chore: upgrade form-data to ^4.0.6 to address CVE-2026-12143 by brendan-kellam · Pull Request #1316 · sourcebot-dev/sourcebot

brendan-kellam · 2026-06-17T22:20:10Z

Fixes SOU-1341

Refreshes the form-data lockfile entries to 4.0.6, addressing CVE-2026-12143 (CRLF injection via unescaped multipart field names and filenames).

Both transitive chains (jsdom → form-data and openai → @types/node-fetch → form-data) already requested ^4.0.0, so this is a lockfile-only refresh via yarn up -R form-data (no package.json change). Verified with yarn why form-data --recursive that all instances now resolve to 4.0.6.

Summary by CodeRabbit

Chores
- Updated dependency versions.

Generated with [Linear](https://linear.app/sourcebot/issue/SOU-1341/sourcebot-devsourcebot-cve-2026-12143-form-data-crlf-injection-via#agent-session-3b143142) Co-authored-by: linear-code[bot] <222613912+linear-code[bot]@users.noreply.github.com>

coderabbitai · 2026-06-17T22:20:23Z

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 5d4752e1-a7dc-47e6-8a99-8873fb1c4137

📥 Commits

Reviewing files that changed from the base of the PR and between 7daaf5b and e94d632.

⛔ Files ignored due to path filters (1)

yarn.lock is excluded by !**/yarn.lock, !**/*.lock

📒 Files selected for processing (1)

CHANGELOG.md

Walkthrough

A single changelog entry is added to the ## [Unreleased] section of CHANGELOG.md, recording the upgrade of the form-data dependency to ^4.0.6.

Changes

Changelog Entry

Layer / File(s)	Summary
Add form-data upgrade entry `CHANGELOG.md`	Adds one line to the Unreleased dependency upgrades list noting `form-data` upgraded to `^4.0.6`.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~1 minutes

✨ Finishing Touches

🧪 Generate unit tests (beta)

Create PR with unit tests
Commit unit tests in branch linear/sou-1341-sourcebot-devsourcebot-cve-2026-12143-form-data-crlf-ca96

⚔️ Resolve merge conflicts

Resolve merge conflict in branch linear/sou-1341-sourcebot-devsourcebot-cve-2026-12143-form-data-crlf-ca96

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

github-actions · 2026-06-17T22:26:41Z

License Audit

❌ Status: FAIL

Metric	Count
Total packages	2137
Resolved (non-standard)	16
Unresolved	4
Strong copyleft	0
Weak copyleft	38

Fail Reasons

4 packages have unresolvable licenses: @react-grab/cli@0.1.23, @react-grab/cli@0.1.29, @react-grab/mcp@0.1.29, element-source@0.0.3

Unresolved Packages

Package	Version	License	Reason
@react-grab/cli	0.1.23	`UNKNOWN`	No repository or homepage in metadata; npm registry record has no license field; npm web page returns 403. No license declared anywhere accessible.
@react-grab/cli	0.1.29	`UNKNOWN`	No repository or homepage in metadata; npm registry record has no license field; npm web page returns 403. No license declared anywhere accessible.
@react-grab/mcp	0.1.29	`UNKNOWN`	No repository or homepage in metadata; npm registry record has no license field; npm web page returns 403. No license declared anywhere accessible.
element-source	0.0.3	`UNKNOWN`	No repository or homepage in metadata; npm registry record has no license field; npm web page returns 403. No license declared anywhere accessible.

