Conversation

@matthewhughes934
Contributor

@matthewhughes934 matthewhughes934 commented Jul 24, 2025

The vulnerability:

$ npm audit --audit-level=high
# npm audit report

form-data  >=4.0.0 <4.0.4 || <2.5.4
Severity: critical
form-data uses unsafe random function in form-data for choosing boundary - https://github.com/advisories/GHSA-fjxv-7rqg-78g4
form-data uses unsafe random function in form-data for choosing boundary - https://github.com/advisories/GHSA-fjxv-7rqg-78g4
fix available via `npm audit fix`
node_modules/@azure/core-http/node_modules/form-data
node_modules/@types/node-fetch/node_modules/form-data
node_modules/form-data

1 critical severity vulnerability

To address all issues, run:
  npm audit fix

This change is the result of running `npm audit fix` and then
using [1] to update licenses via `licensed cache`.

It doesn't look like dependabot previously raised any PRs for this
dependency, so this bumps it from 4.0.0 to 4.0.4, see the
changelog[2] for details.

Link: https://github.com/licensee/licensed [1]
Link: https://github.com/form-data/form-data/blob/v4.0.4/CHANGELOG.md [2]

@matthewhughes934 matthewhughes934 requested a review from a team as a code owner July 24, 2025 05:41
reneleonhardt commented Jul 24, 2025

CodeRabbit hasn't been enabled, is there a security team to speed up reviews manually?
CI is frozen because of one vulnerability, so nothing can be merged except this fix.
#460

@matthewhughes934 matthewhughes934 force-pushed the fix-high-severity-vuln branch from 84e0bda to 6912ca9 Compare July 30, 2025 17:29
@matthewhughes934
Contributor Author

I forgot to npm run build, done that and squashed into the commit

@matthewhughes934 matthewhughes934 force-pushed the fix-high-severity-vuln branch from 6912ca9 to be381b3 Compare July 30, 2025 19:43
@matthewhughes934
Contributor Author

Ok, that CI failure took a bit to figure out:

So I had to figure out that I needed to install https://github.com/licensee/licensed/tree/3.9.0 (the same version as used by the action above) and run `licensed cache`. This should probably be documented somewhere.

@HarithaVattikuti HarithaVattikuti merged commit e75c3e8 into actions:main Aug 13, 2025
104 checks passed
aparnajyothi-y pushed a commit that referenced this pull request Sep 3, 2025