From 4304cd750bbea3521be6f0539e5e2c96e149adc7 Mon Sep 17 00:00:00 2001
From: humble-little-bear
Date: Wed, 1 Jul 2026 23:34:00 +0000
Subject: [PATCH 1/2] chore(deps): override form-data to 4.0.6

Resolves GHSA-7m2j-8qp9-m8jw (CRLF injection) by forcing transitive form-data to 4.0.6 via pnpm override.
---
 package.json | 5 ++++-
 pnpm-lock.yaml | 25 ++++++++++++++++++-------
 2 files changed, 22 insertions(+), 8 deletions(-)

diff --git a/package.json b/package.json
index 3e8603f..db41634 100644
--- a/package.json
+++ b/package.json
@@ -28,7 +28,10 @@
 "pnpm": {
 "onlyBuiltDependencies": [
 "secp256k1"
- ]
+ ],
+ "overrides": {
+ "form-data@>=4.0.0 <4.0.6": "4.0.6"
+ }
 },
 "scripts": {
 "build": "node scripts/build.js",
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index 0436d6a..9eb9c1c 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -4,6 +4,9 @@ settings:
 autoInstallPeers: true
 excludeLinksFromLockfile: false
 
+overrides:
+ form-data@>=4.0.0 <4.0.6: 4.0.6
+
 importers:
 
 .:
@@ -1702,8 +1705,8 @@ packages:
 resolution: {integrity: sha512-gIXjKqtFuWEgzFRJA9WCQeSJLZDjgJUOMCMzxtvFq/37KojM1BFGufqsCy0r4qSQmYLsZYMeyRqzIWOMup03sw==}
 engines: {node: '>=14'}
 
- form-data@4.0.4:
- resolution: {integrity: sha512-KrGhL9Q4zjj0kiUt5OO4Mr/A/jlI2jDYs5eHBpYHPcBEVSiipAvn2Ko2HnPe20rmcuuvMHNdZFp+4IlGTMF0Ow==}
+ form-data@4.0.6:
+ resolution: {integrity: sha512-vKatAh4SlVfgbv+YtmhiRjhEMJsYpsG1Y2rMQtR+SVSbytsSD1YGzDIcrAJmdFec88u/+VoGmxnl+80gL1tRCQ==}
 engines: {node: '>= 6'}
 
 forwarded@0.2.0:
@@ -1824,6 +1827,10 @@ packages:
 resolution: {integrity: sha512-0hJU9SCPvmMzIBdZFqNPXWa6dqh7WdH0cII9y+CyS8rG3nL48Bclra9HmKhVVUHyPWNH5Y7xDwAB7bfgSjkUMQ==}
 engines: {node: '>= 0.4'}
 
+ hasown@2.0.4:
+ resolution: {integrity: sha512-T2UbfbBEF32wiepXIsMlTW9+dDYC6wMh/t/vYA4tuOMKqWz/n3vr1NFSxQiyP+zk2mXsoMA/i/7qV6LKut1t1A==}
+ engines: {node: '>= 0.4'}
+
 hmac-drbg@1.0.1:
 resolution: {integrity: sha512-Tti3gMqLdZfhOQY1Mzf/AanLiqh1WTiJgEj26ZuYQ9fbkLomzGchCws4FyrSd4VkpBfiNhaE1On+lOz894jvXg==}
 
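Review bot: The override key `"form-data@>=4.0.0 <4.0.6"` in the package.json hunk only rewrites requests that intersect the 4.0.x range, so a transitive dependency that asks for a 2.x or 3.x form-data would still resolve to an unpatched line; the visible lock hunks show only 4.0.4 → 4.0.6, so that looks clean today, but it is worth confirming with `pnpm audit` after install and re-checking whenever dependencies change. The value is an exact `4.0.6`, which holds a consumer that still requests `^4.0.0` at 4.0.6 even after later 4.0.x fixes ship; if that is not the intent, a range value such as `"^4.0.6"` should let pnpm pick the newest matching patch release. The same selector and value reappear in the pnpm-workspace.yaml hunk of PATCH 2/2, so whichever form is chosen should be applied there too. The lock hunks also move hasown from 2.0.2 to 2.0.4, which the commit message does not mention; one line in the message would save the next reader a question.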
@@ -4090,7 +4097,7 @@ snapshots:
 '@types/node-fetch@2.6.12':
 dependencies:
 '@types/node': 20.17.24
- form-data: 4.0.4
+ form-data: 4.0.6
 
 '@types/node@12.20.55': {}
 
@@ -4727,7 +4734,7 @@ snapshots:
 es-errors: 1.3.0
 get-intrinsic: 1.3.0
 has-tostringtag: 1.0.2
- hasown: 2.0.2
+ hasown: 2.0.4
 
 escalade@3.2.0: {}
 
@@ -4980,12 +4987,12 @@ snapshots:
 cross-spawn: 7.0.6
 signal-exit: 4.1.0
 
- form-data@4.0.4:
+ form-data@4.0.6:
 dependencies:
 asynckit: 0.4.0
 combined-stream: 1.0.8
 es-set-tostringtag: 2.1.0
- hasown: 2.0.2
+ hasown: 2.0.4
 mime-types: 2.1.35
 
 forwarded@0.2.0: {}
@@ -5027,7 +5034,7 @@ snapshots:
 get-proto: 1.0.1
 gopd: 1.2.0
 has-symbols: 1.1.0
- hasown: 2.0.2
+ hasown: 2.0.4
 math-intrinsics: 1.1.0
 
 get-package-type@0.1.0: {}
@@ -5110,6 +5117,10 @@ snapshots:
 dependencies:
 function-bind: 1.1.2
 
+ hasown@2.0.4:
+ dependencies:
+ function-bind: 1.1.2
+
 hmac-drbg@1.0.1:
 dependencies:
 hash.js: 1.1.7

From b5d020237d4af19e7a752c6bb39d5e5039b24808 Mon Sep 17 00:00:00 2001
From: humble-little-bear
Date: Wed, 1 Jul 2026 23:42:17 +0000
Subject: [PATCH 2/2] chore(deps): move pnpm config to pnpm-workspace.yaml

pnpm 10 reads overrides and onlyBuiltDependencies from pnpm-workspace.yaml instead of package.json.
---
 package.json | 8 --------
 pnpm-workspace.yaml | 5 +++++
 2 files changed, 5 insertions(+), 8 deletions(-)
 create mode 100644 pnpm-workspace.yaml

diff --git a/package.json b/package.json
index db41634..eb00728 100644
--- a/package.json
+++ b/package.json
@@ -25,14 +25,6 @@
 "publishConfig": {
 "access": "public"
 },
- "pnpm": {
- "onlyBuiltDependencies": [
- "secp256k1"
- ],
- "overrides": {
- "form-data@>=4.0.0 <4.0.6": "4.0.6"
- }
- },
 "scripts": {
 "build": "node scripts/build.js",
 "start": "ts-node-dev --transpile-only src/cli.ts",
diff --git a/pnpm-workspace.yaml b/pnpm-workspace.yaml
new file mode 100644
index 0000000..f6ec30a
--- /dev/null
+++ b/pnpm-workspace.yaml
@@ -0,0 +1,5 @@
+overrides:
+ "form-data@>=4.0.0 <4.0.6": "4.0.6"
+
+onlyBuiltDependencies:
+ - secp256k1
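Review bot: The new pnpm-workspace.yaml carries a security override with no explanation of why it exists or when it can be removed, and unlike package.json this file accepts comments. I would put one above the `overrides:` key, e.g. `# GHSA-7m2j-8qp9-m8jw (CRLF injection in form-data): force transitive form-data in the >=4.0.0 <4.0.6 range to 4.0.6; drop once no dependency requests that range`. The commit message states that pnpm 10 reads these settings from pnpm-workspace.yaml instead of package.json; as far as I recall the package.json `pnpm` field is still honoured in pnpm 10 and only discouraged, so "instead of" may overstate it and is worth checking against the pnpm version this repo pins. This patch also removes the override from package.json without touching pnpm-lock.yaml; the lockfile `overrides:` entry added in PATCH 1/2 records the same selector and value, so a reinstall should be a no-op, but a `pnpm install --frozen-lockfile` run in CI would confirm that before merge.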