From 491ff12df6be5be3b850fa2d2f855b5c6f8bd31c Mon Sep 17 00:00:00 2001 From: Austin Jang Date: Tue, 14 Apr 2026 20:40:55 +0000 Subject: [PATCH 1/2] Update the Electron version to 40.6.0 to resolve the CVE-2026-2441 --- patched-vscode/package.json | 2 +- patched-vscode/remote/yarn.lock | 6 +- .../electron-main/utilityProcess.ts | 2 +- .../contrib/files/browser/fileActions.ts | 2 +- .../terminal/browser/terminalInstance.ts | 2 +- patched-vscode/yarn.lock | 12 +- patches/electron-update.patch | 201 +++++++++--------- 7 files changed, 118 insertions(+), 109 deletions(-) diff --git a/patched-vscode/package.json b/patched-vscode/package.json index b7d6b2854..fd855d510 100644 --- a/patched-vscode/package.json +++ b/patched-vscode/package.json @@ -149,7 +149,7 @@ "cssnano": "^6.0.3", "debounce": "^1.0.0", "deemon": "^1.8.0", - "electron": "38.7.1", + "electron": "40.6.0", "eslint": "8.36.0", "eslint-plugin-header": "3.1.1", "eslint-plugin-jsdoc": "^46.5.0", diff --git a/patched-vscode/remote/yarn.lock b/patched-vscode/remote/yarn.lock index 43918876c..867443074 100644 --- a/patched-vscode/remote/yarn.lock +++ b/patched-vscode/remote/yarn.lock @@ -587,9 +587,9 @@ strip-json-comments@~2.0.1: integrity sha1-PFMZQukIwml8DsNEhYwobHygpgo= tar-fs@^2.0.0: - version "2.1.3" - resolved "https://registry.yarnpkg.com/tar-fs/-/tar-fs-2.1.3.tgz#fb3b8843a26b6f13a08e606f7922875eb1fbbf92" - integrity sha512-090nwYJDmlhwFwEW3QQl+vaNnxsO2yVsd45eTKRBzSzu+hlb1w2K9inVq5b0ngXuLVqQ4ApvsUHHnu/zQNkWAg== + version "2.1.2" + resolved "https://registry.yarnpkg.com/tar-fs/-/tar-fs-2.1.2.tgz#425f154f3404cb16cb8ff6e671d45ab2ed9596c5" + integrity sha512-EsaAXwxmx8UB7FRKqeozqEPop69DXcmYwTQwXvyAPF352HJsPdkVhvTaDPYqfNgruveJIJy3TA2l+2zj8LJIJA== dependencies: chownr "^1.1.1" mkdirp-classic "^0.5.2" diff --git a/patched-vscode/src/vs/platform/utilityProcess/electron-main/utilityProcess.ts b/patched-vscode/src/vs/platform/utilityProcess/electron-main/utilityProcess.ts index bfa2c0cb4..9e65cff8c 100644 --- a/patched-vscode/src/vs/platform/utilityProcess/electron-main/utilityProcess.ts +++ b/patched-vscode/src/vs/platform/utilityProcess/electron-main/utilityProcess.ts @@ -128,7 +128,7 @@ export interface IUtilityProcessCrashEvent extends IUtilityProcessExitBaseEvent /** * The reason of the utility process crash. */ - readonly reason: 'clean-exit' | 'abnormal-exit' | 'killed' | 'crashed' | 'oom' | 'launch-failed' | 'integrity-failure'; + readonly reason: 'clean-exit' | 'abnormal-exit' | 'killed' | 'crashed' | 'oom' | 'launch-failed' | 'integrity-failure' | 'memory-eviction'; } export interface IUtilityProcessInfo { diff --git a/patched-vscode/src/vs/workbench/contrib/files/browser/fileActions.ts b/patched-vscode/src/vs/workbench/contrib/files/browser/fileActions.ts index 465138485..3d5a5fcba 100644 --- a/patched-vscode/src/vs/workbench/contrib/files/browser/fileActions.ts +++ b/patched-vscode/src/vs/workbench/contrib/files/browser/fileActions.ts @@ -60,7 +60,7 @@ import { KeyChord, KeyCode, KeyMod } from 'vs/base/common/keyCodes'; import { Categories } from 'vs/platform/action/common/actionCommonCategories'; import { ILocalizedString } from 'vs/platform/action/common/action'; import { VSBuffer } from 'vs/base/common/buffer'; -import { getPathForFile } from '../../../../platform/dnd/browser/dnd.js'; +import { getPathForFile } from '../../../../platform/dnd/browser/dnd'; export const NEW_FILE_COMMAND_ID = 'explorer.newFile'; export const NEW_FILE_LABEL = nls.localize2('newFile', "New File..."); diff --git a/patched-vscode/src/vs/workbench/contrib/terminal/browser/terminalInstance.ts b/patched-vscode/src/vs/workbench/contrib/terminal/browser/terminalInstance.ts index a330f9dd9..5cf13eedf 100644 --- a/patched-vscode/src/vs/workbench/contrib/terminal/browser/terminalInstance.ts +++ b/patched-vscode/src/vs/workbench/contrib/terminal/browser/terminalInstance.ts @@ -31,7 +31,7 @@ import { IClipboardService } from 'vs/platform/clipboard/common/clipboardService import { ICommandService } from 'vs/platform/commands/common/commands'; import { IConfigurationService } from 'vs/platform/configuration/common/configuration'; import { IContextKey, IContextKeyService } from 'vs/platform/contextkey/common/contextkey'; -import { CodeDataTransfers, containsDragType, getPathForFile } from '../../../../platform/dnd/browser/dnd.js'; +import { CodeDataTransfers, containsDragType, getPathForFile } from '../../../../platform/dnd/browser/dnd'; import { FileSystemProviderCapabilities, IFileService } from 'vs/platform/files/common/files'; import { IInstantiationService } from 'vs/platform/instantiation/common/instantiation'; import { ServiceCollection } from 'vs/platform/instantiation/common/serviceCollection'; diff --git a/patched-vscode/yarn.lock b/patched-vscode/yarn.lock index 4d02c39b1..04ea9592e 100644 --- a/patched-vscode/yarn.lock +++ b/patched-vscode/yarn.lock @@ -4732,9 +4732,9 @@ form-data@^3.0.0: mime-types "^2.1.12" form-data@^4.0.0: - version "4.0.4" - resolved "https://registry.yarnpkg.com/form-data/-/form-data-4.0.4.tgz#784cdcce0669a9d68e94d11ac4eea98088edd2c4" - integrity sha512-KrGhL9Q4zjj0kiUt5OO4Mr/A/jlI2jDYs5eHBpYHPcBEVSiipAvn2Ko2HnPe20rmcuuvMHNdZFp+4IlGTMF0Ow== + version "4.0.0" + resolved "https://registry.yarnpkg.com/form-data/-/form-data-4.0.0.tgz#93919daeaf361ee529584b9b31664dc12c9fa452" + integrity sha512-ETEklSGi5t0QMZuiXoA/Q6vcnxcLQP5vdugSpuAyi6SVGi2clPPp+xgEhuMaHC+zGgn31Kd235W35f7Hykkaww== dependencies: asynckit "^0.4.0" combined-stream "^1.0.8" @@ -10665,9 +10665,9 @@ write@1.0.3: mkdirp "^0.5.1" ws@^7.2.0: - version "8.17.1" - resolved "https://registry.yarnpkg.com/ws/-/ws-8.17.1.tgz#9293da530bb548febc95371d90f9c878727d919b" - integrity sha512-6XQFvXTkbfUOZOKKILFG1PDK2NDQs4azKQl26T0YS5CxqWLgXajbPZ+h4gZekJyRqFU8pvnbAbbs/3TgRPy+GQ== + version "7.4.6" + resolved "https://registry.yarnpkg.com/ws/-/ws-7.4.6.tgz#5654ca8ecdeee47c33a9a4bf6d28e2be2980377c" + integrity sha512-YmhHDO4MzaDLB+M9ym/mDA5z0naX8j7SIlT8f8z+I0VtzsRbekxEutHSme7NPS2qE8StCYQNUnfWdXta/Yu85A== xml2js@^0.4.19: version "0.4.23" diff --git a/patches/electron-update.patch b/patches/electron-update.patch index 72c655925..c08d2e46e 100644 --- a/patches/electron-update.patch +++ b/patches/electron-update.patch @@ -2,12 +2,12 @@ Index: sagemaker-code-editor/vscode/package.json =================================================================== --- sagemaker-code-editor.orig/vscode/package.json +++ sagemaker-code-editor/vscode/package.json -@@ -149,7 +149,7 @@ "devDependencies": { +@@ -149,7 +149,7 @@ "cssnano": "^6.0.3", "debounce": "^1.0.0", "deemon": "^1.8.0", - "electron": "29.4.0", -+ "electron": "38.7.1", ++ "electron": "40.6.0", "eslint": "8.36.0", "eslint-plugin-header": "3.1.1", "eslint-plugin-jsdoc": "^46.5.0", @@ -15,7 +15,7 @@ Index: sagemaker-code-editor/vscode/src/vs/platform/dnd/browser/dnd.ts =================================================================== --- sagemaker-code-editor.orig/vscode/src/vs/platform/dnd/browser/dnd.ts +++ sagemaker-code-editor/vscode/src/vs/platform/dnd/browser/dnd.ts -@@ -12,7 +12,7 @@ +@@ -12,7 +12,7 @@ import { VSBuffer } from 'vs/base/common import { ResourceMap } from 'vs/base/common/map'; import { parse } from 'vs/base/common/marshalling'; import { Schemas } from 'vs/base/common/network'; @@ -24,11 +24,10 @@ Index: sagemaker-code-editor/vscode/src/vs/platform/dnd/browser/dnd.ts import { URI } from 'vs/base/common/uri'; import { localize } from 'vs/nls'; import { IDialogService } from 'vs/platform/dialogs/common/dialogs'; -@@ -406,6 +406,18 @@ - } - } +@@ -407,4 +407,16 @@ export class LocalSelectionTransfer { + } } -+ + +/** + * A helper to get access to Electrons `webUtils.getPathForFile` function + * in a safe way without crashing the application when running in the web. @@ -40,14 +39,13 @@ Index: sagemaker-code-editor/vscode/src/vs/platform/dnd/browser/dnd.ts + + return undefined; +} - ++ //#endregion - Index: sagemaker-code-editor/vscode/src/vs/workbench/contrib/terminal/browser/terminalTabsList.ts =================================================================== --- sagemaker-code-editor.orig/vscode/src/vs/workbench/contrib/terminal/browser/terminalTabsList.ts +++ sagemaker-code-editor/vscode/src/vs/workbench/contrib/terminal/browser/terminalTabsList.ts -@@ -38,7 +38,7 @@ +@@ -38,7 +38,7 @@ import { InputBox, MessageType } from 'v import { createSingleCallFunction } from 'vs/base/common/functional'; import { IKeyboardEvent } from 'vs/base/browser/keyboardEvent'; import { KeyCode } from 'vs/base/common/keyCodes'; @@ -56,24 +54,23 @@ Index: sagemaker-code-editor/vscode/src/vs/workbench/contrib/terminal/browser/te import { terminalStrings } from 'vs/workbench/contrib/terminal/common/terminalStrings'; import { ILifecycleService } from 'vs/workbench/services/lifecycle/common/lifecycle'; import { IProcessDetails } from 'vs/platform/terminal/common/terminalProcess'; -@@ -733,9 +733,9 @@ class TerminalTabsDragAndDrop extends Disposable - resource = URI.file(JSON.parse(rawCodeFiles)[0]); - } - +@@ -733,9 +733,9 @@ class TerminalTabsDragAndDrop extends Di + resource = URI.file(JSON.parse(rawCodeFiles)[0]); + } + - if (!resource && e.dataTransfer.files.length > 0 && e.dataTransfer.files[0].path /* Electron only */) { -- // Check if the file was dragged from the filesystem -- resource = URI.file(e.dataTransfer.files[0].path); + if (!resource && e.dataTransfer.files.length > 0 && getPathForFile(e.dataTransfer.files[0])) { -+ // Check if the file was dragged from the filesystem + // Check if the file was dragged from the filesystem +- resource = URI.file(e.dataTransfer.files[0].path); + resource = URI.file(getPathForFile(e.dataTransfer.files[0])!); - } - - if (!resource) { + } + + if (!resource) { Index: sagemaker-code-editor/vscode/src/vs/workbench/contrib/terminal/browser/terminalInstance.ts =================================================================== --- sagemaker-code-editor.orig/vscode/src/vs/workbench/contrib/terminal/browser/terminalInstance.ts +++ sagemaker-code-editor/vscode/src/vs/workbench/contrib/terminal/browser/terminalInstance.ts -@@ -31,7 +31,7 @@ +@@ -31,7 +31,7 @@ import { IClipboardService } from 'vs/pl import { ICommandService } from 'vs/platform/commands/common/commands'; import { IConfigurationService } from 'vs/platform/configuration/common/configuration'; import { IContextKey, IContextKeyService } from 'vs/platform/contextkey/common/contextkey'; @@ -82,35 +79,34 @@ Index: sagemaker-code-editor/vscode/src/vs/workbench/contrib/terminal/browser/te import { FileSystemProviderCapabilities, IFileService } from 'vs/platform/files/common/files'; import { IInstantiationService } from 'vs/platform/instantiation/common/instantiation'; import { ServiceCollection } from 'vs/platform/instantiation/common/serviceCollection'; -@@ -2372,9 +2372,9 @@ class TerminalInstanceDragAndDropController extends Disposable - path = URI.file(JSON.parse(rawCodeFiles)[0]); - } - +@@ -2372,9 +2372,9 @@ class TerminalInstanceDragAndDropControl + path = URI.file(JSON.parse(rawCodeFiles)[0]); + } + - if (!path && e.dataTransfer.files.length > 0 && e.dataTransfer.files[0].path /* Electron only */) { -- // Check if the file was dragged from the filesystem -- path = URI.file(e.dataTransfer.files[0].path); + if (!path && e.dataTransfer.files.length > 0 && getPathForFile(e.dataTransfer.files[0])) { -+ // Check if the file was dragged from the filesystem + // Check if the file was dragged from the filesystem +- path = URI.file(e.dataTransfer.files[0].path); + path = URI.file(getPathForFile(e.dataTransfer.files[0])!); - } - - if (!path) { + } + + if (!path) { Index: sagemaker-code-editor/vscode/src/vs/workbench/contrib/files/browser/fileActions.ts =================================================================== --- sagemaker-code-editor.orig/vscode/src/vs/workbench/contrib/files/browser/fileActions.ts +++ sagemaker-code-editor/vscode/src/vs/workbench/contrib/files/browser/fileActions.ts -@@ -60,6 +60,7 @@ +@@ -60,6 +60,7 @@ import { KeyChord, KeyCode, KeyMod } fro import { Categories } from 'vs/platform/action/common/actionCommonCategories'; import { ILocalizedString } from 'vs/platform/action/common/action'; import { VSBuffer } from 'vs/base/common/buffer'; +import { getPathForFile } from '../../../../platform/dnd/browser/dnd'; - + export const NEW_FILE_COMMAND_ID = 'explorer.newFile'; export const NEW_FILE_LABEL = nls.localize2('newFile', "New File..."); -@@ -1121,7 +1122,20 @@ export const pasteFileHandler = async ( - const message = toPaste.files.length > 1 ? - nls.localize('confirmMultiPasteNative', "Are you sure you want to paste the following {0} items?", toPaste.files.length) : - nls.localize('confirmPasteNative', "Are you sure you want to paste '{0}'?", basename(toPaste.type === 'paths' ? toPaste.files[0].fsPath : toPaste.files[0].name)); +@@ -1121,7 +1122,20 @@ export const pasteFileHandler = async (a + const message = toPaste.files.length > 1 ? + nls.localize('confirmMultiPasteNative', "Are you sure you want to paste the following {0} items?", toPaste.files.length) : + nls.localize('confirmPasteNative', "Are you sure you want to paste '{0}'?", basename(toPaste.type === 'paths' ? toPaste.files[0].fsPath : toPaste.files[0].name)); - const detail = toPaste.files.length > 1 ? getFileNamesMessage(toPaste.files.map(item => toPaste.type === 'paths' ? item.path : (item as File).name)) : undefined; + const detail = toPaste.files.length > 1 ? getFileNamesMessage(toPaste.files.map(item => { + if (URI.isUri(item)) { @@ -126,99 +122,112 @@ Index: sagemaker-code-editor/vscode/src/vs/workbench/contrib/files/browser/fileA + + return item.name; + })) : undefined; - const confirmation = await dialogService.confirm({ - message, - detail, -@@ -1273,13 +1287,13 @@ + const confirmation = await dialogService.confirm({ + message, + detail, +@@ -1273,13 +1287,13 @@ type FilesToPaste = async function getFilesToPaste(fileList: FileList | undefined, clipboardService: IClipboardService): Promise { - if (fileList && fileList.length > 0) { - // with a `fileList` we support natively pasting file from disk from clipboard + if (fileList && fileList.length > 0) { + // with a `fileList` we support natively pasting file from disk from clipboard - const resources = [...fileList].filter(file => !!file.path && isAbsolute(file.path)).map(file => URI.file(file.path)); + const resources = [...fileList].map(file => getPathForFile(file)).filter(filePath => !!filePath && isAbsolute(filePath)).map((filePath) => URI.file(filePath!)); - if (resources.length) { - return { type: 'paths', files: resources, }; - } - - // Support pasting files that we can't read from disk + if (resources.length) { + return { type: 'paths', files: resources, }; + } + + // Support pasting files that we can't read from disk - return { type: 'data', files: [...fileList].filter(file => !file.path) }; + return { type: 'data', files: [...fileList].filter(file => !getPathForFile(file)) }; - } else { - // otherwise we fallback to reading resources from our clipboard service - return { type: 'paths', files: resources.distinctParents(await clipboardService.readResources(), resource => resource) }; + } else { + // otherwise we fallback to reading resources from our clipboard service + return { type: 'paths', files: resources.distinctParents(await clipboardService.readResources(), resource => resource) }; Index: sagemaker-code-editor/vscode/src/vs/base/parts/ipc/electron-main/ipcMain.ts =================================================================== --- sagemaker-code-editor.orig/vscode/src/vs/base/parts/ipc/electron-main/ipcMain.ts +++ sagemaker-code-editor/vscode/src/vs/base/parts/ipc/electron-main/ipcMain.ts -@@ -111,7 +111,7 @@ - - const sender = event.senderFrame; - +@@ -111,7 +111,7 @@ class ValidatedIpcMain implements Event. + + const sender = event.senderFrame; + - const url = sender.url; + const url = sender?.url; - // `url` can be `undefined` when running tests from playwright https://github.com/microsoft/vscode/issues/147301 - // and `url` can be `about:blank` when reloading the window - // from performance tab of devtools https://github.com/electron/electron/issues/39427. -@@ -133,7 +133,7 @@ - return false; // unexpected sender - } - + // `url` can be `undefined` when running tests from playwright https://github.com/microsoft/vscode/issues/147301 + // and `url` can be `about:blank` when reloading the window + // from performance tab of devtools https://github.com/electron/electron/issues/39427. +@@ -133,7 +133,7 @@ class ValidatedIpcMain implements Event. + return false; // unexpected sender + } + - if (sender.parent !