From 78f2506d16e2664230a288122b28c3df13e8daf1 Mon Sep 17 00:00:00 2001
From: olivrg
Date: Tue, 16 Jun 2026 11:03:58 +0100
Subject: [PATCH] chore(security): patch form-data, ignore dev-only vite advisory

Two high-severity advisories surfaced in the repo-wide `pnpm audit --audit-level=high` gate (both transitive, both newly disclosed, so they now fail CI on main as well):
- form-data (GHSA-hmw2-7cc7-3qxx, <4.0.6): CRLF injection via unescaped multipart field names/filenames. Reaches the runtime via @slack/web-api. Fixed with a pnpm override forcing form-data >=4.0.6 (a safe 4.x patch bump; proxy + Slack channel tests pass on 4.0.6).
- vite (GHSA-fx2h-pf6j-xcff, <=6.4.2): server.fs.deny bypass in the vite DEV server. The dashboard ships as prebuilt static assets served by the proxy; the vite dev server never runs in production, so the advisory does not affect the shipped artifact. Added to ignoreGhsas as dev-only, matching the esbuild precedent (#63). To be dropped when vite is upgraded (#64).

---
 package.json | 6 +++++-
 pnpm-lock.yaml | 34 ++++++++++++++--------------------
 2 files changed, 19 insertions(+), 21 deletions(-)

diff --git a/package.json b/package.json
index f4da7e0..19b69a4 100644
--- a/package.json
+++ b/package.json
@@ -33,8 +33,12 @@
 "pnpm": {
 "auditConfig": {
 "ignoreGhsas": [
- "GHSA-gv7w-rqvm-qjhr"
+ "GHSA-gv7w-rqvm-qjhr",
+ "GHSA-fx2h-pf6j-xcff"
 ]
+ },
+ "overrides": {
+ "form-data@>=4.0.0 <4.0.6": ">=4.0.6"
 }
 }
 }
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index fc2da7f..f13e6b6 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -5,13 +5,7 @@ settings:
 excludeLinksFromLockfile: false
 overrides:
- path-to-regexp: 8.4.2
- axios: 1.17.0
- fast-uri: 3.1.2
- follow-redirects: 1.16.0
- brace-expansion@1.1.12: 1.1.13
- brace-expansion@5.0.4: 5.0.5
- postcss@8.5.8: 8.5.10
+ form-data@>=4.0.0 <4.0.6: '>=4.0.6'
 importers:
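Review bot: The new `pnpm.overrides` block seems to replace rather than extend the overrides previously in force: the pnpm-lock.yaml hunk at `@@ -5,13 +5,7 @@` drops seven recorded overrides (path-to-regexp 8.4.2, axios 1.17.0, fast-uri 3.1.2, follow-redirects 1.16.0, brace-expansion 1.1.13 and 5.0.5, postcss 8.5.10) and the later hunks revert the postcss peer pins from `8.5.10` to `'>=8.0.9'` and `^8.4.12`, so those earlier pins — which look like prior advisory fixes — are no longer enforced, even though the shown snapshots still resolve axios 1.17.0 and follow-redirects 1.16.0 for now. Where those overrides were defined is not in this patch (presumably a pnpm-workspace.yaml or an earlier package.json); either add the form-data override alongside them or carry all of them into this block so the lockfile diff only adds form-data, as sketched below. Separately, the override value `">=4.0.6"` has no upper bound, so a future form-data major release would also satisfy it, which does not match the "safe 4.x patch bump" described; `"^4.0.6"` keeps it within 4.x, and note that the selector `>=4.0.0 <4.0.6` would not catch a 2.x/3.x form-data the advisory also covers, should one enter the tree. Because JSON cannot carry a comment, the dev-only justification for `GHSA-fx2h-pf6j-xcff` lives only in this commit message; referencing it from #64 keeps the ignore from outliving the vite upgrade.
```json
    "overrides": {
      "path-to-regexp": "8.4.2",
      "axios": "1.17.0",
      "fast-uri": "3.1.2",
      "follow-redirects": "1.16.0",
      "brace-expansion@1.1.12": "1.1.13",
      "brace-expansion@5.0.4": "5.0.5",
      "postcss@8.5.8": "8.5.10",
      "form-data@>=4.0.0 <4.0.6": "^4.0.6"
    }
```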
@@ -1669,8 +1663,8 @@ packages:
 debug:
 optional: true
- form-data@4.0.5:
- resolution: {integrity: sha512-8RipRLol37bNs2bhoV67fiTEvdTrbMUYcFTiy3+wuuOnUog2QBHCZWXDRijWQfAkhBj2Uf5UnVaiWwA5vdd82w==}
+ form-data@4.0.6:
+ resolution: {integrity: sha512-vKatAh4SlVfgbv+YtmhiRjhEMJsYpsG1Y2rMQtR+SVSbytsSD1YGzDIcrAJmdFec88u/+VoGmxnl+80gL1tRCQ==}
 engines: {node: '>= 6'}
 forwarded@0.2.0:
@@ -1737,8 +1731,8 @@ packages:
 resolution: {integrity: sha512-NqADB8VjPFLM2V0VvHUewwwsw0ZWBaIdgo+ieHtK3hasLz4qeCRjYcqfB6AQrBggRKppKF8L52/VqdVsO47Dlw==}
 engines: {node: '>= 0.4'}
- hasown@2.0.2:
- resolution: {integrity: sha512-0hJU9SCPvmMzIBdZFqNPXWa6dqh7WdH0cII9y+CyS8rG3nL48Bclra9HmKhVVUHyPWNH5Y7xDwAB7bfgSjkUMQ==}
+ hasown@2.0.4:
+ resolution: {integrity: sha512-T2UbfbBEF32wiepXIsMlTW9+dDYC6wMh/t/vYA4tuOMKqWz/n3vr1NFSxQiyP+zk2mXsoMA/i/7qV6LKut1t1A==}
 engines: {node: '>= 0.4'}
 hermes-estree@0.25.1:
@@ -2173,7 +2167,7 @@ packages:
 engines: {node: '>= 18'}
 peerDependencies:
 jiti: '>=1.21.0'
- postcss: 8.5.10
+ postcss: '>=8.0.9'
 tsx: ^4.8.1
 yaml: ^2.4.2
 peerDependenciesMeta:
@@ -2538,7 +2532,7 @@ packages:
 peerDependencies:
 '@microsoft/api-extractor': ^7.36.0
 '@swc/core': ^1
- postcss: 8.5.10
+ postcss: ^8.4.12
 typescript: '>=4.5.0'
 peerDependenciesMeta:
 '@microsoft/api-extractor':
@@ -3283,7 +3277,7 @@ snapshots:
 '@types/retry': 0.12.0
 axios: 1.17.0
 eventemitter3: 5.0.4
- form-data: 4.0.5
+ form-data: 4.0.6
 is-electron: 2.2.2
 is-stream: 2.0.1
 p-queue: 6.6.2
@@ -3670,7 +3664,7 @@ snapshots:
 axios@1.17.0:
 dependencies:
 follow-redirects: 1.16.0
- form-data: 4.0.5
+ form-data: 4.0.6
 https-proxy-agent: 5.0.1
 proxy-from-env: 2.1.0
 transitivePeerDependencies:
@@ -3941,7 +3935,7 @@ snapshots:
 es-errors: 1.3.0
 get-intrinsic: 1.3.0
 has-tostringtag: 1.0.2
- hasown: 2.0.2
+ hasown: 2.0.4
 es-toolkit@1.45.1: {}
@@ -4197,12 +4191,12 @@ snapshots:
 follow-redirects@1.16.0: {}
- form-data@4.0.5:
+ form-data@4.0.6:
 dependencies:
 asynckit: 0.4.0
 combined-stream: 1.0.8
 es-set-tostringtag: 2.1.0
- hasown: 2.0.2
+ hasown: 2.0.4
 mime-types: 2.1.35
 forwarded@0.2.0: {}
@@ -4228,7 +4222,7 @@ snapshots:
 get-proto: 1.0.1
 gopd: 1.2.0
 has-symbols: 1.1.0
- hasown: 2.0.2
+ hasown: 2.0.4
 math-intrinsics: 1.1.0
 get-proto@1.0.1:
@@ -4260,7 +4254,7 @@ snapshots:
 dependencies:
 has-symbols: 1.1.0
- hasown@2.0.2:
+ hasown@2.0.4:
 dependencies:
 function-bind: 1.1.2