Skip to content

[DPEDE-1784](deps): Bump form-data from 4.0.5 to 4.0.6#2102

Open
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot-npm_and_yarn-form-data-4.0.6
Open

[DPEDE-1784](deps): Bump form-data from 4.0.5 to 4.0.6#2102
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot-npm_and_yarn-form-data-4.0.6

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 17, 2026

Copy link
Copy Markdown
Contributor

Bumps form-data from 4.0.5 to 4.0.6.

Changelog

Sourced from form-data's changelog.

v4.0.6 - 2026-06-12

Commits

  • [Fix] escape CR, LF, and " in field names and filenames 8dff42c
  • [Dev Deps] update @ljharb/eslint-config, auto-changelog, tape f31d21e
  • [Deps] update hasown, mime-types 92ae0eb
  • [Dev Deps] update js-randomness-predictor 67b0f65
Commits
  • 64190db v4.0.6
  • 92ae0eb [Deps] update hasown, mime-types
  • f31d21e [Dev Deps] update @ljharb/eslint-config, auto-changelog, tape
  • 8dff42c [Fix] escape CR, LF, and " in field names and filenames
  • 67b0f65 [Dev Deps] update js-randomness-predictor
  • See full diff in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps [form-data](https://github.com/form-data/form-data) from 4.0.5 to 4.0.6.
- [Release notes](https://github.com/form-data/form-data/releases)
- [Changelog](https://github.com/form-data/form-data/blob/master/CHANGELOG.md)
- [Commits](form-data/form-data@v4.0.5...v4.0.6)

---
updated-dependencies:
- dependency-name: form-data
  dependency-version: 4.0.6
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jun 17, 2026
@dependabot
dependabot Bot requested a review from a team as a code owner June 17, 2026 14:01
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jun 17, 2026
@cl-aifel-test

cl-aifel-test Bot commented Jun 29, 2026

Copy link
Copy Markdown

🔖 aifel-verdict — AiFEL dependency-triage verdict (schema 1.1)

AiFEL verdict — 🚨 Escalate (ci-health) — human review required

Routine patch bump for unused form-data (4.0.5→4.0.6) carries no dependency or security risk, but critical CI pass rate is 64.3% (28 runs) — escalating for CI health triage before merge.

TL;DR

  • Merge: 🔍 review, then merge — dependency and security are both clear; a reviewer should confirm that the failing CI runs are pre-existing noise unrelated to this patch, then merge.
  • Breaks your code? ✅ Most likely not.
  • Security? ✅ no applicable advisories.
  • Update: form-datayou have 4.0.5, this PR installs 4.0.6 (patch, spans 1 release). Routine patch refresh; no advisory affects 4.x and no in-repo usage found.
Signal Value Interpretation
Bump type patch Semver z-component changed (4.0.5→4.0.6); by semver convention this is a bug-fix release with no new API surface and no intentional breaking changes.
Dependency risk low Patch bump; form-data is not imported anywhere in the repository's source (0 hits), so blast radius is zero regardless of what changed.
Security risk low Two advisories exist for form-dataGHSA-hmw2-7cc7-3qxx (CVSS 7.5, affects < 2.5.6) and GHSA-fjxv-7rqg-78g4 (severity critical, affects < 2.5.4) — both were patched in the 2.x series and 4.0.6 is outside both affected ranges. Neither applies.
CI health risk high 28 critical runs on the default branch; pass rate 64.3%, flakiness 0% → low CI confidence (threshold for medium requires ≥ 70%). "Push on master" (9/9 ✅) and "Scheduled" (2/2 ✅) pass cleanly; failures are concentrated in Dependabot-triggered update workflows for unrelated packages.
API usage in repo false No import/require of form-data found across the repository source (0 hits, complete scan).
Cross-repo signal standalone No publishable root manifest found — the repo does not publish a library that downstream consumers depend on.
Data completeness complete All 5 signals obtained: bump classification, API usage (local scan, authoritative), release notes (4.0.5→4.0.6 range, minimal content), CI health (28 critical runs), cascade scan (0 conflicts).
📋 Why this route + what AiFEL checked (click to expand)

Why this route?

escalate because: CI low — 28 critical runs on the default branch passed at only 64.3% (pass_rate = 0.643; threshold for medium is ≥ 0.70).

Escalation category: ci-health — dependency risk is low, security risk is low; the sole escalation trigger is failing critical checks. This does not mean the dependency is dangerous.

