
Mathiyarasy
Contributor

@Mathiyarasy Mathiyarasy commented Jul 22, 2025

Fixes: https://github.com/github/codespaces-react/security/dependabot/42

Description:

  • form-data uses unsafe random function in form-data for choosing boundary
  • Affected versions >= 4.0.0, < 4.0.4
  • Patched version 4.0.4
  • Transitive dependency form-data 4.0.0 is introduced via
    jsdom 22.1.0 form-data 4.0.0
  • Existing dependabot PR for this issue updated the package-lock.json file to update form-data to patched version.
  • This may not be required, as the latest jsdom package removed form-data as a dependency

Changes:

  • Updated package vitejs/plugin-react to resolve an existing peer dependency conflict in the project.
    @vitejs/plugin-react@4.1.1 declares a peer dependency on vite version ^4.2.0.
    Since the latest vite version is 6.2.7, updated vitejs/plugin-react to 4.7.0.
  • Updated package jsdom to the latest version, which does not have any dependency on form-data
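To verify a lockfile after a fix like this one, here is an added example (not code from the PR or the codespaces-react project): it scans the "packages" map of a package-lock.json (lockfileVersion 2/3) for form-data copies in the affected range and lists which packages still declare form-data as a dependency. The lockfile fragments are constructed to mirror the before/after state described above.

```javascript
// Added example, not from the PR or the codespaces-react project: audit a
// package-lock.json (lockfileVersion 2/3 "packages" map) for form-data copies
// in the advisory's affected range (>= 4.0.0, < 4.0.4) and list the packages
// that declare form-data as a dependency, to verify the fix after updating.
const AFFECTED_MIN = [4, 0, 0];
const PATCHED = [4, 0, 4]; // first fixed version, excluded from the range

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function cmpVersion(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

function isAffectedFormData(version) {
  const v = parseVersion(version);
  return cmpVersion(v, AFFECTED_MIN) >= 0 && cmpVersion(v, PATCHED) < 0;
}

// Returns { installed, dependants }: vulnerable copies present in node_modules,
// and the packages whose manifest pulls form-data in ('(root)' is the project).
function auditLock(lock) {
  const installed = [];
  const dependants = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = path === '' ? '(root)' : path.split('node_modules/').pop();
    if (name === 'form-data' && isAffectedFormData(meta.version)) {
      installed.push({ path, version: meta.version });
    }
    if (meta.dependencies && 'form-data' in meta.dependencies) {
      dependants.push({ name, version: meta.version, range: meta.dependencies['form-data'] });
    }
  }
  return { installed, dependants };
}

// Constructed lockfile fragments modelled on this PR's before/after state.
const LOCK_BEFORE = { lockfileVersion: 3, packages: {
  '': { name: 'app', devDependencies: { jsdom: '^22.1.0' } },
  'node_modules/jsdom': { version: '22.1.0', dependencies: { 'form-data': '^4.0.0' } },
  'node_modules/form-data': { version: '4.0.0' },
} };
const LOCK_AFTER = { lockfileVersion: 3, packages: {
  '': { name: 'app', devDependencies: { jsdom: '^26.1.0' } },
  'node_modules/jsdom': { version: '26.1.0' },
} };
```

Run `auditLock(JSON.parse(fs.readFileSync('package-lock.json', 'utf8')))` against the real lockfile; an empty `installed` list confirms no affected form-data copy remains, and a non-empty `dependants` list names which package would reintroduce it.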

@Mathiyarasy Mathiyarasy marked this pull request as ready for review July 22, 2025 09:31
@Copilot Copilot AI review requested due to automatic review settings July 22, 2025 09:31

@Copilot Copilot AI left a comment


Pull Request Overview

This PR updates two development dependencies to resolve a security vulnerability in the form-data package. The vulnerability stems from an unsafe random function used for choosing boundaries in form-data versions 4.0.0 to 4.0.3, which was transitively introduced via jsdom 22.1.0.

  • Updated @vitejs/plugin-react from 4.1.1 to 4.7.0 to resolve peer dependency conflicts with vite 6.2.7
  • Updated jsdom from 22.1.0 to 26.1.0 to eliminate the vulnerable form-data dependency

@tomggill tomggill merged commit 4ddece1 into main Jul 22, 2025
2 checks passed
@tomggill tomggill deleted the dev/Mathi/formData branch July 22, 2025 16:38
@jm809 jm809 mentioned this pull request Sep 11, 2025