Skip to content

fix(deps): update form-data to 2.5.5 (CVE-2025-7783) #1507

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Jul 24, 2025
Merged

fix(deps): update form-data to 2.5.5 (CVE-2025-7783) #1507

merged 1 commit into from
Jul 24, 2025

Conversation

MikeMcC399
Copy link
Collaborator

@MikeMcC399 MikeMcC399 commented Jul 22, 2025
edited
Loading

Situation

npm audit reports GHSA-fjxv-7rqg-78g4 critical vulnerability CVE-2025-7783 for transient dependency form-data@2.5.3

Steps to reproduce

git clone https://github.com/cypress-io/github-action
cd github-action
npm ci
npm audit

Logs

$ npm audit
# npm audit report

form-data  <2.5.4
Severity: critical
form-data uses unsafe random function in form-data for choosing boundary - https://github.com/advisories/GHSA-fjxv-7rqg-78g4
fix available via `npm audit fix`
node_modules/form-data

1 critical severity vulnerability

To address all issues, run:
  npm audit fix

$ npm ls form-data
@cypress/github-action@0.0.0-development
└─┬ @actions/cache@4.0.2
  └─┬ @azure/ms-rest-js@2.7.0
    └── form-data@2.5.3

Change

Use npm audit fix to update from form-data@2.5.3 to the non-vulnerable transient dependency form-data@2.5.5 (current 2.x latest).

Comment

  • Updating the dependency does not cause any change to the compiled code, so it looks like there was no corresponding vulnerability compiled into the action in the first place. Nevertheless, the PR remediates the vulnerability report in the action and I suggest therefore to merge it.

  • This PR does not address vulnerabilities in the examples coming from cypress@14.5.2. This will be handled separately and may depend on an update from Cypress, and Cypress' dependencies. See Critical vulnerability CVE-2025-7783 using form-data 4.0.1 & 4.0.3 cypress#32066

@cypress-app-bot
Copy link

@MikeMcC399 MikeMcC399 added bug Something isn't working type: dependencies labels Jul 22, 2025
@MikeMcC399 MikeMcC399 self-assigned this Jul 22, 2025
@MikeMcC399 MikeMcC399 marked this pull request as ready for review July 22, 2025 15:10
@jennifer-shehane jennifer-shehane merged commit b8ba51a into cypress-io:master Jul 24, 2025
80 checks passed
@github-actions GitHub Actions
Copy link

🎉 This PR is included in version 6.10.2 🎉

The release is available on:

Your semantic-release bot 📦🚀

@MikeMcC399 MikeMcC399 deleted the update/action-form-data branch July 24, 2025 15:32
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jennifer-shehane jennifer-shehane jennifer-shehane approved these changes

Assignees

@MikeMcC399 MikeMcC399

Labels
bug Something isn't working released type: dependencies
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@MikeMcC399 @cypress-app-bot @jennifer-shehane
pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy