Skip to content

LTS-4004: bump form-data to patched releases (4.0.6 / 2.5.6) — fixes CRLF injection (GHSA-hmw2-7cc7-3qxx)#14

Open
prasadthx wants to merge 1 commit into
mainfrom
LTS-4004-form-data-crlf-fix
Open

LTS-4004: bump form-data to patched releases (4.0.6 / 2.5.6) — fixes CRLF injection (GHSA-hmw2-7cc7-3qxx)#14
prasadthx wants to merge 1 commit into
mainfrom
LTS-4004-form-data-crlf-fix

Conversation

@prasadthx

@prasadthx prasadthx commented Jun 24, 2026

Copy link
Copy Markdown

What

Bumps the transitive dev-dependency form-data to patched releases in the lockfile:

Copy Before After
top-level node_modules/form-data 4.0.4 4.0.6
@types/request/node_modules/form-data 2.5.5 2.5.6

Why

Resolves GHSA-hmw2-7cc7-3qxx — CRLF injection in form-data via unescaped multipart field names and filenames (CWE-93, CVSS 7.5).

Jira: LTS-4004

Notes

  • form-data is not a direct dependency — it's pulled in transitively by dev tooling. Both vulnerable copies already satisfied the existing semver ranges (^4.0.0/^4.0.4 and ^2.5.5), so the patched versions are picked up without any package.json change. hasown@2.0.4 is added as a sub-dependency of form-data@4.0.6.
  • This is a package-lock.json-only update, produced by npm update form-data --package-lock-only. No runtime or source code changes.

Why the diff is larger than just form-data

npm (v11) also reconciled a stale puppeteer-core subtree that was lingering in the lockfile. puppeteer-core is an optional peer dependency of webdriverio and is not used by this sample:

"peerDependencies":     { "puppeteer-core": ">=22.x || <=24.x" },
"peerDependenciesMeta": { "puppeteer-core": { "optional": true } }

The old lockfile had puppeteer-core@21.11.0 (and its private subtree: chromium-bidi, devtools-protocol, cross-fetch, unbzip2-stream, plus nested copies of ws/buffer/proxy-agent/@puppeteer/browsers) pinned even though nothing requires it. npm correctly drops it on reconciliation — npm ci against the new lockfile produces the same tree. Verified:

  • all direct dependencies still resolve,
  • no remaining package has a hard dependency on puppeteer-core (optional peer only),
  • no dangling hard dependencies introduced.

🤖 Generated with Claude Code

@claude
LTS-4004: bump form-data to patched releases (4.0.6, 2.5.6)
a78cfa8 
Fixes CRLF injection in form-data via unescaped multipart field names and filenames (GHSA-hmw2-7cc7-3qxx, CWE-93, CVSS 7.5).

form-data is a transitive dev-dependency; both vulnerable copies bumped within existing semver ranges: top-level 4.0.4 -> 4.0.6 and 2.5.5 -> 2.5.6 (under @types/request). Lockfile-only; package.json untouched.

npm v11 also reconciled a stale puppeteer-core optional-peer subtree (optional peer of webdriverio, unused by this sample) that was lingering in the lockfile; npm ci produces the same tree. No direct deps lost; no hard dep on puppeteer-core remains.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@prasadthx prasadthx requested a review from a team as a code owner June 24, 2026 14:17
@prasadthx prasadthx requested a review from MihirR-BS June 24, 2026 14:17
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@MihirR-BS MihirR-BS MihirR-BS approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@prasadthx @MihirR-BS