fix: patch npm vulnerabilities (form-data, undici, js-yaml)#7418

Open
waldekmastykarz wants to merge 1 commit into pnp:main from waldekmastykarz:waldekmastykarz-weekly-dependencies-bump

Conversation

@waldekmastykarz

Member

Summary

Patches eligible npm vulnerabilities that have passed the 7-day cooldown period:

| Package | Severity | Fix | Advisory |
| --- | --- | --- | --- |
| form-data | high | 4.0.5 → 4.0.6 | CRLF injection (GHSA-hmw2-7cc7-3qxx) |
| undici | high | ≤6.26.0 → 6.27.0 | HTTP header injection, WebSocket DoS, response queue poisoning |
| js-yaml | moderate | 4.1.1 → 4.2.0 | Quadratic DoS in merge key handling |

Remaining vulnerabilities (not patchable without breaking changes)

31 moderate/high vulnerabilities in @opentelemetry/* and protobufjs — all require downgrading applicationinsights from 3.x to 2.x (semver-major breaking change). These should be addressed when applicationinsights releases a compatible fix.

Verification

  • ✅ Build passes
  • ✅ All 15,935 tests pass

…vulnerabilities

- form-data: 4.0.5 → 4.0.6 (CRLF injection fix, GHSA-hmw2-7cc7-3qxx)
- undici: ≤6.26.0 → 6.27.0 (HTTP header injection, WebSocket DoS, response queue poisoning)
- js-yaml: 4.1.1 → 4.2.0 (quadratic DoS in merge key handling)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>