Bump `form-data` to bring in fix for critical vulnerability by matthewhughes934 · Pull Request #618 · actions/setup-go

matthewhughes934 · 2025-07-24T05:41:56Z

The vulnerability:

$ npm audit --audit-level=high
# npm audit report

form-data  >=4.0.0 <4.0.4 || <2.5.4
Severity: critical
form-data uses unsafe random function in form-data for choosing boundary - https://github.com/advisories/GHSA-fjxv-7rqg-78g4
form-data uses unsafe random function in form-data for choosing boundary - https://github.com/advisories/GHSA-fjxv-7rqg-78g4
fix available via `npm audit fix`
node_modules/@azure/core-http/node_modules/form-data
node_modules/@types/node-fetch/node_modules/form-data
node_modules/form-data

1 critical severity vulnerability

To address all issues, run:
  npm audit fix

This change is the result of from running npm audit fix and then
using[1] to update licenses via licensed cache.

It doesn't look like dependabot previously raised any PRs for this
dependency, so this bumps it from 4.0.0 to 4.0.4, see the
changelog[2] for details.

Link: https://github.com/licensee/licensed [1]
Link: https://github.com/form-data/form-data/blob/v4.0.4/CHANGELOG.md [2]

reneleonhardt · 2025-07-24T10:42:14Z

CodeRabbit hasn't been enabled, is there a security team to speed-up reviews manually?
CI is frozen because of one vulnerablity, so nothing can be merged except this fix.
#460

matthewhughes934 · 2025-07-30T17:30:10Z

I forgot to npm run build, done that and squashed into the commit

The vulnerability: $ npm audit --audit-level=high # npm audit report form-data >=4.0.0 <4.0.4 || <2.5.4 Severity: critical form-data uses unsafe random function in form-data for choosing boundary - GHSA-fjxv-7rqg-78g4 form-data uses unsafe random function in form-data for choosing boundary - GHSA-fjxv-7rqg-78g4 fix available via `npm audit fix` node_modules/@azure/core-http/node_modules/form-data node_modules/@types/node-fetch/node_modules/form-data node_modules/form-data 1 critical severity vulnerability To address all issues, run: npm audit fix This change is the result of from running `npm audit fix` and then using[1] to update licenses via `licensed cache`. It doesn't look like `dependabot` previously raised any PRs for this dependency, so this bumps it from `4.0.0` to `4.0.4`, see the changelog[2] for details. Link: https://github.com/licensee/licensed [1] Link: https://github.com/form-data/form-data/blob/v4.0.4/CHANGELOG.md [2]

matthewhughes934 · 2025-07-30T19:45:07Z

Ok, that CI failure took a bit to figure out:

so I had to figure out to go and install https://github.com/licensee/licensed/tree/3.9.0 (same version as used by the action above) and run license cache. This should probably be documented somewhere.

The vulnerability: $ npm audit --audit-level=high # npm audit report form-data >=4.0.0 <4.0.4 || <2.5.4 Severity: critical form-data uses unsafe random function in form-data for choosing boundary - GHSA-fjxv-7rqg-78g4 form-data uses unsafe random function in form-data for choosing boundary - GHSA-fjxv-7rqg-78g4 fix available via `npm audit fix` node_modules/@azure/core-http/node_modules/form-data node_modules/@types/node-fetch/node_modules/form-data node_modules/form-data 1 critical severity vulnerability To address all issues, run: npm audit fix This change is the result of from running `npm audit fix` and then using[1] to update licenses via `licensed cache`. It doesn't look like `dependabot` previously raised any PRs for this dependency, so this bumps it from `4.0.0` to `4.0.4`, see the changelog[2] for details. Link: https://github.com/licensee/licensed [1] Link: https://github.com/form-data/form-data/blob/v4.0.4/CHANGELOG.md [2]

