Fix false positive CVE alerts by setting package name to code-oss-dev (#7839 )

The VS Code build process sets the bundled lib/vscode/package.json name to "code-server" (from product.json nameShort), causing vulnerability scanners to misidentify it and flag non-applicable CVEs. Override the name to "code-oss-dev" in build-release.sh after merging package.json. Fixes #7071 Signed-off-by: ka-ishimoto <ka-ishimoto@kddi.com>
2026-06-11 20:47:10 +02:00 · 2026-06-10 11:59:45 -08:00
2 changed files with 4 additions and 2 deletions
--- a/ci/build/build-release.sh
+++ b/ci/build/build-release.sh
@@ -128,7 +128,9 @@ bundle_vscode() {
  # Merge the package.json for the web/remote server so we can include
  # dependencies, since we want to ship this via NPM.
-  jq --slurp '.[0] * .[1]' \
+  # Also override the name to prevent vulnerability scanners from
  # misidentifying this package as VS Code (see #7071).
  jq --slurp '.[0] * .[1] | .name = "code-oss-dev"' \
    "$VSCODE_SRC_PATH/remote/package.json" \
    "$VSCODE_OUT_PATH/package.json" > "$VSCODE_OUT_PATH/package.json.merged"
  mv "$VSCODE_OUT_PATH/package.json.merged" "$VSCODE_OUT_PATH/package.json"
--- a/lib/vscode
+++ b/lib/vscode