
Fix CVE-2026-42035 by updating axios to patched version #110

Open

sbouchet wants to merge 13 commits into che-incubator:master from sbouchet:CVE-2026-42035


Conversation

sbouchet commented Apr 30, 2026

What does this PR do?
This PR fixes CVE-2026-42035.
axios version is updated to 0.31.1

fixes
https://github.com/che-incubator/che-workspace-telemetry-client/security/dependabot/137
https://github.com/che-incubator/che-workspace-telemetry-client/security/dependabot/135

Summary by CodeRabbit

  • Chores
    • Upgraded HTTP library and TypeScript toolchain for improved reliability and compatibility.
    • Added a pre-build type-check step, enabled faster transpilation, and relaxed library checks to streamline builds.
    • Pinned select transitive dependencies for more predictable installs.
  • Refactor
    • Made error typings accept an optional request configuration for more flexible error handling.
  • Fix
    • Replaced insecure hashing usage with a secure fallback to ensure consistent, secure builds.


Signed-off-by: Stephane Bouchet <sbouchet@redhat.com>
@sbouchet sbouchet requested review from ibuziuk and l0rd as code owners April 30, 2026 14:39
coderabbitai Bot commented Apr 30, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 58ebbb89-f91b-494f-b208-1c3d12d8513f

📥 Commits

Reviewing files that changed from the base of the PR and between aa4d193 and e6f261e.

⛔ Files ignored due to path filters (1)
  • javascript/src/typescript/yarn.lock is excluded by !**/yarn.lock, !**/*.lock
📒 Files selected for processing (4)
  • javascript/src/typescript/package.json
  • javascript/src/typescript/src/index.ts
  • javascript/src/typescript/tsconfig.json
  • javascript/src/typescript/webpack.config.js

📝 Walkthrough

Walkthrough

Makes IRequestError.config optional, updates RequestError, enables skipLibCheck, patches Node crypto.createHash (md4→sha256), sets ts-loader to transpileOnly for client/server, adds a type-check build step, and bumps axios and TypeScript versions.

Changes

TypeScript package and build changes

| Layer | File(s) | Summary |
| --- | --- | --- |
| RequestError typing update | javascript/src/typescript/src/index.ts | Makes IRequestError.config optional and updates the RequestError class property to config?: AxiosRequestConfig. |
| TypeScript compiler option | javascript/src/typescript/tsconfig.json | Adds skipLibCheck: true to compilerOptions. |
| Webpack crypto patch and ts-loader change | javascript/src/typescript/webpack.config.js | Monkey-patches crypto.createHash to remap md4→sha256 and sets ts-loader option transpileOnly: true for .ts rules in both server and client configs. |
| Package metadata and scripts | javascript/src/typescript/package.json | Adds a type-check script and runs it in build; bumps axios to ^0.31.1 and typescript devDependency to 4.9.5; adds resolutions and overrides pinning node-releases and minimatch. |

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~40 minutes

Poem

🐰 A tiny hop through TypeScript's glade,
Optional config in shadows laid,
Crypto remapped for steadier tread,
ts-loader whispers: transpile instead,
Dependencies raised — the build parade.

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately reflects the main objective of this pull request—updating axios to address CVE-2026-42035, which is the primary intent stated in the PR description and is the most significant change in the changeset. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |


@sbouchet sbouchet requested a review from mkuznyetsov April 30, 2026 14:40
@sbouchet sbouchet self-assigned this Apr 30, 2026
@sbouchet sbouchet moved this to Ready for Review in Eclipse Che Team C Backlog Apr 30, 2026
@sbouchet sbouchet marked this pull request as draft April 30, 2026 14:53
Signed-off-by: Stephane Bouchet <sbouchet@redhat.com>
@sbouchet sbouchet moved this from Ready for Review to 🚧 In Progress in Eclipse Che Team C Backlog Apr 30, 2026
sbouchet and others added 3 commits May 4, 2026 16:47
Make config optional with `?:` syntax in both IRequestError interface
and RequestError class to satisfy TypeScript strict type checking.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
axios 0.31.1 ships type definitions requiring TypeScript 4.1+
(Lowercase mapped types), but the project uses TypeScript 3.1.3.
skipLibCheck avoids type-checking third-party .d.ts files.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
axios 0.31.1 type definitions use TypeScript 4.1+ syntax
(Lowercase mapped types) that cannot be parsed by TS 3.1.3.
skipLibCheck only skips type-checking, not parsing. transpileOnly
skips all type resolution in webpack builds; type checking is
still performed by ts-jest during tests.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@sbouchet sbouchet marked this pull request as ready for review May 4, 2026 15:03
sbouchet (Author) commented May 4, 2026

@mkuznyetsov worth to review this first one ? then i'll probably tackle some other critical CVEs

@sbouchet sbouchet moved this from 🚧 In Progress to Ready for Review in Eclipse Che Team C Backlog May 4, 2026
sbouchet (Author) commented

@coderabbitai review

coderabbitai Bot commented May 20, 2026
✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@javascript/src/typescript/webpack.config.js`:
- Line 13: The webpack config currently sets transpileOnly: true (skipping type
checking); add explicit type checking by either integrating
ForkTsCheckerWebpackPlugin into webpack.config.js (import and add new
ForkTsCheckerWebpackPlugin() to plugins) so the ts-loader/transpileOnly option
keeps fast builds but type errors are reported, or add an npm script named
"type-check" that runs "tsc --noEmit" and ensure CI/build invokes it; update the
config to keep transpileOnly: true but enable ForkTsCheckerWebpackPlugin, or add
the "type-check" script and wire it into the pipeline.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: c3b6b486-afde-44e7-a795-19f8f6d6bc27

📥 Commits

Reviewing files that changed from the base of the PR and between fd08244 and 506e9c8.

📒 Files selected for processing (3)
  • javascript/src/typescript/src/index.ts
  • javascript/src/typescript/tsconfig.json
  • javascript/src/typescript/webpack.config.js

Comment thread javascript/src/typescript/webpack.config.js
Axios 0.31.1 type definitions require TypeScript 4.1+ syntax (template
literal types). Webpack 4 uses md4 hashing which Node.js 22 dropped,
so redirect md4 to sha256 in webpack config.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

coderabbitai Bot left a comment

🧹 Nitpick comments (1)
javascript/src/typescript/webpack.config.js (1)

2-4: ⚡ Quick win

Add an explanatory comment for the crypto monkey-patch.

This global override of crypto.createHash silently redirects md4 to sha256 for the entire Node.js process. While this is a recognized workaround for Webpack 4's incompatibility with Node.js 17+ (where md4 was removed in OpenSSL 3.0), future maintainers may not understand why it's here.

Consider adding a brief comment explaining the purpose and noting the long-term fix (upgrade to Webpack 5).

📝 Suggested comment
 const path = require('path');
+// Webpack 4 uses md4 for hashing, but Node.js 17+ removed md4 support.
+// This monkey-patch redirects md4 to sha256 as a workaround.
+// TODO: Remove once upgraded to Webpack 5 (which uses xxhash by default).
 const crypto = require('crypto');
 const cryptoOrigCreateHash = crypto.createHash;
 crypto.createHash = algorithm => cryptoOrigCreateHash(algorithm === 'md4' ? 'sha256' : algorithm);
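Review bot: the override on the last line, `crypto.createHash = algorithm => cryptoOrigCreateHash(algorithm === 'md4' ? 'sha256' : algorithm);`, drops the optional second argument of `crypto.createHash(algorithm[, options])`, so any code in the build process that passes options (for example `outputLength` for the SHAKE algorithms) silently loses them; forward it, e.g. `crypto.createHash = (algorithm, options) => cryptoOrigCreateHash(algorithm === 'md4' ? 'sha256' : algorithm, options);`. The suggested comment should also state that the override is process-wide rather than limited to webpack's own hashing: every request for `md4` in this Node process now yields a sha256 digest, which is what a future reader needs to know before reusing the config in another tool.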
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@javascript/src/typescript/webpack.config.js` around lines 2 - 4, Add a brief
explanatory comment immediately above the monkey-patch that overrides
crypto.createHash (cryptoOrigCreateHash / crypto.createHash = ...), stating this
globally redirects 'md4' to 'sha256' as a workaround for Webpack 4's
incompatibility with Node.js 17+ / OpenSSL 3.0 where md4 was removed, and note
this is temporary and should be removed when upgrading to Webpack 5 (or
otherwise addressed properly); keep the comment concise and include the reason,
scope (global override), and the recommended long-term fix.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@javascript/src/typescript/webpack.config.js`:
- Around line 2-4: Add a brief explanatory comment immediately above the
monkey-patch that overrides crypto.createHash (cryptoOrigCreateHash /
crypto.createHash = ...), stating this globally redirects 'md4' to 'sha256' as a
workaround for Webpack 4's incompatibility with Node.js 17+ / OpenSSL 3.0 where
md4 was removed, and note this is temporary and should be removed when upgrading
to Webpack 5 (or otherwise addressed properly); keep the comment concise and
include the reason, scope (global override), and the recommended long-term fix.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 2b1dc8b1-4070-44c8-b7d3-62b4a0fc1ee3

📥 Commits

Reviewing files that changed from the base of the PR and between 506e9c8 and 66ebec2.

⛔ Files ignored due to path filters (2)
  • javascript/src/typescript/package-lock.json is excluded by !**/package-lock.json
  • javascript/src/typescript/yarn.lock is excluded by !**/yarn.lock, !**/*.lock
📒 Files selected for processing (2)
  • javascript/src/typescript/package.json
  • javascript/src/typescript/webpack.config.js

sbouchet and others added 6 commits May 27, 2026 16:50
Signed-off-by: Stephane Bouchet <sbouchet@redhat.com>
…mment

Upgraded jest, @types/jest, and ts-jest to v29 to eliminate the ts-jest
version compatibility warning. Regenerated yarn.lock with yarn classic
(v1 format) to match CI. Removed stale package-lock.json. Added
explanatory comment on the webpack md4→sha256 workaround.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
CI runs Node 12.22.7; jest 29 requires Node >=14.15. Jest 27 supports
Node 12 and ts-jest 27 supports TypeScript 4.x without warnings.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
node-releases 2.0.46 (transitive via browserslist/babel/jest) requires
Node >=18 which is incompatible with CI's Node 12.22.7. Pin to 2.0.19
via yarn resolutions.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
minimatch 10.x requires Node 18+. Pin to v9.0.9 via yarn resolutions
to maintain Node 12.22.7 compatibility in CI.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
minimatch 9.0.9 still requires Node >=14. Use v3.1.5 which supports
any Node version and is compatible with both v3 and v5 ranges in deps.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

coderabbitai Bot left a comment

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
javascript/src/typescript/package.json (1)

10-13: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Mirror Yarn resolutions with npm overrides to ensure the security pins apply in npm-based installs (lines 10-13 + 55-58).

This package uses npm for build/prepare, but only pins transitive deps via Yarn-only "resolutions" (node-releases: 2.0.19, minimatch: 9.0.9) and has no npm "overrides" block, so npm installs can bypass these remediation constraints.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@javascript/src/typescript/package.json` around lines 10 - 13, Add an npm
"overrides" section to package.json mirroring the existing Yarn "resolutions" so
npm installs apply the same pinned versions; specifically add an "overrides"
object that pins "node-releases" to "2.0.19" and "minimatch" to "9.0.9"
(matching the "resolutions" entries) and ensure this block is valid JSON at
top-level alongside "resolutions", "scripts" (build/test/prepare), and other
metadata so npm-based installs honor the security fixes.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In `@javascript/src/typescript/package.json`:
- Around line 10-13: Add an npm "overrides" section to package.json mirroring
the existing Yarn "resolutions" so npm installs apply the same pinned versions;
specifically add an "overrides" object that pins "node-releases" to "2.0.19" and
"minimatch" to "9.0.9" (matching the "resolutions" entries) and ensure this
block is valid JSON at top-level alongside "resolutions", "scripts"
(build/test/prepare), and other metadata so npm-based installs honor the
security fixes.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: c3abb673-a377-4919-bc52-0cd11b55e7be

📥 Commits

Reviewing files that changed from the base of the PR and between 66ebec2 and 16c1266.

⛔ Files ignored due to path filters (1)
  • javascript/src/typescript/yarn.lock is excluded by !**/yarn.lock, !**/*.lock
📒 Files selected for processing (2)
  • javascript/src/typescript/package.json
  • javascript/src/typescript/webpack.config.js
🚧 Files skipped from review as they are similar to previous changes (1)
  • javascript/src/typescript/webpack.config.js

npm uses 'overrides' instead of yarn's 'resolutions' to pin dependency
versions. Mirror the node-releases@2.0.19 and minimatch@3.1.5 pins so
npm-based installs also respect the Node 12 compatibility constraints.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
sbouchet (Author) commented

@coderabbitai review

coderabbitai Bot commented May 28, 2026
✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

coderabbitai Bot commented May 28, 2026

Actionable comments posted: 0

sbouchet (Author) commented

@coderabbitai resolve

coderabbitai Bot commented May 28, 2026
✅ Actions performed

Comments resolved. Approval is disabled; enable reviews.request_changes_workflow to allow explicit top-level @coderabbitai resolve or @coderabbitai approve commands.

sbouchet (Author) commented

@coderabbitai full review

coderabbitai Bot commented May 28, 2026
✅ Actions performed

Full review triggered.

coderabbitai Bot commented May 28, 2026

Actionable comments posted: 0
