Bump form-data from 3.0.4 to 3.0.5#46
Conversation
Bumps [form-data](https://github.com/form-data/form-data) from 3.0.4 to 3.0.5. - [Changelog](https://github.com/form-data/form-data/blob/master/CHANGELOG.md) - [Commits](form-data/form-data@v3.0.4...v3.0.5) --- updated-dependencies: - dependency-name: form-data dependency-version: 3.0.5 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>
dependabot
Bot
added
dependencies
![lifeomic-review-bot[bot]](https://avatars.githubusercontent.com/u/29172293?s=60&v=4){kind=small}
There was a problem hiding this comment.
Scope
Lockfile-only Dependabot bump: yarn.lock refreshes transitive form-data from 3.0.4 to 3.0.5 (resolved via form-data@^3.0.0, consumed by the jsdom test dependency chain). The upstream patch fixes escaping of CR, LF, and " in multipart field names and filenames—a worthwhile security/hygiene improvement with no application source changes.
Upstream: unknown (author to confirm) — release notes linked in PR body (form-data/form-data v3.0.5).
CI
Checks were still pending at review time; branch protection will gate merge.
Regression risk
Low—patch semver on a transitive dev/test dependency with a targeted escaping fix and no manifest edits.
Residual risks / follow-ups
None — because the sole change is a single resolved version line in yarn.lock, securitySensitivePaths is empty, and the bump is a narrow upstream security patch with no functional code in this repository.
Note: Review generated using Cursor model
composer-2.5.
This review was generated by review-bot.
Bumps form-data from 3.0.4 to 3.0.5.
Changelog
Sourced from form-data's changelog.
Commits
be3f3cfv3.0.56a8a1c6[Deps] updatehasown27c61a5[Dev Deps] update@ljharb/eslint-config,auto-changelog,eslint,tape8777e67[Fix] escape CR, LF, and"in field names and filenamesDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)You can disable automated security fix PRs for this repo from the Security Alerts page.