Skip to content

fix(deps): bump form-data override to 4.0.6 (CRLF advisory)#39

Merged
pchuri merged 1 commit into
mainfrom
fix/form-data-advisory
Jun 18, 2026
Merged

fix(deps): bump form-data override to 4.0.6 (CRLF advisory)#39
pchuri merged 1 commit into
mainfrom
fix/form-data-advisory

Conversation

@pchuri

@pchuri pchuri commented Jun 18, 2026

Copy link
Copy Markdown
Owner

Problem

CI's security job (npm audit --audit-level high --omit=dev) is failing on every branch with a high-severity advisory:

  • GHSA-hmw2-7cc7-3qxx — CRLF injection in form-data via unescaped multipart field names/filenames. Affects form-data 4.0.0–4.0.5.

The root cause is the overrides block in package.json, which pinned form-data to 4.0.4 (a vulnerable version). axios pulls it in transitively. The advisory was published after main's last green build, so npm audit only started flagging it recently — it is not caused by any code change.

Fix

Bump the form-data override from 4.0.4 to 4.0.6 (the fixed release; compatible with the resolved axios). After npm install:

$ npm audit --audit-level high --omit=dev
found 0 vulnerabilities

Notes

  • Lockfile churn beyond form-data is incidental npm install normalization: the stale top-level lockfile version (2.6.0) was synced to the current 2.8.0, and peer: true metadata markers were added to some devDependencies. No production dependency other than form-data (and its sub-deps hasown/mime-types) changed.
  • Full test suite passes (273 tests).
  • Unblocks the security check on fix(comment): convert plain text to ADF for v3 and surface field errors #38 once merged and that branch picks up main.

🤖 Generated with Claude Code

The overrides block pinned form-data to 4.0.4, which is affected by
GHSA-hmw2-7cc7-3qxx (high-severity CRLF injection via unescaped
multipart field names). The advisory was published after the last main
build, so `npm audit --audit-level high --omit=dev` now fails CI on
every branch. Bump the override to 4.0.6 (the fixed release, compatible
with axios). `npm audit --omit=dev` is clean afterward.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@pchuri pchuri merged commit 4bf04e8 into main Jun 18, 2026
5 checks passed
@pchuri pchuri deleted the fix/form-data-advisory branch June 18, 2026 08:12
github-actions Bot pushed a commit that referenced this pull request Jun 18, 2026
## [2.8.1](v2.8.0...v2.8.1) (2026-06-18)

### Bug Fixes

* **comment:** convert plain text to ADF for v3 and surface field errors ([#38](#38)) ([70375dd](70375dd)), closes [#37](#37)
* **deps:** bump form-data override to 4.0.6 to resolve CRLF advisory ([#39](#39)) ([4bf04e8](4bf04e8))
@github-actions

Copy link
Copy Markdown

🎉 This PR is included in version 2.8.1 🎉

The release is available on:

Your semantic-release bot 📦🚀

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant