chore(deps-dev): bump form-data from 4.0.0 to 4.0.5 #471
Conversation
Bumps [form-data](https://github.com/form-data/form-data) from 4.0.0 to 4.0.5. - [Release notes](https://github.com/form-data/form-data/releases) - [Changelog](https://github.com/form-data/form-data/blob/master/CHANGELOG.md) - [Commits](form-data/form-data@v4.0.0...v4.0.5) --- updated-dependencies: - dependency-name: form-data dependency-version: 4.0.5 dependency-type: indirect ... Signed-off-by: dependabot[bot] <[email protected]>
dependabot
bot
added
dependencies
dependabot
bot
added
dependencies
![semgrepcode-auth0[bot]](https://avatars.githubusercontent.com/in/977730?s=60&v=4){kind=small}
| "integrity": "sha512-zXSSClWBPfcSYjg0hcQNompkFN/MxQQ53eyrzm9BYgik2ut2I7PxAf2foVqBRMYCwWaZx/aWodi+uk76npdSAw==", | ||
| "dev": true | ||
| }, | ||
| "node_modules/express-jwt-v6/node_modules/jsonwebtoken": { |
There was a problem hiding this comment.
Medium severity vulnerability may affect your project—review required:
Line 2279 lists a dependency (jsonwebtoken) with a known Medium severity vulnerability.
ℹ️ Why this matters
Affected versions of jsonwebtoken are vulnerable to Improper Authentication. Insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC.
To resolve this comment:
Check if you are using a poorly implemented key retrieval function and your application is supporting usage of both symmetric key and asymmetric key in jwt.verify() implementation with the same key retrieval function..
- If you're affected, upgrade this dependency to at least version 9.0.0 at package-lock.json.
- If you're not affected, comment
/fp we don't use this [condition]
💬 Ignore this finding
To ignore this, reply with:
/fp <comment>for false positive/ar <comment>for acceptable risk/other <comment>for all other reasons
You can view more details on this finding in the Semgrep AppSec Platform here.
| "integrity": "sha512-zXSSClWBPfcSYjg0hcQNompkFN/MxQQ53eyrzm9BYgik2ut2I7PxAf2foVqBRMYCwWaZx/aWodi+uk76npdSAw==", | ||
| "dev": true | ||
| }, | ||
| "node_modules/express-jwt-v6/node_modules/jsonwebtoken": { |
There was a problem hiding this comment.
High severity vulnerability may affect your project—review required:
Line 2279 lists a dependency (jsonwebtoken) with a known High severity vulnerability.
ℹ️ Why this matters
Affected versions of jsonwebtoken are vulnerable to Use Of A Broken Or Risky Cryptographic Algorithm. The library could be misconfigured so that legacy, insecure key types are used for signature verification. For example, DSA keys could be used with the RS256 algorithm.
To resolve this comment:
Check if you are using a legacy, insecure key type with a supported algorithm; for example, DSA keys could be used with the RS256 algorithm.
- If you're affected, upgrade this dependency to at least version 9.0.0 at package-lock.json.
- If you're not affected, comment
/fp we don't use this [condition]
💬 Ignore this finding
To ignore this, reply with:
/fp <comment>for false positive/ar <comment>for acceptable risk/other <comment>for all other reasons
You can view more details on this finding in the Semgrep AppSec Platform here.
|
package-lock is being updated as part of #464 |
|
OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting If you change your mind, just re-open this PR and I'll resolve any conflicts on it. |
Bumps form-data from 4.0.0 to 4.0.5.
Release notes
Sourced from form-data's releases.
... (truncated)
Changelog
Sourced from form-data's changelog.
... (truncated)
Commits
68ff7ddv4.0.55822467[Dev Deps] update@ljharb/eslint-config,eslint76d0dee[Fix] set Symbol.toStringTag in the proper place16e0076[Tests] Switch to newer v8 prediction library; enable node 24 testing41996f5v4.0.4316c82b[meta] actually ensure the readme backup isn’t published2300ca1[meta] fix readme capitalization811f682[meta] addauto-changelog5e34080[Tests] fix linting errors1d11a76[Tests] handle predict-v8-randomness failures in node < 17 and node > 23Maintainer changes
This version was pushed to npm by ljharb, a new releaser for form-data since your current version.
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot mergewill merge this PR after your CI passes on it@dependabot squash and mergewill squash and merge this PR after your CI passes on it@dependabot cancel mergewill cancel a previously requested merge and block automerging@dependabot reopenwill reopen this PR if it is closed@dependabot closewill close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)You can disable automated security fix PRs for this repo from the Security Alerts page.