Confidence breakdown — score: 0.75. List of factors:

  • ✅ Patch bump — smallest possible semver delta; no breaking changes by convention.

  • ✅ No in-repo usage of form-data — blast radius is zero; no code change needed regardless of package internals.

  • ✅ No applicable security advisories — both known CVEs affect 2.x only; this project is on 4.x and is unaffected.

  • ✅ No cascade conflicts — no other open Dependabot PRs competing for form-data.

  • ⚠️ Release notes minimal — changelog entry for 4.0.5→4.0.6 is a compare-link only with no substantive notes (−0.10).

  • ⚠️ Critical CI confidence low — pass rate 64.3% across 28 critical runs falls below the 70% medium threshold (−0.15).

  • 💡 To reach a lower route: Triage the failing workflows on the default branch. The failures appear concentrated in Dependabot-triggered update workflows for unrelated packages (@babel/preset-env, nuxt, vite, etc.) — if a reviewer confirms these failures are pre-existing and unrelated to this patch, that is sufficient to merge now. To structurally lower the route on future PRs, bring the critical-check pass_rate to ≥ 0.70 so ci_confidence reaches medium and the route becomes spot_check. Note: fixing informational workflows (e.g. Dependency Submission) will not change the route since they are already excluded from CI scoring.

What AiFEL checked

  1. Triage — classified patch (form-data 4.0.5→4.0.6).
  2. Symbol extraction — 0 import sites across the repository (confirmed no usage; local scan authoritative).
  3. Release-notes comparator — changelog available for 4.0.5→4.0.6 range; minimal content (compare-link header only), no breaking changes documented. Patch semver confirms backward-compatible.
  4. CI health — 28 critical runs: pass 64.3%, flaky 0% → confidence low; informational excluded: none identified separately.
  5. Cascade coordinator — 0 conflicts.
  6. Data completeness — obtained 5/5 signals; missing: none.

Will merging break your code?

Per AiFEL analysis, most likely won't impact your code. form-data is not imported anywhere in the repository source, so no code path is reachable by this dependency change.

Security advisories

Nothing still affects 4.0.6

Two advisories were found for form-data but neither affects version 4.0.6:

  • GHSA-hmw2-7cc7-3qxx (CVE-2026-12143) — CVSS 7.5 (high). CRLF injection via unescaped multipart field names and filenames. Affects < 2.5.6; first patched in 2.5.6. 4.0.6 is outside the affected range — does not apply.
  • GHSA-fjxv-7rqg-78g4 (CVE-2025-7783) — CVSS not published (severity: critical). Unsafe random function used to choose multipart boundary. Affects < 2.5.4; first patched in 2.5.4. 4.0.6 is outside the affected range — does not apply.

Neither advisory is fixed by this bump (both were already fixed in the 2.x series; this project runs 4.x). No action needed on the security axis.

Packages — what you have vs what this PR installs

Ecosystem Package You have This PR installs What changes for you
npm form-data 4.0.5 4.0.6 routine patch — no code impact, no applicable advisories

Machine-readable verdict
{
  "schema_version": "1.1",
  "classification": "patch",
  "risk_band": "low",
  "ci_confidence": "low",
  "decision_route": "escalate",
  "data_completeness": "complete",
  "escalate_reason": "risk",
  "missing_signals": [],
  "confidence": 0.75,
  "packages": [{"ecosystem": "npm", "name": "form-data", "old_version": "4.0.5", "new_version": "4.0.6"}],
  "breaking_changes": [],
  "cascade_conflicts": [],
  "summary": "Routine patch bump for unused form-data (4.0.5→4.0.6); no dependency impact, no applicable advisories; escalated for low CI confidence (64.3% pass rate across 28 critical runs).",
  "upgrade_risk_note": null,
  "cross_repo_signal": "standalone",
  "api_usage_found": false,
  "advisory_ids": [],
  "max_cvss": null,
  "feedback_capture_marker": "aifel-CenturyLink-Chi-2102",
  "agent_version": "1.1.1-aw"
}

🤖 Generated by AiFEL — AI-assisted Dependabot triage. Advisory only; a human reviewer still decides and merges.
📝 Share your AiFEL experience

@cl-aifel-test cl-aifel-test Bot added the aifel/escalate AiFEL: human review required (breaking change or risk) label Jun 29, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

aifel/escalate AiFEL: human review required (breaking change or risk) dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants