Npm version when downloading code-server from release the released version is coming as 1.0.1 which is throwing vulnerability

[BinitAmin]

Hi Team,

We are using this code server extension in our docker container with below steps to install in container.

Downloading from release -linux-arm64 version
Extracting the tar and coping code-server folder into /use/bin/
And we have added command in supervisor.conf to run code-server with port and host

To summarize above steps I am following standalone release section from install page.

Recently we are receiving vulnerability related to npm and when I checked it is showing version 1.0.1 installed. Which is there inside the extension/package.json file.. as we are extracting the deployed tar file vulnerability is getting popped up from code-server folder. Now I am not sure how to get the latest version there in the deployed file.

Please can someone suggest anything? Or is there any other approach that I should follow?

[code-asher]

Which package are you seeing the vulnerability for? Usually anything in the extensions directory is a false positive (see #6332). The extensions have names that collide with npm packages, so the tools think they are vulnerable, but really they are unrelated.

[BinitAmin]

There are so many the total counts for CVE list is 31 from our Mend (qualys) security scan report. Some of them like only npm have 7 CVE popping up.
Below are the packages -
Pug-code-gen
Pug
Npm
Markdown
Jason
Ini
Handlebars
Grunt
Diff
Debug
Brace-expansion

I have gone through the thread but couldn't understand how can I mark them as false positive. I know it's false positive but qualys scan says it's positive and I am not able to convince our vulnerability scan department further. Is there any approach that I can try? Like deleting the folder for above packages? Being a developer I should not say deleting the specific package from package folder will help me but say for an example I am installing npm separately then should I delete npm extension library?

Further details -
All the vulnerability description starts with below
Nodejs (npm) Security Update for 'package_name' (GHSA-some_randome_number)

[code-asher]

If your team is not willing or is unable to mark false positives as false positives (I am not familiar with Mend), then maybe you could try deleting the entire lib/vscode/extensions directory before running the scanner.

[BinitAmin]

Deleting the entire extension folder is not helpful. So I have deleted all the affected packages.json file from the extension folder. That was I was able to remove most of all but 1.

There is on more CVE that couldn't fix - CVE-2025-47269
NodeJs (npm) security update for code-server (GHSA-p483-wpfp-42cj)

Currently I am using latest code-server 1.104.0

In the report it is pointing to below path
/Lib/vscode/package.json
Why the CVE suggestion is saying use the code-server 4.99.4 ?

I tried deleting that package.json 😂 , it has started throwing so many warnings afterwards.. It should not be deleted..

Please suggest something on this last CVE

[code-asher]

That is another false positive caused by #7071

[code-asher]

By the way, if you are trying to run code-server with these deleted package.json files, I am not sure that will work. It may cause the builtin extensions to not load at all. They should only be deleted for the scanner and not when distributed to end users.

Possibly you could try renaming the names in the package.json files instead, but I am not sure that will work.