This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [actions/setup-go](https://github.com/actions/setup-go) | action | major | `v5` → `v6` | --- ### Release Notes <details> <summary>actions/setup-go (actions/setup-go)</summary> ### [`v6.4.0`](https://github.com/actions/setup-go/releases/tag/v6.4.0) [Compare Source](actions/setup-go@v6.3.0...v6.4.0) ##### What's Changed ##### Enhancement - Add go-download-base-url input for custom Go distributions by [@gdams](https://github.com/gdams) in [#721](actions/setup-go#721) ##### Dependency update - Upgrade minimatch from 3.1.2 to 3.1.5 by [@dependabot](https://github.com/dependabot) in [#727](actions/setup-go#727) ##### Documentation update - Rearrange README.md, add advanced-usage.md by [@priyagupta108](https://github.com/priyagupta108) in [#724](actions/setup-go#724) - Fix Microsoft build of Go link by [@gdams](https://github.com/gdams) in [#734](actions/setup-go#734) ##### New Contributors - [@gdams](https://github.com/gdams) made their first contribution in [#721](actions/setup-go#721) **Full Changelog**: <actions/setup-go@v6...v6.4.0> ### [`v6.3.0`](https://github.com/actions/setup-go/releases/tag/v6.3.0) [Compare Source](actions/setup-go@v6.2.0...v6.3.0) ##### What's Changed - Update default Go module caching to use go.mod by [@priyagupta108](https://github.com/priyagupta108) in [#705](actions/setup-go#705) - Fix golang download url to go.dev by [@178inaba](https://github.com/178inaba) in [#469](actions/setup-go#469) **Full Changelog**: <actions/setup-go@v6...v6.3.0> ### [`v6.2.0`](https://github.com/actions/setup-go/releases/tag/v6.2.0) [Compare Source](actions/setup-go@v6.1.0...v6.2.0) ##### What's Changed ##### Enhancements - Example for restore-only cache in documentation by [@aparnajyothi-y](https://github.com/aparnajyothi-y) in [#696](actions/setup-go#696) - Update Node.js version in action.yml by [@ccoVeille](https://github.com/ccoVeille) in [#691](actions/setup-go#691) - Documentation update of actions/checkout by [@deining](https://github.com/deining) in [#683](actions/setup-go#683) ##### Dependency updates - Upgrade js-yaml from 3.14.1 to 3.14.2 by [@dependabot](https://github.com/dependabot) in [#682](actions/setup-go#682) - Upgrade [@actions/cache](https://github.com/actions/cache) to v5 by [@salmanmkc](https://github.com/salmanmkc) in [#695](actions/setup-go#695) - Upgrade actions/checkout from 5 to 6 by [@dependabot](https://github.com/dependabot) in [#686](actions/setup-go#686) - Upgrade qs from 6.14.0 to 6.14.1 by [@dependabot](https://github.com/dependabot) in [#703](actions/setup-go#703) ##### New Contributors - [@ccoVeille](https://github.com/ccoVeille) made their first contribution in [#691](actions/setup-go#691) - [@deining](https://github.com/deining) made their first contribution in [#683](actions/setup-go#683) **Full Changelog**: <actions/setup-go@v6...v6.2.0> ### [`v6.1.0`](https://github.com/actions/setup-go/releases/tag/v6.1.0) [Compare Source](actions/setup-go@v6...v6.1.0) ##### What's Changed ##### Enhancements - Fall back to downloading from go.dev/dl instead of storage.googleapis.com/golang by [@nicholasngai](https://github.com/nicholasngai) in [#665](actions/setup-go#665) - Add support for .tool-versions file and update workflow by [@priya-kinthali](https://github.com/priya-kinthali) in [#673](actions/setup-go#673) - Add comprehensive breaking changes documentation for v6 by [@mahabaleshwars](https://github.com/mahabaleshwars) in [#674](actions/setup-go#674) ##### Dependency updates - Upgrade eslint-config-prettier from 10.0.1 to 10.1.8 and document breaking changes in v6 by [@dependabot](https://github.com/dependabot) in [#617](actions/setup-go#617) - Upgrade actions/publish-action from 0.3.0 to 0.4.0 by [@dependabot](https://github.com/dependabot) in [#641](actions/setup-go#641) - Upgrade semver and [@types/semver](https://github.com/types/semver) by [@dependabot](https://github.com/dependabot) in [#652](actions/setup-go#652) ##### New Contributors - [@nicholasngai](https://github.com/nicholasngai) made their first contribution in [#665](actions/setup-go#665) - [@priya-kinthali](https://github.com/priya-kinthali) made their first contribution in [#673](actions/setup-go#673) - [@mahabaleshwars](https://github.com/mahabaleshwars) made their first contribution in [#674](actions/setup-go#674) **Full Changelog**: <actions/setup-go@v6...v6.1.0> ### [`v6.0.0`](https://github.com/actions/setup-go/releases/tag/v6.0.0) [Compare Source](actions/setup-go@v6...v6) ##### What's Changed ##### Breaking Changes - Improve toolchain handling to ensure more reliable and consistent toolchain selection and management by [@matthewhughes934](https://github.com/matthewhughes934) in [#460](actions/setup-go#460) - Upgrade Nodejs runtime from node20 to node 24 by [@salmanmkc](https://github.com/salmanmkc) in [#624](actions/setup-go#624) Make sure your runner is on version v2.327.1 or later to ensure compatibility with this release. [See Release Notes](https://github.com/actions/runner/releases/tag/v2.327.1) ##### Dependency Upgrades - Upgrade [@types/jest](https://github.com/types/jest) from 29.5.12 to 29.5.14 by [@dependabot](https://github.com/dependabot)\[bot] in [#589](actions/setup-go#589) - Upgrade [@actions/tool-cache](https://github.com/actions/tool-cache) from 2.0.1 to 2.0.2 by [@dependabot](https://github.com/dependabot)\[bot] in [#591](actions/setup-go#591) - Upgrade [@typescript-eslint/parser](https://github.com/typescript-eslint/parser) from 8.31.1 to 8.35.1 by [@dependabot](https://github.com/dependabot)\[bot] in [#590](actions/setup-go#590) - Upgrade undici from 5.28.5 to 5.29.0 by [@dependabot](https://github.com/dependabot)\[bot] in [#594](actions/setup-go#594) - Upgrade typescript from 5.4.2 to 5.8.3 by [@dependabot](https://github.com/dependabot)\[bot] in [#538](actions/setup-go#538) - Upgrade eslint-plugin-jest from 28.11.0 to 29.0.1 by [@dependabot](https://github.com/dependabot)\[bot] in [#603](actions/setup-go#603) - Upgrade `form-data` to bring in fix for critical vulnerability by [@matthewhughes934](https://github.com/matthewhughes934) in [#618](actions/setup-go#618) - Upgrade actions/checkout from 4 to 5 by [@dependabot](https://github.com/dependabot)\[bot] in [#631](actions/setup-go#631) ##### New Contributors - [@matthewhughes934](https://github.com/matthewhughes934) made their first contribution in [#618](actions/setup-go#618) - [@salmanmkc](https://github.com/salmanmkc) made their first contribution in [#624](actions/setup-go#624) **Full Changelog**: <actions/setup-go@v5...v6.0.0> ### [`v6`](actions/setup-go@v5.6.0...v6) [Compare Source](actions/setup-go@v5.6.0...v6) </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - At any time (no schedule defined) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://github.com/renovatebot/renovate).  Co-authored-by: hoodn <hood.noah@gmail.com> Reviewed-on: https://gitea.k3s.noah-hood.io/hoodn/certmanager-porkbun-webhook/pulls/7 Co-authored-by: renovate-bot <renovate-bot@example.local> Co-committed-by: renovate-bot <renovate-bot@example.local>

