From 7983dbbccab276d5b746487731e7f0b41d1c9a88 Mon Sep 17 00:00:00 2001
From: Tymofiy Bortnyk
Date: Wed, 17 Jun 2026 22:54:04 +0300
Subject: [PATCH] fix(e2e): force patched form-data@4.0.6 via npm override
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

appium@3.5.0 pins form-data@4.0.5 (exact via @appium/support@7.2.3, ^4.0.5 via axios@1.16.1), which is vulnerable to CWE-93 CRLF injection (GHSA, affected >=4.0.0 <4.0.6). Dependabot's only update path would downgrade appium 3.5.0 -> 1.22.3. Force the patched 4.0.6 via an npm override instead — a patch release that only adds CR/LF/quote escaping in the Content-Disposition header, so it's API-compatible. Both consumers (@appium/support, axios) dedupe to 4.0.6; npm audit reports 0 vulnerabilities. Same approach already used for serialize-javascript (#28).

Co-Authored-By: Claude Opus 4.8 (1M context)
---
 e2e/package-lock.json | 11 +++++------
 e2e/package.json | 5 +++--
 2 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/e2e/package-lock.json b/e2e/package-lock.json
index 03ea785..c183563 100644
--- a/e2e/package-lock.json
+++ b/e2e/package-lock.json
@@ -5125,17 +5125,16 @@
 }
 },
 "node_modules/form-data": {
- "version": "4.0.5",
- "resolved": "https://registry.npmjs.org/form-data/-/form-data-4.0.5.tgz",
- "integrity": "sha512-8RipRLol37bNs2bhoV67fiTEvdTrbMUYcFTiy3+wuuOnUog2QBHCZWXDRijWQfAkhBj2Uf5UnVaiWwA5vdd82w==",
+ "version": "4.0.6",
+ "resolved": "https://registry.npmjs.org/form-data/-/form-data-4.0.6.tgz",
+ "integrity": "sha512-vKatAh4SlVfgbv+YtmhiRjhEMJsYpsG1Y2rMQtR+SVSbytsSD1YGzDIcrAJmdFec88u/+VoGmxnl+80gL1tRCQ==",
 "dev": true,
- "license": "MIT",
 "dependencies": {
 "asynckit": "^0.4.0",
 "combined-stream": "^1.0.8",
 "es-set-tostringtag": "^2.1.0",
- "hasown": "^2.0.2",
- "mime-types": "^2.1.12"
+ "hasown": "^2.0.4",
+ "mime-types": "^2.1.35"
 },
 "engines": {
 "node": ">= 6"
diff --git a/e2e/package.json b/e2e/package.json
index 275ad51..c45f5e3 100644
--- a/e2e/package.json
+++ b/e2e/package.json
@@ -17,8 +17,9 @@
 "webdriverio": "9.28.0"
 },
 "//uiautomator2": "Driver installed via `npm run driver:install` (uiautomator2@4.2.9 — last 4.x; 5.x+ require Appium 3). Not an npm dependency; lives under APPIUM_HOME=./.appium.",
- "//overrides": "serialize-javascript: mocha@10.8.2 pins ^6.0.2 (vuln <7.0.5, GHSA-5c6j-r48x-rmvq + GHSA-qj8w-gfj5-8c6v). Force the patched 7.x — API-compatible (only 7.0.0 breaking change was dropping Node<20; CI runs Node 20+) and keeps @wdio/mocha-framework@9.28.0 (Dependabot's path would downgrade it to 6.1.17).",
+ "//overrides": "serialize-javascript: mocha@10.8.2 pins ^6.0.2 (vuln <7.0.5, GHSA-5c6j-r48x-rmvq + GHSA-qj8w-gfj5-8c6v). Force the patched 7.x — API-compatible (only 7.0.0 breaking change was dropping Node<20; CI runs Node 20+) and keeps @wdio/mocha-framework@9.28.0 (Dependabot's path would downgrade it to 6.1.17). form-data: appium@3.5.0 pins form-data@4.0.5 via @appium/support@7.2.3 (vuln >=4.0.0 <4.0.6, CWE-93 CRLF injection). Force the patched 4.0.6 — patch release, API-compatible; Dependabot's path would downgrade appium to 1.22.3.",
 "overrides": {
- "serialize-javascript": "^7.0.5"
+ "serialize-javascript": "^7.0.5",
+ "form-data": "^4.0.6"
 }
 }
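Review bot: The new `"form-data": "^4.0.6"` override, and the "npm audit reports 0 vulnerabilities" claim it rests on, only govern `e2e/node_modules`; the `//uiautomator2` context line in this same hunk says the driver is installed separately under `APPIUM_HOME=./.appium`, and a root `package.json` override does not reach a tree installed by another tool, so if that driver's dependencies also pull in form-data (plausible, since the commit message names `@appium/support` as the pin source and Appium drivers commonly depend on it) a vulnerable copy can remain there unaudited. I would record that limit in the comment so the next reader does not assume the fix is complete, e.g. append to the `//overrides` value: `Overrides only apply to e2e/node_modules; the uiautomator2 driver tree under APPIUM_HOME=./.appium is installed by appium itself and must be audited and updated separately.`, and have `driver:install` or CI run an audit against that directory (I have not verified that appium lays out APPIUM_HOME as a standard npm prefix, so check which command applies). Separately, the adjacent `//uiautomator2` comment still says "5.x+ require Appium 3" while the new text states appium@3.5.0 is installed, so that note appears stale and is worth refreshing in the same pass.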