From 460e8f3ab16aca9c08aba9c51caa619d652ab876 Mon Sep 17 00:00:00 2001
From: kolaente
Date: Tue, 16 Jun 2026 08:30:33 +0200
Subject: [PATCH] fix(deps): force form-data >=4.0.6 to fix unsafe boundary advisory

Resolves the form-data <4.0.6 advisory (predictable multipart boundary). Transitive in both workspaces; pinned via pnpm overrides. Dependabot alerts #247 (desktop) and #258 (frontend).
---
 desktop/package.json | 3 ++-
 desktop/pnpm-lock.yaml | 23 ++++++++++++++++-------
 frontend/package.json | 3 ++-
 frontend/pnpm-lock.yaml | 9 +++++----
 4 files changed, 25 insertions(+), 13 deletions(-)

diff --git a/desktop/package.json b/desktop/package.json
index 8a85d63df..a0f2a6de9 100644
--- a/desktop/package.json
+++ b/desktop/package.json
@@ -78,7 +78,8 @@
 "@tootallnate/once": "^3.0.1",
 "picomatch": ">=4.0.4",
 "tmp": ">=0.2.7",
- "ip-address": ">=10.1.1"
+ "ip-address": ">=10.1.1",
+ "form-data": ">=4.0.6"
 }
 }
 }
diff --git a/desktop/pnpm-lock.yaml b/desktop/pnpm-lock.yaml
index 6a15d26ef..24c81fb9c 100644
--- a/desktop/pnpm-lock.yaml
+++ b/desktop/pnpm-lock.yaml
@@ -11,6 +11,7 @@ overrides: picomatch: '>=4.0.4' tmp: '>=0.2.7' ip-address: '>=10.1.1' + form-data: '>=4.0.6' importers:
@@ -632,8 +633,8 @@ packages: resolution: {integrity: sha512-Ld2g8rrAyMYFXBhEqMz8ZAHBi4J4uS1i/CxGMDnjyFWddMXLVcDp051DZfu+t7+ab7Wv6SMqpWmyFIj5UbfFvg==} engines: {node: '>=14'} - form-data@4.0.5: - resolution: {integrity: sha512-8RipRLol37bNs2bhoV67fiTEvdTrbMUYcFTiy3+wuuOnUog2QBHCZWXDRijWQfAkhBj2Uf5UnVaiWwA5vdd82w==} + form-data@4.0.6: + resolution: {integrity: sha512-vKatAh4SlVfgbv+YtmhiRjhEMJsYpsG1Y2rMQtR+SVSbytsSD1YGzDIcrAJmdFec88u/+VoGmxnl+80gL1tRCQ==} engines: {node: '>= 6'} forwarded@0.2.0:
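Review bot: The added override `"form-data": ">=4.0.6"` in desktop/package.json has neither an upper bound nor a version selector, so it rewrites every form-data request in the tree and would accept a future 5.x the next time the lockfile is regenerated, including for dependents that declared a 4.x range. Scoping the entry to the affected range, for example `"form-data@<4.0.6": "^4.0.6"`, still closes the advisory while leaving already-patched resolutions alone; the identical line in the frontend/package.json hunk has the same shape. The neighbouring overrides use the same open-ended form, so this may be a deliberate project convention, and the lockfile pin with its integrity hash limits the exposure as long as installs run against a frozen lockfile. The enclosing overrides object starts outside the hunk.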
@@ -736,6 +737,10 @@ packages: resolution: {integrity: sha512-0hJU9SCPvmMzIBdZFqNPXWa6dqh7WdH0cII9y+CyS8rG3nL48Bclra9HmKhVVUHyPWNH5Y7xDwAB7bfgSjkUMQ==} engines: {node: '>= 0.4'} + hasown@2.0.4: + resolution: {integrity: sha512-T2UbfbBEF32wiepXIsMlTW9+dDYC6wMh/t/vYA4tuOMKqWz/n3vr1NFSxQiyP+zk2mXsoMA/i/7qV6LKut1t1A==} + engines: {node: '>= 0.4'} + hosted-git-info@4.1.0: resolution: {integrity: sha512-kyCuEOWjJqZuDbRHzL8V93NzQhwIB71oFWSyzVo+KPZI+pnQPPxucdkrOZvkLRnrf5URsQM+IJ09Dw29cRALIA==} engines: {node: '>=10'}
@@ -1729,7 +1734,7 @@ snapshots: ejs: 3.1.10 electron-builder-squirrel-windows: 24.13.3(dmg-builder@26.15.2) electron-publish: 24.13.1 - form-data: 4.0.5 + form-data: 4.0.6 fs-extra: 10.1.0 hosted-git-info: 4.1.0 is-ci: 3.0.1
@@ -2171,7 +2176,7 @@ snapshots: builder-util: 26.15.0 builder-util-runtime: 9.7.0 chalk: 4.1.2 - form-data: 4.0.5 + form-data: 4.0.6 fs-extra: 10.1.0 lazy-val: 1.0.5 mime: 2.6.0
@@ -2215,7 +2220,7 @@ snapshots: es-errors: 1.3.0 get-intrinsic: 1.3.0 has-tostringtag: 1.0.2 - hasown: 2.0.2 + hasown: 2.0.4 es6-error@4.1.1: optional: true
@@ -2294,12 +2299,12 @@ snapshots: cross-spawn: 7.0.6 signal-exit: 4.1.0 - form-data@4.0.5: + form-data@4.0.6: dependencies: asynckit: 0.4.0 combined-stream: 1.0.8 es-set-tostringtag: 2.1.0 - hasown: 2.0.2 + hasown: 2.0.4 mime-types: 2.1.35 forwarded@0.2.0: {}
@@ -2436,6 +2441,10 @@ snapshots: dependencies: function-bind: 1.1.2 + hasown@2.0.4: + dependencies: + function-bind: 1.1.2 + hosted-git-info@4.1.0: dependencies: lru-cache: 6.0.0
diff --git a/frontend/package.json b/frontend/package.json
index 2add08f14..fce48f874 100644
--- a/frontend/package.json
+++ b/frontend/package.json
@@ -177,7 +177,8 @@
 "ip-address": ">=10.1.1",
 "postcss": ">=8.5.10",
 "tmp": ">=0.2.7",
- "esbuild": ">=0.28.1"
+ "esbuild": ">=0.28.1",
+ "form-data": ">=4.0.6"
 }
 }
 }
diff --git a/frontend/pnpm-lock.yaml b/frontend/pnpm-lock.yaml
index 09db0f9f9..25fd9b891 100644
--- a/frontend/pnpm-lock.yaml
+++ b/frontend/pnpm-lock.yaml
@@ -14,6 +14,7 @@ overrides: postcss: '>=8.5.10' tmp: '>=0.2.7' esbuild: '>=0.28.1' + form-data: '>=4.0.6' importers:
@@ -3942,8 +3943,8 @@ packages: resolution: {integrity: sha512-gIXjKqtFuWEgzFRJA9WCQeSJLZDjgJUOMCMzxtvFq/37KojM1BFGufqsCy0r4qSQmYLsZYMeyRqzIWOMup03sw==} engines: {node: '>=14'} - form-data@4.0.5: - resolution: {integrity: sha512-8RipRLol37bNs2bhoV67fiTEvdTrbMUYcFTiy3+wuuOnUog2QBHCZWXDRijWQfAkhBj2Uf5UnVaiWwA5vdd82w==} + form-data@4.0.6: + resolution: {integrity: sha512-vKatAh4SlVfgbv+YtmhiRjhEMJsYpsG1Y2rMQtR+SVSbytsSD1YGzDIcrAJmdFec88u/+VoGmxnl+80gL1tRCQ==} engines: {node: '>= 6'} fraction.js@5.3.4:
@@ -9830,7 +9831,7 @@ snapshots: axios@1.16.0: dependencies: follow-redirects: 1.16.0 - form-data: 4.0.5 + form-data: 4.0.6 proxy-from-env: 2.1.0 transitivePeerDependencies: - debug
@@ -10787,7 +10788,7 @@ snapshots: cross-spawn: 7.0.6 signal-exit: 4.1.0 - form-data@4.0.5: + form-data@4.0.6: dependencies: asynckit: 0.4.0 combined-stream: 1.0.8