From dd6b227bfe34c58680f3af4c19e4da1d1f0d22f9 Mon Sep 17 00:00:00 2001
From: ka-ishimoto
Date: Thu, 4 Jun 2026 13:46:59 +0900
Subject: [PATCH] Fix false positive CVE alerts by setting package name to code-oss-dev

The VS Code build process sets the bundled lib/vscode/package.json name to "code-server" (from product.json nameShort), causing vulnerability scanners to misidentify it and flag non-applicable CVEs. Override the name to "code-oss-dev" in build-release.sh after merging package.json.

Fixes #7071

Signed-off-by: ka-ishimoto
---
 ci/build/build-release.sh | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/ci/build/build-release.sh b/ci/build/build-release.sh
index 9ded35f98ccb..30dcfef6399e 100755
--- a/ci/build/build-release.sh
+++ b/ci/build/build-release.sh
@@ -128,7 +128,9 @@ bundle_vscode() {
   # Merge the package.json for the web/remote server so we can include
   # dependencies, since we want to ship this via NPM.
-  jq --slurp '.[0] * .[1]' \
+  # Also override the name to prevent vulnerability scanners from
+  # misidentifying this package as VS Code (see #7071).
+  jq --slurp '.[0] * .[1] | .name = "code-oss-dev"' \
     "$VSCODE_SRC_PATH/remote/package.json" \
     "$VSCODE_OUT_PATH/package.json" > "$VSCODE_OUT_PATH/package.json.merged"
   mv "$VSCODE_OUT_PATH/package.json.merged" "$VSCODE_OUT_PATH/package.json"
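Review bot: The new jq filter rewrites only `.name`; whether SCA tooling then maps the bundled package to the correct upstream advisories also depends on `.version` in the merged package.json being the Code OSS version rather than code-server's own, and the hunk does not show which one survives the `.[0] * .[1]` merge. Worth confirming and stating in the added comment, since a name/version pair that points at the wrong project silently suppresses the advisories that do apply to the bundled editor, e.g. `# ... so SCA tooling matches the bundled Code OSS release (name + version) instead of code-server's own advisories.` As a point of style, pass the value with `jq --arg name code-oss-dev --slurp '.[0] * .[1] | .name = $name'` rather than embedding the literal inside the filter string. The redirect-then-`mv` pair will also rename a truncated or empty output into place if jq fails, unless the script runs under `set -e`/`pipefail`, which the hunk does not show; `bundle_vscode` starts outside the hunk.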