Fix CVE-2026-42035 by updating axios to patched version #110
Signed-off-by: Stephane Bouchet <sbouchet@redhat.com>
No actionable comments were generated in the recent review.
Walkthrough: Makes IRequestError.config optional, updates RequestError, enables skipLibCheck, patches Node crypto.createHash (md4→sha256), sets ts-loader to transpileOnly for client/server, adds a type-check build step, and bumps axios and TypeScript versions.
Estimated code review effort: 4 (Complex), ~40 minutes
Signed-off-by: Stephane Bouchet <sbouchet@redhat.com>
Make config optional with `?:` syntax in both IRequestError interface and RequestError class to satisfy TypeScript strict type checking. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
axios 0.31.1 ships type definitions requiring TypeScript 4.1+ (Lowercase mapped types), but the project uses TypeScript 3.1.3. skipLibCheck avoids type-checking third-party .d.ts files. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
axios 0.31.1 type definitions use TypeScript 4.1+ syntax (Lowercase mapped types) that cannot be parsed by TS 3.1.3. skipLibCheck only skips type-checking, not parsing. transpileOnly skips all type resolution in webpack builds; type checking is still performed by ts-jest during tests. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@mkuznyetsov worth reviewing this first one? Then I'll probably tackle some other critical CVEs.
@coderabbitai review
Actions performed: Review triggered.
Actionable comments posted: 1
Inline comments:
In `@javascript/src/typescript/webpack.config.js`:
- Line 13: The webpack config currently sets transpileOnly: true (skipping type
checking); add explicit type checking by either integrating
ForkTsCheckerWebpackPlugin into webpack.config.js (import and add new
ForkTsCheckerWebpackPlugin() to plugins) so the ts-loader/transpileOnly option
keeps fast builds but type errors are reported, or add an npm script named
"type-check" that runs "tsc --noEmit" and ensure CI/build invokes it; update the
config to keep transpileOnly: true but enable ForkTsCheckerWebpackPlugin, or add
the "type-check" script and wire it into the pipeline.
Files selected for processing (3):
- javascript/src/typescript/src/index.ts
- javascript/src/typescript/tsconfig.json
- javascript/src/typescript/webpack.config.js
Axios 0.31.1 type definitions require TypeScript 4.1+ syntax (template literal types). Webpack 4 uses md4 hashing which Node.js 22 dropped, so redirect md4 to sha256 in webpack config. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Nitpick comments (1)
javascript/src/typescript/webpack.config.js (1)
Lines 2-4: Quick win: Add an explanatory comment for the crypto monkey-patch.
This global override of crypto.createHash silently redirects md4 to sha256 for the entire Node.js process. While this is a recognized workaround for Webpack 4's incompatibility with Node.js 17+ (where md4 was removed in OpenSSL 3.0), future maintainers may not understand why it's here. Consider adding a brief comment explaining the purpose and noting the long-term fix (upgrade to Webpack 5).
Suggested comment:
const path = require('path');
+// Webpack 4 uses md4 for hashing, but Node.js 17+ removed md4 support.
+// This monkey-patch redirects md4 to sha256 as a workaround.
+// TODO: Remove once upgraded to Webpack 5 (which uses xxhash by default).
const crypto = require('crypto');
const cryptoOrigCreateHash = crypto.createHash;
crypto.createHash = algorithm => cryptoOrigCreateHash(algorithm === 'md4' ? 'sha256' : algorithm);
Files ignored due to path filters (2):
- javascript/src/typescript/package-lock.json is excluded by !**/package-lock.json
- javascript/src/typescript/yarn.lock is excluded by !**/yarn.lock, !**/*.lock
Files selected for processing (2):
- javascript/src/typescript/package.json
- javascript/src/typescript/webpack.config.js
Signed-off-by: Stephane Bouchet <sbouchet@redhat.com>
…mment Upgraded jest, @types/jest, and ts-jest to v29 to eliminate the ts-jest version compatibility warning. Regenerated yarn.lock with yarn classic (v1 format) to match CI. Removed stale package-lock.json. Added explanatory comment on the webpack md4→sha256 workaround. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
CI runs Node 12.22.7; jest 29 requires Node >=14.15. Jest 27 supports Node 12 and ts-jest 27 supports TypeScript 4.x without warnings. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
node-releases 2.0.46 (transitive via browserslist/babel/jest) requires Node >=18 which is incompatible with CI's Node 12.22.7. Pin to 2.0.19 via yarn resolutions. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
minimatch 10.x requires Node 18+. Pin to v9.0.9 via yarn resolutions to maintain Node 12.22.7 compatibility in CI. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
minimatch 9.0.9 still requires Node >=14. Use v3.1.5 which supports any Node version and is compatible with both v3 and v5 ranges in deps. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Caution: Some comments are outside the diff and can't be posted inline due to platform limitations.
Outside diff range comments (1)
javascript/src/typescript/package.json (1)
Lines 10-13: Potential issue | Major | Quick win: Mirror Yarn resolutions with npm overrides to ensure the security pins apply in npm-based installs (lines 10-13 + 55-58). This package uses npm for build/prepare, but only pins transitive deps via Yarn-only "resolutions" (node-releases: 2.0.19, minimatch: 9.0.9) and has no npm "overrides" block, so npm installs can bypass these remediation constraints.
Files ignored due to path filters (1):
- javascript/src/typescript/yarn.lock is excluded by !**/yarn.lock, !**/*.lock
Files selected for processing (2):
- javascript/src/typescript/package.json
- javascript/src/typescript/webpack.config.js
Files skipped from review as they are similar to previous changes (1):
- javascript/src/typescript/webpack.config.js
npm uses 'overrides' instead of yarn's 'resolutions' to pin dependency versions. Mirror the node-releases@2.0.19 and minimatch@3.1.5 pins so npm-based installs also respect the Node 12 compatibility constraints. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
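The review finding and the commit above turn on one point: a pin that lives only in Yarn's "resolutions" does nothing for an npm install, so both maps must agree. As an added example (not part of this PR or the project), here is a small check that reports pins present in one map but absent or different in the other, and produces a manifest with the pins mirrored. The manifest is a constructed sample whose versions follow this PR; only flat string pins are handled, which is an assumption of the example.

```javascript
// Constructed sample manifest (not the PR's real package.json); the pins mirror
// the versions named in this PR and the field names are the real yarn/npm keys.
const samplePackageJson = {
  name: 'constructed-sample',
  scripts: { build: 'webpack', prepare: 'npm run build' },
  resolutions: { '**/node-releases': '2.0.19', minimatch: '3.1.5' },
  overrides: { 'node-releases': '2.0.19' },
};

// Yarn accepts glob-style keys such as "**/pkg"; npm overrides use the bare name.
// Only flat string pins are compared (npm's nested override objects are skipped).
function normalizePins(map) {
  const out = {};
  for (const [key, version] of Object.entries(map || {})) {
    if (typeof version === 'string') out[key.replace(/^\*\*\//, '')] = version;
  }
  return out;
}

// Report every pin present in one map but absent from, or different in, the other.
function comparePins(pkg) {
  const res = normalizePins(pkg.resolutions);
  const ovr = normalizePins(pkg.overrides);
  const findings = [];
  for (const [name, version] of Object.entries(res)) {
    if (!(name in ovr)) findings.push({ name, problem: 'missing from overrides' });
    else if (ovr[name] !== version) {
      findings.push({ name, problem: `mismatch: resolutions=${version} overrides=${ovr[name]}` });
    }
  }
  for (const name of Object.keys(ovr)) {
    if (!(name in res)) findings.push({ name, problem: 'missing from resolutions' });
  }
  return findings;
}

// Return a copy of the manifest with every pin present in both maps (keys are
// written back in normalized form). A version conflict is raised for a human to
// settle rather than silently picking one package manager's side.
function mirrorPins(pkg) {
  const conflicts = comparePins(pkg).filter((f) => f.problem.startsWith('mismatch'));
  if (conflicts.length) throw new Error('conflicting pins: ' + conflicts.map((f) => f.name).join(', '));
  const res = normalizePins(pkg.resolutions);
  const ovr = normalizePins(pkg.overrides);
  return { ...pkg, resolutions: { ...ovr, ...res }, overrides: { ...res, ...ovr } };
}

console.log(comparePins(samplePackageJson)); // minimatch is missing from overrides
console.log(JSON.stringify(mirrorPins(samplePackageJson), null, 2));
```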
@coderabbitai review
Actions performed: Review triggered.
Actionable comments posted: 0
@coderabbitai resolve
Actions performed: Comments resolved. Approval is disabled; enable
@coderabbitai full review
Actions performed: Full review triggered.
Actionable comments posted: 0
What does this PR do?
This PR fixes CVE-2026-42035.
The axios version is updated to 0.31.1.
Fixes:
- https://github.com/che-incubator/che-workspace-telemetry-client/security/dependabot/137
- https://github.com/che-incubator/che-workspace-telemetry-client/security/dependabot/135