Skip to content

fix(deps): vuln form-data (patch → 4.0.6) #2360

Merged
gh-worker-dd-mergequeue-cf854d[bot] merged 1 commit into
masterfrom
engraver-auto-version-upgrade/minorpatch/npm/2-1781556597
Jun 26, 2026
Merged

fix(deps): vuln form-data (patch → 4.0.6) #2360
gh-worker-dd-mergequeue-cf854d[bot] merged 1 commit into
masterfrom
engraver-auto-version-upgrade/minorpatch/npm/2-1781556597

Conversation

@gh-worker-campaigns-3e9aa4

Copy link
Copy Markdown
Contributor

Summary: High-severity security update — 5 packages upgraded (patch changes only)

Manifests changed:

  • . (yarn)

✅ Action Required: Please review the changes below. If they look good, approve and merge this PR.


Updates

Package From To Type Dep Type Vulnerabilities Fixed
form-data 4.0.4 4.0.6 patch Direct 1 HIGH
form-data 4.0.4 4.0.6 patch Direct 1 HIGH
form-data 4.0.4 4.0.6 patch Direct 1 HIGH
form-data 4.0.4 4.0.6 patch Direct 1 HIGH
form-data 4.0.4 4.0.6 patch Direct 1 HIGH

Security Details

🚨 Critical & High Severity (5 fixed)
Package CVE Severity Summary Unsafe Version Fixed In
form-data GHSA-hmw2-7cc7-3qxx HIGH form-data: CRLF injection in form-data via unescaped multipart field names and filenames 4.0.4 2.5.6
form-data GHSA-hmw2-7cc7-3qxx HIGH form-data: CRLF injection in form-data via unescaped multipart field names and filenames 4.0.4 2.5.6
form-data GHSA-hmw2-7cc7-3qxx HIGH form-data: CRLF injection in form-data via unescaped multipart field names and filenames 4.0.4 2.5.6
form-data GHSA-hmw2-7cc7-3qxx HIGH form-data: CRLF injection in form-data via unescaped multipart field names and filenames 4.0.4 2.5.6
form-data GHSA-hmw2-7cc7-3qxx HIGH form-data: CRLF injection in form-data via unescaped multipart field names and filenames 4.0.4 2.5.6

Review Checklist

Standard review:

  • Review changes for compatibility with your code
  • Check for breaking changes in release notes
  • Run tests locally or wait for CI
  • Approve and merge this PR

Update Mode: all_vulns

🤖 Generated by DataDog Automated Dependency Management System

@datadog-prod-us1-4

datadog-prod-us1-4 Bot commented Jun 15, 2026

Copy link
Copy Markdown

Pipelines  Tests

Fix all issues with BitsAI

⚠️ Warnings

🚦 4 Pipeline jobs failed

Continuous Integration | Check aas changes   View in Datadog   GitHub Actions

Continuous Integration | Check cloud-run changes   View in Datadog   GitHub Actions

Continuous Integration | Check container-app changes   View in Datadog   GitHub Actions

View all 4 failed jobs.

ℹ️ Info

No other issues found (see more)

🧪 All tests passed
❄️ No new flaky tests detected

Useful? React with 👍 / 👎

This comment will be updated automatically if new data arrives.
🔗 Commit SHA: 783aa9a | Docs | Datadog PR Page | Give us feedback!

@campaigner-prod
campaigner-prod Bot marked this pull request as ready for review June 16, 2026 13:46
@campaigner-prod
campaigner-prod Bot requested review from a team as code owners June 16, 2026 13:46
@dd-octo-sts-dcc400
dd-octo-sts-dcc400 Bot force-pushed the engraver-auto-version-upgrade/minorpatch/npm/2-1781556597 branch from 6c4180e to 1bf4137 Compare June 22, 2026 15:28
@gh-worker-campaigns-3e9aa4

gh-worker-campaigns-3e9aa4 Bot commented Jun 22, 2026

Copy link
Copy Markdown
Contributor Author

Auto-rebase complete

Branch is up to date with master — rebased onto df67891.


Auto-Rebase · Add no-auto-rebase to opt out

@dd-octo-sts-94e5d1
dd-octo-sts-94e5d1 Bot force-pushed the engraver-auto-version-upgrade/minorpatch/npm/2-1781556597 branch from 1bf4137 to fb24f70 Compare June 22, 2026 16:29
@dd-octo-sts-26fcfa
dd-octo-sts-26fcfa Bot force-pushed the engraver-auto-version-upgrade/minorpatch/npm/2-1781556597 branch from fb24f70 to df2aa9b Compare June 22, 2026 17:04
@dd-octo-sts-03ec73
dd-octo-sts-03ec73 Bot force-pushed the engraver-auto-version-upgrade/minorpatch/npm/2-1781556597 branch from df2aa9b to 3a6c1ee Compare June 22, 2026 18:45
@dd-octo-sts
dd-octo-sts Bot force-pushed the engraver-auto-version-upgrade/minorpatch/npm/2-1781556597 branch from 3a6c1ee to d35d4ee Compare June 22, 2026 19:24
@dd-octo-sts-6bb5b9
dd-octo-sts-6bb5b9 Bot force-pushed the engraver-auto-version-upgrade/minorpatch/npm/2-1781556597 branch from d35d4ee to eb43edf Compare June 22, 2026 21:20
@gh-worker-campaigns-3e9aa4

Copy link
Copy Markdown
Contributor Author

Auto-rebase failed

Lockfile regeneration failed during rebase onto master. Your branch was not updated. You may need to rebase and regenerate lockfiles manually.

