chore(deps): override form-data to 4.0.6 #441

Merged
RetricSu merged 2 commits into ckb-devrel:develop from humble-little-bear:bump-form-data-override
Jul 2, 2026

@humble-little-bear

Contributor

Force the transitive "form-data" dependency to the patched version 4.0.6 to resolve the CRLF injection vulnerability (GHSA-7m2j-8qp9-m8jw).

Changes:
- Added a pnpm override in "pnpm-workspace.yaml" so all resolutions of form-data in the range ">=4.0.0 <4.0.6" resolve to 4.0.6.
- Updated "pnpm-lock.yaml" so the only form-data version is 4.0.6.
- Moved the existing "onlyBuiltDependencies" config from package.json to pnpm-workspace.yaml because pnpm 10 reads these settings from the workspace file.

Tests pass locally with pnpm 10.34.4.

Resolves GHSA-7m2j-8qp9-m8jw (CRLF injection) by forcing transitive form-data to 4.0.6 via pnpm override.
pnpm 10 reads overrides and onlyBuiltDependencies from pnpm-workspace.yaml instead of package.json.
@RetricSu RetricSu merged commit 0fd5d8d into ckb-devrel:develop Jul 2, 2026
7 of 8 checks passed
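
A lockfile check that mirrors the override described in this PR, as an added example that is not part of the pull request or the repository: it lists the form-data versions keyed in a pnpm-lock.yaml and flags any inside the `>=4.0.0 <4.0.6` range. The lockfile excerpts are constructed and the function names are hypothetical.

```javascript
// Range taken from the PR description: ">=4.0.0 <4.0.6" must resolve to 4.0.6.
const VULN_MIN = [4, 0, 0];
const PATCHED = [4, 0, 6];

// Compare two [major, minor, patch] triples; returns <0, 0 or >0.
function cmp(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

// Collect every form-data version that appears as a package key in the
// lockfile text. Accepts the key styles "form-data@4.0.6:",
// "/form-data@4.0.6:" and "/form-data/4.0.6:"; names such as
// form-data-encoder or @scope/form-data do not match.
function formDataVersions(lockText) {
  const re = /^[ \t]+['"]?\/?form-data[@/](\d+)\.(\d+)\.(\d+)/gm;
  const seen = new Set();
  for (const m of lockText.matchAll(re)) seen.add(`${m[1]}.${m[2]}.${m[3]}`);
  return [...seen].sort();
}

// Versions that still fall inside the overridden range.
function vulnerableVersions(lockText) {
  return formDataVersions(lockText).filter((v) => {
    const t = v.split('.').map(Number);
    return cmp(t, VULN_MIN) >= 0 && cmp(t, PATCHED) < 0;
  });
}

// Constructed lockfile excerpts (not the repository's real pnpm-lock.yaml).
const BEFORE = [
  'packages:',
  '  form-data@4.0.0:',
  '    resolution: {integrity: sha512-PLACEHOLDER}',
  '  /form-data@4.0.5:',
  '    resolution: {integrity: sha512-PLACEHOLDER}',
  '  form-data-encoder@1.7.2:',
  '    resolution: {integrity: sha512-PLACEHOLDER}',
].join('\n');
const AFTER = BEFORE.replace('form-data@4.0.0:', 'form-data@4.0.6:')
  .replace('/form-data@4.0.5:', 'form-data@4.0.6:');

console.log('before:', vulnerableVersions(BEFORE));
console.log('after: ', vulnerableVersions(AFTER), formDataVersions(AFTER));
```

Run against the real lockfile text in CI and fail the job when `vulnerableVersions` returns a non-empty list, so a later dependency change cannot silently reintroduce an overridden version.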
2 participants