
fix(deps): pin form-data to >=4.0.6 (CVE-2026-12143)#133

Open
arc0btc wants to merge 2 commits into
mainfrom
fix/form-data-cve-2026-12143

Conversation

arc0btc (Contributor) commented Jun 22, 2026

Summary

  • form-data is a transitive dependency of axios (via ^4.0.5)
  • CVE-2026-12143 (CVSS 7.5 high) was patched in form-data@4.0.6
  • Adds overrides entry in package.json to pin form-data >= 4.0.6
  • Updates package-lock.json and bun.lock to resolve 4.0.6

Closes Dependabot alert #66.

Test plan

🤖 Generated with Claude Code

Transitive dep via axios had a vulnerability fixed in 4.0.6 (CVSS 7.5 high).
Adding overrides entry ensures form-data resolves to >=4.0.6 across all
install methods. Updates package-lock.json and bun.lock accordingly.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
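The PR relies on an `overrides` entry in package.json to force every resolution of form-data to 4.0.6 or later, but an override only helps if the regenerated lockfile actually reflects it, including nested copies that other dependencies pull in. The check below is an added example, not code from the PR or from the repository: it reads the override floor from package.json and reports every form-data entry in a lockfileVersion 2/3 package-lock.json that resolves below it. The package.json, both lockfiles, the axios range and the nested duplicate under `some-dep` are constructed samples. Note that `overrides` is npm's field; yarn reads `resolutions` instead, so the same floor has to be expressed per package manager.

```javascript
// Added example, not code from the PR or the x402-api repository: check that
// a package.json `overrides` floor for a transitive dependency is reflected in
// every copy of that package recorded in package-lock.json.
// All documents below are constructed samples; the project name, the axios
// range and the nested duplicate under "some-dep" are assumptions.

const PACKAGE_JSON = {
  name: "x402-api",
  dependencies: { axios: "^1.7.0" },
  // npm-only field: forces every resolution of form-data to satisfy the range.
  overrides: { "form-data": ">=4.0.6" },
};

// lockfileVersion 2/3 layout: "packages" is keyed by path under node_modules,
// so a nested duplicate appears as "node_modules/<parent>/node_modules/<name>".
const LOCKFILE_BEFORE = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { axios: "^1.7.0" } },
    "node_modules/axios": { version: "1.7.0", dependencies: { "form-data": "^4.0.5" } },
    "node_modules/form-data": { version: "4.0.5" },
    "node_modules/some-dep/node_modules/form-data": { version: "3.0.1" },
  },
};

const LOCKFILE_AFTER = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { axios: "^1.7.0" } },
    "node_modules/axios": { version: "1.7.0", dependencies: { "form-data": "^4.0.5" } },
    "node_modules/form-data": { version: "4.0.6" },
    "node_modules/some-dep/node_modules/form-data": { version: "4.0.6" },
  },
};

// Numeric major.minor.patch compare; prerelease/build tags are ignored because
// a security floor is always a release version.
function parseVersion(v) {
  const core = String(v).replace(/^v/, "").split(/[-+]/)[0];
  const parts = core.split(".").map((n) => Number.parseInt(n, 10));
  if (parts.length !== 3 || parts.some(Number.isNaN)) {
    throw new Error(`unsupported version: ${v}`);
  }
  return parts;
}

function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Only the two override shapes a security pin uses: ">=X.Y.Z" or exact "X.Y.Z".
function overrideFloor(spec) {
  const m = /^(?:>=)?\s*(\d+\.\d+\.\d+)$/.exec(String(spec).trim());
  if (!m) throw new Error(`unsupported override spec: ${spec}`);
  return m[1];
}

// Every lockfile entry that is a copy of `name`, hoisted or nested.
function lockfileEntries(lock, name) {
  const suffix = `node_modules/${name}`;
  return Object.entries(lock.packages || {})
    .filter(([p]) => p === suffix || p.endsWith(`/${suffix}`))
    .map(([p, entry]) => ({ path: p, version: entry.version }));
}

// Entries of `name` whose resolved version is below the package.json override.
function belowFloor(packageJson, lock, name) {
  const spec = (packageJson.overrides || {})[name];
  if (!spec) throw new Error(`no override for ${name} in package.json`);
  const floor = overrideFloor(spec);
  return lockfileEntries(lock, name).filter((e) => compareVersions(e.version, floor) < 0);
}
```

Run `belowFloor(pkg, lock, "form-data")` against the real package.json and package-lock.json after `npm install`; a non-empty result means the override was not applied to every copy. On an installed tree `npm ls form-data` gives the same answer from node_modules rather than from the lockfile.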
cloudflare-workers-and-pages (bot) commented Jun 22, 2026

Deploying with Cloudflare Workers

Status               Name                 Latest Commit   Updated (UTC)
❌ Deployment failed   x402-api-production  c474f5a         Jun 30 2026, 09:14 PM

cloudflare-workers-and-pages (bot) commented Jun 22, 2026

Deploying with Cloudflare Workers

Status               Name                 Latest Commit   Updated (UTC)
❌ Deployment failed   x402-api-staging     c474f5a         Jun 30 2026, 09:14 PM

arc0btc (Contributor, Author) commented Jun 30, 2026

Arc review (self-authored PR — see note below, leaving as comment instead of formal gh pr review):

Fix itself: correct and minimal. package.json override pins form-data >= 4.0.6, package-lock.json resolves to 4.0.6 with the expected integrity hash. Closes Dependabot alert #66 (CVE-2026-12143) the right way.

[blocking] CI is red — both Workers Builds: x402-api-production and Workers Builds: x402-api-staging are currently failing on this PR.

[blocking] Unintended bun.lock addition — this PR adds a brand-new bun.lock (448 lines) at the repo root. main currently only tracks package-lock.json (deploy:staging/deploy:production in package.json run via npm run wrangler), with no existing bun.lock committed. Cloudflare Workers Builds auto-detects the package manager from whichever lockfile is present, so introducing bun.lock alongside package-lock.json is a likely cause of the build failures above (ambiguous/conflicting package-manager detection).

Suggest: drop bun.lock from this PR, keep just the package.json + package-lock.json changes, and confirm Workers Builds go green before merge.

(Note: this is a self-authored PR — gh pr review --approve/--request-changes is rejected by GitHub's API for the PR's own author, so leaving this as a comment for @whoabuddy to action instead of a formal review.)

bun.lock was not previously tracked in this repo (npm + package-lock.json
is the canonical install path, postinstall: patch-package depends on it).
Adding bun.lock alongside package-lock.json confuses Cloudflare Workers
Builds package-manager auto-detection, causing both production and
staging build checks to fail.

Co-Authored-By: Claude <noreply@anthropic.com>