Error details
  • Custom Action: registry.ddbuild.io/images/engraver-custom-action:update-yarn-lockfile ❌ (0.00s) - container exited with non-zero status code: 1:
Error Logs (last 30 lines)
�➤ YN0086: │ Some peer dependencies are incorrectly met by your project; run yarn explain peer-requirements <hash> for details, where <hash> is the six-letter p-prefixed code.
�|➤ YN0086: │ Some peer dependencies are incorrectly met by dependencies; run yarn explain peer-requirements for details.
��➤ YN0000: └ Completed
��➤ YN0000: ┌ Fetch step
�>➤ YN0001: │ ReadError: The server aborted pending request
�c    at IncomingMessage.<anonymous> (/campaigner/checkout/.yarn/releases/yarn-4.10.3.cjs:146:12029)
�/    at Object.onceWrapper (node:events:633:28)
�1    at IncomingMessage.emit (node:events:519:28)
�N    at c.emit (/campaigner/checkout/.yarn/releases/yarn-4.10.3.cjs:141:22975)
�=    at IncomingMessage._destroy (node:_http_incoming:221:10)
�7    at _destroy (node:internal/streams/destroy:122:10)
�D    at IncomingMessage.destroy (node:internal/streams/destroy:84:5)
�@    at TLSSocket.socketCloseListener (node:_http_client:534:11)
�+    at TLSSocket.emit (node:events:531:35)
��    at node:net:346:12
�>➤ YN0001: │ ReadError: The server aborted pending request
�c    at IncomingMessage.<anonymous> (/campaigner/checkout/.yarn/releases/yarn-4.10.3.cjs:146:12029)
�/    at Object.onceWrapper (node:events:633:28)
�1    at IncomingMessage.emit (node:events:519:28)
�N    at c.emit (/campaigner/checkout/.yarn/releases/yarn-4.10.3.cjs:141:22975)
�=    at IncomingMessage._destroy (node:_http_incoming:221:10)
�7    at _destroy (node:internal/streams/destroy:122:10)
�D    at IncomingMessage.destroy (node:internal/streams/destroy:84:5)
�@    at TLSSocket.socketCloseListener (node:_http_client:534:11)
�+    at TLSSocket.emit (node:events:531:35)
��    at node:net:346:12
�'➤ YN0000: └ Completed in 32s 850ms
�/➤ YN0000: · Failed with errors in 33s 133ms
��Restoring package.json...
��package.json restored

Auto-Rebase · Add no-auto-rebase to opt out

@gh-worker-campaigns-3e9aa4

gh-worker-campaigns-3e9aa4 Bot commented Jun 23, 2026

Copy link
Copy Markdown
Contributor Author

Auto-rebase complete

Branch is up to date with master — rebased onto 45b0652.


Auto-Rebase · Add no-auto-rebase to opt out

@dd-octo-sts
dd-octo-sts Bot force-pushed the engraver-auto-version-upgrade/minorpatch/npm/2-1781556597 branch from eb43edf to 837a721 Compare June 23, 2026 14:31
@dd-octo-sts-019303
dd-octo-sts-019303 Bot force-pushed the engraver-auto-version-upgrade/minorpatch/npm/2-1781556597 branch from 8efaadb to 56bfb5b Compare June 24, 2026 15:54
@dd-octo-sts-aad58d
dd-octo-sts-aad58d Bot force-pushed the engraver-auto-version-upgrade/minorpatch/npm/2-1781556597 branch from 56bfb5b to db48db7 Compare June 24, 2026 20:57
@dd-octo-sts-03ec73
dd-octo-sts-03ec73 Bot force-pushed the engraver-auto-version-upgrade/minorpatch/npm/2-1781556597 branch from db48db7 to 495a9a2 Compare June 24, 2026 21:30
@dd-octo-sts-c33ac5
dd-octo-sts-c33ac5 Bot force-pushed the engraver-auto-version-upgrade/minorpatch/npm/2-1781556597 branch from 495a9a2 to 1fc4081 Compare June 25, 2026 17:20
Co-authored-by: dd-octo-sts-c33ac5[bot] <256648544+dd-octo-sts-c33ac5[bot]@users.noreply.github.com>
@dd-octo-sts-aad58d
dd-octo-sts-aad58d Bot force-pushed the engraver-auto-version-upgrade/minorpatch/npm/2-1781556597 branch from 1fc4081 to 783aa9a Compare June 25, 2026 20:54
@gh-worker-dd-mergequeue-cf854d
gh-worker-dd-mergequeue-cf854d Bot merged commit 4884e76 into master Jun 26, 2026
63 of 67 checks passed
@gh-worker-dd-mergequeue-cf854d
gh-worker-dd-mergequeue-cf854d Bot deleted the engraver-auto-version-upgrade/minorpatch/npm/2-1781556597 branch June 26, 2026 03:43
@ava-silver ava-silver mentioned this pull request Jun 29, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant