maint(common): update npm modules brace-expansion to 1.1.12, form-data to 4.0.4 #14479

Merged
jahorton merged 1 commit into master from maint/npm-audit-fixes
Aug 11, 2025
@jahorton jahorton commented Aug 8, 2025

```
# npm audit report

brace-expansion  1.0.0 - 1.1.11 || 2.0.0 - 2.0.1
brace-expansion Regular Expression Denial of Service vulnerability - https://github.com/advisories/GHSA-v6h2-p8h4-qcjw
brace-expansion Regular Expression Denial of Service vulnerability - https://github.com/advisories/GHSA-v6h2-p8h4-qcjw
fix available via `npm audit fix`
node_modules/brace-expansion
node_modules/mocha/node_modules/brace-expansion

form-data  4.0.0 - 4.0.3
Severity: critical
form-data uses unsafe random function in form-data for choosing boundary - https://github.com/advisories/GHSA-fjxv-7rqg-78g4
fix available via `npm audit fix`
node_modules/form-data

2 vulnerabilities (1 low, 1 critical)
```

@keymanapp-test-bot skip

@keymanapp-test-bot

User Test Results

Test specification and instructions

User tests are not required

@keymanapp-test-bot keymanapp-test-bot bot added this to the A19S9 milestone Aug 8, 2025
@github-actions github-actions bot added the maint Maintenance work -- continuous integration, build scripts, infrastructure label Aug 8, 2025
"version": "1.2.4",
"resolved": "https://registry.npmjs.org/get-intrinsic/-/get-intrinsic-1.2.4.tgz",
"integrity": "sha512-5uYhsJH8VJBTv7oslg4BznJYhDoRI6waYCxMmCdnTrcCrHA/fCFKoTFz2JKKE0HdDFUF7/oQuhzumXJK7paBRQ==",
"version": "1.3.0",
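
Review bot: at the `"version": "1.3.0"` line, get-intrinsic moves from 1.2.4 to 1.3.0, a package the PR title does not name, so this part of package-lock.json deserves a direct check rather than a skim. Confirm that the new entry's `resolved` URL still points at registry.npmjs.org and that its `integrity` value was regenerated for 1.3.0 rather than carried over from the 1.2.4 entry shown above, and consider listing the transitive bump in the description.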

@jahorton jahorton Aug 8, 2025

Most of the non-obvious changes to package-lock.json seem to be from this update and its dependencies, itself a dependency of form-data, which was the package with the critical vulnerability addressed by the npm audit fix run.

@mcdurdin mcdurdin changed the title maint: fix npm audit issues maint(common): fix npm audit issues Aug 11, 2025
@mcdurdin mcdurdin changed the title maint(common): fix npm audit issues maint(common): update npm modules brace-expansion to 1.1.12, form-data to 4.0.4 Aug 11, 2025
@mcdurdin mcdurdin left a comment

LGTM I hope

@jahorton jahorton merged commit 347cb17 into master Aug 11, 2025
7 checks passed
@jahorton jahorton deleted the maint/npm-audit-fixes branch August 11, 2025 12:33
@github-project-automation github-project-automation bot moved this from Todo to Done in Keyman Aug 11, 2025
@keyman-server
Changes in this pull request will be available for download in Keyman version 19.0.95-alpha

@keymanapp keymanapp deleted a comment from keyman-server Aug 13, 2025
@keymanapp keymanapp deleted a comment from keyman-server Aug 13, 2025
@keymanapp keymanapp deleted a comment from keyman-server Aug 13, 2025