Skip to content

Bump form-data to bring in fix for critical vulnerability#618

Merged
HarithaVattikuti merged 1 commit intoactions:mainfrom
matthewhughes934:fix-high-severity-vuln
Aug 13, 2025
Merged

Bump form-data to bring in fix for critical vulnerability#618
HarithaVattikuti merged 1 commit intoactions:mainfrom
matthewhughes934:fix-high-severity-vuln

Conversation

@matthewhughes934
Copy link
Contributor

@matthewhughes934 matthewhughes934 commented Jul 24, 2025
edited
Loading

The vulnerability:

$ npm audit --audit-level=high
# npm audit report

form-data  >=4.0.0 <4.0.4 || <2.5.4
Severity: critical
form-data uses unsafe random function in form-data for choosing boundary - https://github.com/advisories/GHSA-fjxv-7rqg-78g4
form-data uses unsafe random function in form-data for choosing boundary - https://github.com/advisories/GHSA-fjxv-7rqg-78g4
fix available via `npm audit fix`
node_modules/@azure/core-http/node_modules/form-data
node_modules/@types/node-fetch/node_modules/form-data
node_modules/form-data

1 critical severity vulnerability

To address all issues, run:
  npm audit fix

This change is the result of from running npm audit fix and then
using[1] to update licenses via licensed cache.

It doesn't look like dependabot previously raised any PRs for this
dependency, so this bumps it from 4.0.0 to 4.0.4, see the
changelog[2] for details.

Link: https://github.com/licensee/licensed [1]
Link: https://github.com/form-data/form-data/blob/v4.0.4/CHANGELOG.md [2]

@matthewhughes934 matthewhughes934 requested a review from a team as a code owner July 24, 2025 05:41
@matthewhughes934 matthewhughes934 mentioned this pull request Jul 24, 2025
Merged
@reneleonhardt
Copy link

reneleonhardt commented Jul 24, 2025
edited
Loading

CodeRabbit hasn't been enabled, is there a security team to speed-up reviews manually?
CI is frozen because of one vulnerablity, so nothing can be merged except this fix.
#460

@matthewhughes934 matthewhughes934 force-pushed the fix-high-severity-vuln branch from 84e0bda to 6912ca9 Compare July 30, 2025 17:29
@matthewhughes934
Copy link
Contributor Author

matthewhughes934 commented Jul 30, 2025

I forgot to npm run build, done that and squashed into the commit

@matthewhughes934
Bump form-data to bring in fix for critical vulnerability
be381b3 
The vulnerability:

    $ npm audit --audit-level=high
    # npm audit report

    form-data  >=4.0.0 <4.0.4 || <2.5.4
    Severity: critical
    form-data uses unsafe random function in form-data for choosing boundary - GHSA-fjxv-7rqg-78g4
    form-data uses unsafe random function in form-data for choosing boundary - GHSA-fjxv-7rqg-78g4
    fix available via `npm audit fix`
    node_modules/@azure/core-http/node_modules/form-data
    node_modules/@types/node-fetch/node_modules/form-data
    node_modules/form-data

    1 critical severity vulnerability

    To address all issues, run:
      npm audit fix

This change is the result of from running `npm audit fix` and then
using[1] to update licenses via `licensed cache`.

It doesn't look like `dependabot` previously raised any PRs for this
dependency, so this bumps it from `4.0.0` to `4.0.4`, see the
changelog[2] for details.

Link: https://github.com/licensee/licensed [1]
Link: https://github.com/form-data/form-data/blob/v4.0.4/CHANGELOG.md [2]
@matthewhughes934 matthewhughes934 force-pushed the fix-high-severity-vuln branch from 6912ca9 to be381b3 Compare July 30, 2025 19:43
@matthewhughes934
Copy link
Contributor Author

matthewhughes934 commented Jul 30, 2025

Ok, that CI failure took a bit to figure out:

so I had to figure out to go and install https://github.com/licensee/licensed/tree/3.9.0 (same version as used by the action above) and run license cache. This should probably be documented somewhere.

@HarithaVattikuti HarithaVattikuti merged commit e75c3e8 into actions:main Aug 13, 2025
104 checks passed
aparnajyothi-y pushed a commit that referenced this pull request Sep 3, 2025
@matthewhughes934 @aparnajyothi-y
Bump form-data to bring in fix for critical vulnerability (#618)
7af3d9d 
The vulnerability:

    $ npm audit --audit-level=high
    # npm audit report

    form-data  >=4.0.0 <4.0.4 || <2.5.4
    Severity: critical
    form-data uses unsafe random function in form-data for choosing boundary - GHSA-fjxv-7rqg-78g4
    form-data uses unsafe random function in form-data for choosing boundary - GHSA-fjxv-7rqg-78g4
    fix available via `npm audit fix`
    node_modules/@azure/core-http/node_modules/form-data
    node_modules/@types/node-fetch/node_modules/form-data
    node_modules/form-data

    1 critical severity vulnerability

    To address all issues, run:
      npm audit fix

This change is the result of from running `npm audit fix` and then
using[1] to update licenses via `licensed cache`.

It doesn't look like `dependabot` previously raised any PRs for this
dependency, so this bumps it from `4.0.0` to `4.0.4`, see the
changelog[2] for details.

Link: https://github.com/licensee/licensed [1]
Link: https://github.com/form-data/form-data/blob/v4.0.4/CHANGELOG.md [2]
@tamird tamird mentioned this pull request Sep 4, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@HarithaVattikuti HarithaVattikuti HarithaVattikuti approved these changes

@aparnajyothi-y aparnajyothi-y aparnajyothi-y approved these changes

@priyagupta108 priyagupta108 priyagupta108 approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@matthewhughes934 @reneleonhardt @HarithaVattikuti @aparnajyothi-y @priyagupta108