From 086e318798b664002c3516bfa329ec726a2684ab Mon Sep 17 00:00:00 2001 From: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com> Date: Wed, 29 Apr 2026 13:53:42 +0000 Subject: [PATCH] fix(deps): add form-data resolution to fix SNYK-JS-FORMDATA-10841150 Add yarn resolution for **/form-data to ^4.0.1, fixing CVE SNYK-JS-FORMDATA-10841150 (Predictable Value Range, CVSS 9.8). The vulnerable form-data@4.0.0 was introduced transitively via appium-adb (dev/test dependency). This patch version bump consolidates all form-data versions to 4.0.1. Co-Authored-By: Abhay Aggarwal --- package.json | 3 ++- yarn.lock | 29 +---------------------------- 2 files changed, 3 insertions(+), 29 deletions(-) diff --git a/package.json b/package.json index 49edefcd942..ee1b4824b32 100644 --- a/package.json +++ b/package.json @@ -149,7 +149,8 @@ "metro/image-size": "^1.2.1", "content-hash/**/base-x": "3.0.11", "multihashes/**/base-x": "3.0.11", - "@keystonehq/ur-decoder/**/base-x": "3.0.11" + "@keystonehq/ur-decoder/**/base-x": "3.0.11", + "**/form-data": "^4.0.1" }, "dependencies": { "@config-plugins/detox": "^9.0.0", diff --git a/yarn.lock b/yarn.lock index 134f392c3e3..690b30c5e5f 100644 --- a/yarn.lock +++ b/yarn.lock @@ -17863,16 +17863,7 @@ fork-ts-checker-webpack-plugin@^8.0.0: semver "^7.3.5" tapable "^2.2.1" -form-data@4.0.0: - version "4.0.0" - resolved "https://registry.yarnpkg.com/form-data/-/form-data-4.0.0.tgz#93919daeaf361ee529584b9b31664dc12c9fa452" - integrity sha512-ETEklSGi5t0QMZuiXoA/Q6vcnxcLQP5vdugSpuAyi6SVGi2clPPp+xgEhuMaHC+zGgn31Kd235W35f7Hykkaww== - dependencies: - asynckit "^0.4.0" - combined-stream "^1.0.8" - mime-types "^2.1.12" - -form-data@4.0.1, form-data@^4.0.0: +form-data@4.0.0, form-data@4.0.1, form-data@^3.0.1, form-data@^4.0.0, form-data@~2.3.2: version "4.0.1" resolved "https://registry.yarnpkg.com/form-data/-/form-data-4.0.1.tgz#ba1076daaaa5bfd7e99c1a6cb02aa0a5cff90d48" integrity sha512-tzN8e4TX8+kkxGPK8D5u0FNmjPUjw3lwC9lSLxxoB/+GtsJG91CO8bSWy73APlgAZzZbXEYZJuxjkHH2w+Ezhw== @@ -17881,24 +17872,6 @@ form-data@4.0.1, form-data@^4.0.0: combined-stream "^1.0.8" mime-types "^2.1.12" -form-data@^3.0.1: - version "3.0.2" - resolved "https://registry.yarnpkg.com/form-data/-/form-data-3.0.2.tgz#83ad9ced7c03feaad97e293d6f6091011e1659c8" - integrity sha512-sJe+TQb2vIaIyO783qN6BlMYWMw3WBOHA1Ay2qxsnjuafEOQFJ2JakedOQirT6D5XPRxDvS7AHYyem9fTpb4LQ== - dependencies: - asynckit "^0.4.0" - combined-stream "^1.0.8" - mime-types "^2.1.12" - -form-data@~2.3.2: - version "2.3.3" - resolved "https://registry.yarnpkg.com/form-data/-/form-data-2.3.3.tgz#dcce52c05f644f298c6a7ab936bd724ceffbf3a6" - integrity sha512-1lLKB2Mu3aGP1Q/2eCOx0fNbRMe7XdwktwOruhfqqd0rIJWwN4Dh+E3hrPSlDCXnSR7UtZ1N38rVXm+6+MEhJQ== - dependencies: - asynckit "^0.4.0" - combined-stream "^1.0.6" - mime-types "^2.1.12" - format-util@^1.0.3: version "1.0.5" resolved "https://registry.yarnpkg.com/format-util/-/format-util-1.0.5.tgz#1ffb450c8a03e7bccffe40643180918cc297d271"