Skip to content

Update packages to resolve Vulnerability issue #160

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
tomggill merged 1 commit into from
Jul 22, 2025
Merged

Update packages to resolve Vulnerability issue #160

tomggill merged 1 commit into from
Jul 22, 2025

Conversation

@Mathiyarasy
Copy link
Contributor

@MathiyarasyMathiyarasy commented Jul 22, 2025
edited
Loading

Fixes :https://github.com/github/codespaces-react/security/dependabot/42

Description:

  • form-data uses unsafe random function in form-data for choosing boundary
  • Affected versions >= 4.0.0, < 4.0.4
  • Patched version 4.04
  • Transitive dependency form-data 4.0.0 is introduced via
    jsdom 22.1.0 form-data 4.0.0
  • Existing dependabot PR for this issue updated the package-lock.json file to update form-data to patched version.
  • This may not be required as the latest jsdom package removed the form-data as its dependency

Changes:

  • Updated package vitejs/plugin-react to resolve existing peer dependency conflict in the project
    @vitejs/[email protected] declares a peer dependency on vite version ^4.2.0.
    Since the latest vite version is 6.2.7 updated the vitejs/[email protected]
  • Updated package jsdom to latest version which do not have any dependency on form-data

@MathiyarasyMathiyarasy marked this pull request as ready for review July 22, 2025 09:31
CopilotAI review requested due to automatic review settings July 22, 2025 09:31
CopilotAI reviewed Jul 22, 2025
View reviewed changes
Copy link

CopilotAI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR updates two development dependencies to resolve a security vulnerability in the form-data package. The vulnerability stems from an unsafe random function used for choosing boundaries in form-data versions 4.0.0 to 4.0.3, which was transitively introduced via jsdom 22.1.0.

  • Updated @vitejs/plugin-react from 4.1.1 to 4.7.0 to resolve peer dependency conflicts with vite 6.2.7
  • Updated jsdom from 22.1.0 to 26.1.0 to eliminate the vulnerable form-data dependency

@tomggilltomggill merged commit 4ddece1 into mainJul 22, 2025
2 checks passed
@tomggilltomggill deleted the dev/Mathi/formData branch July 22, 2025 16:38
Sign up for freeto join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code reviewCopilotCopilot left review comments

@tomggilltomggilltomggill approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@Mathiyarasy@tomggill@Claude@Codex