Fix CVE-2026-4926 by updating path-to-regexp to patched versions

[sbouchet]

What does this PR do?

This PR fixes CVE-2026-4926.

path-to-regexp versions is updated to latest version 8.4.0

What issues does this PR fix?

https://redhat.atlassian.net/browse/CRW-10598
https://redhat.atlassian.net/browse/CRW-10600

How to test this PR?

Does this PR contain changes that override default upstream Code-OSS behavior?

• the PR contains changes in the code folder (you can skip it if your changes are placed in a che extension )
• the corresponding items were added to the CHANGELOG.md file
• rules for automatic git rebase were added to the .rebase folder

Summary by CodeRabbit

• Chores
  • Updated package dependency override configurations to ensure consistency across the project's development environments.

[github-actions]

Click here to review and test in web IDE:

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: c51ef418-cc7c-400b-9055-5c76897038e4

📥 Commits

Reviewing files that changed from the base of the PR and between e76fa85 and dcc9cd9.

⛔ Files ignored due to path filters (2)

• code/package-lock.json is excluded by !**/package-lock.json
• code/test/mcp/package-lock.json is excluded by !**/package-lock.json

📒 Files selected for processing (5)

• .rebase/CHANGELOG.md
• .rebase/add/code/package.json
• .rebase/add/code/test/mcp/package.json
• code/package.json
• code/test/mcp/package.json

---

📝 Walkthrough

Walkthrough

This pull request adds a dependency override for path-to-regexp version 8.4.0 across multiple package.json files: code/package.json, code/test/mcp/package.json, and their corresponding files in the .rebase/add/ directory. A changelog entry is added to document these changes in PR #677.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Possibly related PRs

• Fix CVEs by updating minimatch to patched versions #659: Also modifies the same package.json override blocks (code/package.json and code/test/mcp/package.json), applying a similar pattern of dependency version pinning.

Suggested reviewers

• rgrunber
• azatsarynnyy
• vitaliy-guliy
• RomanNikitenko

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title directly and clearly summarizes the main change: updating path-to-regexp to fix a specific CVE vulnerability.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

Pull Request images published ✨

Editor amd64: quay.io/che-incubator-pull-requests/che-code:pr-677-amd64
Editor arm64: quay.io/che-incubator-pull-requests/che-code:pr-677-arm64
Dev image: quay.io/che-incubator-pull-requests/che-code-dev:pr-677-dev-amd64