coder/code-server
1
0
Fork 0
mirror of https://github.com/coder/code-server.git synced 2026-06-10 16:56:57 -05:00
Code Issues Packages Projects Releases 202 Wiki Activity

Fix false positive CVE alerts by setting package name to code-oss-dev (#7839)

Browse Source 
The VS Code build process sets the bundled lib/vscode/package.json name to "code-server" (from product.json nameShort), causing vulnerability scanners to misidentify it and flag non-applicable CVEs. Override the name to "code-oss-dev" in build-release.sh after merging package.json.
Fixes #7071

Signed-off-by: ka-ishimoto <ka-ishimoto@kddi.com>
This commit is contained in:
ka-ishimoto
2026-06-11 04:59:45 +09:00
committed by GitHub
parent d0d53d924e
commit 92a7dce46f
1 changed files with 3 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
ci/build/build-release.sh
View File

@@ -128,7 +128,9 @@ bundle_vscode() {
# Merge the package.json for the web/remote server so we can include
# dependencies, since we want to ship this via NPM.
jq --slurp '.[0] * .[1]' \
# Also override the name to prevent vulnerability scanners from
# misidentifying this package as VS Code (see #7071).
jq --slurp '.[0] * .[1] | .name = "code-oss-dev"' \
"$VSCODE_SRC_PATH/remote/package.json" \
"$VSCODE_OUT_PATH/package.json" > "$VSCODE_OUT_PATH/package.json.merged"
mv "$VSCODE_OUT_PATH/package.json.merged" "$VSCODE_OUT_PATH/package.json"