Weak Copyleft Packages (informational)

Package	Version	License
@img/sharp-libvips-darwin-arm64	1.0.4	`LGPL-3.0-or-later`
@img/sharp-libvips-darwin-arm64	1.2.4	`LGPL-3.0-or-later`
@img/sharp-libvips-darwin-x64	1.0.4	`LGPL-3.0-or-later`
@img/sharp-libvips-darwin-x64	1.2.4	`LGPL-3.0-or-later`
@img/sharp-libvips-linux-arm	1.0.5	`LGPL-3.0-or-later`
@img/sharp-libvips-linux-arm	1.2.4	`LGPL-3.0-or-later`
@img/sharp-libvips-linux-arm64	1.0.4	`LGPL-3.0-or-later`
@img/sharp-libvips-linux-arm64	1.2.4	`LGPL-3.0-or-later`
@img/sharp-libvips-linux-ppc64	1.2.4	`LGPL-3.0-or-later`
@img/sharp-libvips-linux-riscv64	1.2.4	`LGPL-3.0-or-later`
@img/sharp-libvips-linux-s390x	1.0.4	`LGPL-3.0-or-later`
@img/sharp-libvips-linux-s390x	1.2.4	`LGPL-3.0-or-later`
@img/sharp-libvips-linux-x64	1.0.4	`LGPL-3.0-or-later`
@img/sharp-libvips-linux-x64	1.2.4	`LGPL-3.0-or-later`
@img/sharp-libvips-linuxmusl-arm64	1.0.4	`LGPL-3.0-or-later`
@img/sharp-libvips-linuxmusl-arm64	1.2.4	`LGPL-3.0-or-later`
@img/sharp-libvips-linuxmusl-x64	1.0.4	`LGPL-3.0-or-later`
@img/sharp-libvips-linuxmusl-x64	1.2.4	`LGPL-3.0-or-later`
@img/sharp-wasm32	0.33.5	`Apache-2.0 AND LGPL-3.0-or-later AND MIT`
@img/sharp-wasm32	0.34.5	`Apache-2.0 AND LGPL-3.0-or-later AND MIT`
@img/sharp-win32-arm64	0.34.5	`Apache-2.0 AND LGPL-3.0-or-later`
@img/sharp-win32-ia32	0.33.5	`Apache-2.0 AND LGPL-3.0-or-later`
@img/sharp-win32-ia32	0.34.5	`Apache-2.0 AND LGPL-3.0-or-later`
@img/sharp-win32-x64	0.33.5	`Apache-2.0 AND LGPL-3.0-or-later`
@img/sharp-win32-x64	0.34.5	`Apache-2.0 AND LGPL-3.0-or-later`
axe-core	4.10.3	`MPL-2.0`
lightningcss	1.32.0	`MPL-2.0`
lightningcss-android-arm64	1.32.0	`MPL-2.0`
lightningcss-darwin-arm64	1.32.0	`MPL-2.0`
lightningcss-darwin-x64	1.32.0	`MPL-2.0`
lightningcss-freebsd-x64	1.32.0	`MPL-2.0`
lightningcss-linux-arm-gnueabihf	1.32.0	`MPL-2.0`
lightningcss-linux-arm64-gnu	1.32.0	`MPL-2.0`
lightningcss-linux-arm64-musl	1.32.0	`MPL-2.0`
lightningcss-linux-x64-gnu	1.32.0	`MPL-2.0`
lightningcss-linux-x64-musl	1.32.0	`MPL-2.0`
lightningcss-win32-arm64-msvc	1.32.0	`MPL-2.0`
lightningcss-win32-x64-msvc	1.32.0	`MPL-2.0`

Resolved Packages (16)

