@gigara gigara commented Nov 18, 2025

Purpose

$subject
Resolves #946

Goals

Describe the solutions that this feature/fix will introduce to resolve the problems described above

Approach

Describe how you are implementing the solutions. Include an animated GIF or screenshot if the change affects the UI (email [email protected] to review all UI text). Include a link to a Markdown file or Google doc if the feature write-up is too long to paste here.

UI Component Development

Specify the reason if following are not followed.

  • Added reusable UI components to the ui-toolkit. Follow the instructions when adding the component.
  • Use ui-toolkit components wherever possible. Run npm run storybook from the root directory to view current components.
  • Matches with the native VSCode look and feel.

Manage Icons

Specify the reason if following are not followed.

  • Added Icons to the font-wso2-vscode. Follow the instructions.

User stories

Summary of user stories addressed by this change

Release note

Brief description of the new feature or bug fix as it will appear in the release notes

Documentation

Link(s) to product documentation that addresses the changes of this PR. If no doc impact, enter “N/A” plus brief explanation of why there’s no doc impact

Training

Link to the PR for changes to the training content in https://github.com/wso2/WSO2-Training, if applicable

Certification

Type “Sent” when you have provided new/updated certification questions, plus four answers for each question (correct answer highlighted in bold), based on this change. Certification questions/answers should be sent to [email protected] and NOT pasted in this PR. If there is no impact on certification exams, type “N/A” and explain why.

Marketing

Link to drafts of marketing content that will describe and promote this feature, including product page changes, technical articles, blog posts, videos, etc., if applicable

Automation tests

  • Unit tests

    Code coverage information

  • Integration tests

    Details about the test cases and coverage

Security checks

Samples

Provide high-level details about the samples related to this feature

Related PRs

List any other related PRs

Migrations (if applicable)

Describe migration steps and platforms on which migration has been tested

Test environment

List all JDK versions, operating systems, databases, and browser/versions on which this feature/fix was tested

Learning

Describe the research phase and any blog posts, patterns, libraries, or add-ons you used to solve the problem.

Summary by CodeRabbit

Release Notes

  • Chores
    • Updated build and testing tool versions for improved stability and compatibility.
    • Modernized file copying operations in build scripts.
    • Updated icon font character mappings across multiple extensions.
    • Upgraded test framework and related dependencies.
    • Enhanced .gitignore patterns to exclude generated artifacts.

@gigara gigara requested a review from hevayo as a code owner November 18, 2025 08:30
@gigara gigara added the Checks/Run MI UI Tests Force run MI UI tests label Nov 18, 2025
coderabbitai bot commented Nov 18, 2025

Important

Review skipped

Review was skipped due to path filters

⛔ Files ignored due to path filters (1)
  • workspaces/mi/mi-diagram/src/test/__snapshots__/diagram-test.test.tsx.snap is excluded by !**/*.snap

CodeRabbit blocks several paths by default. You can override this behavior by explicitly including those paths in the path filters. For example, including **/dist/** will override the default block on the dist directory, by removing the pattern from both the lists.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Walkthrough

Multiple extensions migrated from copyfiles to rsync for build operations. Dependencies updated: @vscode/vsce to ^3.7.0, glob to ^11.1.0, and fantasticon to ^3.0.0. Glob API changed from callbacks to promises. Webpack configuration refactored. Font icon mappings and .gitignore files updated.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| Copyfiles to Rsync Migration: workspaces/api-designer/api-designer-extension/package.json, workspaces/choreo/choreo-extension/package.json, workspaces/mcp-inspector/mcp-inspector-extension/package.json, workspaces/wso2-platform/wso2-platform-extension/package.json | Replaced copyfiles commands with rsync for font, webview library, and VSIX copying. Removed copyfiles from devDependencies where applicable. |
| VSCode Extension Tooling Updates: workspaces/api-designer/api-designer-extension/package.json, workspaces/apk/apk-extension/package.json, workspaces/ballerina/ballerina-extension/package.json, workspaces/bi/bi-extension/package.json, workspaces/common-libs/playwright-vscode-tester/package.json, workspaces/mi/mi-extension/package.json, workspaces/mcp-inspector/mcp-inspector-extension/package.json, workspaces/wso2-platform/wso2-platform-extension/package.json | Updated @vscode/vsce from ~2.21.0–^3.4.2 to ^3.7.0. Replaced deprecated vsce with @vscode/vsce in apk-extension. |
| Glob Dependency Updates: workspaces/apk/apk-extension/package.json, workspaces/ballerina/ballerina-low-code-diagram/package.json, workspaces/bi/bi-extension/package.json, workspaces/common-libs/ui-toolkit/package.json | Upgraded glob from ^7.2.3–^11.0.2 to ^11.1.0. |
| Glob API Migration to Promises: workspaces/apk/apk-extension/src/test/suite/index.ts, workspaces/ballerina/ballerina-extension/test/ai/integration_tests/libs/index.ts | Migrated from callback-based glob() to promise-based API with async/await and try/catch error handling. Updated import statement to use named export { glob }. |
| Webpack Configuration Refactoring: workspaces/ballerina/ballerina-extension/webpack.config.js | Replaced deprecated webpack-merge-and-include-globally plugin with custom concatenateAndMinify helper function. Added file concatenation, minification via uglify-js, and error handling in Webpack's afterEmit hook. Removed webpack-merge-and-include-globally from devDependencies. |
| .gitignore Updates: workspaces/api-designer/api-designer-visualizer/.gitignore, workspaces/common-libs/service-designer/.gitignore, workspaces/common-libs/ui-toolkit/.gitignore | Added ignore entries for build artifacts and Storybook resources: lib/, storybook-static/, .storybook/fonts/. |
| Font Icon Character Mappings: workspaces/ballerina/ballerina-extension/package.json, workspaces/mi/mi-extension/package.json | Updated icon fontCharacter mappings for distro-design-view, distro-start, distro-debug, distro-persist-diagram, and distro-build-package. |
| Other Dependency Updates: workspaces/common-libs/font-wso2-vscode/package.json | Upgraded fantasticon from ^1.2.3 to ^3.0.0. |
| Test Framework Updates: workspaces/mi/mi-diagram/package.json | Upgraded jest, @types/jest, and babel-jest from 29.x to ^30.0.0. |

Sequence Diagram(s)

sequenceDiagram
    participant Test as Test Runner
    participant OldGlob as Callback-based glob()
    participant NewGlob as Promise-based glob()
    participant FS as File System
    participant Mocha as Mocha

    rect rgb(220, 240, 220)
    Note over OldGlob,Mocha: Old Flow (Callback)
    Test->>OldGlob: glob(pattern, callback)
    OldGlob->>FS: Scan files
    FS-->>OldGlob: File list (in callback)
    OldGlob->>Mocha: Register files
    OldGlob->>Mocha: Run tests
    end

    rect rgb(240, 220, 220)
    Note over NewGlob,Mocha: New Flow (Promise/Async)
    Test->>NewGlob: await glob(pattern)
    NewGlob->>FS: Scan files
    FS-->>NewGlob: Promise resolves with list
    NewGlob->>Mocha: Register files (.then)
    NewGlob->>Mocha: Run tests
    alt Error
        NewGlob->>Test: Error caught (.catch)
    end
    end

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

  • Areas requiring extra attention:
    • workspaces/ballerina/ballerina-extension/webpack.config.js — Complex refactoring replacing webpack plugin with custom minification logic; verify error handling paths and minification correctness
    • workspaces/apk/apk-extension/src/test/suite/index.ts and workspaces/ballerina/ballerina-extension/test/ai/integration_tests/libs/index.ts — Glob API migration; ensure all error paths and async sequencing are properly handled
    • package.json files across extensions — Multiple heterogeneous changes (copyfiles→rsync, version bumps); verify rsync command semantics match original copyfiles behavior
    • Font icon mappings — Validate character codes are correct and tests pass with updated values

Suggested reviewers

  • hevayo
  • kaje94

Poem

🐰 Hoppy hop, the CVE's fixed at last,
Rsync replaces copyfiles of the past,
Promises bloom where callbacks once did stay,
Webpack's rebuilt in a shinier way!
Fonts dance new, and tests all pass—
Forward we bound, through the looking glass!

Pre-merge checks and finishing touches

❌ Failed checks (2 warnings, 1 inconclusive)
| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Description check | ⚠️ Warning | The PR description is largely incomplete with mostly unfilled placeholder text. The Goals, Approach, User stories, Release note, Documentation, Training, Certification, Marketing, Samples, Related PRs, Migrations, Test environment, and Learning sections contain only template prompts without substantive content. | Complete the Goals, Approach, and other critical sections with specific details about what CVE-2025-64756 is, how it was fixed (dependency upgrades, tooling migration), testing performed, and why changes were made. |
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 33.33% which is insufficient. The required threshold is 80.00%. | You can run @coderabbitai generate docstrings to improve docstring coverage. |
| Out of Scope Changes check | ❓ Inconclusive | While most changes align with vulnerability remediation (dependency upgrades, copyfiles→rsync migration, glob/vsce updates), some changes appear tangential: font icon character updates, webpack plugin replacement, and test framework upgrades lack clear connection to CVE-2025-64756. | Clarify in the PR description whether font updates, webpack changes, and Jest upgrades are directly related to the CVE fix or represent refactoring/maintenance bundled with this change. |
✅ Passed checks (2 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Title check | ✅ Passed | The title 'Fix CVE-2025-64756 Vulnerability' is concise, specific, and clearly identifies the main change—addressing a named CVE vulnerability. |
| Linked Issues check | ✅ Passed | The PR code changes address the linked issue #946 objective to fix CVE-2025-64756 by upgrading vulnerable dependencies and migrating to secure tooling across multiple package.json files and related code files. |

Comment @coderabbitai help to get the list of available commands and usage tips.
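
As an added example (not code from this PR or from the wso2 repository): one way to confirm that no workspace manifest still declares a glob range below the ^11.1.0 that the walkthrough says the PR moves to. The manifest paths and the names minVersion, compare and auditGlob are constructed for illustration; the old ranges in the sample are the ones the walkthrough names.

```javascript
// Added example, not project code. Floor taken from the walkthrough ("glob ... to ^11.1.0").
const FLOOR = [11, 1, 0];

// Lowest version a simple range admits. Handles "1.2.3", "^1.2.3", "~1.2.3"
// and ">=1.2.3"; returns null for anything else (tags, URLs, "*", unions,
// prereleases) so the caller flags it for manual review instead of passing it.
function minVersion(range) {
  const m = /^\s*(?:\^|~|>=)?\s*v?(\d+)\.(\d+)\.(\d+)\s*$/.exec(String(range));
  return m ? m.slice(1, 4).map(Number) : null;
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// manifests: { path: parsed package.json object }.
// Returns one finding per glob declaration that is below the floor or unparseable.
function auditGlob(manifests, floor = FLOOR) {
  const findings = [];
  const sections = ["dependencies", "devDependencies", "optionalDependencies"];
  for (const [path, pkg] of Object.entries(manifests)) {
    for (const section of sections) {
      const range = pkg[section] && pkg[section].glob;
      if (range === undefined) continue;
      const min = minVersion(range);
      const status = min === null ? "review" : compare(min, floor) < 0 ? "below-floor" : "ok";
      if (status !== "ok") findings.push({ path, section, range, status });
    }
  }
  return findings;
}

// Constructed sample manifests (hypothetical paths).
const sample = {
  "example/a/package.json": { devDependencies: { glob: "^7.2.3" } },
  "example/b/package.json": { dependencies: { glob: "^11.0.2" } },
  "example/c/package.json": { devDependencies: { glob: "^11.1.0" } },
  "example/d/package.json": { dependencies: { glob: "latest" } },
};
console.log(auditGlob(sample));
```

This checks declared ranges only; copies of glob pulled in transitively and pinned in the lockfile need a separate check.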

@gigara gigara merged commit bc7ab36 into wso2:main Nov 19, 2025
10 of 13 checks passed

Labels

Checks/Run MI UI Tests Force run MI UI tests

Development

Successfully merging this pull request may close these issues.

[Task] Fix CVE-2025-64756 Vulnerability

2 participants