From 9d0247727c6b7aa1f4992be00fc6ea57badd1ab0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jiri=20Dan=C4=9Bk?= Date: Thu, 7 May 2026 19:53:14 +0200 Subject: [PATCH] Remove quarantined es5-ext dependency es5-ext (0.10.64) is quarantined by Nexus Firewall (sonatype-2022-2248) due to undisclosed postinstall code execution. Remove the direct es5-ext dependency from connections package.json, as it is an ES5 polyfill unnecessary for modern Node.js targets. Add npm override to handle the remaining transitive es5-ext from the websocket package. Ref: #420 Co-authored-by: Cursor --- ts/package-lock.json | 134 ++++++++++++++++++++++++++++---- ts/package.json | 3 + ts/src/connections/package.json | 3 +- 3 files changed, 122 insertions(+), 18 deletions(-) diff --git a/ts/package-lock.json b/ts/package-lock.json index b1b61793..654b9878 100644 --- a/ts/package-lock.json +++ b/ts/package-lock.json @@ -1507,6 +1507,23 @@ "type": "^1.0.1" } }, + "node_modules/d/node_modules/es5-ext": { + "name": "@unes/es5-ext", + "version": "0.10.64-1", + "resolved": "https://registry.npmjs.org/@unes/es5-ext/-/es5-ext-0.10.64-1.tgz", + "integrity": "sha512-nZSbffWxU0SleuK9kPrC9zwsbNmzkrSxQSa0+UOR8ghBQSlnj1wmtZZA5+ZRtgk8Xn+kaoAYPT9aOBwFZzXfFA==", + "dev": true, + "license": "ISC", + "dependencies": { + "es6-iterator": "^2.0.3", + "es6-symbol": "^3.1.3", + "esniff": "^2.0.1", + "next-tick": "^1.1.0" + }, + "engines": { + "node": ">=0.10" + } + }, "node_modules/dash-ast": { "version": "2.0.1", "resolved": "https://registry.npmjs.org/dash-ast/-/dash-ast-2.0.1.tgz", 
@@ -1797,12 +1814,23 @@ "node": ">= 0.4" } }, - "node_modules/es5-ext": { - "version": "0.10.64", - "resolved": "https://registry.npmjs.org/es5-ext/-/es5-ext-0.10.64.tgz", - "integrity": "sha512-p2snDhiLaXe6dahss1LddxqEm+SkuDvV8dnIQG0MWjyHpcMNfXKPE+/Cc0y+PhxJX3A4xGNeFCj5oc0BUh6deg==", + "node_modules/es6-iterator": { + "version": "2.0.3", + "resolved": "https://registry.npmjs.org/es6-iterator/-/es6-iterator-2.0.3.tgz", + "integrity": "sha512-zw4SRzoUkd+cl+ZoE15A9o1oQd920Bb0iOJMQkQhl3jNc03YqVjAhG7scf9C5KWRU/R13Orf588uCC6525o02g==", + "dev": true, + "dependencies": { + "d": "1", + "es5-ext": "^0.10.35", + "es6-symbol": "^3.1.1" + } + }, + "node_modules/es6-iterator/node_modules/es5-ext": { + "name": "@unes/es5-ext", + "version": "0.10.64-1", + "resolved": "https://registry.npmjs.org/@unes/es5-ext/-/es5-ext-0.10.64-1.tgz", + "integrity": "sha512-nZSbffWxU0SleuK9kPrC9zwsbNmzkrSxQSa0+UOR8ghBQSlnj1wmtZZA5+ZRtgk8Xn+kaoAYPT9aOBwFZzXfFA==", "dev": true, - "hasInstallScript": true, "license": "ISC", "dependencies": { "es6-iterator": "^2.0.3", @@ -1814,17 +1842,6 @@ "node": ">=0.10" } }, - "node_modules/es6-iterator": { - "version": "2.0.3", - "resolved": "https://registry.npmjs.org/es6-iterator/-/es6-iterator-2.0.3.tgz", - "integrity": "sha512-zw4SRzoUkd+cl+ZoE15A9o1oQd920Bb0iOJMQkQhl3jNc03YqVjAhG7scf9C5KWRU/R13Orf588uCC6525o02g==", - "dev": true, - "dependencies": { - "d": "1", - "es5-ext": "^0.10.35", - "es6-symbol": "^3.1.1" - } - }, "node_modules/es6-map": { "version": "0.1.5", "resolved": "https://registry.npmjs.org/es6-map/-/es6-map-0.1.5.tgz", 
@@ -1839,6 +1856,23 @@ "event-emitter": "~0.3.5" } }, + "node_modules/es6-map/node_modules/es5-ext": { + "name": "@unes/es5-ext", + "version": "0.10.64-1", + "resolved": "https://registry.npmjs.org/@unes/es5-ext/-/es5-ext-0.10.64-1.tgz", + "integrity": "sha512-nZSbffWxU0SleuK9kPrC9zwsbNmzkrSxQSa0+UOR8ghBQSlnj1wmtZZA5+ZRtgk8Xn+kaoAYPT9aOBwFZzXfFA==", + "dev": true, + "license": "ISC", + "dependencies": { + "es6-iterator": "^2.0.3", + "es6-symbol": "^3.1.3", + "esniff": "^2.0.1", + "next-tick": "^1.1.0" + }, + "engines": { + "node": ">=0.10" + } + }, "node_modules/es6-set": { "version": "0.1.6", "resolved": "https://registry.npmjs.org/es6-set/-/es6-set-0.1.6.tgz", @@ -1856,6 +1890,23 @@ "node": ">=0.12" } }, + "node_modules/es6-set/node_modules/es5-ext": { + "name": "@unes/es5-ext", + "version": "0.10.64-1", + "resolved": "https://registry.npmjs.org/@unes/es5-ext/-/es5-ext-0.10.64-1.tgz", + "integrity": "sha512-nZSbffWxU0SleuK9kPrC9zwsbNmzkrSxQSa0+UOR8ghBQSlnj1wmtZZA5+ZRtgk8Xn+kaoAYPT9aOBwFZzXfFA==", + "dev": true, + "license": "ISC", + "dependencies": { + "es6-iterator": "^2.0.3", + "es6-symbol": "^3.1.3", + "esniff": "^2.0.1", + "next-tick": "^1.1.0" + }, + "engines": { + "node": ">=0.10" + } + }, "node_modules/es6-set/node_modules/type": { "version": "2.7.2", "resolved": "https://registry.npmjs.org/type/-/type-2.7.2.tgz", 
@@ -2283,6 +2334,23 @@ "node": ">=0.10" } }, + "node_modules/esniff/node_modules/es5-ext": { + "name": "@unes/es5-ext", + "version": "0.10.64-1", + "resolved": "https://registry.npmjs.org/@unes/es5-ext/-/es5-ext-0.10.64-1.tgz", + "integrity": "sha512-nZSbffWxU0SleuK9kPrC9zwsbNmzkrSxQSa0+UOR8ghBQSlnj1wmtZZA5+ZRtgk8Xn+kaoAYPT9aOBwFZzXfFA==", + "dev": true, + "license": "ISC", + "dependencies": { + "es6-iterator": "^2.0.3", + "es6-symbol": "^3.1.3", + "esniff": "^2.0.1", + "next-tick": "^1.1.0" + }, + "engines": { + "node": ">=0.10" + } + }, "node_modules/esniff/node_modules/type": { "version": "2.7.3", "resolved": "https://registry.npmjs.org/type/-/type-2.7.3.tgz", @@ -2397,6 +2465,23 @@ "es5-ext": "~0.10.14" } }, + "node_modules/event-emitter/node_modules/es5-ext": { + "name": "@unes/es5-ext", + "version": "0.10.64-1", + "resolved": "https://registry.npmjs.org/@unes/es5-ext/-/es5-ext-0.10.64-1.tgz", + "integrity": "sha512-nZSbffWxU0SleuK9kPrC9zwsbNmzkrSxQSa0+UOR8ghBQSlnj1wmtZZA5+ZRtgk8Xn+kaoAYPT9aOBwFZzXfFA==", + "dev": true, + "license": "ISC", + "dependencies": { + "es6-iterator": "^2.0.3", + "es6-symbol": "^3.1.3", + "esniff": "^2.0.1", + "next-tick": "^1.1.0" + }, + "engines": { + "node": ">=0.10" + } + }, "node_modules/events": { "version": "2.1.0", "resolved": "https://registry.npmjs.org/events/-/events-2.1.0.tgz", 
@@ -5264,6 +5349,23 @@ "ms": "2.0.0" } }, + "node_modules/websocket/node_modules/es5-ext": { + "name": "@unes/es5-ext", + "version": "0.10.64-1", + "resolved": "https://registry.npmjs.org/@unes/es5-ext/-/es5-ext-0.10.64-1.tgz", + "integrity": "sha512-nZSbffWxU0SleuK9kPrC9zwsbNmzkrSxQSa0+UOR8ghBQSlnj1wmtZZA5+ZRtgk8Xn+kaoAYPT9aOBwFZzXfFA==", + "dev": true, + "license": "ISC", + "dependencies": { + "es6-iterator": "^2.0.3", + "es6-symbol": "^3.1.3", + "esniff": "^2.0.1", + "next-tick": "^1.1.0" + }, + "engines": { + "node": ">=0.10" + } + }, "node_modules/websocket/node_modules/ms": { "version": "2.0.0", "resolved": "https://registry.npmjs.org/ms/-/ms-2.0.0.tgz",
diff --git a/ts/package.json b/ts/package.json
index 5bdd66e1..3dbeb606 100644
--- a/ts/package.json
+++ b/ts/package.json
@@ -109,5 +109,8 @@
 "trailingComma": "all",
 "arrowParens": "always",
 "parser": "typescript"
+ },
+ "overrides": {
+ "es5-ext": "npm:@unes/es5-ext@0.10.64-1"
 }
 }
diff --git a/ts/src/connections/package.json b/ts/src/connections/package.json
index cdc011f1..18fb3ab3 100644
--- a/ts/src/connections/package.json
+++ b/ts/src/connections/package.json
@@ -22,8 +22,7 @@
 "@microsoft/dev-tunnels-management": ">1.3.50",
 "uuid": "^3.3.3",
 "await-semaphore": "^0.1.3",
- "websocket": "^1.0.28",
- "es5-ext": "0.10.64"
+ "websocket": "^1.0.28"
 },
 "peerDependencies": {
 "@microsoft/dev-tunnels-ssh": "^3.12.29",
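Review bot: The `overrides` block added to `ts/package.json` is honoured by npm only for installs rooted at that file, so it does not travel with `ts/src/connections/package.json`, which still declares `"websocket": "^1.0.28"`. If the connections package is published (its `peerDependencies` suggest it is), a downstream install still resolves `websocket` to the upstream `es5-ext`, so the quarantine is cleared for this repository's lockfile but not for consumers. Either replace the `websocket` dependency or tell consumers in the package README to add `"overrides": { "es5-ext": "npm:@unes/es5-ext@0.10.64-1" }` to their own root `package.json`. The override also shifts trust to a different publisher scope (`@unes`): the lockfile pins the tarball by `integrity` and the new entries no longer carry `hasInstallScript`, but nothing visible here records who maintains or reviewed that fork, so the README should state its provenance next to the override instruction.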