diff --git a/package.json b/package.json
index 7d741b4bc93ccc5912adead4ebcabdac222b5be8..542a9a878f921ccc559cd16c4bfdcfab4a0b17d2 100644
--- a/package.json
+++ b/package.json
@@ -75,7 +75,7 @@
"@gitlab/query-language": "^0.0.5-a-20240903",
"@gitlab/svgs": "3.112.0",
"@gitlab/ui": "91.1.2",
- "@gitlab/web-ide": "^0.0.1-dev-20240816130114",
+ "@gitlab/web-ide": "^0.0.1-dev-20240909013227",
"@mattiasbuelens/web-streams-adapter": "^0.1.0",
"@rails/actioncable": "7.0.8-4",
"@rails/ujs": "7.0.8-4",
diff --git a/patches/@gitlab+web-ide+0.0.1-dev-20240816130114.patch b/patches/@gitlab+web-ide+0.0.1-dev-20240909013227.patch
similarity index 99%
rename from patches/@gitlab+web-ide+0.0.1-dev-20240816130114.patch
rename to patches/@gitlab+web-ide+0.0.1-dev-20240909013227.patch
index 0b40e9ec7d4019edd6add822d43fadec777615e5..815bfb36eebc2b219942883365f42319c34c83d4 100644
--- a/patches/@gitlab+web-ide+0.0.1-dev-20240816130114.patch
+++ b/patches/@gitlab+web-ide+0.0.1-dev-20240909013227.patch
@@ -2950,5 +2950,5 @@ index 6a16dd1..99b1df4 100644
- const parentOrigin = searchParams.get('parentOrigin') || window.origin;
+ const parentOrigin = window.origin;
const salt = searchParams.get('salt');
- + (async function () {
diff --git a/spec/frontend/ide/web_ide_assets_spec.js b/spec/frontend/ide/web_ide_assets_spec.js
index d59b09f4cbc5f21afd601e9dc49961904cd5ebbf..692c7f9853c1c90363bbec9e5c07ac16dd67858b 100644
--- a/spec/frontend/ide/web_ide_assets_spec.js
+++ b/spec/frontend/ide/web_ide_assets_spec.js
@@ -25,6 +25,24 @@ describe('asset patching in @gitlab/web-ide', () => {
});
const htmlChildren = allChildren.filter((x) => x.endsWith('.html'));
+ /**
+ * ## What in the world is this test doing!?
+ *
+ * This test was introduced when we were fixing a [security vulnerability][1] related to GitLab self-hosting
+ * problematic `.html` files. These files could be exploited through an `iframe` on an `evil.com` and will
+ * assume the user's cookie authentication. Boom!
+ *
+ * ## How do I know if an `.html` file is vulnerable?
+ *
+ * - The `.html` file used the `postMessage` API and allowed any `origin` which enabled any external site to
+ * open it in an `iframe` and communicate to it.
+ * - The `iframe` exposed some internal VSCode message bus that could allow arbitrary requests. So watch out for
+ * `fetch`.
+ *
+ * [1]: https://gitlab.com/gitlab-org/security/gitlab-web-ide-vscode-fork/-/issues/1#note_1905417620
+ *
+ * ========== If expectation fails and you can't see the full comment... LOOK UP! ==============
+ */
expect(htmlChildren).toEqual([
// This is the only HTML file we expect and it's protected by the other test.
'out/vs/workbench/services/extensions/worker/webWorkerExtensionHostIframe.html',
@@ -33,6 +51,9 @@ describe('asset patching in @gitlab/web-ide', () => {
'extensions/microsoft-authentication/media/index.html',
'extensions/gitlab-vscode-extension/webviews/security_finding/index.html',
'extensions/gitlab-vscode-extension/webviews/gitlab_duo_chat/index.html',
+ 'extensions/gitlab-vscode-extension/assets/language-server/webviews/duo-workflow/index.html',
+ 'extensions/gitlab-vscode-extension/assets/language-server/webviews/duo-chat/index.html',
+ 'extensions/gitlab-vscode-extension/assets/language-server/webviews/chat/index.html',
'extensions/github-authentication/media/index.html',
]);
});
diff --git a/yarn.lock b/yarn.lock
index 471bef114f229f4fa7bf04ed89fcb8fc318920a7..b4401ebf43ec230b7acc34c23c1158aa2b2152b1 100644
--- a/yarn.lock
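Review bot: The three `assets/language-server/webviews/*/index.html` entries added to the expected list are allowlisted with nothing in the diff showing they were checked against the criteria the new comment sets out (a `postMessage` handler that accepts any `origin`, a message bus reachable from an embedding `iframe`), so the expectation now only records that these files exist, not that they are safe — the `// ... protected by the other test` remark covers the first entry alone. Add a short comment above the new entries, e.g. `// Reviewed against the postMessage/origin criteria above in <MR-OR-ISSUE-REF>; re-check when the language-server bundle changes`, so the next person appending a path knows an audit is expected rather than a copy-paste. A stronger follow-up is a test that reads each allowlisted file and fails when it posts with a `'*'` target origin or registers a `message` listener without an `event.origin` check, which would turn the allowlist back into an actual assertion. The enclosing `describe` block continues outside the hunk.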
+++ b/yarn.lock
@@ -1378,10 +1378,10 @@
vue-functional-data-merge "^3.1.0"
vue-runtime-helpers "^1.1.2"
-"@gitlab/web-ide@^0.0.1-dev-20240816130114":
- version "0.0.1-dev-20240816130114"
- resolved "https://registry.yarnpkg.com/@gitlab/web-ide/-/web-ide-0.0.1-dev-20240816130114.tgz#25a88d945095ea10bab9fbed5de1daea205b0bf1"
- integrity sha512-Uv3n+l3oS5ywBWxzXhriFvxYUYw4KBHxlQJEIN3w0gzEiFgV7sYwQmJjCjhukN0PNCIX0akHZYwMm+ow/vD9IA==
+"@gitlab/web-ide@^0.0.1-dev-20240909013227":
+ version "0.0.1-dev-20240909013227"
+ resolved "https://registry.yarnpkg.com/@gitlab/web-ide/-/web-ide-0.0.1-dev-20240909013227.tgz#6ba20cabe4b3dee8eacbb0e3aa4d71b49b30fecc"
+ integrity sha512-fWkkQ3Vm03NmDrJVmEO7nteRzXHj2J4GGfKifILpMeWjKp2X7nPjatHsbOWS8TqEVQUTrL5SB6yV+p6242fAtA==
"@graphql-eslint/eslint-plugin@3.20.1":
version "3.20.1"
@@ -13104,16 +13104,7 @@ string-length@^4.0.1:
char-regex "^1.0.2"
strip-ansi "^6.0.0"
-"string-width-cjs@npm:string-width@^4.2.0":
- version "4.2.3"
- resolved "https://registry.yarnpkg.com/string-width/-/string-width-4.2.3.tgz#269c7117d27b05ad2e536830a8ec895ef9c6d010"
- integrity sha512-wKyQRQpjJ0sIp62ErSZdGsjMJWsap5oRNihHhu6G7JVO/9jIB6UyevL+tXuOqrng8j/cxKTWyWUwvSTriiZz/g==
- dependencies:
- emoji-regex "^8.0.0"
- is-fullwidth-code-point "^3.0.0"
- strip-ansi "^6.0.1"
-
-"string-width@^1.0.2 || 2 || 3 || 4", string-width@^4.1.0, string-width@^4.2.0, string-width@^4.2.3:
+"string-width-cjs@npm:string-width@^4.2.0", "string-width@^1.0.2 || 2 || 3 || 4", string-width@^4.1.0, string-width@^4.2.0, string-width@^4.2.3:
version "4.2.3"
resolved "https://registry.yarnpkg.com/string-width/-/string-width-4.2.3.tgz#269c7117d27b05ad2e536830a8ec895ef9c6d010"
integrity sha512-wKyQRQpjJ0sIp62ErSZdGsjMJWsap5oRNihHhu6G7JVO/9jIB6UyevL+tXuOqrng8j/cxKTWyWUwvSTriiZz/g==
@@ -13166,7 +13157,7 @@ string_decoder@^1.0.0, string_decoder@^1.1.1, string_decoder@~1.1.1:
dependencies:
safe-buffer "~5.1.0"
-"strip-ansi-cjs@npm:strip-ansi@^6.0.1":
+"strip-ansi-cjs@npm:strip-ansi@^6.0.1", strip-ansi@^6.0.0, strip-ansi@^6.0.1:
version "6.0.1"
resolved "https://registry.yarnpkg.com/strip-ansi/-/strip-ansi-6.0.1.tgz#9e26c63d30f53443e9489495b2105d37b67a85d9"
integrity sha512-Y38VPSHcqkFrCpFnQ9vuSXmquuv5oXOKpGeT6aGrr3o3Gc9AlVa6JBfUSOCnbxGGZF+/0ooI7KrPuUSztUdU5A==
@@ -13180,13 +13171,6 @@ strip-ansi@^5.2.0:
dependencies:
ansi-regex "^4.1.0"
-strip-ansi@^6.0.0, strip-ansi@^6.0.1:
- version "6.0.1"
- resolved "https://registry.yarnpkg.com/strip-ansi/-/strip-ansi-6.0.1.tgz#9e26c63d30f53443e9489495b2105d37b67a85d9"
- integrity sha512-Y38VPSHcqkFrCpFnQ9vuSXmquuv5oXOKpGeT6aGrr3o3Gc9AlVa6JBfUSOCnbxGGZF+/0ooI7KrPuUSztUdU5A==
- dependencies:
- ansi-regex "^5.0.1"
-
strip-ansi@^7.0.1, strip-ansi@^7.1.0:
version "7.1.0"
resolved "https://registry.yarnpkg.com/strip-ansi/-/strip-ansi-7.1.0.tgz#d5b6568ca689d8561370b0707685d22434faff45"
@@ -14878,7 +14862,7 @@ worker-loader@^3.0.8:
loader-utils "^2.0.0"
schema-utils "^3.0.0"
-"wrap-ansi-cjs@npm:wrap-ansi@^7.0.0":
+"wrap-ansi-cjs@npm:wrap-ansi@^7.0.0", wrap-ansi@^7.0.0:
version "7.0.0"
resolved "https://registry.yarnpkg.com/wrap-ansi/-/wrap-ansi-7.0.0.tgz#67e145cff510a6a6984bdf1152911d69d2eb9e43"
integrity sha512-YVGIj2kamLSTxw6NsZjoBxfSwsn0ycdesmc4p+Q21c5zPuZ1pl+NfxVdxPtdHvmNVOQ6XSYG4AUtyt/Fi7D16Q==
@@ -14896,15 +14880,6 @@ wrap-ansi@^6.2.0:
string-width "^4.1.0"
strip-ansi "^6.0.0"
-wrap-ansi@^7.0.0:
- version "7.0.0"
- resolved "https://registry.yarnpkg.com/wrap-ansi/-/wrap-ansi-7.0.0.tgz#67e145cff510a6a6984bdf1152911d69d2eb9e43"
- integrity sha512-YVGIj2kamLSTxw6NsZjoBxfSwsn0ycdesmc4p+Q21c5zPuZ1pl+NfxVdxPtdHvmNVOQ6XSYG4AUtyt/Fi7D16Q==
- dependencies:
- ansi-styles "^4.0.0"
- string-width "^4.1.0"
- strip-ansi "^6.0.0"
-
wrap-ansi@^8.1.0:
version "8.1.0"
resolved "https://registry.yarnpkg.com/wrap-ansi/-/wrap-ansi-8.1.0.tgz#56dc22368ee570face1b49819975d9b9a5ead214"