OCPBUGS-88721: CVE-2026-42338 #16630

Open
germanparente wants to merge 2 commits into openshift:main from germanparente:OCPBUGS-88721

Conversation

@germanparente germanparente commented Jun 16, 2026


CONSOLE Features and Fixes:

  • OCPBUGS-88721: CVE-2026-42338

Solution description

Resolve CVE-2026-42338 by adding a yarn resolution for ip-address to ^10.1.1. The transitive dependency (via socks-proxy-agent → socks) was at 9.0.5, which has an XSS vulnerability in Address6 HTML-emitting methods. Updated to 10.2.0.

Reviewers and assignees:

Test cases:

No functional changes — ip-address is a transitive dependency not directly used by console source code. Verified the lockfile resolves to 10.2.0.

Additional info:

  • CVE: CVE-2026-42338
  • Advisory: GHSA-v2v4-37r5-5v8g
  • Fixed in: ip-address 10.1.1+
  • Risk: Low — the library is only used internally by socks for SOCKS proxy address parsing; console never imports or renders its output as HTML.

Screen shots / gifs / design review:

N/A — no visual changes.

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Chores
    • Updated dependency resolution settings to optimize installation stability and package compatibility.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@openshift-ci-robot openshift-ci-robot added the labels jira/severity-important (referenced Jira bug's severity is important for the branch this PR is targeting), jira/valid-reference (indicates that this PR references a valid Jira ticket of any type) and jira/valid-bug (indicates that a referenced Jira bug is valid for the branch this PR is targeting) on Jun 16, 2026
@openshift-ci-robot


@germanparente: This pull request references Jira Issue OCPBUGS-88721, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (5.0.0) matches configured target version for branch (5.0.0)
  • bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)

The bug has been updated to refer to the pull request using the external bug tracker.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci Bot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jun 16, 2026
@coderabbitai coderabbitai Bot commented Jun 16, 2026

Walkthrough

A new resolutions entry for the ip-address package is added to frontend/package.json alongside the existing minimatch resolution override, pinning the transitive version Yarn selects during installs.

Changes

Dependency Resolution Override

  • frontend/package.json (ip-address Yarn resolution pin): Adds an ip-address entry to the resolutions field, pinning its transitive version alongside the existing minimatch override.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Suggested labels

approved, lgtm, jira/valid-bug, verified

Suggested reviewers

  • Leo6Leo
  • logonoff
  • TheRealJon
🚥 Pre-merge checks: 15 passed

  • Title check: Passed. The title includes the Jira issue prefix (OCPBUGS-88721) and clearly identifies the CVE being addressed (CVE-2026-42338), directly matching the main change in the changeset.
  • Description check: Passed. The PR description covers Analysis/Root cause, Solution description, Test cases, and Additional info with links to CVE/advisory. However, it lacks sections for Screenshots, Browser conformance, and Reviewers/assignees details required by the template.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: Passed. Check skipped because no linked issues were found for this pull request.
  • Stable And Deterministic Test Names: Passed. The custom check for Ginkgo test name stability does not apply to this PR, which only modifies frontend/package.json to address a CVE by adding an ip-address yarn resolution. No test code or test n...
  • Test Structure And Quality: Passed. This PR only modifies frontend/package.json to add a yarn resolution for ip-address. No test code (Ginkgo or otherwise) was changed, so the test quality check does not apply.
  • Microshift Test Compatibility: Passed. This PR only modifies frontend/package.json to add a yarn resolution for ip-address. It contains no Ginkgo e2e tests, making the MicroShift Test Compatibility check inapplicable.
  • Single Node Openshift (Sno) Test Compatibility: Passed. Custom check for SNO test compatibility is not applicable; this PR contains no new Ginkgo e2e tests, only a yarn dependency resolution update in frontend/package.json for CVE-2026-42338.
  • Topology-Aware Scheduling Compatibility: Passed. Check not applicable: PR only modifies frontend/package.json for a CVE dependency fix. No deployment manifests, operator code, or controllers are added/modified.
  • Ote Binary Stdout Contract: Passed. Custom check for OTE Binary Stdout Contract is not applicable. PR only updates frontend/package.json (dependency resolution), not Go test/binary code.
  • Ipv6 And Disconnected Network Test Compatibility: Passed. This PR only modifies frontend/package.json to add a yarn resolution for the ip-address vulnerability (CVE-2026-42338). No Ginkgo e2e tests are added, so the IPv6/disconnected network compatibility...
  • No-Weak-Crypto: Passed. PR only updates frontend/package.json with ip-address resolution. ip-address is an IPv4/IPv6 parsing library; CVE-2026-42338 is XSS (not cryptography). No weak crypto algorithms detected.
  • Container-Privileges: Passed. PR only modifies frontend/package.json (dependency resolution), not container/K8s manifests. Custom check for container privileges is not applicable to this dependency management PR.
  • No-Sensitive-Data-In-Logs: Passed. PR only adds a yarn resolution override for ip-address in package.json to address CVE-2026-42338; no logging code that exposes sensitive data (passwords, tokens, API keys, PII, session IDs, etc.) i...


@openshift-ci openshift-ci Bot requested review from TheRealJon and fsgreco June 16, 2026 12:27
@openshift-ci openshift-ci Bot commented Jun 16, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: germanparente
Once this PR has been reviewed and has the lgtm label, please assign vojtechszocs for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci-robot


@germanparente: This pull request references Jira Issue OCPBUGS-88721, which is valid.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (5.0.0) matches configured target version for branch (5.0.0)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

Inline comments:
In `@frontend/package.json`:
- Around line 338-339: The frontend/package.json resolutions section contains
two issues: the minimatch resolution is vulnerable to HIGH-severity ReDoS flaws
in versions up to 10.2.2 and needs to be upgraded to exactly 10.2.3, and both
resolutions use caret ranges which allow floating versions instead of exact
pinning. Fix the minimatch resolution by changing the version from the caret
range to exactly 10.2.3, and change the ip-address resolution from a caret range
to an exact version pin to follow supply-chain best practices and ensure
deterministic installs across all environments.

📥 Commits

Reviewing files that changed from the base of the PR and between 376c8a8 and 1c24e7c.

⛔ Files ignored due to path filters (1)
  • frontend/yarn.lock is excluded by !**/yarn.lock, !**/*.lock
📒 Files selected for processing (1)
  • frontend/package.json

Comment thread frontend/package.json
Comment on lines +338 to +339
"minimatch@^10.1.2": "^10.2.1",
"ip-address": "^10.1.1"


⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== Locate lockfile =="
fd -i '^yarn\.lock$'

echo
echo "== Verify resolved ip-address entries in lockfile =="
rg -n -C2 '(^|[" ])ip-address@' frontend/yarn.lock

echo
echo "== Ensure no vulnerable 9.x ip-address remains =="
if rg -n 'ip-address@.*\b9\.' frontend/yarn.lock; then
  echo "Found ip-address 9.x entries; please remove/override fully."
  exit 1
else
  echo "No ip-address 9.x entries found."
fi

echo
echo "== Query OSV for ip-address 10.2.0 =="
curl -sS https://api.osv.dev/v1/query \
  -H 'content-type: application/json' \
  -d '{"package":{"name":"ip-address","ecosystem":"npm"},"version":"10.2.0"}' | jq .

🏁 Script executed:

cd frontend && sed -n '330,345p' package.json

🏁 Script executed:

#!/bin/bash
# Check for CVEs in minimatch@10.2.1
curl -sS https://api.osv.dev/v1/query \
  -H 'content-type: application/json' \
  -d '{"package":{"name":"minimatch","ecosystem":"npm"},"version":"10.2.1"}' | jq .

🏁 Script executed:

#!/bin/bash
# Check if there are newer patch versions available for both packages
# Also check what versions are currently in use in the codebase
cd frontend && rg -n 'minimatch|ip-address' yarn.lock | head -20

Upgrade minimatch to 10.2.3 to remediate HIGH-severity ReDoS vulnerabilities; use exact pinning in resolutions.

Lines 338–339 have two issues:

  1. Minimatch vulnerability: The current resolution pins minimatch@^10.1.2 to ^10.2.1, which is vulnerable to two HIGH-severity ReDoS flaws (GHSA-23c5-xmqv-rm74, GHSA-7r86-cg39-jmmj, CVE-2026-27904, CVE-2026-27903). Both affect versions 10.0.0–10.2.2 and are fixed in 10.2.3. Caret ranges also allow floating to future patch releases, defeating deterministic remediation.

  2. Imprecise resolutions: Supply-chain best practice requires exact versions in resolutions overrides to prevent accidental drift across installs.

Suggested fix
-    "minimatch@^10.1.2": "^10.2.1",
-    "ip-address": "^10.1.1"
+    "minimatch@^10.1.2": "10.2.3",
+    "ip-address": "10.2.0"
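Review bot: changing the two resolutions to exact pins, as this hunk does, only takes effect once frontend/yarn.lock is regenerated and committed alongside it; the review info above shows yarn.lock is excluded from review by the `!**/yarn.lock` path filter, so after the change the lockfile entries for minimatch (the existing resolution still allows any ^10.2.1 release) and ip-address (verified at 10.2.0 in the description) should be re-checked by hand. Note also the difference in scope between the two keys: `"minimatch@^10.1.2"` only rewrites requests that match that range, while the bare `"ip-address"` key rewrites every dependent's request for the package, which is the broader scope and the one intended here for a purely transitive dependency.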
Source: Coding guidelines
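The verification step that both the PR description ("Verified the lockfile resolves to 10.2.0") and the executed `rg` scripts above perform by eye can be done programmatically: parse the Yarn v1 lockfile and confirm that every request pattern for the package resolved to a version inside the `resolutions` range. This is an added example, not code from the openshift/console project or from the CodeRabbit bot; the yarn.lock text inside it is constructed (a socks request for 9.0.5 rewritten to 10.2.0, plus the minimatch entry from the review comment), and it assumes plain `^X.Y.Z` or exact ranges as used on this page.

```javascript
// Added example, not code from openshift/console or CodeRabbit: check that a Yarn v1
// lockfile honours a package.json "resolutions" entry, i.e. every request pattern
// for the package resolved to a version inside the resolution range.
const SAMPLE_LOCK = `
ip-address@9.0.5, ip-address@^10.1.1:
  version "10.2.0"
  resolved "https://registry.example.invalid/ip-address-10.2.0.tgz"
"minimatch@^10.1.2":
  version "10.2.1"
  resolved "https://registry.example.invalid/minimatch-10.2.1.tgz"
`; // constructed sample, not the real frontend/yarn.lock

// Map each "name@range" key of a yarn.lock v1 file to the version it resolved to.
function parseYarnLock(text) {
  const resolved = new Map();
  let keys = [];
  for (const line of text.split('\n')) {
    if (!line.trim() || line.startsWith('#')) continue;
    if (!line.startsWith(' ')) {
      // Entry header: comma-separated request patterns, optionally quoted, ending in ':'
      keys = line.replace(/:\s*$/, '').split(',').map((k) => k.trim().replace(/^"|"$/g, ''));
    } else {
      const m = line.match(/^\s+version "([^"]+)"/);
      if (m) for (const k of keys) resolved.set(k, m[1]);
    }
  }
  return resolved;
}

const parseVer = (v) => v.split('.').map(Number);
const cmpVer = (a, b) => a[0] - b[0] || a[1] - b[1] || a[2] - b[2];

// Does `version` satisfy a resolution range written as "^X.Y.Z" (major >= 1) or exact "X.Y.Z"?
function satisfies(version, range) {
  const caret = range.startsWith('^');
  const base = parseVer(range.slice(caret ? 1 : 0));
  const v = parseVer(version);
  if (cmpVer(v, base) < 0) return false;
  return caret ? v[0] === base[0] : cmpVer(v, base) === 0;
}

// Lockfile keys for `name` whose resolved version falls outside `range` (empty = OK).
function checkResolution(lockText, name, range) {
  const violations = [];
  for (const [key, version] of parseYarnLock(lockText)) {
    const pkg = key.slice(0, key.lastIndexOf('@')); // lastIndexOf: scoped names start with '@'
    if (pkg === name && !satisfies(version, range)) violations.push(`${key} -> ${version}`);
  }
  return violations;
}
```

Run against the real lockfile by replacing SAMPLE_LOCK with `fs.readFileSync('frontend/yarn.lock', 'utf8')`; a non-empty result for `checkResolution(lock, 'ip-address', '^10.1.1')` means a dependent's request escaped the override.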

@germanparente


/rebase

@openshift-ci openshift-ci Bot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jun 17, 2026
@openshift-ci openshift-ci Bot commented Jun 17, 2026

@germanparente: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

  • ci/prow/okd-scos-images (commit 5f5e8c3, required): /test okd-scos-images
  • ci/prow/images (commit 5f5e8c3, required): /test images
  • ci/prow/frontend (commit 5f5e8c3, required): /test frontend
  • ci/prow/e2e-playwright (commit 5f5e8c3, not required): /test e2e-playwright
  • ci/prow/e2e-gcp-console (commit 5f5e8c3, required): /test e2e-gcp-console
  • ci/prow/analyze (commit 5f5e8c3, required): /test analyze

Full PR test history. Your PR dashboard.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
