
Fix the trivy vulnerability #2375

Merged
samithkavishke merged 1 commit into wso2:release/ballerina-5.12.1 from samithkavishke:trivyfix2 on Jun 19, 2026

Conversation

@samithkavishke (Contributor) commented Jun 19, 2026
Purpose

Describe the problems, issues, or needs driving this feature/fix and include links to related issues in the following format: Resolves issue1, issue2, etc.

Goals

Describe the solutions that this feature/fix will introduce to resolve the problems described above

Approach

Describe how you are implementing the solutions. Include an animated GIF or screenshot if the change affects the UI (email documentation@wso2.com to review all UI text). Include a link to a Markdown file or Google doc if the feature write-up is too long to paste here.

UI Component Development

Specify the reason if following are not followed.

  • Added reusable UI components to the ui-toolkit. Follow the instructions when adding the component.
  • Use ui-toolkit components wherever possible. Run npm run storybook from the root directory to view current components.
  • Matches with the native VSCode look and feel.

Manage Icons

Specify the reason if following are not followed.

  • Added Icons to the font-wso2-vscode. Follow the instructions.

User stories

Summary of user stories addressed by this change

Release note

Brief description of the new feature or bug fix as it will appear in the release notes

Documentation

Link(s) to product documentation that addresses the changes of this PR. If no doc impact, enter “N/A” plus brief explanation of why there’s no doc impact

Training

Link to the PR for changes to the training content in https://github.com/wso2/WSO2-Training, if applicable

Certification

Type “Sent” when you have provided new/updated certification questions, plus four answers for each question (correct answer highlighted in bold), based on this change. Certification questions/answers should be sent to certification@wso2.com and NOT pasted in this PR. If there is no impact on certification exams, type “N/A” and explain why.

Marketing

Link to drafts of marketing content that will describe and promote this feature, including product page changes, technical articles, blog posts, videos, etc., if applicable

Automation tests

  • Unit tests

    Code coverage information

  • Integration tests

    Details about the test cases and coverage

Security checks

Samples

Provide high-level details about the samples related to this feature

Related PRs

List any other related PRs

Migrations (if applicable)

Describe migration steps and platforms on which migration has been tested

Test environment

List all JDK versions, operating systems, databases, and browser/versions on which this feature/fix was tested

Learning

Describe the research phase and any blog posts, patterns, libraries, or add-ons you used to solve the problem.

Summary by CodeRabbit

  • Chores
    • Updated package dependency version constraints to ensure compatibility and stability across the application.

@coderabbitai coderabbitai Bot (Contributor) commented Jun 19, 2026


📝 Walkthrough

In common/config/rush/pnpm-config.json, two new entries are added to the globalOverrides block: minimum version constraints for undici and http-proxy-middleware. The existing webpack-dev-server override is unchanged.

Changes

PNPM Dependency Overrides
  • Layer: globalOverrides version pins
    File(s): common/config/rush/pnpm-config.json
    Summary: Adds undici and http-proxy-middleware minimum version overrides to the existing globalOverrides block alongside the unchanged webpack-dev-server entry.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Poem

A rabbit hops in, quill in paw,
Two new overrides added with care —
undici and http-proxy-middleware there,
Versions pinned tight, no room for flaw.
The lockfile breathes easy, dependencies fair! 🐇✨

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

  • Description check: ⚠️ Warning
    Explanation: The PR description consists entirely of unfilled template placeholders with no actual content addressing the Trivy vulnerability, implementation details, or the dependency version updates.
    Resolution: Complete all required sections with specific details: describe the Trivy vulnerability, explain why undici and http-proxy-middleware updates fix it, detail testing performed, and add security validation.
  • Title check: ❓ Inconclusive
    Explanation: The title 'Fix the trivy vulnerability' is vague and generic, failing to specify which vulnerability is being addressed or what changes are being made.
    Resolution: Revise the title to be more specific, e.g., 'Fix Trivy vulnerability by updating undici and http-proxy-middleware versions' to clearly convey the actual changes.

✅ Passed checks (3 passed)

  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.


Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 Biome (2.5.0)
common/config/rush/pnpm-config.json

File contains syntax errors that prevent linting: Line 1: JSON standard does not allow comments.; Line 5: End of file expected; Line 8: JSON standard does not allow comments.; Line 20: End of file expected; Line 20: End of file expected; Line 20: End of file expected; Line 20: End of file expected; Line 22: JSON standard does not allow comments.; Line 36: JSON standard does not allow comments.; Line 46: JSON standard does not allow comments.; Line 61: JSON standard does not allow comments.; Line 79: JSON standard does not allow comments.; Line 91: End of file expected; Line 91: End of file expected; Line 91: End of file expected; Line 107: End of file expected; Line 109: JSON standard does not allow comments.; Line 121: End of file expected; Line 121: End of file expected; Line 122: Expected a property but instead found '// "ignoreMissing": ["@eslint/*"],'.; Line 121: End of file expected; Line 122: End of file expected; Line 127: JSON standard does not allow comments.; Line 140: End o

... [truncated 346 characters] ...

an object, or a literal but instead found '// "fsevents"'.; Line 167: End of file expected; Line 168: End of file expected; Line 171: JSON standard does not allow comments.; Line 183: End of file expected; Line 183: End of file expected; Line 184: Expected a property but instead found '// "request": "*"'.; Line 183: End of file expected; Line 184: End of file expected; Line 188: JSON standard does not allow comments.; Line 195: End of file expected; Line 195: End of file expected; Line 195: End of file expected; Line 195: End of file expected; Line 197: JSON standard does not allow comments.; Line 209: End of file expected; Line 209: End of file expected; Line 210: Expected a property but instead found '// "dependencies": {'.; Line 209: End of file expected; Line 210: End of file expected



@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@common/config/rush/pnpm-config.json`:
- Around line 105-106: Update the version constraints for the undici and
http-proxy-middleware package overrides in the pnpm-config.json file to use
bounded constraints instead of unbounded ones. Change the undici override from
using only a lower bound (>=7.28.0) to include an upper bound that caps the
major version (>=7.28.0 <8), and similarly update the http-proxy-middleware
override from >=3.0.6 to >=3.0.6 <4 to maintain consistency with other bounded
constraints already present in the file like protobufjs and the Node.js
constraint.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: d82a53af-688c-4da0-b8df-fc1711d2a25f

📥 Commits

Reviewing files that changed from the base of the PR and between 5397264 and 478414f.

⛔ Files ignored due to path filters (1)
  • common/config/rush/pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (1)
  • common/config/rush/pnpm-config.json
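To see concretely what the walkthrough's "minimum version constraints" and the reviewer's bounded-versus-unbounded point mean, here is an added example that is neither the project's code nor part of the CodeRabbit review: a dependency-free JavaScript evaluator for the simple comparator ranges used in these overrides. It assumes (as an assumption, not something the PR states) that pnpm reads override strings with node-semver's grammar for the operators `>=`, `<=`, `>`, `<` and `=`, and that plain MAJOR.MINOR.PATCH versions are enough (pre-release tags are not handled). The override strings are the ones named on this page; the candidate version numbers are constructed for illustration and are not taken from any registry or advisory.

```javascript
// Added example (not from the wso2 repo or the CodeRabbit review): a
// dependency-free evaluator for the comparator ranges pnpm accepts in
// overrides, used to show what a lower-bound-only override admits.
// Assumptions: versions are plain MAJOR.MINOR.PATCH (no pre-release tags);
// the range grammar matches node-semver for these simple operators.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number);
}

// -1, 0 or 1, comparing major, then minor, then patch.
function compareVersions(a, b) {
  const [x, y] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  }
  return 0;
}

// A partial version in a comparator ("<8", ">=3.0") is padded with zeros,
// so "<8" means "< 8.0.0".
function padPartial(p) {
  const parts = p.split(".");
  while (parts.length < 3) parts.push("0");
  return parts.join(".");
}

// Range grammar: whitespace-separated comparators that must all hold
// (the space is AND, as in ">=7.28.0 <8"). "||" alternatives are not needed here.
function satisfies(version, range) {
  return range.trim().split(/\s+/).every((c) => {
    const m = /^(>=|<=|>|<|=)?(\d+(?:\.\d+){0,2})$/.exec(c);
    if (!m) throw new Error(`unsupported comparator: ${c}`);
    const op = m[1] || "=";
    const cmp = compareVersions(version, padPartial(m[2]));
    switch (op) {
      case ">=": return cmp >= 0;
      case "<=": return cmp <= 0;
      case ">": return cmp > 0;
      case "<": return cmp < 0;
      default: return cmp === 0;
    }
  });
}

// For each override, split the candidate versions into those the range
// admits and those it rejects, so the effect of tightening is visible.
function auditOverrides(overrides, candidates) {
  const report = {};
  for (const [pkg, range] of Object.entries(overrides)) {
    const admitted = [];
    const rejected = [];
    for (const v of candidates[pkg] || []) {
      (satisfies(v, range) ? admitted : rejected).push(v);
    }
    report[pkg] = { admitted, rejected };
  }
  return report;
}

// The two overrides as the PR adds them (lower bound only) ...
const unboundedOverrides = { undici: ">=7.28.0", "http-proxy-middleware": ">=3.0.6" };
// ... and as the reviewer suggested (major version capped).
const boundedOverrides = { undici: ">=7.28.0 <8", "http-proxy-middleware": ">=3.0.6 <4" };

// Constructed candidate versions for illustration only; not from any registry.
const candidates = {
  undici: ["7.27.9", "7.28.0", "7.30.1", "8.0.0"],
  "http-proxy-middleware": ["3.0.5", "3.0.6", "3.1.0", "4.0.0"],
};

console.log("lower bound only:", JSON.stringify(auditOverrides(unboundedOverrides, candidates)));
console.log("major capped:   ", JSON.stringify(auditOverrides(boundedOverrides, candidates)));
```

Run it with node. With the lower-bound-only strings, a hypothetical undici 8.0.0 is admitted alongside the patched 7.x line; with the capped form it is rejected, while versions below the floor are rejected either way. This only shows what a range string admits; whether a given floor actually corresponds to the Trivy finding has to be confirmed against the scanner output, which the PR description does not record.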

@samithkavishke samithkavishke merged commit dd69721 into wso2:release/ballerina-5.12.1 Jun 19, 2026
7 checks passed