fix(e2e): force patched form-data@4.0.6 via npm override

[timbortnik]

appium@3.5.0 pins form-data@4.0.5 (exact via @appium/support@7.2.3, ^4.0.5 via axios@1.16.1), which is vulnerable to CWE-93 CRLF injection (GHSA, affected >=4.0.0 <4.0.6). Dependabot's only update path would downgrade appium 3.5.0 -> 1.22.3.

Force the patched 4.0.6 via an npm override instead — a patch release that only adds CR/LF/quote escaping in the Content-Disposition header, so it's API-compatible. Both consumers (@appium/support, axios) dedupe to 4.0.6; npm audit reports 0 vulnerabilities.

Same approach already used for serialize-javascript (#28).

Summary by CodeRabbit

• Chores
  • Updated npm package overrides to enforce patched versions of form-data and serialize-javascript in the end-to-end test environment.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 2a894ae1-d782-44ed-b4aa-e8026679d3d0

📥 Commits

Reviewing files that changed from the base of the PR and between 426c53a and 7983dbb.

⛔ Files ignored due to path filters (1)

• e2e/package-lock.json is excluded by !**/package-lock.json

📒 Files selected for processing (1)

• e2e/package.json

---

📝 Walkthrough

Walkthrough

In e2e/package.json, the overrides block is expanded to add a form-data: "^4.0.6" entry alongside the existing serialize-javascript: "^7.0.5" pin. The adjacent comment is updated to describe both overrides and their purpose.

Changes

Dependency Override Update

Layer / File(s)	Summary
Add form-data override to e2e overrides block e2e/package.json	Adds form-data: "^4.0.6" to the overrides block alongside the existing serialize-javascript pin, and updates the comment to document both entries.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Possibly related PRs

• timbortnik/widget#28: Modifies the same e2e/package.json overrides block to pin serialize-javascript, which this PR builds upon by adding the form-data override.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately and specifically describes the main change: adding a patched form-data@4.0.6 override via npm configuration to fix a security vulnerability.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/form-data-cve-override

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}