SEC-2309: patch form-data to 4.0.6 (CVE-2025-7501) #2

Open

himynameisang wants to merge 4 commits into main from SEC-2309-patch-form-data

Conversation

@himynameisang himynameisang commented Jun 26, 2026

https://simondata.atlassian.net/browse/SECURITY-2309

Summary

  • Bumps form-data from 4.0.2 → 4.0.6 via npm update, resolving ORCA-8368351 (CVE-2025-7501). The patched version is sourced from the JFrog registry which has 4.0.6 available.
  • Switches Dockerfile from npm install to npm ci so future Docker builds fail fast if the lock file is ever missing or inconsistent, rather than silently re-resolving to a potentially vulnerable version.

Test plan

  • Verify npm audit no longer flags form-data after this change
  • Confirm Docker build succeeds with npm ci
  • Confirm Orca scan clears ORCA-8368351

🤖 Generated with Claude Code

- Bumps form-data 4.0.2 → 4.0.6 via npm update (resolves ORCA-8368351)
- Switches Dockerfile from npm install to npm ci so future builds fail
  fast if the lock file is ever missing or inconsistent

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings June 26, 2026 19:52

orca-security-us (bot) left a comment

Orca Security Scan Summary

Status   Check                    Issues by priority
Passed   Infrastructure as Code   high 0, medium 0, low 0, info 0
Passed   SAST                     high 0, medium 0, low 0, info 0
Passed   Secrets                  high 0, medium 0, low 0, info 0
Passed   Vulnerabilities          high 0, medium 0, low 0, info 0

@himynameisang himynameisang requested a review from JRemitz June 26, 2026 19:53

Copilot AI left a comment

Pull request overview

This PR addresses a security finding by updating the transitive form-data dependency to a patched release and tightening Docker build reproducibility by using npm ci instead of npm install.

Changes:

  • Updated form-data from 4.0.2 to 4.0.6 in package-lock.json (including associated dependency updates like hasown and mime-types).
  • Changed the Docker build dependency install step from npm install to npm ci to enforce lockfile consistency during image builds.

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated no comments.

File                Description
package-lock.json   Bumps form-data to 4.0.6 (and updates related transitive deps) to address CVE-2025-7501.
Dockerfile          Switches dependency installation to npm ci to ensure deterministic installs and fail fast on lockfile issues.

himynameisang and others added 3 commits June 26, 2026 16:20
Adds overrides.form-data >=4.0.5 to package.json for consistency with
zendesk-mcp-server and to guard against future npm update runs
re-resolving below the patched floor.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Bounds the major version to avoid resolving into a future 5.x release.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Cleaner fix: bump axios ^1.8.1 → ^1.14.0 so form-data 4.0.6 flows in
via axios's own ^4.0.5 constraint. Removes the overrides block.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
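The description and commit messages above rely on npm ci plus a version floor (>=4.0.5, below 5.x) to keep form-data at a patched release. As an added example, not code from this PR or the project, the script below walks a package-lock.json v2/v3 "packages" map and reports every resolved copy of form-data outside [4.0.5, 5.0.0), including nested copies under another dependency that a top-level bump alone would leave untouched. The sample lockfile, the "legacy-client" package and the helper names are constructed for illustration.

```javascript
// Added example, not the project's code: flag every copy of a package in a
// package-lock.json (lockfileVersion 2/3 "packages" map) whose resolved
// version is outside [floor, ceiling). Lockfile contents below are constructed.

function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// -1, 0 or 1 comparing major.minor.patch (pre-release tags are ignored)
function cmpSemver(a, b) {
  const x = parseSemver(a), y = parseSemver(b);
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  return 0;
}

// Returns [{ path, version }] for each resolved copy outside [floor, ceiling).
// Nested copies (node_modules/<dep>/node_modules/<pkg>) are checked too,
// since a top-level bump does not touch a copy pinned by another dependency.
function findOutOfRange(lock, pkgName, floor, ceiling) {
  const bad = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const isPkg = path === `node_modules/${pkgName}` ||
      path.endsWith(`/node_modules/${pkgName}`);
    if (!isPkg || !entry.version) continue;
    if (cmpSemver(entry.version, floor) < 0 || cmpSemver(entry.version, ceiling) >= 0) {
      bad.push({ path, version: entry.version });
    }
  }
  return bad;
}

// Constructed sample: axios pulls the patched 4.0.6 at top level, but a
// hypothetical "legacy-client" still nests the vulnerable 4.0.2.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-app", dependencies: { axios: "^1.14.0" } },
    "node_modules/axios": { version: "1.14.0", dependencies: { "form-data": "^4.0.5" } },
    "node_modules/form-data": { version: "4.0.6" },
    "node_modules/legacy-client": { version: "1.0.0", dependencies: { "form-data": "~4.0.2" } },
    "node_modules/legacy-client/node_modules/form-data": { version: "4.0.2" },
  },
};

// The patched floor from this PR and a ceiling that keeps the check inside 4.x.
function checkSample() {
  return findOutOfRange(SAMPLE_LOCK, "form-data", "4.0.5", "5.0.0");
}
```

Against the sample, only the nested legacy-client copy is reported; run the same check against a real lockfile before trusting an npm audit result, since audit output depends on the advisory database being current.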