-incubator-pull-requests/che-code:pr-696-arm64
Dev image: quay.io/che-incubator-pull-requests/che-code-dev:pr-696-dev-amd64

[github-actions]

Pull Request images published ✨

Editor amd64: quay.io/che-incubator-pull-requests/che-code:pr-696-amd64
Editor arm64: quay.io/che-incubator-pull-requests/che-code:pr-696-arm64
Dev image: quay.io/che-incubator-pull-requests/che-code-dev:pr-696-dev-amd64

[github-actions]

Pull Request images published ✨

Editor amd64: quay.io/che-incubator-pull-requests/che-code:pr-696-amd64
Editor arm64: quay.io/che-incubator-pull-requests/che-code:pr-696-arm64
Dev image: quay.io/che-incubator-pull-requests/che-code-dev:pr-696-dev-amd64