Marc Dumais
For example, the Perl item: _Impacted Image File(s): /home/theia/plugins/vscode-builtin-perl/extension_ That built-in Perl extension contains almost nothing, and certainly not Perl itself. It's built from these sources: https://github.com/microsoft/vscode/tree/main/extensions/perl
I think these are all related to `alpine` packaged software, installed directly or indirectly in the [theia-docker Dockerfile](https://github.com/theia-ide/theia-apps/blob/master/theia-docker/Dockerfile#L27). The node [version](https://github.com/theia-ide/theia-apps/blob/master/theia-docker/Dockerfile#L1) we target determines the version of `alpine`-based `node` image...
There is an alternative: we have example images in this repo that do not consume the `node` docker image, which is the ultimate source of the vulnerable `alpine` packaged software. I...
> the difference between images is minimal (main difference is vscode extensions included).

I would rather say that the difference between the various Theia applications, made available in our various...
Hi @rattai, The use-case you describe, though potentially feasible, may have some significant impediments and side-effects. The user's home directory, mounted in the container, could potentially make changes that...
> I'm not talking about sharing users or directories with the host machine.

Understood, thanks for the clarification @rattai. I think we'll enable your use-case if we move the...
> @marcdumais I don't personally understand the need for a separate workspace folder like `/home/project` or `/workspace`. If `/home/theia` works the way we've discussed, I would probably place my workspace...
> The quick but not recommended fix is to set `THEIA_MINI_BROWSER_HOST_PATTERN={{hostname}}`. See Theia's [`CHANGELOG.md`](https://github.com/eclipse-theia/theia/blob/master/CHANGELOG.md#v181---08122020).
>
> But it is recommended to support virtual hosts one way or the other to...
My thought is to make an enhancement to Eclipse Theia, to warn, at `browser app` start-up, if either webviews or the mini-browser are not optimally configured for security. Once we...
@paul-marechal @vince-fugnitto any thoughts how to best implement that? Could each component check at startup if they are configured to deploy each webview on its own, unique origin. If not,...