8000 chore(deps): update dependency formidable to v3.5.4 [security] by renovate[bot] · Pull Request #4652 · giantswarm/happa · GitHub
Open: wants to merge 1 commit into base: main
renovate[bot]
@renovate renovate bot commented Apr 29, 2025

This PR contains the following updates:

Package: formidable
Change: 3.5.1 -> 3.5.4

GitHub Vulnerability Alerts

CVE-2025-46653

Formidable (aka node-formidable) 2.x before 2.1.3 and 3.x before 3.5.3 relies on hexoid to prevent guessing of filenames for untrusted executable content; however, hexoid is documented as not "cryptographically secure." (Also, there is a scenario in which only the last two characters of a hexoid string need to be guessed, but this is not often relevant.) NOTE: this does not imply that, in a typical use case, attackers will be able to exploit any hexoid behavior to upload and execute their own content.


Release Notes

node-formidable/formidable (formidable)

v3.5.4

  • fix the os.machine breaking some dependents, fix #994
  • add Node 16, 18, 20, 22 to CI/CD

v3.5.3

  • security report by ZAST.AI helped in addressing some vulnerabilities (primarily the random name generation)
  • update failing tests
  • update CI/CD workflows and actions
  • update CodeQL github action for security analysis
  • update readme, links and badges
  • update to use cuid2 (battle-tested @paralleldrive/cuid2 package) for better random names - should not be breaking anything since it's still 25 characters long, but a lot safer and faster.

v3.5.2

  • fix: (#982) make it easier to import hexoid with webpack

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR was generated by Mend Renovate.

@renovate renovate bot added dependencies Pull requests that update a dependency file renovate PR created by RenovateBot labels Apr 29, 2025
@renovate renovate bot requested a review from gusevda as a code owner April 29, 2025 17:59
@renovate renovate bot enabled auto-merge (squash) April 29, 2025 17:59
@renovate renovate bot force-pushed the renovate/npm-formidable-vulnerability branch from 5c1bbf6 to c8973e3 May 8, 2025 10:22
@renovate renovate bot force-pushed the renovate/npm-formidable-vulnerability branch from c8973e3 to 5f24ecf May 15, 2025 11:07
@renovate renovate bot force-pushed the renovate/npm-formidable-vulnerability branch from 5f24ecf to 3274dd6 May 30, 2025 12:37
@renovate renovate bot force-pushed the renovate/npm-formidable-vulnerability branch from 3274dd6 to f98bc19 June 10, 2025 11:57
@renovate renovate bot force-pushed the renovate/npm-formidable-vulnerability branch from f98bc19 to 8719831 June 17, 2025 12:50
@renovate renovate bot force-pushed the renovate/npm-formidable-vulnerability branch from 8719831 to 6b6e185 June 26, 2025 11:02