From 7d687ab55b7d994d1fd64679f07790560fff810c Mon Sep 17 00:00:00 2001 From: Sachin Hulyalkar Date: Wed, 24 Jun 2026 11:57:37 +0000 Subject: [PATCH] fix: Regenerate lockfiles and override undici, ws, tar, form-data for CVEs MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Fix npm ci failure: regenerate package-lock-overrides to include http-proxy - undici: ^7.24.0 → ^7.28.0 (CVE-2026-6734, CVE-2026-9697, CVE-2026-12151) - ws: ^8.20.1 → ^8.21.0, chrome-remote-interface/ws: ^7.5.11 (CVE-2026-48779) - form-data: ^4.0.6 (CVE-2026-12143) - tar: ^7.5.16 (CVE-2026-53655) Regenerated package-lock overrides for all targets. --- LICENSE-THIRD-PARTY | 55 ++++++++-- overrides/LICENSE-THIRD-PARTY | 55 ++++++++-- .../sagemaker.series/package-lock.json | 101 ++++++++++-------- .../sagemaker.series/remote/package-lock.json | 67 ++++++++++-- .../package-lock.json | 66 +++++------- .../remote/package-lock.json | 26 ++--- .../web-embedded.series/package-lock.json | 66 +++++------- .../remote/package-lock.json | 26 ++--- .../web-server.series/package-lock.json | 66 +++++------- .../remote/package-lock.json | 20 ++-- .../common/finding-override-form-data.diff | 20 ++++ .../finding-override-github-copilot.diff | 12 +-- patches/common/finding-override-tar.diff | 42 ++++++++ patches/common/finding-override-undici.diff | 42 ++++++++ patches/common/finding-override-ws.diff | 24 +++-- patches/sagemaker.series | 3 + patches/web-embedded-with-terminal.series | 3 + patches/web-embedded.series | 3 + patches/web-server.series | 3 + 19 files changed, 466 insertions(+), 234 deletions(-) create mode 100644 patches/common/finding-override-form-data.diff create mode 100644 patches/common/finding-override-tar.diff create mode 100644 patches/common/finding-override-undici.diff diff --git a/LICENSE-THIRD-PARTY b/LICENSE-THIRD-PARTY index 96131fc..f80cb05 100644 --- a/LICENSE-THIRD-PARTY +++ b/LICENSE-THIRD-PARTY @@ -3979,6 +3979,47 @@ GitHub Copilot CLI License Use of the Software may require access to GitHub services and is subject to the applicable GitHub Terms of Service and GitHub Copilot terms. This License governs only rights related to the Software and does not grant any rights to access or use GitHub services. +****************************** + +@github/copilot-linuxmusl-x64 +1.0.50 +GitHub Copilot CLI License + +1. License Grant + Subject to the terms of this License, GitHub grants you a non‑exclusive, non‑transferable, royalty‑free license to install and run copies of the GitHub Copilot CLI (the “Software”). Subject to Section 2 below, GitHub also grants you the right to reproduce and redistribute unmodified copies of the Software as part of an application or service. + +2. Redistribution Rights and Conditions + You may reproduce and redistribute the Software only in accordance with all of the following conditions: + The Software is distributed only in unmodified form; + The Software is redistributed solely as part of an application or service that provides material functionality beyond the Software itself; + The Software is not distributed on a standalone basis or as a primary product; + You include a copy of this License and retain all applicable copyright, trademark, and attribution notices; and + Your application or service is licensed independently of the Software. + Nothing in this License restricts your choice of license for your application or service, including distribution under an open source license. This License applies solely to the Software and does not modify or supersede the license terms governing your application or its source code. + +3. Scope Limitations + This License does not grant you the right to: + Modify, adapt, translate, or create derivative works of the Software; + Redistribute the Software except as expressly permitted in Section 2; + Remove, alter, or obscure any proprietary notices included in the Software; or + Use GitHub trademarks, logos, or branding except as necessary to identify the Software. + +4. Reservation of Rights + GitHub and its licensors retain all right, title, and interest in and to the Software. All rights not expressly granted by this License are reserved. + +5. Disclaimer of Warranty + THE SOFTWARE IS PROVIDED “AS IS,” WITHOUT WARRANTY OF ANY KIND, EXPRESS, IMPLIED, OR STATUTORY, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON‑INFRINGEMENT. THE ENTIRE RISK ARISING OUT OF USE OF THE SOFTWARE REMAINS WITH YOU. + +6. Limitation of Liability + TO THE MAXIMUM EXTENT PERMITTED BY LAW, IN NO EVENT SHALL GITHUB OR ITS LICENSORS BE LIABLE FOR ANY DAMAGES ARISING OUT OF OR RELATING TO THIS LICENSE OR THE USE OR DISTRIBUTION OF THE SOFTWARE, WHETHER IN CONTRACT, TORT, OR OTHERWISE. + +7. Termination + This License terminates automatically if you fail to comply with its terms. Upon termination, you must cease all use and distribution of the Software. + +8. Notice Regarding GitHub Services (Informational Only) + Use of the Software may require access to GitHub services and is subject to the applicable GitHub Terms of Service and GitHub Copilot terms. This License governs only rights related to the Software and does not grant any rights to access or use GitHub services. + + ****************************** @github/copilot-sdk @@ -6918,7 +6959,7 @@ IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. ****************************** form-data -4.0.5 +4.0.6 Copyright (c) 2012 Felix Geisendörfer (felix@debuggable.com) and contributors Permission is hereby granted, free of charge, to any person obtaining a copy @@ -7146,7 +7187,7 @@ SOFTWARE. ****************************** hasown -2.0.2 +2.0.4 MIT License Copyright (c) Jordan Harband and contributors @@ -9041,7 +9082,7 @@ SOFTWARE. ****************************** shell-quote -1.8.3 +1.8.4 The MIT License Copyright (c) 2013 James Halliday (mail@substack.net) @@ -9173,7 +9214,7 @@ IN THE SOFTWARE. ****************************** tar -7.5.11 +7.5.16 # Blue Oak Model License Version 1.0.0 @@ -9451,7 +9492,7 @@ THE SOFTWARE. ****************************** undici -7.24.4 +7.28.0 MIT License Copyright (c) Matteo Collina and Undici contributors @@ -9882,7 +9923,7 @@ SOFTWARE. ****************************** ws -7.5.10 +7.5.11 The MIT License (MIT) Copyright (c) 2011 Einar Otto Stangvik @@ -9909,7 +9950,7 @@ SOFTWARE. ****************************** ws -8.20.1 +8.21.0 Copyright (c) 2011 Einar Otto Stangvik Copyright (c) 2013 Arnout Kazemier and contributors Copyright (c) 2016 Luigi Pinca and contributors diff --git a/overrides/LICENSE-THIRD-PARTY b/overrides/LICENSE-THIRD-PARTY index 96131fc..f80cb05 100644 --- a/overrides/LICENSE-THIRD-PARTY +++ b/overrides/LICENSE-THIRD-PARTY @@ -3979,6 +3979,47 @@ GitHub Copilot CLI License Use of the Software may require access to GitHub services and is subject to the applicable GitHub Terms of