
fix(deps): bump ws to 8.21.0 and form-data to 4.0.6 for Snyk vulns#288

Merged
shriram-devrev merged 1 commit into main from fix/snyk-ws-form-data-bump on Jul 1, 2026

Conversation

@shriram-devrev

Contributor

What

Resolves two Snyk-reported dependency vulnerabilities in build/dev tooling (neither package ships in the meerkat runtime):

| Issue | Severity | CVE / Snyk key | Change |
| --- | --- | --- | --- |
| ISS-331765 | High | SNYK-JS-WS-17344547 | ws override 8.20.1 → 8.21.0 |
| ISS-328921 | Medium | SNYK-JS-FORMDATA-17337015 | added form-data override → 4.0.6 |

Why

  • ws — already pinned via overrides (pulled transitively by @module-federation/dts-plugin, Nx dev tooling). Bumped the existing pin to the patched release.
  • form-data — pulled via verdaccio → @cypress/request (devDependencies). Added a new overrides entry to force the patched release.

Both are dev/build-time only — not in the shipped meerkat runtime.

Verification

Ran npx snyk test --dev --strict-out-of-sync=false locally against the DevRev org:

  • 2284 dependencies tested
  • SNYK-JS-WS-17344547: 0 occurrences
  • SNYK-JS-FORMDATA-17337015: 0 occurrences
  • no remaining form-data / ws vulnerable paths

package-lock.json regenerated via npm install; resolves ws@8.21.0 and form-data@4.0.6.

Note: --strict-out-of-sync=false was required due to a pre-existing Snyk CLI false-positive with npm overrides (a tar@^7.5.4 sync warning that also reproduces on clean main) — unrelated to this change.

Resolves two Snyk-reported dependency vulnerabilities (dev/build tooling
only, not shipped in the meerkat runtime):

- ISS-331765 (High, SNYK-JS-WS-17344547): ws 8.20.1 -> 8.21.0.
  Bumps the existing overrides pin; ws is pulled transitively via
  @module-federation/dts-plugin (Nx dev tooling).
- ISS-328921 (Medium, SNYK-JS-FORMDATA-17337015): form-data 4.0.5 -> 4.0.6.
  Adds a new overrides entry; form-data is pulled via
  verdaccio -> @cypress/request (devDependencies).

Verified locally with `snyk test --dev`: both issue keys no longer appear
(0 occurrences), no remaining form-data/ws vulnerable paths.
shriram-devrev merged commit d319992 into main on Jul 1, 2026
4 checks passed