Add Socket patch for CVE-2025-7783 in pkg:npm/form-data@4.0.1 #1
socket-security[bot] wants to merge 2 commits into
Updates:
- 1 blob(s) added
- 0 blob(s) removed
- Manifest updated
Configures package.json postinstall scripts to automatically apply Socket security patches.
Cursor Bugbot has reviewed your changes and found 3 potential issues.
Reviewed by Cursor Bugbot for commit 923eba7.
| @@ -0,0 +1,27 @@ | |||
| { | |||
| "patches": { | |||
| "pkg:npm/form-data@4.0.1": { | |||
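Review bot: The patch is keyed on the exact purl pkg:npm/form-data@4.0.1, so if the lockfile resolves any other form-data version the overlay silently does nothing instead of failing; since this PR deliberately leaves the upstream form-data version unbumped, document that constraint next to the manifest (or add an install-time check that the manifest key matches the resolved version) so a later dependency bump does not quietly drop the CVE-2025-7783 fix.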
Patch targets wrong form-data version
Medium Severity
The Socket manifest only registers a patch for pkg:npm/form-data@4.0.1, while the pnpm workspace lockfile resolves form-data@4.0.4 as a transitive dependency of axios@1.11.0 in web-app. socket-patch apply matches patches by exact package version, so this hook will not modify the installed form-data copy the app actually uses.
| "test:e2e:headed": "playwright test --headed", | ||
| "test:e2e:debug": "playwright test --debug" | ||
| "test:e2e:debug": "playwright test --debug", | ||
| "postinstall": "pnpm dlx @socketsecurity/socket-patch apply --silent --ecosystems npm", |
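Review bot: The postinstall line runs `pnpm dlx @socketsecurity/socket-patch` without a version, so every install fetches and executes whatever the latest publish of that package is, and `--silent` hides a failed or skipped apply; pin the CLI (`pnpm dlx @socketsecurity/socket-patch@<pinned version> apply --ecosystems npm`) and drop `--silent`, then check the command's output in CI, so a change in the patch tool or a no-op apply is visible rather than swallowed at install time.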
Postinstall cwd misses root manifest
Medium Severity
postinstall runs from the web-app package directory, but this PR adds the Socket patch manifest under .socket/ at the repository root only. Without a --cwd (or equivalent) pointing at the monorepo root, socket-patch apply may not find the manifest or the hoisted node_modules layout used by pnpm workspaces.
| "test:e2e:debug": "playwright test --debug" | ||
| "test:e2e:debug": "playwright test --debug", | ||
| "postinstall": "pnpm dlx @socketsecurity/socket-patch apply --silent --ecosystems npm", | ||
| "dependencies": "pnpm dlx @socketsecurity/socket-patch apply --silent --ecosystems npm" |
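Review bot: The `dependencies` script on the last line of this hunk repeats the postinstall command under a name that is not an npm lifecycle hook, so nothing runs it automatically and the command is now defined twice; if a manual re-apply entry point is wanted, name it for what it does (for example `patch:apply`) and have postinstall invoke that script so the command lives in one place, otherwise drop the line.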
Duplicate patch script named dependencies
Low Severity
A scripts entry named dependencies duplicates the same socket-patch apply command as postinstall. It is not an npm lifecycle hook, is not referenced elsewhere in the repo, and sits beside the real dependencies object, which is easy to misread as package metadata.


Summary

This PR updates Socket security patches for your dependencies.

Changes

- pkg:npm/form-data@4.0.1 (Socket Patch)

📦 Package.json Updates

This PR automatically configures your postinstall script to apply Socket patches:

- web-app/package.json

After merging, patches will automatically apply on npm install.

Testing

Review the patches and test your application to ensure compatibility.

🔒 Powered by Socket Security
Note
Low Risk
Security-hardening via a targeted vendor patch and install hooks; no app logic changes, though postinstall depends on Socket CLI and mutates node_modules at install time.
Overview
Adds Socket dependency patching for CVE-2025-7783 (critical) in transitive form-data@4.0.1, plus install-time wiring so patches apply automatically in web-app.

New .socket/assets register a community patch for package/lib/form_data.js: multipart boundary generation switches from predictable Math.random() to crypto.randomBytes(12), closing parameter-injection when an attacker can infer PRNG output and control a form field. .socket/manifest.json records the patch UUID, file hashes, and GHSA/CVE metadata.

web-app/package.json gains postinstall and dependencies scripts that run pnpm dlx @socketsecurity/socket-patch apply --silent --ecosystems npm, so npm installs overlay the vendored fix without bumping the upstream form-data version in this diff.
.socket/assets register a community patch forpackage/lib/form_data.js: multipart boundary generation switches from predictableMath.random()tocrypto.randomBytes(12), closing parameter-injection when an attacker can infer PRNG output and control a form field..socket/manifest.jsonrecords the patch UUID, file hashes, and GHSA/CVE metadata.web-app/package.jsongainspostinstallanddependenciesscripts that runpnpm dlx @socketsecurity/socket-patch apply --silent --ecosystems npm, so npm installs overlay the vendored fix without bumping the upstreamform-dataversion in this diff.Reviewed by Cursor Bugbot for commit 923eba7. Bugbot is set up for automated code reviews on this repo. Configure here.