Hi Team,
We are using this code-server extension in our Docker container, with the steps below to install it in the container:
Downloading the linux-arm64 version from the release
Extracting the tar and copying the code-server folder into /use/bin/
And we have added a command in supervisor.conf to run code-server with the port and host
To summarize the above steps, I am following the standalone release section of the install page.
Recently we have been receiving a vulnerability finding related to npm, and when I checked, it is showing version 1.0.1 installed, which is inside the extension/package.json file. As we are extracting the deployed tar file, the vulnerability is getting popped up from the code-server folder. Now I am not sure how to get the latest version there in the deployed file.
Can someone please suggest anything? Or is there any other approach that I should follow?
-
Which package are you seeing the vulnerability for? Usually anything in the extensions directory is a false positive (see #6332). The extensions have names that collide with npm packages, so the tools think they are vulnerable, but really they are unrelated.
-
There are so many; the total count in the CVE list is 31 from our Mend (Qualys) security scan report. Some of them, like npm alone, have 7 CVEs popping up.
Below are the packages:
- Pug-code-gen
- Pug
- Npm
- Markdown
- Jason
- Ini
- Handlebars
- Grunt
- Diff
- Debug
- Brace-expansion
I have gone through the thread but couldn't understand how I can mark them as false positives. I know they are false positives, but the Qualys scan says they are positive and I am not able to convince our vulnerability scan department further. Is there any approach that I can try, like deleting the folders for the above packages? Being a developer, I should not say that deleting a specific package from the package folder will help me, but say, for example, I am installing npm separately; should I then delete the npm extension library?
Further details:
All the vulnerability descriptions start with the below:
Nodejs (npm) Security Update for 'package_name' (GHSA-some_random_number)
-
If your team is not willing or is unable to mark false positives as false positives (I am not familiar with Mend), then maybe you could try deleting the entire lib/vscode/extensions directory before running the scanner.
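A small triage script, added here as an example and not code from code-server or from anyone in this thread, that takes a documenting route instead of deleting files: it lists the package.json manifests under lib/vscode/extensions in an extracted tree and separates VS Code extension manifests (the false positives discussed above) from genuine npm package manifests that a scanner should still examine. The `engines.vscode`/`publisher` heuristic and the sample tree it builds are assumptions constructed for this example.

```python
# Added triage helper (not code-server's own code): separates VS Code extension
# manifests under lib/vscode/extensions, the false positives this thread is about,
# from real npm package manifests a scanner should still examine. Assumption: an
# extension manifest carries "engines.vscode" and/or "publisher"; npm libraries don't.
import json
import tempfile
from pathlib import Path

EXT_SUBDIR = Path("lib") / "vscode" / "extensions"


def is_vscode_extension_manifest(manifest: dict) -> bool:
    """Heuristic (assumption): extension manifests declare a VS Code engine or publisher."""
    return "vscode" in (manifest.get("engines") or {}) or "publisher" in manifest


def collect_extension_manifests(root: str) -> list[dict]:
    """One record per package.json under <root>/lib/vscode/extensions."""
    found = []
    for path in sorted((Path(root) / EXT_SUBDIR).rglob("package.json")):
        try:
            data = json.loads(path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or not JSON: leave it for the scanner to judge
        found.append({"path": path.relative_to(root).as_posix(),
                      "name": data.get("name", "?"),
                      "version": data.get("version", "?"),
                      "is_extension": is_vscode_extension_manifest(data)})
    return found


def suppression_list(root: str) -> list[str]:
    """Manifest paths to document for the scan team as known false positives."""
    return [m["path"] for m in collect_extension_manifests(root) if m["is_extension"]]


def build_sample_tree() -> str:
    """Constructed sample tree (not a real release) so the script runs stand-alone."""
    root = Path(tempfile.mkdtemp())
    ext = root / EXT_SUBDIR
    # Built-in extension whose name collides with the npm package "markdown".
    (ext / "markdown").mkdir(parents=True)
    (ext / "markdown" / "package.json").write_text(json.dumps(
        {"name": "markdown", "version": "1.0.0", "publisher": "vscode",
         "engines": {"vscode": "^1.0.0"}}))
    # A genuine npm dependency vendored under an extension: keep this in the scan.
    dep = ext / "other-ext" / "node_modules" / "example-lib"
    dep.mkdir(parents=True)
    (dep / "package.json").write_text(json.dumps({"name": "example-lib", "version": "1.2.3"}))
    return str(root)
```

Run `suppression_list("/path/to/extracted/code-server")` against a real extracted release to get the manifest paths to hand to the scan team.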
-
Deleting the entire extension folder is not helpful. So I have deleted all the affected package.json files from the extension folder. That way I was able to remove all but 1.
There is one more CVE that I couldn't fix: CVE-2025-47269
NodeJs (npm) security update for code-server (GHSA-p483-wpfp-42cj)
Currently I am using the latest code-server, 1.104.0.
In the report it is pointing to the below path:
/Lib/vscode/package.json
Why is the CVE suggestion saying to use code-server 4.99.4?
I tried deleting that package.json 😂; it started throwing so many warnings afterwards. It should not be deleted.
Please suggest something on this last CVE.
-
That is another false positive, caused by #7071.
-
By the way, if you are trying to run code-server with these deleted package.json files, I am not sure that will work. It may cause the builtin extensions to not load at all. They should only be deleted for the scanner and not when distributed to end users.
Possibly you could try renaming the names in the package.json files instead, but I am not sure that will work.