Skip to content

[lexical] Chore: Fix form-data CVE-2025-7783 in root lockfile#8174

Merged
thatmichael85 merged 1 commit intomainfrom
users/thatmichael85/form-data-vulnerability-fix
Feb 27, 2026
Merged

[lexical] Chore: Fix form-data CVE-2025-7783 in root lockfile#8174
thatmichael85 merged 1 commit intomainfrom
users/thatmichael85/form-data-vulnerability-fix

Conversation

@thatmichael85
Copy link
Contributor

@thatmichael85 thatmichael85 commented Feb 26, 2026

Description

  • form-data >= 4.0.0, < 4.0.4 (CVE-2025-7783, CRITICAL severity) uses an unsafe random function for choosing multipart form boundaries.
  • form-data is a transitive dependency via jsdom and cannot be bumped through normal pnpm update since pnpm preserves existing lockfile resolutions for transitive deps.
  • Added a pnpm.overrides entry for form-data>=4.0.4 in the root package.json, resolving it to 4.0.5.

Test plan

Before

After

  • form-data@4.0.5 in root pnpm-lock.yaml
  • No code changes beyond the override and lockfile update

@vercel
Copy link

vercel bot commented Feb 26, 2026
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
lexical Ready Ready Preview, Comment Feb 27, 2026 1:04am
lexical-playground Ready Ready Preview, Comment Feb 27, 2026 1:04am

Request Review

@meta-cla meta-cla bot added the CLA Signed This label is managed by the Facebook bot. Authors need to sign the CLA before a PR can be reviewed. label Feb 26, 2026
@etrepum etrepum added the extended-tests Run extended e2e tests on a PR label Feb 26, 2026
@thatmichael85
[lexical] Chore: Fix form-data CVE-2025-7783 in root lockfile
8018851 
Add pnpm override for form-data>=4.0.4 to fix a CRITICAL severity
vulnerability (GHSA-mw96-cpmx-2vgc) where form-data < 4.0.4 uses an
unsafe random function for choosing multipart boundaries.

form-data is a transitive dependency via jsdom and cannot be bumped
through normal dependency updates since jsdom pins it with ^4.0.0
and pnpm preserves existing resolutions.
@thatmichael85 thatmichael85 force-pushed the users/thatmichael85/form-data-vulnerability-fix branch from fc41530 to 8018851 Compare February 27, 2026 01:02
@thatmichael85 thatmichael85 added this pull request to the merge queue Feb 27, 2026
Merged via the queue into main with commit 66ab6cd Feb 27, 2026
34 of 36 checks passed
@etrepum etrepum mentioned this pull request Mar 19, 2026
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@etrepum etrepum etrepum approved these changes

@zurfyx zurfyx Awaiting requested review from zurfyx zurfyx is a code owner

@fantactuka fantactuka Awaiting requested review from fantactuka fantactuka is a code owner

@acywatson acywatson Awaiting requested review from acywatson acywatson is a code owner

@ivailop7 ivailop7 Awaiting requested review from ivailop7 ivailop7 is a code owner

@potatowagon potatowagon Awaiting requested review from potatowagon potatowagon is a code owner

@takuyakanbr takuyakanbr Awaiting requested review from takuyakanbr takuyakanbr is a code owner

Assignees

No one assigned

Labels

CLA Signed This label is managed by the Facebook bot. Authors need to sign the CLA before a PR can be reviewed. extended-tests Run extended e2e tests on a PR

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@thatmichael85 @etrepum