Fix CVE-2025-7783 by updating form-data to patched versions

[sbouchet]

What does this PR do?

This PR fixes CVE-2025-7783.

form-data versions are updated to latest versions:
3.0.x -> 3.0.4
4.0.x -> 4.0.5

What issues does this PR fix?

https://github.com/che-incubator/che-code/security/dependabot/37
https://github.com/che-incubator/che-code/security/dependabot/86
https://github.com/che-incubator/che-code/security/dependabot/41

How to test this PR?

Does this PR contain changes that override default upstream Code-OSS behavior?

• the PR contains changes in the code folder (you can skip it if your changes are placed in a che extension )
• the corresponding items were added to the CHANGELOG.md file
• rules for automatic git rebase were added to the .rebase folder

Summary by CodeRabbit

• Chores
  • Updated dependency resolution configurations across multiple modules to standardize package versions.
  • Enhanced build conflict resolution handling for improved reliability during integration processes.

[github-actions]

Click here to review and test in web IDE:

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: d7725ad4-ff7c-4b09-9c62-16fd9a65e5ff

📥 Commits

Reviewing files that changed from the base of the PR and between 326f665 and efebca6.

⛔ Files ignored due to path filters (3)

• code/extensions/github-authentication/package-lock.json is excluded by !**/package-lock.json
• code/extensions/notebook-renderers/package-lock.json is excluded by !**/package-lock.json
• code/test/smoke/package-lock.json is excluded by !**/package-lock.json

📒 Files selected for processing (8)

• .rebase/CHANGELOG.md
• .rebase/add/code/extensions/github-authentication/package.json
• .rebase/add/code/extensions/notebook-renderers/package.json
• .rebase/add/code/test/smoke/package.json
• code/extensions/github-authentication/package.json
• code/extensions/notebook-renderers/package.json
• code/test/smoke/package.json
• rebase.sh

---

📝 Walkthrough

Walkthrough

This PR introduces npm dependency overrides for the form-data package across multiple package.json files in the codebase (github-authentication, notebook-renderers, and smoke test directories), specifying version constraints. The rebase script is updated to automatically handle conflicts for these package.json files during rebasing.

Changes

Cohort / File(s)	Summary
Changelog .rebase/CHANGELOG.md	Added entry for PR #669 documenting the form-data dependency override changes across three package.json paths.
Rebase Configuration .rebase/add/code/extensions/github-authentication/package.json, .rebase/add/code/extensions/notebook-renderers/package.json, .rebase/add/code/test/smoke/package.json	New override configuration files added to force specific form-data versions (^3.0.4, ^4.0.5, and ^3.0.4 respectively) during package resolution.
Package Overrides code/extensions/github-authentication/package.json, code/extensions/notebook-renderers/package.json, code/test/smoke/package.json	Added overrides entries to existing package.json files constraining form-data dependency versions to ^3.0.4, ^4.0.5, and ^3.0.4 respectively.
Rebase Script rebase.sh	Extended resolve_conflicts() function with automatic conflict resolution handlers for the three updated package.json files, preventing manual intervention during rebasing.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

• Fix CVEs by updating undici to patched versions #668 — Both PRs modify package.json overrides entries and extend rebase conflict-resolution rules to handle additional package.json paths.

Suggested reviewers

• rgrunber
• azatsarynnyy
• vitaliy-guliy
• RomanNikitenko

Poem

🐰 Hopping through dependencies with care,
Form-data versions pinned everywhere,
Three packages tamed with overrides true,
Rebase conflicts solved—no more ado!
A rabbit's code rebases smooth and fair. 🌱

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title directly and specifically describes the main change: fixing CVE-2025-7783 by updating form-data to patched versions, which aligns with the PR's core objective.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

📝 Coding Plan

• Generate coding plan for human review comments

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[sbouchet]

@coderabbitai help

[coderabbitai]

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.

CodeRabbit commands

These commands are invoked using PR/Issue comments.

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai evaluate custom pre-merge check --instructions <custom-checks-instructions> --name <custom-checks-title> [--mode <error|warning>] to validate the custom pre-merge checks instructions. Defaults to error when --mode is omitted.
  • @coderabbitai ignore pre-merge checks to override pre-merge checks and get an approval on PR.
  • @coderabbitai run pre-merge checks to run pre-merge checks on the pull request.
  • @coderabbitai plan to generate a coding prompt for all unresolved human review comments in this PR.
• @coderabbitai generate docstrings to generate docstrings for this PR.
• @coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
• @coderabbitai generate unit tests to generate unit tests for this PR.
• @coderabbitai fix merge conflict to automatically resolve merge conflicts.
• @coderabbitai autofix to automatically fix issues identified in unresolved review comments.
• @coderabbitai resolve to resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai generate configuration to create a PR that adds the current resolved configuration as .coderabbit.yaml (or show it if already present).
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore or @coderabbit ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit configuration file (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• You can also validate your configuration using the online YAML validator.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Status, support, documentation and community

• Visit our status page to check the current availability of CodeRabbit.
• Create a ticket on our support page for assistance with any issues or questions.
• Visit our documentation site for detailed information on how to use CodeRabbit.
• Join our Discord community to connect with other users and get help from the community.
• Follow us on X/Twitter for updates and announcements.

[github-actions]

Pull Request images published ✨

Editor amd64: quay.io/che-incubator-pull-requests/che-code:pr-669-amd64
Editor arm64: quay.io/che-incubator-pull-requests/che-code:pr-669-arm64
Dev image: quay.io/che-incubator-pull-requests/che-code-dev:pr-669-dev-amd64

[github-actions]

Pull Request images published ✨

Editor amd64: quay.io/che-incubator-pull-requests/che-code:pr-669-amd64
Editor arm64: quay.io/che-incubator-pull-requests/che-code:pr-669-arm64
Dev image: quay.io/che-incubator-pull-requests/che-code-dev:pr-669-dev-amd64

[sbouchet]

@coderabbitai full review

[coderabbitai]

✅ Actions performed

Full review triggered.