fix(deps): bump form-data override to 4.0.6 (CRLF advisory)#39
Merged
Conversation
The overrides block pinned form-data to 4.0.4, which is affected by GHSA-hmw2-7cc7-3qxx (high-severity CRLF injection via unescaped multipart field names). The advisory was published after the last main build, so `npm audit --audit-level high --omit=dev` now fails CI on every branch. Bump the override to 4.0.6 (the fixed release, compatible with axios). `npm audit --omit=dev` is clean afterward. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
|
🎉 This PR is included in version 2.8.1 🎉 The release is available on: Your semantic-release bot 📦🚀 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
CI's
securityjob (npm audit --audit-level high --omit=dev) is failing on every branch with a high-severity advisory:form-datavia unescaped multipart field names/filenames. Affectsform-data4.0.0–4.0.5.The root cause is the
overridesblock inpackage.json, which pinnedform-datato 4.0.4 (a vulnerable version).axiospulls it in transitively. The advisory was published aftermain's last green build, sonpm auditonly started flagging it recently — it is not caused by any code change.Fix
Bump the
form-dataoverride from4.0.4to 4.0.6 (the fixed release; compatible with the resolvedaxios). Afternpm install:Notes
form-datais incidentalnpm installnormalization: the stale top-level lockfile version (2.6.0) was synced to the current2.8.0, andpeer: truemetadata markers were added to some devDependencies. No production dependency other thanform-data(and its sub-depshasown/mime-types) changed.securitycheck on fix(comment): convert plain text to ADF for v3 and surface field errors #38 once merged and that branch picks up main.🤖 Generated with Claude Code