Potential security vulnerability due to very old package versions in vendor/modules/code-oss-dev?

[ivanov-slk]

Hi there,

I noticed that there are many outdated packages under code-server-3.12.0-linux-amd64.tar/code-server-3.12.0-linux-amd64/vendor/modules/code-oss-dev. code-oss-dev itself looks suspicious - it has been reported as containing malicious software on npm.

A screenshot of two of the outdated packages:

The latest version for json is 11.0.0.
For handlebars it is 4.7.7.

These outdated packages are reported as vulnerable by the security scanner I'm using.

I'd like to know are these packages needed? How can they be updated? What about the security issue in code-oss-dev?

Thank you!

[im-coder-lg]

@jsjoeio knows how the packages are needed, I think I sound offensive, so no offense. I think the old packages are used because that might be small in size and they are actually properly doing the job and also it could be that since the modules are updated, the code also might change, right? So maybe due to that, code-server uses old versions. If you can, try investigating more if the modules are upgradable and if they are, try opening a PR, looping in this discussion, maybe I'll also review(requires a build test, hope you have a good Mac or Linux machine)

[jsjoeio]

Hmm...great questions. code-oss-dev is the name of VS Code packaged up and used in code-server. Our fork lives here.

We're in the process of getting a release ready for 4.0.0.

If those packages exist in code-oss-dev, then they're probably needed by VS Code. We have trivy and another script that checks for vulnerabilities here. Those should catch anything suspicious.