Skip to content

Upgrade form-data dependency version #2932

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
jekloudaMSFT wants to merge 7 commits into
base: main
Choose a base branch
from
Open

Upgrade form-data dependency version #2932

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
29f9ab0
pin form-data version
jekloudaMSFT Dec 5, 2025
0e0d3c5
Merge branch 'main' into jeklouda/upgrade-form-data-dep
jekloudaMSFT Dec 8, 2025
297f5dd
regenerate pnpm lock
jekloudaMSFT Dec 8, 2025
29e58d9
Merge branch 'main' into jeklouda/upgrade-form-data-dep
jekloudaMSFT Dec 10, 2025
f1bc3bf
Merge branch 'main' into jeklouda/upgrade-form-data-dep
jekloudaMSFT Dec 12, 2025
5d9ee31
Merge branch 'main' into jeklouda/upgrade-form-data-dep
jekloudaMSFT Dec 17, 2025
c4989d8
Merge branch 'main' into jeklouda/upgrade-form-data-dep
jekloudaMSFT Dec 18, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions package.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -118,6 +118,7 @@
"dns-packet": "^1.3.2",
"express": "^4.21.0",
"follow-redirects": "^1.15.6",
"form-data": "^4.0.4",
"glob-parent": "^5.1.2",
"http-proxy-middleware": ">=2.0.7",
"jsdom": "^24.0.0",
Expand Down Expand Up @@ -147,6 +148,7 @@
"cross-spawn": "There is a vulnerability with cross-spawn versions less than 7.0.5 This package is currently being consumed in @types/webpack and needs to be updated there. For now we will override this until that is fixed.",
"express": "There is a vulnerability in older versions of the express package that is consumed by webpack-dev-server, this has been patched in a later version of express that webpack-dev-server has not updated yet. Once they update this package, we can remove this override",
"follow-redirects": "There is a vulnerability in the follow-redirects package, and a fix has been provided. However, we consume the follow-redirects package via webpack-dev-server, Lerna, and wait-on, eventually. We are using this newer version of follow-redirects to avoid the vulnerability. If webpack-dev-server, Lerna, and wait-on packages are ever updated to a version of follow-redirects that fixes the vulnerability, we can remove this override and update the three packages accordingly.",
"form-data": "There is a vulnerability with form-data versions less than 4.0.4. This package is consumed indirectly by [email protected], [email protected], and [email protected]",
"micromatch": "There is a vulnerability with micromatch versions less than 4.0.8 This package is currently being consumed in @types/webpack and needs to be updated there. For now we will override this until that is fixed.",
"nanoid": "New nanoid 5.x releases are ESM-only and break our webpack/css-loader stack that still uses require(), so we pin to 3.3.11 (last 3.x CJS release).",
"postcss": "Pinned to 8.5.6 so we stay on the latest 8.x while forcing its nanoid dependency to the compatible 3.3.11 CJS build until our tooling is ESM-ready.",
Expand Down
106 changes: 56 additions & 50 deletions pnpm-lock.yaml
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Loading