matthewhughes934 requested a review from a team as a code owner July 24, 2025 05:41

matthewhughes934 mentioned this pull request Jul 24, 2025

Improve toolchain handling #460

Merged

matthewhughes934 force-pushed the fix-high-severity-vuln branch from 84e0bda to 6912ca9 Compare July 30, 2025 17:29

matthewhughes934 force-pushed the fix-high-severity-vuln branch from 6912ca9 to be381b3 Compare July 30, 2025 19:43

aparnajyothi-y approved these changes Jul 31, 2025

View reviewed changes

priyagupta108 approved these changes Aug 1, 2025

View reviewed changes

HarithaVattikuti approved these changes Aug 13, 2025

View reviewed changes

HarithaVattikuti merged commit e75c3e8 into actions:main Aug 13, 2025
104 checks passed

tamird mentioned this pull request Sep 4, 2025

Bump actions/setup-go from 5.5.0 to 6.0.0 petermattis/goid#67

Merged

github-actions Bot mentioned this pull request May 15, 2026

chore(ci)(deps): bump actions/setup-go from 5.6.0 to 6.4.0 ag-ui-protocol/ag-ui#1699

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Bump `form-data` to bring in fix for critical vulnerability#618

Bump `form-data` to bring in fix for critical vulnerability#618
HarithaVattikuti merged 1 commit into
actions:mainfrom
matthewhughes934:fix-high-severity-vuln

matthewhughes934 commented Jul 24, 2025 •

edited

Loading

Uh oh!

reneleonhardt commented Jul 24, 2025 •

edited

Loading

Uh oh!

matthewhughes934 commented Jul 30, 2025

Uh oh!

matthewhughes934 commented Jul 30, 2025

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

5 participants

Conversation

matthewhughes934 commented Jul 24, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

reneleonhardt commented Jul 24, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

matthewhughes934 commented Jul 30, 2025

Uh oh!

matthewhughes934 commented Jul 30, 2025

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

5 participants

matthewhughes934 commented Jul 24, 2025 •

edited

Loading

reneleonhardt commented Jul 24, 2025 •

edited

Loading