
chore(security): patch form-data, ignore dev-only vite advisory #68

Merged
olivrg merged 1 commit into main from chore/security-audit-advisories on Jun 16, 2026

Conversation

@olivrg olivrg (Contributor) commented Jun 16, 2026

Description

Two high-severity advisories surfaced in the repo-wide pnpm audit --audit-level=high gate (both transitive, both newly disclosed, so they now fail CI on main as well):

Closes #

Type of Change

  • Bug fix (non-breaking change that fixes an issue)
  • New feature (non-breaking change that adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Refactor (no functional changes)
  • Documentation
  • CI / build / tooling

Packages Affected

  • packages/proxy
  • packages/dashboard
  • packages/python-sdk
  • Root config / monorepo tooling
  • docs/
  • examples/

Checklist

  • ESLint + Prettier pass
  • TypeScript strict mode passes
  • All CI checks pass (pnpm audit --audit-level=high now exits 0, plus lint / format:check / typecheck / test / build)

How to Test

  1. pnpm audit --audit-level=high → exits 0 (0 non-ignored high/critical advisories).
  2. pnpm why form-data → resolves to >=4.0.6.
  3. pnpm test → full suite passes (Slack @slack/web-api path exercised on form-data 4.0.6). (No Closes #… — this is maintenance; it references "chore(deps): upgrade vite so esbuild ≥0.28.1, then drop the GHSA-gv7w-rqvm-qjhr audit ignore" (#64) but doesn't close it.)

Additional Context

Two high-severity advisories surfaced in the repo-wide `pnpm audit --audit-level=high` gate (both transitive, both newly disclosed, so they now fail CI on main as well):

- form-data (GHSA-hmw2-7cc7-3qxx, <4.0.6): CRLF injection via unescaped
  multipart field names/filenames. Reaches the runtime via @slack/web-api.
  Fixed with a pnpm override forcing form-data >=4.0.6 (a safe 4.x patch bump;
  proxy + Slack channel tests pass on 4.0.6).
- vite (GHSA-fx2h-pf6j-xcff, <=6.4.2): server.fs.deny bypass in the vite DEV
  server. The dashboard ships as prebuilt static assets served by the proxy;
  the vite dev server never runs in production, so the advisory does not affect
  the shipped artifact. Added to ignoreGhsas as dev-only, matching the esbuild
  precedent (#63). To be dropped when vite is upgraded (#64).
@olivrg olivrg merged commit 0955589 into main Jun 16, 2026
3 checks passed
@olivrg olivrg deleted the chore/security-audit-advisories branch June 16, 2026 10:16