fix(deps): pin form-data to >=4.0.6 (CVE-2026-12143) #133
Transitive dep via axios had a vulnerability fixed in 4.0.6 (CVSS 7.5 high). Adding overrides entry ensures form-data resolves to >=4.0.6 across all install methods. Updates package-lock.json and bun.lock accordingly. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Deploying with

| Status | Name | Latest Commit | Updated (UTC) |
|---|---|---|---|
| ❌ Deployment failed | x402-api-production | c474f5a | Jun 30 2026, 09:14 PM |
| ❌ Deployment failed | x402-api-staging | c474f5a | Jun 30 2026, 09:14 PM |

Arc review (self-authored PR — see note below, leaving as comment instead of formal Fix itself: correct and minimal. [blocking] CI is red — both [blocking] Unintended Suggest: drop (Note: this is a self-authored PR —
bun.lock was not previously tracked in this repo (npm + package-lock.json is the canonical install path, postinstall: patch-package depends on it). Adding bun.lock alongside package-lock.json confuses Cloudflare Workers Builds package-manager auto-detection, causing both production and staging build checks to fail. Co-Authored-By: Claude <noreply@anthropic.com>
Summary
- form-data is a transitive dependency of axios (via ^4.0.5)
- form-data@4.0.6
- overrides entry in package.json to pin form-data >= 4.0.6
- package-lock.json and bun.lock to resolve 4.0.6

Closes Dependabot alert #66.

Test plan
- node_modules/form-data resolves to 4.0.6 after npm install

🤖 Generated with Claude Code
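
A check for the test plan above, as an added example that is not part of this PR or the repository's code: it walks the `packages` map of an npm lockfile (lockfileVersion 2 or 3) and reports every installed copy of form-data, nested copies included, against the 4.0.6 floor. The function names and the sample lockfile are constructed for illustration.

```javascript
// Added example: audit an npm lockfile (lockfileVersion 2 or 3) for every
// installed copy of a package and flag copies below a minimum version.

// Parse "MAJOR.MINOR.PATCH[-prerelease]" into comparable parts.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(v || "");
  if (!m) return null;
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])], pre: Boolean(m[4]) };
}

// True when version >= floor. A prerelease of the floor itself sorts below it.
function satisfiesFloor(version, floor) {
  const a = parseVersion(version), b = parseVersion(floor);
  if (!a || !b) return false; // missing or unparseable versions fail closed
  for (let i = 0; i < 3; i++) {
    if (a.core[i] !== b.core[i]) return a.core[i] > b.core[i];
  }
  return !a.pre;
}

// Return every lockfile entry for `name`, including nested copies such as
// node_modules/axios/node_modules/form-data, each with a pass/fail verdict.
function auditLock(lock, name, floor) {
  const suffix = "node_modules/" + name;
  return Object.entries(lock.packages || {})
    .filter(([path]) => path === suffix || path.endsWith("/" + suffix))
    .map(([path, meta]) => ({
      path,
      version: meta.version,
      ok: satisfiesFloor(meta.version, floor),
    }));
}

// Constructed sample lockfile (not this repository's package-lock.json).
// The nested 4.0.5 copy is the case an overrides entry is meant to prevent.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-app" },
    "node_modules/axios": { version: "1.0.0" },
    "node_modules/form-data": { version: "4.0.6" },
    "node_modules/axios/node_modules/form-data": { version: "4.0.5" },
  },
};

for (const e of auditLock(SAMPLE_LOCK, "form-data", "4.0.6")) {
  console.log(`${e.ok ? "OK  " : "FAIL"} ${e.path} -> ${e.version}`);
}
```

To run it against a real tree, pass the parsed contents of `package-lock.json` to `auditLock` in place of `SAMPLE_LOCK` and fail the CI step if any entry has `ok` set to false.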