== null) { + if (sender?.parent !== null) { - onUnexpectedError(`Refused to handle ipcMain event for channel '${channel}' because sender of origin '${host}' is not a main frame.`); - return false; // unexpected frame - } + onUnexpectedError(`Refused to handle ipcMain event for channel '${channel}' because sender of origin '${host}' is not a main frame.`); + return false; // unexpected frame + } Index: sagemaker-code-editor/vscode/src/vs/platform/menubar/electron-main/menubar.ts =================================================================== --- sagemaker-code-editor.orig/vscode/src/vs/platform/menubar/electron-main/menubar.ts +++ sagemaker-code-editor/vscode/src/vs/platform/menubar/electron-main/menubar.ts @@ -3,7 +3,7 @@ - * Licensed under the MIT License. See License.txt in the project root for license information. - *--------------------------------------------------------------------------------------------*/ - + * Licensed under the MIT License. See License.txt in the project root for license information. + *--------------------------------------------------------------------------------------------*/ + -import { app, BrowserWindow, KeyboardEvent, Menu, MenuItem, MenuItemConstructorOptions, WebContents } from 'electron'; +import { app, BrowserWindow, BaseWindow, KeyboardEvent, Menu, MenuItem, MenuItemConstructorOptions, WebContents } from 'electron'; import { WorkbenchActionExecutedClassification, WorkbenchActionExecutedEvent } from 'vs/base/common/actions'; import { RunOnceScheduler } from 'vs/base/common/async'; import { CancellationToken } from 'vs/base/common/cancellation'; -@@ -62,7 +62,7 @@ - - private keybindings: { [commandId: string]: IMenubarKeybinding }; - +@@ -62,7 +62,7 @@ export class Menubar { + + private keybindings: { [commandId: string]: IMenubarKeybinding }; + - private readonly fallbackMenuHandlers: { [id: string]: (menuItem: MenuItem, browserWindow: BrowserWindow | undefined, event: KeyboardEvent) => void } = Object.create(null); + private readonly fallbackMenuHandlers: { [id: string]: (menuItem: MenuItem, browserWindow: BaseWindow | undefined, event: KeyboardEvent) => void } = Object.create(null); - - constructor( - @IUpdateService private readonly updateService: IUpdateService, -@@ -285,7 +285,7 @@ - const dockMenu = new Menu(); - dockMenu.append(new MenuItem({ label: this.mnemonicLabel(nls.localize({ key: 'miNewWindow', comment: ['&& denotes a mnemonic'] }, "New &&Window")), click: () => this.windowsMainService.openEmptyWindow({ context: OpenContext.DOCK }) })); - + + constructor( + @IUpdateService private readonly updateService: IUpdateService, +@@ -285,7 +285,7 @@ export class Menubar { + const dockMenu = new Menu(); + dockMenu.append(new MenuItem({ label: this.mnemonicLabel(nls.localize({ key: 'miNewWindow', comment: ['&& denotes a mnemonic'] }, "New &&Window")), click: () => this.windowsMainService.openEmptyWindow({ context: OpenContext.DOCK }) })); + - app.dock.setMenu(dockMenu); + app.dock!.setMenu(dockMenu); - } - - // File -@@ -741,8 +741,8 @@ - return new MenuItem(this.withKeybinding(commandId, options)); - } - + } + + // File +@@ -741,8 +741,8 @@ export class Menubar { + return new MenuItem(this.withKeybinding(commandId, options)); + } + - private makeContextAwareClickHandler(click: (menuItem: MenuItem, win: BrowserWindow, event: KeyboardEvent) => void, contextSpecificHandlers: IMenuItemClickHandler): (menuItem: MenuItem, win: BrowserWindow | undefined, event: KeyboardEvent) => void { - return (menuItem: MenuItem, win: BrowserWindow | undefined, event: KeyboardEvent) => { + private makeContextAwareClickHandler(click: (menuItem: MenuItem, win: BaseWindow, event: KeyboardEvent) => void, contextSpecificHandlers: IMenuItemClickHandler): (menuItem: MenuItem, win: BaseWindow | undefined, event: KeyboardEvent) => void { + return (menuItem: MenuItem, win: BaseWindow | undefined, event: KeyboardEvent) => { - - // No Active Window - const activeWindow = BrowserWindow.getFocusedWindow(); + + // No Active Window + const activeWindow = BrowserWindow.getFocusedWindow(); +Index: sagemaker-code-editor/vscode/src/vs/platform/utilityProcess/electron-main/utilityProcess.ts +=================================================================== +--- sagemaker-code-editor.orig/vscode/src/vs/platform/utilityProcess/electron-main/utilityProcess.ts ++++ sagemaker-code-editor/vscode/src/vs/platform/utilityProcess/electron-main/utilityProcess.ts +@@ -128,7 +128,7 @@ export interface IUtilityProcessCrashEve + /** + * The reason of the utility process crash. + */ +- readonly reason: 'clean-exit' | 'abnormal-exit' | 'killed' | 'crashed' | 'oom' | 'launch-failed' | 'integrity-failure'; ++ readonly reason: 'clean-exit' | 'abnormal-exit' | 'killed' | 'crashed' | 'oom' | 'launch-failed' | 'integrity-failure' | 'memory-eviction'; + } + + export interface IUtilityProcessInfo { Index: sagemaker-code-editor/vscode/src/vs/code/electron-main/app.ts =================================================================== --- sagemaker-code-editor.orig/vscode/src/vs/code/electron-main/app.ts +++ sagemaker-code-editor/vscode/src/vs/code/electron-main/app.ts -@@ -195,7 +195,7 @@ - const supportedSvgSchemes = new Set([Schemas.file, Schemas.vscodeFileResource, Schemas.vscodeRemoteResource, Schemas.vscodeManagedRemoteResource, 'devtools']); - - // But allow them if they are made from inside an webview +@@ -195,7 +195,7 @@ export class CodeApplication extends Dis + const supportedSvgSchemes = new Set([Schemas.file, Schemas.vscodeFileResource, Schemas.vscodeRemoteResource, Schemas.vscodeManagedRemoteResource, 'devtools']); + + // But allow them if they are made from inside an webview - const isSafeFrame = (requestFrame: WebFrameMain | undefined): boolean => { + const isSafeFrame = (requestFrame: WebFrameMain | null | undefined): boolean => { - for (let frame: WebFrameMain | null | undefined = requestFrame; frame; frame = frame.parent) { - if (frame.url.startsWith(`${Schemas.vscodeWebview}://`)) { - return true; \ No newline at end of file + for (let frame: WebFrameMain | null | undefined = requestFrame; frame; frame = frame.parent) { + if (frame.url.startsWith(`${Schemas.vscodeWebview}://`)) { + return true; From