Fix CVE-2026-29074 by updating svgo to patched version #670

Open

sbouchet wants to merge 3 commits into che-incubator:main from sbouchet:CVE-2026-29074

Conversation

sbouchet (Collaborator) commented Mar 20, 2026

What does this PR do?

This PR fixes CVE-2026-29074.

svgo version is updated to latest 2.8.2

What issues does this PR fix?

https://redhat.atlassian.net/browse/CRW-10422
https://redhat.atlassian.net/browse/CRW-10425

How to test this PR?

Does this PR contain changes that override default upstream Code-OSS behavior?

  • the PR contains changes in the code folder (you can skip it if your changes are placed in a che extension)
  • the corresponding items were added to the CHANGELOG.md file
  • rules for automatic git rebase were added to the .rebase folder

Summary by CodeRabbit

Chores

  • Added svgo library as a project dependency.

Signed-off-by: Stephane Bouchet <sbouchet@redhat.com>
Signed-off-by: Stephane Bouchet <sbouchet@redhat.com>
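The PR raises the svgo range in code/package.json to ^2.8.1 while the description names 2.8.2 as the patched release, and package-lock.json was excluded from the automated review; what actually ships is the version the lockfile resolves, including any nested copy pulled in by another dependency. As an added example (not part of this PR or the che-code project), a small check that reads an npm lockfile in the v2/v3 "packages" layout (assumed) and lists every resolved copy of a package below an assumed floor of 2.8.2; the lockfile content below is constructed.

```python
import json
import re

# Constructed lockfile fragment in the npm lockfileVersion 2/3 "packages"
# layout; not taken from the PR (its package-lock.json was not reviewed).
SAMPLE_LOCK = json.dumps({
    "name": "code-oss-dev",
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"svgo": "^2.8.1"}},
        "node_modules/svgo": {"version": "2.8.2"},
        "node_modules/some-tool": {"version": "1.0.0"},
        # A second, nested copy resolved for a transitive dependency.
        "node_modules/some-tool/node_modules/svgo": {"version": "2.8.1"},
    },
})


def parse_version(v):
    """Return a comparable tuple for a plain 'MAJOR.MINOR.PATCH' string."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", v)
    if not m:
        raise ValueError(f"unsupported version string: {v!r}")
    return tuple(int(x) for x in m.groups())


def find_installed(lock_text, name):
    """Map every install path of `name` (top-level or nested) to its version."""
    lock = json.loads(lock_text)
    if "packages" not in lock:
        raise ValueError("expected lockfileVersion 2 or 3 with a 'packages' map")
    suffix = "node_modules/" + name
    return {path: entry["version"]
            for path, entry in lock["packages"].items()
            if path == suffix or path.endswith("/" + suffix)}


def below_floor(lock_text, name, floor):
    """Return {path: version} for every copy resolved below the patched floor."""
    floor_t = parse_version(floor)
    return {p: v for p, v in find_installed(lock_text, name).items()
            if parse_version(v) < floor_t}


if __name__ == "__main__":
    # Assumed floor: the 2.8.2 release named in the PR description.
    for path, version in below_floor(SAMPLE_LOCK, "svgo", "2.8.2").items():
        print(f"{path}: {version} is below 2.8.2")
```

Run it against a real package-lock.json by replacing SAMPLE_LOCK with the file's contents; an empty result means every resolved copy meets the floor.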

github-actions bot commented Mar 20, 2026

Click here to review and test in web IDE: Contribute

Signed-off-by: Stephane Bouchet <sbouchet@redhat.com>

coderabbitai bot commented Mar 20, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: f8df3e60-b4cc-449b-8bce-e192570644ed

📥 Commits

Reviewing files that changed from the base of the PR and between 326f665 and 07980b6.

⛔ Files ignored due to path filters (1)
  • code/package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (3)
  • .rebase/CHANGELOG.md
  • .rebase/add/code/package.json
  • code/package.json

📝 Walkthrough

This PR adds the svgo SVG optimization library as a dependency to the project across the codebase and documents the addition in the changelog to track the dependency version change.

Changes

Cohort / File(s): Changelog Update (.rebase/CHANGELOG.md)
  Summary: Added changelog entry for PR #670 documenting the code/package.json modification.

Cohort / File(s): Dependency Addition (.rebase/add/code/package.json, code/package.json)
  Summary: Added svgo dependency at version ^2.8.1 to the dependencies section, enabling SVG optimization capabilities.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Suggested reviewers

  • rgrunber
  • azatsarynnyy
  • vitaliy-guliy
  • RomanNikitenko

Poem

🐰 With whiskers twitching, I hop with glee,
For svgo comes to optimize,
Our SVGs now clean and light,
Vectors trimmed with such delight!
A tiny change, but oh so bright!

🚥 Pre-merge checks | ✅ 3 passed

Description Check: ✅ Passed. Check skipped - CodeRabbit's high-level summary is enabled.
Title check: ✅ Passed. The title directly and clearly summarizes the main change: fixing a CVE vulnerability by updating the svgo dependency to a patched version, which aligns with the primary objective of this PR.
Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