Package	Version	Original	Resolved	Source
@sentry/cli	2.58.5	`FSL-1.1-MIT`	`FSL-1.1-MIT`	npm registry (Functional Source License 1.1 with MIT future grant; self-identifying, not in SPDX list)
@sentry/cli-darwin	2.58.5	`FSL-1.1-MIT`	`FSL-1.1-MIT`	npm registry (Functional Source License 1.1 with MIT future grant; self-identifying, not in SPDX list)
@sentry/cli-linux-arm	2.58.5	`FSL-1.1-MIT`	`FSL-1.1-MIT`	npm registry (Functional Source License 1.1 with MIT future grant; self-identifying, not in SPDX list)
@sentry/cli-linux-arm64	2.58.5	`FSL-1.1-MIT`	`FSL-1.1-MIT`	npm registry (Functional Source License 1.1 with MIT future grant; self-identifying, not in SPDX list)
@sentry/cli-linux-i686	2.58.5	`FSL-1.1-MIT`	`FSL-1.1-MIT`	npm registry (Functional Source License 1.1 with MIT future grant; self-identifying, not in SPDX list)
@sentry/cli-linux-x64	2.58.5	`FSL-1.1-MIT`	`FSL-1.1-MIT`	npm registry (Functional Source License 1.1 with MIT future grant; self-identifying, not in SPDX list)
@sentry/cli-win32-arm64	2.58.5	`FSL-1.1-MIT`	`FSL-1.1-MIT`	npm registry (Functional Source License 1.1 with MIT future grant; self-identifying, not in SPDX list)
@sentry/cli-win32-i686	2.58.5	`FSL-1.1-MIT`	`FSL-1.1-MIT`	npm registry (Functional Source License 1.1 with MIT future grant; self-identifying, not in SPDX list)
@sentry/cli-win32-x64	2.58.5	`FSL-1.1-MIT`	`FSL-1.1-MIT`	npm registry (Functional Source License 1.1 with MIT future grant; self-identifying, not in SPDX list)
pause-stream	0.0.11	`["MIT","Apache2"]`	`(MIT OR Apache-2.0)`	extracted from license array in npm metadata; confirmed dual MIT/Apache-2.0 in GitHub repo LICENSE
posthog-js	1.369.0	`SEE LICENSE IN LICENSE`	`Apache-2.0`	GitHub repo LICENSE file (primarily Apache-2.0, some bundled components MIT)
codemirror-lang-elixir	4.0.0	`UNKNOWN`	`Apache-2.0`	GitHub repo LICENSE file
lezer-elixir	1.1.2	`UNKNOWN`	`Apache-2.0`	GitHub repo LICENSE file
map-stream	0.1.0	`UNKNOWN`	`MIT`	GitHub repo license (api.github.com license endpoint)
memorystream	0.3.1	`UNKNOWN`	`MIT`	extracted from licenses object in npm registry metadata ({type:MIT})
valid-url	1.0.9	`UNKNOWN`	`MIT`	GitHub repo LICENSE file

…026-12143-form-data-crlf-ca96

Merge branch 'main' into linear/sou-1341-sourcebot-devsourcebot-cve-2…

e94d632

…026-12143-form-data-crlf-ca96

brendan-kellam marked this pull request as ready for review June 17, 2026 22:28

brendan-kellam merged commit 804b065 into main Jun 17, 2026
7 of 8 checks passed

brendan-kellam deleted the linear/sou-1341-sourcebot-devsourcebot-cve-2026-12143-form-data-crlf-ca96 branch June 17, 2026 22:28

github-actions Bot mentioned this pull request Jun 17, 2026

Sourcebot Roadmap 🚀 #459

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore: upgrade form-data to ^4.0.6 to address CVE-2026-12143#1316

chore: upgrade form-data to ^4.0.6 to address CVE-2026-12143#1316
brendan-kellam merged 2 commits into
mainfrom
linear/sou-1341-sourcebot-devsourcebot-cve-2026-12143-form-data-crlf-ca96

brendan-kellam commented Jun 17, 2026 •

edited by coderabbitai Bot

Loading

Uh oh!

coderabbitai Bot commented Jun 17, 2026 •

edited

Loading

Review failed

Uh oh!

github-actions Bot commented Jun 17, 2026 •

edited

Loading

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Conversation

brendan-kellam commented Jun 17, 2026 • edited by coderabbitai Bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Summary by CodeRabbit

Uh oh!

coderabbitai Bot commented Jun 17, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Review failed

Walkthrough

Changes

Estimated code review effort

Uh oh!

github-actions Bot commented Jun 17, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

License Audit

Fail Reasons

Unresolved Packages

Weak Copyleft Packages (informational)

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

brendan-kellam commented Jun 17, 2026 •

edited by coderabbitai Bot

Loading

coderabbitai Bot commented Jun 17, 2026 •

edited

Loading

github-actions Bot commented Jun 17, 2026 •

edited

Loading