Fix CVE-2025-69873 by updating ajv to patched versions

[sbouchet]

What does this PR do?

This PR fixes CVE-2025-69873: ReDoS via $data reference

ajv version is updated to 8.18.0

What issues does this PR fix?

https://issues.redhat.com/browse/CRW-10189
https://issues.redhat.com/browse/CRW-10193

How to test this PR?

Does this PR contain changes that override default upstream Code-OSS behavior?

• the PR contains changes in the code folder (you can skip it if your changes are placed in a che extension )
• the corresponding items were added to the CHANGELOG.md file
• rules for automatic git rebase were added to the .rebase folder

[github-actions]

Click here to review and test in web IDE:

[github-actions]

Pull Request images published ✨

Editor amd64: quay.io/che-incubator-pull-requests/che-code:pr-654-amd64
Editor arm64: quay.io/che-incubator-pull-requests/che-code:pr-654-arm64
Dev image: quay.io/che-incubator-pull-requests/che-code-dev:pr-654-dev-amd64

[github-actions]

Pull Request images published ✨

Editor amd64: quay.io/che-incubator-pull-requests/che-code:pr-654-amd64
Editor arm64: quay.io/che-incubator-pull-requests/che-code:pr-654-arm64
Dev image: quay.io/che-incubator-pull-requests/che-code-dev:pr-654-dev-amd64

[github-actions]

Pull Request images published ✨

Editor amd64: quay.io/che-incubator-pull-requests/che-code:pr-654-amd64
Editor arm64: quay.io/che-incubator-pull-requests/che-code:pr-654-arm64
Dev image: quay.io/che-incubator-pull-requests/che-code-dev:pr-654-dev-amd64

[github-actions]

Pull Request images published ✨

Editor amd64: quay.io/che-incubator-pull-requests/che-code:pr-654-amd64
Editor arm64: quay.io/che-incubator-pull-requests/che-code:pr-654-arm64
Dev image: quay.io/che-incubator-pull-requests/che-code-dev:pr-654-dev-amd64

[RomanNikitenko]

@sbouchet
I still see ajv 6.12.6 in different places:

• code/test/mcp/package-lock.json
• code/package-lock.json
• launcher/package-lock.json
• code/extensions/che-remote/package-lock.json

could you double-check if we need changes for those places as well
thanks in advance!

[RomanNikitenko]

about

axios version is updated to 1.13.5

in the PR description

I guess it's copy-paste problem

[sbouchet]

@RomanNikitenko :

• description fixed
• for ajv 6.x, i'm working on override it too, nice catch as always. the thing is i need to do deep verifications as the move from two majors version update may break stuff.

[sbouchet]

@sbouchet I still see ajv 6.12.6 in different places:

• code/test/mcp/package-lock.json
• code/package-lock.json
• launcher/package-lock.json
• code/extensions/che-remote/package-lock.json

could you double-check if we need changes for those places as well thanks in advance!

even better i found that the maintainers have published a fix for this ! 6.14.0 will be

[github-actions]

Pull Request images published ✨

Editor amd64: quay.io/che-incubator-pull-requests/che-code:pr-654-amd64
Editor arm64: quay.io/che-incubator-pull-requests/che-code:pr-654-arm64
Dev image: quay.io/che-incubator-pull-requests/che-code-dev:pr-654-dev-amd64

[github-actions]

Pull Request images published ✨

Editor amd64: quay.io/che-incubator-pull-requests/che-code:pr-654-amd64
Editor arm64: quay.io/che-incubator-pull-requests/che-code:pr-654-arm64
Dev image: quay.io/che-incubator-pull-requests/che-code-dev:pr-654-dev-amd64

[RomanNikitenko]

License check failed: