Skip to content

Update jest, cypress packages to resolve security issues caused by form-data #9539

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 4 commits into from
Aug 18, 2025
Merged

Update jest, cypress packages to resolve security issues caused by form-data #9539

merged 4 commits into from
Aug 18, 2025

Conversation

elsamaryv
Copy link
Contributor

@elsamaryv elsamaryv commented Aug 6, 2025
edited
Loading

Fixes a critical security vulnerability related to form-data dependency.

@miq-bot add-label dependencies

@elsamaryv
Update form-data to use version 4.0.4
b4093bb 
Fixes a critical security vulnerability related to form-data using an unsafe random function for choosing a boundary.
@elsamaryv elsamaryv marked this pull request as ready for review August 6, 2025 09:23
@elsamaryv elsamaryv requested a review from a team as a code owner August 6, 2025 09:23
GilbertCherrie
GilbertCherrie reviewed Aug 6, 2025
View reviewed changes
package.json Outdated
@@ -198,6 +198,7 @@
"nwsapi": "^2.2.1",
"path-to-regexp": "~8.0.0",
"patternfly": "~3.59.5",
"terser": "~4.8.1"
"terser": "~4.8.1",
"form-data": "~4.0.4"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@elsamaryv one small fix, can you please put this in alphabetical order.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Also, I believe form-data 2.5.5 also contains the fix. Can we upgrade to that version instead to prevent such a big version jump from 2.3.3.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is there a way to do this without using resolutions? (IMO resolutions only should be used as a last resort). If we can update jest/jest-cli, perhaps newer versions support the right version range

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah @elsamaryv can you first try to upgrade the jest and jest-cli packages then see if it upgrades the form data package. If you are able to upgrade jest and jest-cli see what the most recent version you can get to for those without anything breaking and then see if that causes form-data to upgrade also.

Copy link
Contributor Author

@elsamaryv elsamaryv Aug 12, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I updated the Jest and Cypress packages that previously included form-data via transitive dependencies. With these updates, form-data resolves to the patched versions 3.0.4 and 4.0.4. However, upgrading jest-cli causes multiple test/suite failures, so I had to retain the current version, which still depends on the vulnerable [email protected].

Running yarn why form-data shows:

Screenshot 2025-08-12 at 6 46 54 PM Screenshot 2025-08-12 at 6 47 21 PM

@GilbertCherrie GilbertCherrie self-assigned this Aug 6, 2025
@elsamaryv elsamaryv changed the title Update form-data to use v4.0.4 [WIP] Update form-data to use v4.0.4 Aug 12, 2025
@elsamaryv elsamaryv changed the title [WIP] Update form-data to use v4.0.4 Update jest, cypress packages to resolve security issues caused by form-data Aug 12, 2025
@jrafanie
Copy link
Member

Close / open after revert of #9505 via #9553

@jrafanie jrafanie closed this Aug 13, 2025
@jrafanie jrafanie reopened this Aug 13, 2025
@GilbertCherrie GilbertCherrie merged commit 5cb4543 into ManageIQ:master Aug 18, 2025
36 of 38 checks passed
@jrafanie jrafanie mentioned this pull request Aug 18, 2025
Merged
@jrafanie
Copy link
Member

@Fryguy thoughts on spassky/yes
#9539 updates cypress/jest for form-data
#9554 adds flashClassMap
#9557 depends on flashClassMap

@jrafanie jrafanie mentioned this pull request Aug 18, 2025
Merged
@jrafanie
Copy link
Member

@Fryguy thoughts on spassky/yes
#9539 updates cypress/jest for form-data
#9554 adds flashClassMap
#9557 depends on flashClassMap

he said, yup, add the labels 😉

@Fryguy
Copy link
Member

Fryguy commented Aug 19, 2025

Backported to spassky in commit 961248a.

commit 961248a8a2ccb92819a216d44c3ea6c2916a4321
Author: Gilbert Cherrie <[email protected]>
Date:   Mon Aug 18 10:49:18 2025 -0400

    Merge pull request #9539 from elsamaryv/update-form-data
    
    Update jest, cypress packages to resolve security issues caused by form-data
    
    (cherry picked from commit 5cb4543dbd3f9ce0802637b14a984893e8aa3607)

Fryguy pushed a commit that referenced this pull request Aug 19, 2025
@GilbertCherrie @Fryguy
Merge pull request #9539 from elsamaryv/update-form-data
961248a 
Update jest, cypress packages to resolve security issues caused by form-data

(cherry picked from commit 5cb4543)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Fryguy Fryguy Fryguy left review comments

@GilbertCherrie GilbertCherrie GilbertCherrie left review comments

Assignees

@GilbertCherrie GilbertCherrie

Labels
dependencies spassky/backported
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@elsamaryv @jrafanie @Fryguy @GilbertCherrie @miq-bot