Service and GitHub Copilot terms. This License governs only rights related to the Software and does not grant any rights to access or use GitHub services. +****************************** + +@github/copilot-linuxmusl-x64 +1.0.50 +GitHub Copilot CLI License + +1. License Grant + Subject to the terms of this License, GitHub grants you a non‑exclusive, non‑transferable, royalty‑free license to install and run copies of the GitHub Copilot CLI (the “Software”). Subject to Section 2 below, GitHub also grants you the right to reproduce and redistribute unmodified copies of the Software as part of an application or service. + +2. Redistribution Rights and Conditions + You may reproduce and redistribute the Software only in accordance with all of the following conditions: + The Software is distributed only in unmodified form; + The Software is redistributed solely as part of an application or service that provides material functionality beyond the Software itself; + The Software is not distributed on a standalone basis or as a primary product; + You include a copy of this License and retain all applicable copyright, trademark, and attribution notices; and + Your application or service is licensed independently of the Software. + Nothing in this License restricts your choice of license for your application or service, including distribution under an open source license. This License applies solely to the Software and does not modify or supersede the license terms governing your application or its source code. + +3. Scope Limitations + This License does not grant you the right to: + Modify, adapt, translate, or create derivative works of the Software; + Redistribute the Software except as expressly permitted in Section 2; + Remove, alter, or obscure any proprietary notices included in the Software; or + Use GitHub trademarks, logos, or branding except as necessary to identify the Software. + +4. Reservation of Rights + GitHub and its licensors retain all right, title, and interest in and to the Software. All rights not expressly granted by this License are reserved. + +5. Disclaimer of Warranty + THE SOFTWARE IS PROVIDED “AS IS,” WITHOUT WARRANTY OF ANY KIND, EXPRESS, IMPLIED, OR STATUTORY, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON‑INFRINGEMENT. THE ENTIRE RISK ARISING OUT OF USE OF THE SOFTWARE REMAINS WITH YOU. + +6. Limitation of Liability + TO THE MAXIMUM EXTENT PERMITTED BY LAW, IN NO EVENT SHALL GITHUB OR ITS LICENSORS BE LIABLE FOR ANY DAMAGES ARISING OUT OF OR RELATING TO THIS LICENSE OR THE USE OR DISTRIBUTION OF THE SOFTWARE, WHETHER IN CONTRACT, TORT, OR OTHERWISE. + +7. Termination + This License terminates automatically if you fail to comply with its terms. Upon termination, you must cease all use and distribution of the Software. + +8. Notice Regarding GitHub Services (Informational Only) + Use of the Software may require access to GitHub services and is subject to the applicable GitHub Terms of Service and GitHub Copilot terms. This License governs only rights related to the Software and does not grant any rights to access or use GitHub services. + + ****************************** @github/copilot-sdk @@ -6918,7 +6959,7 @@ IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. ****************************** form-data -4.0.5 +4.0.6 Copyright (c) 2012 Felix Geisendörfer (felix@debuggable.com) and contributors Permission is hereby granted, free of charge, to any person obtaining a copy @@ -7146,7 +7187,7 @@ SOFTWARE. ****************************** hasown -2.0.2 +2.0.4 MIT License Copyright (c) Jordan Harband and contributors @@ -9041,7 +9082,7 @@ SOFTWARE. ****************************** shell-quote -1.8.3 +1.8.4 The MIT License Copyright (c) 2013 James Halliday (mail@substack.net) @@ -9173,7 +9214,7 @@ IN THE SOFTWARE. ****************************** tar -7.5.11 +7.5.16 # Blue Oak Model License Version 1.0.0 @@ -9451,7 +9492,7 @@ THE SOFTWARE. ****************************** undici -7.24.4 +7.28.0 MIT License Copyright (c) Matteo Collina and Undici contributors @@ -9882,7 +9923,7 @@ SOFTWARE. ****************************** ws -7.5.10 +7.5.11 The MIT License (MIT) Copyright (c) 2011 Einar Otto Stangvik @@ -9909,7 +9950,7 @@ SOFTWARE. ****************************** ws -8.20.1 +8.21.0 Copyright (c) 2011 Einar Otto Stangvik Copyright (c) 2013 Arnout Kazemier and contributors Copyright (c) 2016 Luigi Pinca and contributors diff --git a/package-lock-overrides/sagemaker.series/package-lock.json b/package-lock-overrides/sagemaker.series/package-lock.json index 7c2be75..97d32f8 100644 --- a/package-lock-overrides/sagemaker.series/package-lock.json +++ b/package-lock-overrides/sagemaker.series/package-lock.json @@ -49,6 +49,7 @@ "@xterm/headless": "^6.1.0-beta.197", "@xterm/xterm": "^6.1.0-beta.197", "chrome-remote-interface": "^0.33.0", + "http-proxy": "^1.18.1", "http-proxy-agent": "^7.0.0", "https-proxy-agent": "^7.0.2", "jschardet": "3.1.4", @@ -60,12 +61,13 @@ "open": "^10.1.2", "playwright-core": "1.59.1", "ssh2": "^1.16.0", + "tar": "^7.5.16", "tas-client": "0.3.1", - "undici": "^7.24.0", + "undici": "^7.28.0", "vscode-oniguruma": "1.7.0", "vscode-regexpp": "^3.1.0", "vscode-textmate": "^9.3.2", - "ws": "^8.20.1", + "ws": "^8.21.0", "yauzl": "^3.0.0", "yazl": "^2.4.3" }, @@ -78,6 +80,7 @@ "@types/debug": "^4.1.5", "@types/eslint": "^9.6.1", "@types/gulp-svgmin": "^1.2.1", + "@types/http-proxy": "^1.17.15", "@types/http-proxy-agent": "^2.0.1", "@types/kerberos": "^1.1.2", "@types/minimist": "^1.2.1", @@ -162,7 +165,7 @@ "sinon-test": "^3.1.3", "source-map": "0.6.1", "source-map-support": "^0.5.21", - "tar": "^7.5.9", + "tar": "^7.5.16", "tsec": "0.2.7", "tslib": "^2.6.3", "typescript": "^6.0.0-dev.20260416", @@ -2664,6 +2667,16 @@ "dev": true, "license": "MIT" }, + "node_modules/@types/http-proxy": { + "version": "1.17.17", + "resolved": "https://registry.npmjs.org/@types/http-proxy/-/http-proxy-1.17.17.tgz", + "integrity": "sha512-ED6LB+Z1AVylNTu7hdzuBqOgMnvG/ld6wGCG8wFnAzKX5uyW2K3WD52v0gnLCTK/VLpXtKckgWuyScYK6cSPaw==", + "dev": true, + "license": "MIT", + "dependencies": { + "@types/node": "*" + } + }, "node_modules/@types/http-proxy-agent": { "version": "2.0.1", "resolved": "https://registry.npmjs.org/@types/http-proxy-agent/-/http-proxy-agent-2.0.1.tgz", @@ -2753,23 +2766,6 @@ "form-data": "^3.0.0" } }, - "node_modules/@types/node-fetch/node_modules/form-data": { - "version": "3.0.4", - "resolved": "https://registry.npmjs.org/form-data/-/form-data-3.0.4.tgz", - "integrity": "sha512-f0cRzm6dkyVYV3nPoooP8XlccPQukegwhAnpoLcXy+X+A8KfpGOoXwDr9FLZd3wzgLaBGQBE3lY93Zm/i1JvIQ==", - "dev": true, - "license": "MIT", - "dependencies": { - "asynckit": "^0.4.0", - "combined-stream": "^1.0.8", - "es-set-tostringtag": "^2.1.0", - "hasown": "^2.0.2", - "mime-types": "^2.1.35" - }, - "engines": { - "node": ">= 6" - } - }, "node_modules/@types/responselike": { "version": "1.0.0", "resolved": "https://registry.npmjs.org/@types/responselike/-/responselike-1.0.0.tgz", @@ -5706,9 +5702,10 @@ "integrity": "sha512-b0553uYA5YAEGgyYIGYROzKQ7X5RAqedkfjiZxwi0kL1g3bOaBNNZfYkzt/CL0umgD5wc9Jec2FbB98CjkMRvQ==" }, "node_modules/chrome-remote-interface/node_modules/ws": { - "version": "7.5.10", - "resolved": "https://registry.npmjs.org/ws/-/ws-7.5.10.tgz", - "integrity": "sha512-+dbF1tHwZpXcbOJdVOkzLDxZP1ailvSxM6ZweXTegylPny803bFhA+vqBYw4s31NSAk4S2Qz+AKXK9a4wkdjcQ==", + "version": "7.5.11", + "resolved": "https://registry.npmjs.org/ws/-/ws-7.5.11.tgz", + "integrity": "sha512-zS54Oen9bITtp7kp2XM3AydrCIq1D+HwJOuH+c+e4LfpL/lotP5osijd+UoMnxwAam1GN8R4KtLAyIrIcBNpiA==", + "license": "MIT", "engines": { "node": ">=8.3.0" }, @@ -7785,6 +7782,12 @@ "through": "~2.3.1" } }, + "node_modules/eventemitter3": { + "version": "4.0.7", + "resolved": "https://registry.npmjs.org/eventemitter3/-/eventemitter3-4.0.7.tgz", + "integrity": "sha512-8guHBZCwKnFhYdHr2ysuRWErTwhoN2X8XELRlrRwpmfeY2jjuUN4taQMsULKUVo1K4DvZl+0pgfyoysHxvmvEw==", + "license": "MIT" + }, "node_modules/events": { "version": "3.3.0", "resolved": "https://registry.npmjs.org/events/-/events-3.3.0.tgz", @@ -8732,16 +8735,16 @@ } }, "node_modules/form-data": { - "version": "4.0.5", - "resolved": "https://registry.npmjs.org/form-data/-/form-data-4.0.5.tgz", - "integrity": "sha512-8RipRLol37bNs2bhoV67fiTEvdTrbMUYcFTiy3+wuuOnUog2QBHCZWXDRijWQfAkhBj2Uf5UnVaiWwA5vdd82w==", + "version": "4.0.6", + "resolved": "https://registry.npmjs.org/form-data/-/form-data-4.0.6.tgz", + "integrity": "sha512-vKatAh4SlVfgbv+YtmhiRjhEMJsYpsG1Y2rMQtR+SVSbytsSD1YGzDIcrAJmdFec88u/+VoGmxnl+80gL1tRCQ==", "license": "MIT", "dependencies": { "asynckit": "^0.4.0", "combined-stream": "^1.0.8", "es-set-tostringtag": "^2.1.0", - "hasown": "^2.0.2", - "mime-types": "^2.1.12" + "hasown": "^2.0.4", + "mime-types": "^2.1.35" }, "engines": { "node": ">= 6" @@ -11021,9 +11024,10 @@ } }, "node_modules/hasown": { - "version": "2.0.2", - "resolved": "https://registry.npmjs.org/hasown/-/hasown-2.0.2.tgz", - "integrity": "sha512-0hJU9SCPvmMzIBdZFqNPXWa6dqh7WdH0cII9y+CyS8rG3nL48Bclra9HmKhVVUHyPWNH5Y7xDwAB7bfgSjkUMQ==", + "version": "2.0.4", + "resolved": "https://registry.npmjs.org/hasown/-/hasown-2.0.4.tgz", + "integrity": "sha512-T2UbfbBEF32wiepXIsMlTW9+dDYC6wMh/t/vYA4tuOMKqWz/n3vr1NFSxQiyP+zk2mXsoMA/i/7qV6LKut1t1A==", + "license": "MIT", "dependencies": { "function-bind": "^1.1.2" }, @@ -11153,6 +11157,20 @@ "url": "https://opencollective.com/express" } }, + "node_modules/http-proxy": { + "version": "1.18.1", + "resolved": "https://registry.npmjs.org/http-proxy/-/http-proxy-1.18.1.tgz", + "integrity": "sha512-7mz/721AbnJwIVbnaSv1Cz3Am0ZLT/UBwkC92VlxhXv/k/BBQfM2fXElQNC27BVGr0uwUpplYPQM9LnaBMR5NQ==", + "license": "MIT", + "dependencies": { + "eventemitter3": "^4.0.0", + "follow-redirects": "^1.0.0", + "requires-port": "^1.0.0" + }, + "engines": { + "node": ">=8.0.0" + } + }, "node_modules/http-proxy-agent": { "version": "7.0.2", "resolved": "https://registry.npmjs.org/http-proxy-agent/-/http-proxy-agent-7.0.2.tgz", @@ -15917,8 +15935,7 @@ "node_modules/requires-port": { "version": "1.0.0", "resolved": "https://registry.npmjs.org/requires-port/-/requires-port-1.0.0.tgz", - "integrity": "sha512-KigOCHcocU3XODJxsu8i/j8T9tzT4adHiecwORRQ0ZZFcp7ahwXuRU1m+yuO90C5ZUyGeGfocHDI14M3L3yDAQ==", - "dev": true + "integrity": "sha512-KigOCHcocU3XODJxsu8i/j8T9tzT4adHiecwORRQ0ZZFcp7ahwXuRU1m+yuO90C5ZUyGeGfocHDI14M3L3yDAQ==" }, "node_modules/resolve": { "version": "1.22.1", @@ -17777,9 +17794,9 @@ } }, "node_modules/tar": { - "version": "7.5.11", - "resolved": "https://registry.npmjs.org/tar/-/tar-7.5.11.tgz", - "integrity": "sha512-ChjMH33/KetonMTAtpYdgUFr0tbz69Fp2v7zWxQfYZX4g5ZN2nOBXm1R2xyA+lMIKrLKIoKAwFj93jE/avX9cQ==", + "version": "7.5.16", + "resolved": "https://registry.npmjs.org/tar/-/tar-7.5.16.tgz", + "integrity": "sha512-56adEpPMouktRlBLXiaYFFzZ/3+JXa8P9n7WbR+ibIjtviN55mEaOkiysCnPnWm+7kkui1Dn8J9l+g6zV8731w==", "license": "BlueOak-1.0.0", "dependencies": { "@isaacs/fs-minipass": "^4.0.0", @@ -18612,9 +18629,9 @@ "dev": true }, "node_modules/undici": { - "version": "7.24.4", - "resolved": "https://registry.npmjs.org/undici/-/undici-7.24.4.tgz", - "integrity": "sha512-BM/JzwwaRXxrLdElV2Uo6cTLEjhSb3WXboncJamZ15NgUURmvlXvxa6xkwIOILIjPNo9i8ku136ZvWV0Uly8+w==", + "version": "7.28.0", + "resolved": "https://registry.npmjs.org/undici/-/undici-7.28.0.tgz", + "integrity": "sha512-cRZYrTDwWznlnRiPjggAGxZXanty6M8RV1ff8Wm4LWXBp7/IG8v5DnOm74DtUBp9OONpK75YlPnIjQqX0dBDtA==", "license": "MIT", "engines": { "node": ">=20.18.1" @@ -19393,9 +19410,9 @@ "dev": true }, "node_modules/ws": { - "version": "8.20.1", - "resolved": "https://registry.npmjs.org/ws/-/ws-8.20.1.tgz", - "integrity": "sha512-It4dO0K5v//JtTXuPkfEOaI3uUN87iYPnqo/ZzqCoG3g8uhA66QUMs/SrM0YK7/NAu+r4LMh/9dq2A7k+rHs+w==", + "version": "8.21.0", + "resolved": "https://registry.npmjs.org/ws/-/ws-8.21.0.tgz", + "integrity": "sha512-Vsp28b7DRcimFQvrqu2Wek3z1iYxDCWqHYB8Qsnk/S4RfaCQzPGPyBNuVjJV3cd6UiKtUtp6sNM77gWvzcCH+g==", "license": "MIT", "engines": { "node": ">=10.0.0" diff --git a/package-lock-overrides/sagemaker.series/remote/package-lock.json b/package-lock-overrides/sagemaker.series/remote/package-lock.json index 20fb39e..3c6fb49 100644 --- a/package-lock-overrides/sagemaker.series/remote/package-lock.json +++ b/package-lock-overrides/sagemaker.series/remote/package-lock.json @@ -36,6 +36,7 @@ "@xterm/headless": "^6.1.0-beta.197", "@xterm/xterm": "^6.1.0-beta.197", "cookie": "^0.7.0", + "http-proxy": "^1.18.1", "http-proxy-agent": "^7.0.0", "https-proxy-agent": "^7.0.2", "jschardet": "3.1.4", @@ -47,7 +48,7 @@ "vscode-oniguruma": "1.7.0", "vscode-regexpp": "^3.1.0", "vscode-textmate": "^9.3.2", - "ws": "^8.20.1", + "ws": "^8.21.0", "yauzl": "^3.0.0", "yazl": "^2.4.3" } @@ -961,6 +962,12 @@ "node": ">=8" } }, + "node_modules/eventemitter3": { + "version": "4.0.7", + "resolved": "https://registry.npmjs.org/eventemitter3/-/eventemitter3-4.0.7.tgz", + "integrity": "sha512-8guHBZCwKnFhYdHr2ysuRWErTwhoN2X8XELRlrRwpmfeY2jjuUN4taQMsULKUVo1K4DvZl+0pgfyoysHxvmvEw==", + "license": "MIT" + }, "node_modules/fd-slicer": { "version": "1.1.0", "resolved": "https://registry.npmjs.org/fd-slicer/-/fd-slicer-1.1.0.tgz", @@ -974,6 +981,26 @@ "resolved": "https://registry.npmjs.org/file-uri-to-path/-/file-uri-to-path-1.0.0.tgz", "integrity": "sha512-0Zt+s3L7Vf1biwWZ29aARiVYLx7iMGnEUl9x33fbB/j3jR81u/O2LbqK+Bm1CDSNDKVtJ/YjwY7TUd5SkeLQLw==" }, + "node_modules/follow-redirects": { + "version": "1.16.0", + "resolved": "https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.16.0.tgz", + "integrity": "sha512-y5rN/uOsadFT/JfYwhxRS5R7Qce+g3zG97+JrtFZlC9klX/W5hD7iiLzScI4nZqUS7DNUdhPgw4xI8W2LuXlUw==", + "funding": [ + { + "type": "individual", + "url": "https://github.com/sponsors/RubenVerborgh" + } + ], + "license": "MIT", + "engines": { + "node": ">=4.0" + }, + "peerDependenciesMeta": { + "debug": { + "optional": true + } + } + }, "node_modules/fs-extra": { "version": "11.2.0", "resolved": "https://registry.npmjs.org/fs-extra/-/fs-extra-11.2.0.tgz", @@ -992,6 +1019,20 @@ "resolved": "https://registry.npmjs.org/graceful-fs/-/graceful-fs-4.2.11.tgz", "integrity": "sha512-RbJ5/jmFcNNCcDV5o9eTnBLJ/HszWV0P73bc+Ff4nS/rJj+YaS6IGyiOL0VoBYX+l1Wrl3k63h/KrH+nhJ0XvQ==" }, + "node_modules/http-proxy": { + "version": "1.18.1", + "resolved": "https://registry.npmjs.org/http-proxy/-/http-proxy-1.18.1.tgz", + "integrity": "sha512-7mz/721AbnJwIVbnaSv1Cz3Am0ZLT/UBwkC92VlxhXv/k/BBQfM2fXElQNC27BVGr0uwUpplYPQM9LnaBMR5NQ==", + "license": "MIT", + "dependencies": { + "eventemitter3": "^4.0.0", + "follow-redirects": "^1.0.0", + "requires-port": "^1.0.0" + }, + "engines": { + "node": ">=8.0.0" + } + }, "node_modules/http-proxy-agent": { "version": "7.0.0", "resolved": "https://registry.npmjs.org/http-proxy-agent/-/http-proxy-agent-7.0.0.tgz", @@ -1202,6 +1243,12 @@ "resolved": "https://registry.npmjs.org/proxy-from-env/-/proxy-from-env-1.1.0.tgz", "integrity": "sha512-D+zkORCbA9f1tdWRK0RaCR3GPv50cMxcrz4X8k5LTSUD1Dkw47mKJEZQNunItRTkWwgtaUSo1RVFRIG9ZXiFYg==" }, + "node_modules/requires-port": { + "version": "1.0.0", + "resolved": "https://registry.npmjs.org/requires-port/-/requires-port-1.0.0.tgz", + "integrity": "sha512-KigOCHcocU3XODJxsu8i/j8T9tzT4adHiecwORRQ0ZZFcp7ahwXuRU1m+yuO90C5ZUyGeGfocHDI14M3L3yDAQ==", + "license": "MIT" + }, "node_modules/safer-buffer": { "version": "2.1.2", "resolved": "https://registry.npmjs.org/safer-buffer/-/safer-buffer-2.1.2.tgz", @@ -1273,9 +1320,9 @@ } }, "node_modules/tar": { - "version": "7.5.13", - "resolved": "https://registry.npmjs.org/tar/-/tar-7.5.13.tgz", - "integrity": "sha512-tOG/7GyXpFevhXVh8jOPJrmtRpOTsYqUIkVdVooZYJS/z8WhfQUX8RJILmeuJNinGAMSu1veBr4asSHFt5/hng==", + "version": "7.5.16", + "resolved": "https://registry.npmjs.org/tar/-/tar-7.5.16.tgz", + "integrity": "sha512-56adEpPMouktRlBLXiaYFFzZ/3+JXa8P9n7WbR+ibIjtviN55mEaOkiysCnPnWm+7kkui1Dn8J9l+g6zV8731w==", "license": "BlueOak-1.0.0", "dependencies": { "@isaacs/fs-minipass": "^4.0.0", @@ -1328,9 +1375,9 @@ "license": "Unlicense" }, "node_modules/undici": { - "version": "7.24.4", - "resolved": "https://registry.npmjs.org/undici/-/undici-7.24.4.tgz", - "integrity": "sha512-BM/JzwwaRXxrLdElV2Uo6cTLEjhSb3WXboncJamZ15NgUURmvlXvxa6xkwIOILIjPNo9i8ku136ZvWV0Uly8+w==", + "version": "7.28.0", + "resolved": "https://registry.npmjs.org/undici/-/undici-7.28.0.tgz", + "integrity": "sha512-cRZYrTDwWznlnRiPjggAGxZXanty6M8RV1ff8Wm4LWXBp7/IG8v5DnOm74DtUBp9OONpK75YlPnIjQqX0dBDtA==", "license": "MIT", "engines": { "node": ">=20.18.1" @@ -1389,9 +1436,9 @@ "license": "MIT" }, "node_modules/ws": { - "version": "8.20.1", - "resolved": "https://registry.npmjs.org/ws/-/ws-8.20.1.tgz", - "integrity": "sha512-It4dO0K5v//JtTXuPkfEOaI3uUN87iYPnqo/ZzqCoG3g8uhA66QUMs/SrM0YK7/NAu+r4LMh/9dq2A7k+rHs+w==", + "version": "8.21.0", + "resolved": "https://registry.npmjs.org/ws/-/ws-8.21.0.tgz", + "integrity": "sha512-Vsp28b7DRcimFQvrqu2Wek3z1iYxDCWqHYB8Qsnk/S4RfaCQzPGPyBNuVjJV3cd6UiKtUtp6sNM77gWvzcCH+g==", "license": "MIT", "engines": { "node": ">=10.0.0" diff --git a/package-lock-overrides/web-embedded-with-terminal.series/package-lock.json b/package-lock-overrides/web-embedded-with-terminal.series/package-lock.json index 7c2be75..3316f50 100644 --- a/package-lock-overrides/web-embedded-with-terminal.series/package-lock.json +++ b/package-lock-overrides/web-embedded-with-terminal.series/package-lock.json @@ -60,12 +60,13 @@ "open": "^10.1.2", "playwright-core": "1.59.1", "ssh2": "^1.16.0", + "tar": "^7.5.16", "tas-client": "0.3.1", - "undici": "^7.24.0", + "undici": "^7.28.0", "vscode-oniguruma": "1.7.0", "vscode-regexpp": "^3.1.0", "vscode-textmate": "^9.3.2", - "ws": "^8.20.1", + "ws": "^8.21.0", "yauzl": "^3.0.0", "yazl": "^2.4.3" }, @@ -162,7 +163,7 @@ "sinon-test": "^3.1.3", "source-map": "0.6.1", "source-map-support": "^0.5.21", - "tar": "^7.5.9", + "tar": "^7.5.16", "tsec": "0.2.7", "tslib": "^2.6.3", "typescript": "^6.0.0-dev.20260416", @@ -2753,23 +2754,6 @@ "form-data": "^3.0.0" } }, - "node_modules/@types/node-fetch/node_modules/form-data": { - "version": "3.0.4", - "resolved": "https://registry.npmjs.org/form-data/-/form-data-3.0.4.tgz", - "integrity": "sha512-f0cRzm6dkyVYV3nPoooP8XlccPQukegwhAnpoLcXy+X+A8KfpGOoXwDr9FLZd3wzgLaBGQBE3lY93Zm/i1JvIQ==", - "dev": true, - "license": "MIT", - "dependencies": { - "asynckit": "^0.4.0", - "combined-stream": "^1.0.8", - "es-set-tostringtag": "^2.1.0", - "hasown": "^2.0.2", - "mime-types": "^2.1.35" - }, - "engines": { - "node": ">= 6" - } - }, "node_modules/@types/responselike": { "version": "1.0.0", "resolved": "https://registry.npmjs.org/@types/responselike/-/responselike-1.0.0.tgz", @@ -5706,9 +5690,10 @@ "integrity": "sha512-b0553uYA5YAEGgyYIGYROzKQ7X5RAqedkfjiZxwi0kL1g3bOaBNNZfYkzt/CL0umgD5wc9Jec2FbB98CjkMRvQ==" }, "node_modules/chrome-remote-interface/node_modules/ws": { - "version": "7.5.10", - "resolved": "https://registry.npmjs.org/ws/-/ws-7.5.10.tgz", - "integrity": "sha512-+dbF1tHwZpXcbOJdVOkzLDxZP1ailvSxM6ZweXTegylPny803bFhA+vqBYw4s31NSAk4S2Qz+AKXK9a4wkdjcQ==", + "version": "7.5.11", + "resolved": "https://registry.npmjs.org/ws/-/ws-7.5.11.tgz", + "integrity": "sha512-zS54Oen9bITtp7kp2XM3AydrCIq1D+HwJOuH+c+e4LfpL/lotP5osijd+UoMnxwAam1GN8R4KtLAyIrIcBNpiA==", + "license": "MIT", "engines": { "node": ">=8.3.0" }, @@ -8732,16 +8717,16 @@ } }, "node_modules/form-data": { - "version": "4.0.5", - "resolved": "https://registry.npmjs.org/form-data/-/form-data-4.0.5.tgz", - "integrity": "sha512-8RipRLol37bNs2bhoV67fiTEvdTrbMUYcFTiy3+wuuOnUog2QBHCZWXDRijWQfAkhBj2Uf5UnVaiWwA5vdd82w==", + "version": "4.0.6", + "resolved": "https://registry.npmjs.org/form-data/-/form-data-4.0.6.tgz", + "integrity": "sha512-vKatAh4SlVfgbv+YtmhiRjhEMJsYpsG1Y2rMQtR+SVSbytsSD1YGzDIcrAJmdFec88u/+VoGmxnl+80gL1tRCQ==", "license": "MIT", "dependencies": { "asynckit": "^0.4.0", "combined-stream": "^1.0.8", "es-set-tostringtag": "^2.1.0", - "hasown": "^2.0.2", - "mime-types": "^2.1.12" + "hasown": "^2.0.4", + "mime-types": "^2.1.35" }, "engines": { "node": ">= 6" @@ -11021,9 +11006,10 @@ } }, "node_modules/hasown": { - "version": "2.0.2", - "resolved": "https://registry.npmjs.org/hasown/-/hasown-2.0.2.tgz", - "integrity": "sha512-0hJU9SCPvmMzIBdZFqNPXWa6dqh7WdH0cII9y+CyS8rG3nL48Bclra9HmKhVVUHyPWNH5Y7xDwAB7bfgSjkUMQ==", + "version": "2.0.4", + "resolved": "https://registry.npmjs.org/hasown/-/hasown-2.0.4.tgz", + "integrity": "sha512-T2UbfbBEF32wiepXIsMlTW9+dDYC6wMh/t/vYA4tuOMKqWz/n3vr1NFSxQiyP+zk2mXsoMA/i/7qV6LKut1t1A==", + "license": "MIT", "dependencies": { "function-bind": "^1.1.2" }, @@ -17777,9 +17763,9 @@ } }, "node_modules/tar": { - "version": "7.5.11", - "resolved": "https://registry.npmjs.org/tar/-/tar-7.5.11.tgz", - "integrity": "sha512-ChjMH33/KetonMTAtpYdgUFr0tbz69Fp2v7zWxQfYZX4g5ZN2nOBXm1R2xyA+lMIKrLKIoKAwFj93jE/avX9cQ==", + "version": "7.5.16", + "resolved": "https://registry.npmjs.org/tar/-/tar-7.5.16.tgz", + "integrity": "sha512-56adEpPMouktRlBLXiaYFFzZ/3+JXa8P9n7WbR+ibIjtviN55mEaOkiysCnPnWm+7kkui1Dn8J9l+g6zV8731w==", "license": "BlueOak-1.0.0", "dependencies": { "@isaacs/fs-minipass": "^4.0.0", @@ -18612,9 +18598,9 @@ "dev": true }, "node_modules/undici": { - "version": "7.24.4", - "resolved": "https://registry.npmjs.org/undici/-/undici-7.24.4.tgz", - "integrity": "sha512-BM/JzwwaRXxrLdElV2Uo6cTLEjhSb3WXboncJamZ15NgUURmvlXvxa6xkwIOILIjPNo9i8ku136ZvWV0Uly8+w==", + "version": "7.28.0", + "resolved": "https://registry.npmjs.org/undici/-/undici-7.28.0.tgz", + "integrity": "sha512-cRZYrTDwWznlnRiPjggAGxZXanty6M8RV1ff8Wm4LWXBp7/IG8v5DnOm74DtUBp9OONpK75YlPnIjQqX0dBDtA==", "license": "MIT", "engines": { "node": ">=20.18.1" @@ -19393,9 +19379,9 @@ "dev": true }, "node_modules/ws": { - "version": "8.20.1", - "resolved": "https://registry.npmjs.org/ws/-/ws-8.20.1.tgz", - "integrity": "sha512-It4dO0K5v//JtTXuPkfEOaI3uUN87iYPnqo/ZzqCoG3g8uhA66QUMs/SrM0YK7/NAu+r4LMh/9dq2A7k+rHs+w==", + "version": "8.21.0", + "resolved": "https://registry.npmjs.org/ws/-/ws-8.21.0.tgz", + "integrity": "sha512-Vsp28b7DRcimFQvrqu2Wek3z1iYxDCWqHYB8Qsnk/S4RfaCQzPGPyBNuVjJV3cd6UiKtUtp6sNM77gWvzcCH+g==", "license": "MIT", "engines": { "node": ">=10.0.0" diff --git a/package-lock-overrides/web-embedded-with-terminal.series/remote/package-lock.json b/package-lock-overrides/web-embedded-with-terminal.series/remote/package-lock.json index 7b0bfc6..0fb1c5c 100644 --- a/package-lock-overrides/web-embedded-with-terminal.series/remote/package-lock.json +++ b/package-lock-overrides/web-embedded-with-terminal.series/remote/package-lock.json @@ -47,7 +47,7 @@ "vscode-oniguruma": "1.7.0", "vscode-regexpp": "^3.1.0", "vscode-textmate": "^9.3.2", - "ws": "^8.20.1", + "ws": "^8.21.0", "yauzl": "^3.0.0", "yazl": "^2.4.3" } @@ -1209,9 +1209,9 @@ "license": "MIT" }, "node_modules/shell-quote": { - "version": "1.8.3", - "resolved": "https://registry.npmjs.org/shell-quote/-/shell-quote-1.8.3.tgz", - "integrity": "sha512-ObmnIF4hXNg1BqhnHmgbDETF8dLPCggZWBjkQfhZpbszZnYur5DUljTcCHii5LC3J5E0yeO/1LIMyH+UvHQgyw==", + "version": "1.8.4", + "resolved": "https://registry.npmjs.org/shell-quote/-/shell-quote-1.8.4.tgz", + "integrity": "sha512-VsC6n6vz1ihYYyZZwX7YZSF5l5x36ca17OC+a69h94YqB7X6XLwf+5MOgynYir2SLFUbl8gIYvBo8K8RoNQ6bQ==", "license": "MIT", "engines": { "node": ">= 0.4" @@ -1273,9 +1273,9 @@ } }, "node_modules/tar": { - "version": "7.5.13", - "resolved": "https://registry.npmjs.org/tar/-/tar-7.5.13.tgz", - "integrity": "sha512-tOG/7GyXpFevhXVh8jOPJrmtRpOTsYqUIkVdVooZYJS/z8WhfQUX8RJILmeuJNinGAMSu1veBr4asSHFt5/hng==", + "version": "7.5.16", + "resolved": "https://registry.npmjs.org/tar/-/tar-7.5.16.tgz", + "integrity": "sha512-56adEpPMouktRlBLXiaYFFzZ/3+JXa8P9n7WbR+ibIjtviN55mEaOkiysCnPnWm+7kkui1Dn8J9l+g6zV8731w==", "license": "BlueOak-1.0.0", "dependencies": { "@isaacs/fs-minipass": "^4.0.0", @@ -1328,9 +1328,9 @@ "license": "Unlicense" }, "node_modules/undici": { - "version": "7.24.4", - "resolved": "https://registry.npmjs.org/undici/-/undici-7.24.4.tgz", - "integrity": "sha512-BM/JzwwaRXxrLdElV2Uo6cTLEjhSb3WXboncJamZ15NgUURmvlXvxa6xkwIOILIjPNo9i8ku136ZvWV0Uly8+w==", + "version": "7.28.0", + "resolved": "https://registry.npmjs.org/undici/-/undici-7.28.0.tgz", + "integrity": "sha512-cRZYrTDwWznlnRiPjggAGxZXanty6M8RV1ff8Wm4LWXBp7/IG8v5DnOm74DtUBp9OONpK75YlPnIjQqX0dBDtA==", "license": "MIT", "engines": { "node": ">=20.18.1" @@ -1389,9 +1389,9 @@ "license": "MIT" }, "node_modules/ws": { - "version": "8.20.1", - "resolved": "https://registry.npmjs.org/ws/-/ws-8.20.1.tgz", - "integrity": "sha512-It4dO0K5v//JtTXuPkfEOaI3uUN87iYPnqo/ZzqCoG3g8uhA66QUMs/SrM0YK7/NAu+r4LMh/9dq2A7k+rHs+w==", + "version": "8.21.0", + "resolved": "https://registry.npmjs.org/ws/-/ws-8.21.0.tgz", + "integrity": "sha512-Vsp28b7DRcimFQvrqu2Wek3z1iYxDCWqHYB8Qsnk/S4RfaCQzPGPyBNuVjJV3cd6UiKtUtp6sNM77gWvzcCH+g==", "license": "MIT", "engines": { "node": ">=10.0.0" diff --git a/package-lock-overrides/web-embedded.series/package-lock.json b/package-lock-overrides/web-embedded.series/package-lock.json index 7c2be75..3316f50 100644 --- a/package-lock-overrides/web-embedded.series/package-lock.json +++ b/package-lock-overrides/web-embedded.series/package-lock.json @@ -60,12 +60,13 @@ "open": "^10.1.2", "playwright-core": "1.59.1", "ssh2": "^1.16.0", + "tar": "^7.5.16", "tas-client": "0.3.1", - "undici": "^7.24.0", + "undici": "^7.28.0", "vscode-oniguruma": "1.7.0", "vscode-regexpp": "^3.1.0", "vscode-textmate": "^9.3.2", - "ws": "^8.20.1", + "ws": "^8.21.0", "yauzl": "^3.0.0", "yazl": "^2.4.3" }, @@ -162,7 +163,7 @@ "sinon-test": "^3.1.3", "source-map": "0.6.1", "source-map-support": "^0.5.21", - "tar": "^7.5.9", + "tar": "^7.5.16", "tsec": "0.2.7", "tslib": "^2.6.3", "typescript": "^6.0.0-dev.20260416", @@ -2753,23 +2754,6 @@ "form-data": "^3.0.0" } }, - "node_modules/@types/node-fetch/node_modules/form-data": { - "version": "3.0.4", - "resolved": "https://registry.npmjs.org/form-data/-/form-data-3.0.4.tgz", - "integrity": "sha512-f0cRzm6dkyVYV3nPoooP8XlccPQukegwhAnpoLcXy+X+A8KfpGOoXwDr9FLZd3wzgLaBGQBE3lY93Zm/i1JvIQ==", - "dev": true, - "license": "MIT", - "dependencies": { - "asynckit": "^0.4.0", - "combined-stream": "^1.0.8", - "es-set-tostringtag": "^2.1.0", - "hasown": "^2.0.2", - "mime-types": "^2.1.35" - }, - "engines": { - "node": ">= 6" - } - }, "node_modules/@types/responselike": { "version": "1.0.0", "resolved": "https://registry.npmjs.org/@types/responselike/-/responselike-1.0.0.tgz", @@ -5706,9 +5690,10 @@ "integrity": "sha512-b0553uYA5YAEGgyYIGYROzKQ7X5RAqedkfjiZxwi0kL1g3bOaBNNZfYkzt/CL0umgD5wc9Jec2FbB98CjkMRvQ==" }, "node_modules/chrome-remote-interface/node_modules/ws": { - "version": "7.5.10", - "resolved": "https://registry.npmjs.org/ws/-/ws-7.5.10.tgz", - "integrity": "sha512-+dbF1tHwZpXcbOJdVOkzLDxZP1ailvSxM6ZweXTegylPny803bFhA+vqBYw4s31NSAk4S2Qz+AKXK9a4wkdjcQ==", + "version": "7.5.11", + "resolved": "https://registry.npmjs.org/ws/-/ws-7.5.11.tgz", + "integrity": "sha512-zS54Oen9bITtp7kp2XM3AydrCIq1D+HwJOuH+c+e4LfpL/lotP5osijd+UoMnxwAam1GN8R4KtLAyIrIcBNpiA==", + "license": "MIT", "engines": { "node": ">=8.3.0" }, @@ -8732,16 +8717,16 @@ } }, "node_modules/form-data": { - "version": "4.0.5", - "resolved": "https://registry.npmjs.org/form-data/-/form-data-4.0.5.tgz", - "integrity": "sha512-8RipRLol37bNs2bhoV67fiTEvdTrbMUYcFTiy3+wuuOnUog2QBHCZWXDRijWQfAkhBj2Uf5UnVaiWwA5vdd82w==", + "version": "4.0.6", + "resolved": "https://registry.npmjs.org/form-data/-/form-data-4.0.6.tgz", + "integrity": "sha512-vKatAh4SlVfgbv+YtmhiRjhEMJsYpsG1Y2rMQtR+SVSbytsSD1YGzDIcrAJmdFec88u/+VoGmxnl+80gL1tRCQ==", "license": "MIT", "dependencies": { "asynckit": "^0.4.0", "combined-stream": "^1.0.8", "es-set-tostringtag": "^2.1.0", - "hasown": "^2.0.2", - "mime-types": "^2.1.12" + "hasown": "^2.0.4", + "mime-types": "^2.1.35" }, "engines": { "node": ">= 6" @@ -11021,9 +11006,10 @@ } }, "node_modules/hasown": { - "version": "2.0.2", - "resolved": "https://registry.npmjs.org/hasown/-/hasown-2.0.2.tgz", - "integrity": "sha512-0hJU9SCPvmMzIBdZFqNPXWa6dqh7WdH0cII9y+CyS8rG3nL48Bclra9HmKhVVUHyPWNH5Y7xDwAB7bfgSjkUMQ==", + "version": "2.0.4", + "resolved": "https://registry.npmjs.org/hasown/-/hasown-2.0.4.tgz", + "integrity": "sha512-T2UbfbBEF32wiepXIsMlTW9+dDYC6wMh/t/vYA4tuOMKqWz/n3vr1NFSxQiyP+zk2mXsoMA/i/7qV6LKut1t1A==", + "license": "MIT", "dependencies": { "function-bind": "^1.1.2" }, @@ -17777,9 +17763,9 @@ } }, "node_modules/tar": { - "version": "7.5.11", - "resolved": "https://registry.npmjs.org/tar/-/tar-7.5.11.tgz", - "integrity": "sha512-ChjMH33/KetonMTAtpYdgUFr0tbz69Fp2v7zWxQfYZX4g5ZN2nOBXm1R2xyA+lMIKrLKIoKAwFj93jE/avX9cQ==", + "version": "7.5.16", + "resolved": "https://registry.npmjs.org/tar/-/tar-7.5.16.tgz", + "integrity": "sha512-56adEpPMouktRlBLXiaYFFzZ/3+JXa8P9n7WbR+ibIjtviN55mEaOkiysCnPnWm+7kkui1Dn8J9l+g6zV8731w==", "license": "BlueOak-1.0.0", "dependencies": { "@isaacs/fs-minipass": "^4.0.0", @@ -18612,9 +18598,9 @@ "dev": true }, "node_modules/undici": { - "version": "7.24.4", - "resolved": "https://registry.npmjs.org/undici/-/undici-7.24.4.tgz", - "integrity": "sha512-BM/JzwwaRXxrLdElV2Uo6cTLEjhSb3WXboncJamZ15NgUURmvlXvxa6xkwIOILIjPNo9i8ku136ZvWV0Uly8+w==", + "version": "7.28.0", + "resolved": "https://registry.npmjs.org/undici/-/undici-7.28.0.tgz", + "integrity": "sha512-cRZYrTDwWznlnRiPjggAGxZXanty6M8RV1ff8Wm4LWXBp7/IG8v5DnOm74DtUBp9OONpK75YlPnIjQqX0dBDtA==", "license": "MIT", "engines": { "node": ">=20.18.1" @@ -19393,9 +19379,9 @@ "dev": true }, "node_modules/ws": { - "version": "8.20.1", - "resolved": "https://registry.npmjs.org/ws/-/ws-8.20.1.tgz", - "integrity": "sha512-It4dO0K5v//JtTXuPkfEOaI3uUN87iYPnqo/ZzqCoG3g8uhA66QUMs/SrM0YK7/NAu+r4LMh/9dq2A7k+rHs+w==", + "version": "8.21.0", + "resolved": "https://registry.npmjs.org/ws/-/ws-8.21.0.tgz", + "integrity": "sha512-Vsp28b7DRcimFQvrqu2Wek3z1iYxDCWqHYB8Qsnk/S4RfaCQzPGPyBNuVjJV3cd6UiKtUtp6sNM77gWvzcCH+g==", "license": "MIT", "engines": { "node": ">=10.0.0" diff --git a/package-lock-overrides/web-embedded.series/remote/package-lock.json b/package-lock-overrides/web-embedded.series/remote/package-lock.json index 7b0bfc6..0fb1c5c 100644 --- a/package-lock-overrides/web-embedded.series/remote/package-lock.json +++ b/package-lock-overrides/web-embedded.series/remote/package-lock.json @@ -47,7 +47,7 @@ "vscode-oniguruma": "1.7.0", "vscode-regexpp": "^3.1.0", "vscode-textmate": "^9.3.2", - "ws": "^8.20.1", + "ws": "^8.21.0", "yauzl": "^3.0.0", "yazl": "^2.4.3" } @@ -1209,9 +1209,9 @@ "license": "MIT" }, "node_modules/shell-quote": { - "version": "1.8.3", - "resolved": "https://registry.npmjs.org/shell-quote/-/shell-quote-1.8.3.tgz", - "integrity": "sha512-ObmnIF4hXNg1BqhnHmgbDETF8dLPCggZWBjkQfhZpbszZnYur5DUljTcCHii5LC3J5E0yeO/1LIMyH+UvHQgyw==", + "version": "1.8.4", + "resolved": "https://registry.npmjs.org/shell-quote/-/shell-quote-1.8.4.tgz", + "integrity": "sha512-VsC6n6vz1ihYYyZZwX7YZSF5l5x36ca17OC+a69h94YqB7X6XLwf+5MOgynYir2SLFUbl8gIYvBo8K8RoNQ6bQ==", "license": "MIT", "engines": { "node": ">= 0.4" @@ -1273,9 +1273,9 @@ } }, "node_modules/tar": { - "version": "7.5.13", - "resolved": "https://registry.npmjs.org/tar/-/tar-7.5.13.tgz", - "integrity": "sha512-tOG/7GyXpFevhXVh8jOPJrmtRpOTsYqUIkVdVooZYJS/z8WhfQUX8RJILmeuJNinGAMSu1veBr4asSHFt5/hng==", + "version": "7.5.16", + "resolved": "https://registry.npmjs.org/tar/-/tar-7.5.16.tgz", + "integrity": "sha512-56adEpPMouktRlBLXiaYFFzZ/3+JXa8P9n7WbR+ibIjtviN55mEaOkiysCnPnWm+7kkui1Dn8J9l+g6zV8731w==", "license": "BlueOak-1.0.0", "dependencies": { "@isaacs/fs-minipass": "^4.0.0", @@ -1328,9 +1328,9 @@ "license": "Unlicense" }, "node_modules/undici": { - "version": "7.24.4", - "resolved": "https://registry.npmjs.org/undici/-/undici-7.24.4.tgz", - "integrity": "sha512-BM/JzwwaRXxrLdElV2Uo6cTLEjhSb3WXboncJamZ15NgUURmvlXvxa6xkwIOILIjPNo9i8ku136ZvWV0Uly8+w==", + "version": "7.28.0", + "resolved": "https://registry.npmjs.org/undici/-/undici-7.28.0.tgz", + "integrity": "sha512-cRZYrTDwWznlnRiPjggAGxZXanty6M8RV1ff8Wm4LWXBp7/IG8v5DnOm74DtUBp9OONpK75YlPnIjQqX0dBDtA==", "license": "MIT", "engines": { "node": ">=20.18.1" @@ -1389,9 +1389,9 @@ "license": "MIT" }, "node_modules/ws": { - "version": "8.20.1", - "resolved": "https://registry.npmjs.org/ws/-/ws-8.20.1.tgz", - "integrity": "sha512-It4dO0K5v//JtTXuPkfEOaI3uUN87iYPnqo/ZzqCoG3g8uhA66QUMs/SrM0YK7/NAu+r4LMh/9dq2A7k+rHs+w==", + "version": "8.21.0", + "resolved": "https://registry.npmjs.org/ws/-/ws-8.21.0.tgz", + "integrity": "sha512-Vsp28b7DRcimFQvrqu2Wek3z1iYxDCWqHYB8Qsnk/S4RfaCQzPGPyBNuVjJV3cd6UiKtUtp6sNM77gWvzcCH+g==", "license": "MIT", "engines": { "node": ">=10.0.0" diff --git a/package-lock-overrides/web-server.series/package-lock.json b/package-lock-overrides/web-server.series/package-lock.json index cd7080b..97d32f8 100644 --- a/package-lock-overrides/web-server.series/package-lock.json +++ b/package-lock-overrides/web-server.series/package-lock.json @@ -61,12 +61,13 @@ "open": "^10.1.2", "playwright-core": "1.59.1", "ssh2": "^1.16.0", + "tar": "^7.5.16", "tas-client": "0.3.1", - "undici": "^7.24.0", + "undici": "^7.28.0", "vscode-oniguruma": "1.7.0", "vscode-regexpp": "^3.1.0", "vscode-textmate": "^9.3.2", - "ws": "^8.20.1", + "ws": "^8.21.0", "yauzl": "^3.0.0", "yazl": "^2.4.3" }, @@ -164,7 +165,7 @@ "sinon-test": "^3.1.3", "source-map": "0.6.1", "source-map-support": "^0.5.21", - "tar": "^7.5.9", + "tar": "^7.5.16", "tsec": "0.2.7", "tslib": "^2.6.3", "typescript": "^6.0.0-dev.20260416", @@ -2765,23 +2766,6 @@ "form-data": "^3.0.0" } }, - "node_modules/@types/node-fetch/node_modules/form-data": { - "version": "3.0.4", - "resolved": "https://registry.npmjs.org/form-data/-/form-data-3.0.4.tgz", - "integrity": "sha512-f0cRzm6dkyVYV3nPoooP8XlccPQukegwhAnpoLcXy+X+A8KfpGOoXwDr9FLZd3wzgLaBGQBE3lY93Zm/i1JvIQ==", - "dev": true, - "license": "MIT", - "dependencies": { - "asynckit": "^0.4.0", - "combined-stream": "^1.0.8", - "es-set-tostringtag": "^2.1.0", - "hasown": "^2.0.2", - "mime-types": "^2.1.35" - }, - "engines": { - "node": ">= 6" - } - }, "node_modules/@types/responselike": { "version": "1.0.0", "resolved": "https://registry.npmjs.org/@types/responselike/-/responselike-1.0.0.tgz", @@ -5718,9 +5702,10 @@ "integrity": "sha512-b0553uYA5YAEGgyYIGYROzKQ7X5RAqedkfjiZxwi0kL1g3bOaBNNZfYkzt/CL0umgD5wc9Jec2FbB98CjkMRvQ==" }, "node_modules/chrome-remote-interface/node_modules/ws": { - "version": "7.5.10", - "resolved": "https://registry.npmjs.org/ws/-/ws-7.5.10.tgz", - "integrity": "sha512-+dbF1tHwZpXcbOJdVOkzLDxZP1ailvSxM6ZweXTegylPny803bFhA+vqBYw4s31NSAk4S2Qz+AKXK9a4wkdjcQ==", + "version": "7.5.11", + "resolved": "https://registry.npmjs.org/ws/-/ws-7.5.11.tgz", + "integrity": "sha512-zS54Oen9bITtp7kp2XM3AydrCIq1D+HwJOuH+c+e4LfpL/lotP5osijd+UoMnxwAam1GN8R4KtLAyIrIcBNpiA==", + "license": "MIT", "engines": { "node": ">=8.3.0" }, @@ -8750,16 +8735,16 @@ } }, "node_modules/form-data": { - "version": "4.0.5", - "resolved": "https://registry.npmjs.org/form-data/-/form-data-4.0.5.tgz", - "integrity": "sha512-8RipRLol37bNs2bhoV67fiTEvdTrbMUYcFTiy3+wuuOnUog2QBHCZWXDRijWQfAkhBj2Uf5UnVaiWwA5vdd82w==", + "version": "4.0.6", + "resolved": "https://registry.npmjs.org/form-data/-/form-data-4.0.6.tgz", + "integrity": "sha512-vKatAh4SlVfgbv+YtmhiRjhEMJsYpsG1Y2rMQtR+SVSbytsSD1YGzDIcrAJmdFec88u/+VoGmxnl+80gL1tRCQ==", "license": "MIT", "dependencies": { "asynckit": "^0.4.0", "combined-stream": "^1.0.8", "es-set-tostringtag": "^2.1.0", - "hasown": "^2.0.2", - "mime-types": "^2.1.12" + "hasown": "^2.0.4", + "mime-types": "^2.1.35" }, "engines": { "node": ">= 6" @@ -11039,9 +11024,10 @@ } }, "node_modules/hasown": { - "version": "2.0.2", - "resolved": "https://registry.npmjs.org/hasown/-/hasown-2.0.2.tgz", - "integrity": "sha512-0hJU9SCPvmMzIBdZFqNPXWa6dqh7WdH0cII9y+CyS8rG3nL48Bclra9HmKhVVUHyPWNH5Y7xDwAB7bfgSjkUMQ==", + "version": "2.0.4", + "resolved": "https://registry.npmjs.org/hasown/-/hasown-2.0.4.tgz", + "integrity": "sha512-T2UbfbBEF32wiepXIsMlTW9+dDYC6wMh/t/vYA4tuOMKqWz/n3vr1NFSxQiyP+zk2mXsoMA/i/7qV6LKut1t1A==", + "license": "MIT", "dependencies": { "function-bind": "^1.1.2" }, @@ -17808,9 +17794,9 @@ } }, "node_modules/tar": { - "version": "7.5.11", - "resolved": "https://registry.npmjs.org/tar/-/tar-7.5.11.tgz", - "integrity": "sha512-ChjMH33/KetonMTAtpYdgUFr0tbz69Fp2v7zWxQfYZX4g5ZN2nOBXm1R2xyA+lMIKrLKIoKAwFj93jE/avX9cQ==", + "version": "7.5.16", + "resolved": "https://registry.npmjs.org/tar/-/tar-7.5.16.tgz", + "integrity": "sha512-56adEpPMouktRlBLXiaYFFzZ/3+JXa8P9n7WbR+ibIjtviN55mEaOkiysCnPnWm+7kkui1Dn8J9l+g6zV8731w==", "license": "BlueOak-1.0.0", "dependencies": { "@isaacs/fs-minipass": "^4.0.0", @@ -18643,9 +18629,9 @@ "dev": true }, "node_modules/undici": { - "version": "7.24.4", - "resolved": "https://registry.npmjs.org/undici/-/undici-7.24.4.tgz", - "integrity": "sha512-BM/JzwwaRXxrLdElV2Uo6cTLEjhSb3WXboncJamZ15NgUURmvlXvxa6xkwIOILIjPNo9i8ku136ZvWV0Uly8+w==", + "version": "7.28.0", + "resolved": "https://registry.npmjs.org/undici/-/undici-7.28.0.tgz", + "integrity": "sha512-cRZYrTDwWznlnRiPjggAGxZXanty6M8RV1ff8Wm4LWXBp7/IG8v5DnOm74DtUBp9OONpK75YlPnIjQqX0dBDtA==", "license": "MIT", "engines": { "node": ">=20.18.1" @@ -19424,9 +19410,9 @@ "dev": true }, "node_modules/ws": { - "version": "8.20.1", - "resolved": "https://registry.npmjs.org/ws/-/ws-8.20.1.tgz", - "integrity": "sha512-It4dO0K5v//JtTXuPkfEOaI3uUN87iYPnqo/ZzqCoG3g8uhA66QUMs/SrM0YK7/NAu+r4LMh/9dq2A7k+rHs+w==", + "version": "8.21.0", + "resolved": "https://registry.npmjs.org/ws/-/ws-8.21.0.tgz", + "integrity": "sha512-Vsp28b7DRcimFQvrqu2Wek3z1iYxDCWqHYB8Qsnk/S4RfaCQzPGPyBNuVjJV3cd6UiKtUtp6sNM77gWvzcCH+g==", "license": "MIT", "engines": { "node": ">=10.0.0" diff --git a/package-lock-overrides/web-server.series/remote/package-lock.json b/package-lock-overrides/web-server.series/remote/package-lock.json index 1fb6e0a..3c6fb49 100644 --- a/package-lock-overrides/web-server.series/remote/package-lock.json +++ b/package-lock-overrides/web-server.series/remote/package-lock.json @@ -48,7 +48,7 @@ "vscode-oniguruma": "1.7.0", "vscode-regexpp": "^3.1.0", "vscode-textmate": "^9.3.2", - "ws": "^8.20.1", + "ws": "^8.21.0", "yauzl": "^3.0.0", "yazl": "^2.4.3" } @@ -1320,9 +1320,9 @@ } }, "node_modules/tar": { - "version": "7.5.13", - "resolved": "https://registry.npmjs.org/tar/-/tar-7.5.13.tgz", - "integrity": "sha512-tOG/7GyXpFevhXVh8jOPJrmtRpOTsYqUIkVdVooZYJS/z8WhfQUX8RJILmeuJNinGAMSu1veBr4asSHFt5/hng==", + "version": "7.5.16", + "resolved": "https://registry.npmjs.org/tar/-/tar-7.5.16.tgz", + "integrity": "sha512-56adEpPMouktRlBLXiaYFFzZ/3+JXa8P9n7WbR+ibIjtviN55mEaOkiysCnPnWm+7kkui1Dn8J9l+g6zV8731w==", "license": "BlueOak-1.0.0", "dependencies": { "@isaacs/fs-minipass": "^4.0.0", @@ -1375,9 +1375,9 @@ "license": "Unlicense" }, "node_modules/undici": { - "version": "7.24.4", - "resolved": "https://registry.npmjs.org/undici/-/undici-7.24.4.tgz", - "integrity": "sha512-BM/JzwwaRXxrLdElV2Uo6cTLEjhSb3WXboncJamZ15NgUURmvlXvxa6xkwIOILIjPNo9i8ku136ZvWV0Uly8+w==", + "version": "7.28.0", + "resolved": "https://registry.npmjs.org/undici/-/undici-7.28.0.tgz", + "integrity": "sha512-cRZYrTDwWznlnRiPjggAGxZXanty6M8RV1ff8Wm4LWXBp7/IG8v5DnOm74DtUBp9OONpK75YlPnIjQqX0dBDtA==", "license": "MIT", "engines": { "node": ">=20.18.1" @@ -1436,9 +1436,9 @@ "license": "MIT" }, "node_modules/ws": { - "version": "8.20.1", - "resolved": "https://registry.npmjs.org/ws/-/ws-8.20.1.tgz", - "integrity": "sha512-It4dO0K5v//JtTXuPkfEOaI3uUN87iYPnqo/ZzqCoG3g8uhA66QUMs/SrM0YK7/NAu+r4LMh/9dq2A7k+rHs+w==", + "version": "8.21.0", + "resolved": "https://registry.npmjs.org/ws/-/ws-8.21.0.tgz", + "integrity": "sha512-Vsp28b7DRcimFQvrqu2Wek3z1iYxDCWqHYB8Qsnk/S4RfaCQzPGPyBNuVjJV3cd6UiKtUtp6sNM77gWvzcCH+g==", "license": "MIT", "engines": { "node": ">=10.0.0" diff --git a/patches/common/finding-override-form-data.diff b/patches/common/finding-override-form-data.diff new file mode 100644 index 0000000..8b4fa7a --- /dev/null +++ b/patches/common/finding-override-form-data.diff @@ -0,0 +1,20 @@ +Override form-data to ^4.0.6 to fix CVE-2026-12143. + +@generated +@generator: scripts/patches/apply-override.sh --patch common/finding-override-form-data.diff --override 'global:form-data=^4.0.6' +@override-package: form-data@^4.0.6 + +Index: b/package.json +=================================================================== +--- a/package.json ++++ b/package.json +@@ -261,7 +261,8 @@ + "ws": "^7.5.11" + }, + "@github/copilot": "^1.0.43", +- "undici": "^7.28.0" ++ "undici": "^7.28.0", ++ "form-data": "^4.0.6" + }, + "repository": { + "type": "git", diff --git a/patches/common/finding-override-github-copilot.diff b/patches/common/finding-override-github-copilot.diff index ad0fd0c..83a9864 100644 --- a/patches/common/finding-override-github-copilot.diff +++ b/patches/common/finding-override-github-copilot.diff @@ -9,12 +9,12 @@ Index: b/package.json =================================================================== --- a/package.json +++ b/package.json -@@ -255,7 +255,8 @@ - "follow-redirects": "^1.16.0", - "uuid": "^14.0.0", - "ip-address": "^10.1.1", -- "axios": "^1.15.2" -+ "axios": "^1.15.2", +@@ -258,7 +258,8 @@ + "axios": "^1.15.2", + "chrome-remote-interface": { + "ws": "^7.5.11" +- } ++ }, + "@github/copilot": "^1.0.43" }, "repository": { diff --git a/patches/common/finding-override-tar.diff b/patches/common/finding-override-tar.diff new file mode 100644 index 0000000..15d25af --- /dev/null +++ b/patches/common/finding-override-tar.diff @@ -0,0 +1,42 @@ +Override tar to ^7.5.16 to fix CVE-2026-53655. + +@generated +@generator: scripts/patches/apply-override.sh --patch common/finding-override-tar.diff --override 'direct:tar=^7.5.16' --override 'direct-dev:tar=^7.5.16' --override 'remote/package.json@global:tar=^7.5.16' +@override-package: tar@^7.5.16 + +Index: b/package.json +=================================================================== +--- a/package.json ++++ b/package.json +@@ -140,7 +140,8 @@ + "vscode-textmate": "^9.3.2", + "ws": "^8.21.0", + "yauzl": "^3.0.0", +- "yazl": "^2.4.3" ++ "yazl": "^2.4.3", ++ "tar": "^7.5.16" + }, + "devDependencies": { + "@playwright/cli": "^0.1.9", +@@ -236,7 +237,7 @@ + "sinon-test": "^3.1.3", + "source-map": "0.6.1", + "source-map-support": "^0.5.21", +- "tar": "^7.5.9", ++ "tar": "^7.5.16", + "tsec": "0.2.7", + "tslib": "^2.6.3", + "typescript": "^6.0.0-dev.20260416", +Index: b/remote/package.json +=================================================================== +--- a/remote/package.json ++++ b/remote/package.json +@@ -56,6 +56,7 @@ + "uuid": "^14.0.0", + "ip-address": "^10.1.1", + "@github/copilot": "^1.0.43", +- "undici": "^7.28.0" ++ "undici": "^7.28.0", ++ "tar": "^7.5.16" + } + } diff --git a/patches/common/finding-override-undici.diff b/patches/common/finding-override-undici.diff new file mode 100644 index 0000000..8f3c53c --- /dev/null +++ b/patches/common/finding-override-undici.diff @@ -0,0 +1,42 @@ +Override undici to ^7.28.0 to fix CVE-2026-6734, CVE-2026-9697, CVE-2026-12151. + +@generated +@generator: scripts/patches/apply-override.sh --patch common/finding-override-undici.diff --override 'direct:undici=^7.28.0' --override 'global:undici=^7.28.0' --override 'remote/package.json@global:undici=^7.28.0' +@override-package: undici@^7.28.0 + +Index: b/package.json +=================================================================== +--- a/package.json ++++ b/package.json +@@ -134,7 +134,7 @@ + "playwright-core": "1.59.1", + "ssh2": "^1.16.0", + "tas-client": "0.3.1", +- "undici": "^7.24.0", ++ "undici": "^7.28.0", + "vscode-oniguruma": "1.7.0", + "vscode-regexpp": "^3.1.0", + "vscode-textmate": "^9.3.2", +@@ -260,7 +260,8 @@ + "chrome-remote-interface": { + "ws": "^7.5.11" + }, +- "@github/copilot": "^1.0.43" ++ "@github/copilot": "^1.0.43", ++ "undici": "^7.28.0" + }, + "repository": { + "type": "git", +Index: b/remote/package.json +=================================================================== +--- a/remote/package.json ++++ b/remote/package.json +@@ -55,6 +55,7 @@ + }, + "uuid": "^14.0.0", + "ip-address": "^10.1.1", +- "@github/copilot": "^1.0.43" ++ "@github/copilot": "^1.0.43", ++ "undici": "^7.28.0" + } + } diff --git a/patches/common/finding-override-ws.diff b/patches/common/finding-override-ws.diff index 0653b05..5d58546 100644 --- a/patches/common/finding-override-ws.diff +++ b/patches/common/finding-override-ws.diff @@ -1,9 +1,9 @@ -Override ws to ^8.20.1. -Remove when upstream Code-OSS updates ws to >= 8.20.1. +Override ws to ^8.21.0 and nested chrome-remote-interface ws to ^7.5.11 to fix CVE-2026-48779. @generated -@generator: scripts/patches/apply-override.sh --patch common/finding-override-ws.diff --override 'direct:ws=^8.20.1' --override 'remote/package.json@direct:ws=^8.20.1' -@override-package: ws@^8.20.1 +@generator: scripts/patches/apply-override.sh --patch common/finding-override-ws.diff --override 'direct:ws=^8.21.0' --override 'remote/package.json@direct:ws=^8.21.0' --override 'nested:chrome-remote-interface:ws=^7.5.11' +@override-package: ws@^8.21.0 +@override-package: ws@^7.5.11 Index: b/package.json =================================================================== @@ -14,10 +14,22 @@ Index: b/package.json "vscode-regexpp": "^3.1.0", "vscode-textmate": "^9.3.2", - "ws": "^8.19.0", -+ "ws": "^8.20.1", ++ "ws": "^8.21.0", "yauzl": "^3.0.0", "yazl": "^2.4.3" }, +@@ -255,7 +255,10 @@ + "follow-redirects": "^1.16.0", + "uuid": "^14.0.0", + "ip-address": "^10.1.1", +- "axios": "^1.15.2" ++ "axios": "^1.15.2", ++ "chrome-remote-interface": { ++ "ws": "^7.5.11" ++ } + }, + "repository": { + "type": "git", Index: b/remote/package.json =================================================================== --- a/remote/package.json @@ -27,7 +39,7 @@ Index: b/remote/package.json "vscode-regexpp": "^3.1.0", "vscode-textmate": "^9.3.2", - "ws": "^8.19.0", -+ "ws": "^8.20.1", ++ "ws": "^8.21.0", "yauzl": "^3.0.0", "yazl": "^2.4.3" }, diff --git a/patches/sagemaker.series b/patches/sagemaker.series index a23e156..8d24aa6 100644 --- a/patches/sagemaker.series +++ b/patches/sagemaker.series @@ -69,3 +69,6 @@ common/ghsa-credential-provider-host-match.diff common/ghsa-snippets-path-traversal.diff common/ghsa-remote-hosts-loopback.diff common/add-openvsx-verification-check.diff +common/finding-override-undici.diff +common/finding-override-form-data.diff +common/finding-override-tar.diff diff --git a/patches/web-embedded-with-terminal.series b/patches/web-embedded-with-terminal.series index 22b7e60..2470dd7 100644 --- a/patches/web-embedded-with-terminal.series +++ b/patches/web-embedded-with-terminal.series @@ -66,3 +66,6 @@ common/ghsa-credential-provider-host-match.diff common/ghsa-snippets-path-traversal.diff common/ghsa-remote-hosts-loopback.diff common/add-openvsx-verification-check.diff +common/finding-override-undici.diff +common/finding-override-form-data.diff +common/finding-override-tar.diff diff --git a/patches/web-embedded.series b/patches/web-embedded.series index f85d772..080d86f 100644 --- a/patches/web-embedded.series +++ b/patches/web-embedded.series @@ -69,3 +69,6 @@ common/ghsa-credential-provider-host-match.diff common/ghsa-snippets-path-traversal.diff common/ghsa-remote-hosts-loopback.diff common/add-openvsx-verification-check.diff +common/finding-override-undici.diff +common/finding-override-form-data.diff +common/finding-override-tar.diff diff --git a/patches/web-server.series b/patches/web-server.series index 8709405..9d1cd89 100644 --- a/patches/web-server.series +++ b/patches/web-server.series @@ -48,3 +48,6 @@ common/ghsa-credential-provider-host-match.diff common/ghsa-snippets-path-traversal.diff common/ghsa-remote-hosts-loopback.diff common/add-openvsx-verification-check.diff +common/finding-override-undici.diff +common/finding-override-form-data.diff +common/finding-override-tar.diff