
fix: bump form-data to remediate CVE-2025-7783#11

Open
persimmon16 wants to merge 1 commit into main from fix/CVE-2025-7783-form-data

Conversation

@persimmon16

Summary

  • Adds scoped resolutions to the root package.json to force all form-data instances to patched versions
  • Remediates CVE-2025-7783 (CVSS 9.4) in form-data@2.3.3 and form-data@3.0.1, both transitive production dependencies
  • Resolved versions: form-data 2.x upgraded to 2.5.5, form-data 3.x upgraded to 3.0.4

Details

form-data is pulled in transitively by request, then-request, jsdom, and @types/node-fetch. Since these are transitive dependencies, Yarn resolution overrides are used to pin safe versions:

Resolution pattern              Target version
**/request/form-data            2.5.5
**/then-request/form-data       2.5.5
**/jsdom/form-data              3.0.4
**/@types/node-fetch/form-data  3.0.4

Test plan

  • Verify yarn install completes successfully
  • Verify yarn.lock no longer contains form-data@2.3.3 or form-data@3.0.1
  • Run existing test suite to confirm no regressions

Add yarn resolutions to force form-data to patched versions across all
workspaces, remediating CVE-2025-7783 (CVSS 9.4). The vulnerable
versions form-data@2.3.3 and form-data@3.0.1 were transitive production
dependencies.

Resolved versions: form-data 2.x -> 2.5.5, form-data 3.x -> 3.0.4
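The second item of the test plan (confirm that yarn.lock no longer resolves form-data to 2.3.3 or 3.0.1) is the kind of check worth scripting rather than eyeballing. The script below is an added example, not code from this PR or the project: it walks a yarn.lock in the v1 (classic) format, collects the version every `form-data` entry actually resolves to, and fails if any of them is on the PR's vulnerable list. The two lockfile excerpts it runs against are constructed for the demo, and the vulnerable list is taken from the PR text rather than from a guessed fix boundary for the advisory.

```shell
#!/bin/sh
# Added example (not part of the PR or the project): verify that no form-data
# entry in a yarn.lock v1 file still resolves to a version the PR calls
# vulnerable. The PR pins transitives via the root package.json
# "resolutions" field, e.g.
#   "resolutions": { "**/request/form-data": "2.5.5", "**/jsdom/form-data": "3.0.4" }
# and this check confirms the lockfile picked those pins up.

# Versions named as vulnerable in the PR description (assumption: this list is
# exactly what the test plan wants absent; it is not an advisory range check).
VULNERABLE_FORM_DATA="2.3.3 3.0.1"

# Print every version a form-data entry in FILE resolves to, one per line.
# In yarn.lock v1 an entry's key line is unindented (`form-data@^2.3.2:`, or a
# comma-separated list of ranges) and its `version "x.y.z"` line is indented
# two spaces beneath it. Indented `form-data "~2.3.2"` lines under another
# package's `dependencies:` block do not start at column 0, so they are skipped.
form_data_versions() {
  awk '
    /^"?form-data@/          { in_fd = 1; next }   # key line opens a form-data entry
    /^[^ ]/                  { in_fd = 0 }         # any other unindented line closes it
    in_fd && /^  version "/  { gsub(/"/, "", $2); print $2 }
  ' "$1" | sort -u
}

# Return 0 when FILE carries no vulnerable form-data version, 1 otherwise,
# printing each version found so a reviewer can see what was resolved.
check_form_data_lock() {
  file="$1"
  status=0
  for v in $(form_data_versions "$file"); do
    case " $VULNERABLE_FORM_DATA " in
      *" $v "*) echo "VULNERABLE: form-data@$v still resolved in $file"; status=1 ;;
      *)        echo "ok: form-data@$v" ;;
    esac
  done
  return $status
}

BEFORE_LOCK=$(mktemp)
AFTER_LOCK=$(mktemp)
trap 'rm -f "$BEFORE_LOCK" "$AFTER_LOCK"' EXIT

# Constructed excerpt: a lockfile before the resolutions landed.
cat > "$BEFORE_LOCK" <<'EOF'
# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


form-data@^2.3.2, form-data@~2.3.0:
  version "2.3.3"
  resolved "https://registry.yarnpkg.com/form-data/-/form-data-2.3.3.tgz"
  dependencies:
    asynckit "^0.4.0"

form-data@^3.0.0:
  version "3.0.1"
  resolved "https://registry.yarnpkg.com/form-data/-/form-data-3.0.1.tgz"

request@^2.88.0:
  version "2.88.2"
  dependencies:
    form-data "~2.3.2"
EOF

# Constructed excerpt: the same ranges after yarn applied the PR's resolutions.
cat > "$AFTER_LOCK" <<'EOF'
# yarn lockfile v1


form-data@^2.3.2, form-data@~2.3.0:
  version "2.5.5"
  resolved "https://registry.yarnpkg.com/form-data/-/form-data-2.5.5.tgz"

form-data@^3.0.0:
  version "3.0.4"
  resolved "https://registry.yarnpkg.com/form-data/-/form-data-3.0.4.tgz"

request@^2.88.0:
  version "2.88.2"
  dependencies:
    form-data "~2.3.2"
EOF

echo "--- before resolutions ---"
check_form_data_lock "$BEFORE_LOCK" || echo "check failed, as expected for the old lockfile"
echo "--- after resolutions ---"
check_form_data_lock "$AFTER_LOCK"
```

Against the repository itself, run `check_form_data_lock yarn.lock` after `yarn install`; it fails closed, so it can sit in CI next to the existing test suite. Note that it reads the resolved `version` line rather than the range in the entry key, because with resolutions in place the key still shows the range the dependent asked for (`form-data@^2.3.2`) while the shipped version is what the pin forced.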


1 participant