Fix GHSA-3pwg-f3hj-wp8p

patches/backported-patches.json

@@ -0,0 +1,14 @@
+[
+    {
+        "finding_id": "GHSA-3pwg-f3hj-wp8p",
+        "affected_versions": "<1.109.1",
+        "patch_path": "common/fix-terminal-autoreplies.diff",
+        "link": "https://github.com/microsoft/vscode/security/advisories/GHSA-3pwg-f3hj-wp8p"
+    },
+    {
+        "finding_id": "CVE-2026-21523",
+        "affected_versions": "<1.109.1",
+        "patch_path": "common/fix-terminal-autoreplies.diff",
+        "link": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21523"
+    }
+]

patches/common/fix-terminal-autoreplies.diff

@@ -0,0 +1,16 @@
+Backporting fix for GHSA-3pwg-f3hj-wp8p advisory: https://github.com/microsoft/vscode/security/advisories/GHSA-3pwg-f3hj-wp8p
+
+Based on commit: https://github.com/microsoft/vscode/commit/670c6d9b2a6588cc90a1e347015966dc391795ba
+
+Index: code-editor-src/src/vs/workbench/contrib/terminalContrib/autoReplies/common/terminalAutoRepliesConfiguration.ts
+===================================================================
+--- code-editor-src.orig/src/vs/workbench/contrib/terminalContrib/autoReplies/common/terminalAutoRepliesConfiguration.ts
++++ code-editor-src/src/vs/workbench/contrib/terminalContrib/autoReplies/common/terminalAutoRepliesConfiguration.ts
+@@ -26,6 +26,7 @@ export const terminalAutoRepliesConfigur
+ 			},
+ 			{ type: 'null' }]
+ 		},
++		restricted: true,
+ 		default: {}
+ 	},
+ };

patches/sagemaker.series

@@ -18,6 +18,7 @@ common/build.diff
 common/integration.diff
 common/replace-gulp-untar.diff
 common/adopt-new-proxy-agent.diff
+common/fix-terminal-autoreplies.diff
 web-server/suppress-known-errors-build-integration.diff
 web-server/local-storage.diff
 web-server/base-path.diff

patches/web-embedded-with-terminal.series

@@ -18,6 +18,7 @@ common/build.diff
 common/integration.diff
 common/replace-gulp-untar.diff
 common/adopt-new-proxy-agent.diff
+common/fix-terminal-autoreplies.diff
 web-embedded/readd-workbench.diff
 web-embedded/suppress-known-errors-build-integration.diff
 web-embedded/disable-built-in-walkthroughs-from-c.diff

patches/web-embedded.series

@@ -18,6 +18,7 @@ common/build.diff
 common/integration.diff
 common/replace-gulp-untar.diff
 common/adopt-new-proxy-agent.diff
+common/fix-terminal-autoreplies.diff
 web-embedded/readd-workbench.diff
 web-embedded/suppress-known-errors-build-integration.diff
 web-embedded/disable-built-in-walkthroughs-from-c.diff

patches/web-server.series

@@ -18,6 +18,7 @@ common/build.diff
 common/integration.diff
 common/replace-gulp-untar.diff
 common/adopt-new-proxy-agent.diff
+common/fix-terminal-autoreplies.diff
 web-server/suppress-known-errors-build-integration.diff
 web-server/local-storage.diff
 web-server/base-path.diff

scripts/security-scan.sh

@@ -329,9 +329,21 @@ scan_github_advisories() {
     local repo_owner="microsoft"
     local repo_name="vscode"
     local vscode_version=$(jq -r '.version' third-party-src/package.json)
+    local backported_file="patches/backported-patches.json"
 
     echo "Found VS Code version: $vscode_version"
 
+    # Load backported patches list if exists
+    local -A backported_patches
+    if [ -f "$backported_file" ]; then
+        echo "Loading backported patches from $backported_file"
+        local finding_ids=$(jq -r '.[].finding_id' "$backported_file")
+        while IFS= read -r finding_id; do
+            [ -n "$finding_id" ] && backported_patches["$finding_id"]=1
+        done <<< "$finding_ids"
+        echo "Loaded ${#backported_patches[@]} backported patches to ignore"
+    fi
+
     echo "Fetching security advisories from GitHub API for $repo_owner/$repo_name"
 
     # Fetch security advisories using GitHub CLI
@@ -426,6 +438,13 @@ scan_github_advisories() {
             is_version_affected=true
         fi
 
+        # Check if this advisory is in the backported patches list
+        if [[ -v backported_patches["$ghsa_id"] ]] || [[ "$cve_id" != "N/A" && -v backported_patches["$cve_id"] ]]; then
+            echo "ℹ️  Ignoring - patch backported to current version"
+            advisory_index=$((advisory_index + 1))
+            continue
+        fi
+
         # Count concerning advisories based on combined criteria
         # Advisory is concerning if BOTH conditions are met:
         # 1. Version is affected AND 2. Severity is medium/high/critical