c358b1f72ce29614d3217f548549a868604a63ec Mon Sep 17 00:00:00 2001 From: Austin Jang Date: Wed, 15 Apr 2026 00:59:01 +0000 Subject: [PATCH 2/2] undo yarn.lock downgrade and add backup/restore yarn.lock to install script --- patched-vscode/remote/yarn.lock | 6 +++--- patched-vscode/yarn.lock | 12 ++++++------ scripts/install.sh | 6 +++++- 3 files changed, 14 insertions(+), 10 deletions(-) diff --git a/patched-vscode/remote/yarn.lock b/patched-vscode/remote/yarn.lock index 867443074..43918876c 100644 --- a/patched-vscode/remote/yarn.lock +++ b/patched-vscode/remote/yarn.lock @@ -587,9 +587,9 @@ strip-json-comments@~2.0.1: integrity sha1-PFMZQukIwml8DsNEhYwobHygpgo= tar-fs@^2.0.0: - version "2.1.2" - resolved "https://registry.yarnpkg.com/tar-fs/-/tar-fs-2.1.2.tgz#425f154f3404cb16cb8ff6e671d45ab2ed9596c5" - integrity sha512-EsaAXwxmx8UB7FRKqeozqEPop69DXcmYwTQwXvyAPF352HJsPdkVhvTaDPYqfNgruveJIJy3TA2l+2zj8LJIJA== + version "2.1.3" + resolved "https://registry.yarnpkg.com/tar-fs/-/tar-fs-2.1.3.tgz#fb3b8843a26b6f13a08e606f7922875eb1fbbf92" + integrity sha512-090nwYJDmlhwFwEW3QQl+vaNnxsO2yVsd45eTKRBzSzu+hlb1w2K9inVq5b0ngXuLVqQ4ApvsUHHnu/zQNkWAg== dependencies: chownr "^1.1.1" mkdirp-classic "^0.5.2" diff --git a/patched-vscode/yarn.lock b/patched-vscode/yarn.lock index 04ea9592e..4d02c39b1 100644 --- a/patched-vscode/yarn.lock +++ b/patched-vscode/yarn.lock @@ -4732,9 +4732,9 @@ form-data@^3.0.0: mime-types "^2.1.12" form-data@^4.0.0: - version "4.0.0" - resolved "https://registry.yarnpkg.com/form-data/-/form-data-4.0.0.tgz#93919daeaf361ee529584b9b31664dc12c9fa452" - integrity sha512-ETEklSGi5t0QMZuiXoA/Q6vcnxcLQP5vdugSpuAyi6SVGi2clPPp+xgEhuMaHC+zGgn31Kd235W35f7Hykkaww== + version "4.0.4" + resolved "https://registry.yarnpkg.com/form-data/-/form-data-4.0.4.tgz#784cdcce0669a9d68e94d11ac4eea98088edd2c4" + integrity sha512-KrGhL9Q4zjj0kiUt5OO4Mr/A/jlI2jDYs5eHBpYHPcBEVSiipAvn2Ko2HnPe20rmcuuvMHNdZFp+4IlGTMF0Ow== dependencies: asynckit "^0.4.0" combined-stream "^1.0.8" @@ -10665,9 +10665,9 @@ write@1.0.3: mkdirp "^0.5.1" ws@^7.2.0: - version "7.4.6" - resolved "https://registry.yarnpkg.com/ws/-/ws-7.4.6.tgz#5654ca8ecdeee47c33a9a4bf6d28e2be2980377c" - integrity sha512-YmhHDO4MzaDLB+M9ym/mDA5z0naX8j7SIlT8f8z+I0VtzsRbekxEutHSme7NPS2qE8StCYQNUnfWdXta/Yu85A== + version "8.17.1" + resolved "https://registry.yarnpkg.com/ws/-/ws-8.17.1.tgz#9293da530bb548febc95371d90f9c878727d919b" + integrity sha512-6XQFvXTkbfUOZOKKILFG1PDK2NDQs4azKQl26T0YS5CxqWLgXajbPZ+h4gZekJyRqFU8pvnbAbbs/3TgRPy+GQ== xml2js@^0.4.19: version "0.4.23" diff --git a/scripts/install.sh b/scripts/install.sh index 4487cadc6..8af035873 100644 --- a/scripts/install.sh +++ b/scripts/install.sh @@ -84,8 +84,12 @@ fi printf "\n======== Copy resources ========\n" ${PROJ_ROOT}/scripts/copy-resources.sh -# Copy patched files to patches-vscode +# Copy patched files to patched-vscode, preserving security-patched yarn.lock +cp patched-vscode/yarn.lock patched-vscode/yarn.lock.bak +cp patched-vscode/remote/yarn.lock patched-vscode/remote/yarn.lock.bak cp -R vscode/* patched-vscode/ +mv patched-vscode/yarn.lock.bak patched-vscode/yarn.lock +mv patched-vscode/remote/yarn.lock.bak patched-vscode/remote/yarn.lock # Build the project printf "\n======== Building project in ${PROJ_ROOT}/vscode ========\n"