fix(core): Upgrade formidable to address CVE-2025-46653 (#15341)

2025-12-16 17:46:45 +00:00 · 2025-05-13 11:18:30 +02:00
parent e750d5366e
commit d612d7ba32
3 changed files with 64 additions and 57 deletions
--- a/package.json
+++ b/package.json
@@ -51,7 +51,7 @@
    "@n8n/eslint-config": "workspace:*",
    "@types/jest": "^29.5.3",
    "@types/node": "*",
-    "@types/supertest": "^6.0.2",
+    "@types/supertest": "^6.0.3",
    "cross-env": "^7.0.3",
    "jest": "^29.6.2",
    "jest-environment-jsdom": "^29.6.2",
@@ -66,7 +66,7 @@
    "p-limit": "^3.1.0",
    "rimraf": "^5.0.1",
    "run-script-os": "^1.0.7",
-    "supertest": "^7.0.0",
+    "supertest": "^7.1.1",
    "ts-jest": "^29.1.1",
    "tsc-alias": "^1.8.10",
    "tsc-watch": "^6.2.0",
@@ -82,7 +82,6 @@
      "@types/node": "^18.16.16",
      "chokidar": "^4.0.1",
      "esbuild": "^0.24.0",
-      "formidable": "3.5.1",
      "pug": "^3.0.3",
      "semver": "^7.5.4",
      "tslib": "^2.6.2",
--- a/packages/cli/package.json
+++ b/packages/cli/package.json
@@ -70,7 +70,7 @@
    "@types/replacestream": "^4.0.1",
    "@types/shelljs": "^0.8.11",
    "@types/sshpk": "^1.17.1",
-    "@types/superagent": "^8.1.7",
+    "@types/superagent": "^8.1.9",
    "@types/swagger-ui-express": "^4.1.8",
    "@types/syslog-client": "^1.1.2",
    "@types/uuid": "catalog:",
@@ -131,7 +131,7 @@
    "fast-glob": "catalog:",
    "flat": "5.0.2",
    "flatted": "catalog:",
-    "formidable": "3.5.1",
+    "formidable": "3.5.4",
    "handlebars": "4.7.8",
    "helmet": "8.1.0",
    "infisical-node": "1.3.0",
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -162,7 +162,6 @@ overrides:
  '@types/node': ^18.16.16
  chokidar: ^4.0.1
  esbuild: ^0.24.0
-  formidable: 3.5.1
  pug: ^3.0.3
  semver: ^7.5.4
  tslib: ^2.6.2
@@ -214,8 +213,8 @@ importers:
        specifier: ^18.16.16
        version: 18.16.16
      '@types/supertest':
-        specifier: ^6.0.2
-        version: 6.0.2
+        specifier: ^6.0.3
+        version: 6.0.3
      cross-env:
        specifier: ^7.0.3
        version: 7.0.3
@@ -259,8 +258,8 @@ importers:
        specifier: ^1.0.7
        version: 1.1.6
      supertest:
-        specifier: ^7.0.0
-        version: 7.0.0
+        specifier: ^7.1.1
+        version: 7.1.1
      ts-jest:
        specifier: ^29.1.1
        version: 29.1.1(@babel/core@7.26.10)(@jest/types@29.6.1)(babel-jest@29.6.2(@babel/core@7.26.10))(jest@29.6.2(@types/node@18.16.16)(ts-node@10.9.2(@types/node@18.16.16)(typescript@5.8.2)))(typescript@5.8.2)
@@ -718,7 +717,7 @@ importers:
        version: 4.3.0
      '@getzep/zep-cloud':
        specifier: 1.0.12
-        version: 1.0.12(@langchain/core@0.3.30(openai@4.78.1(encoding@0.1.13)(zod@3.24.1)))(encoding@0.1.13)(langchain@0.3.11(e320b1d8e94e7308fefdef3743329630))
+        version: 1.0.12(@langchain/core@0.3.30(openai@4.78.1(encoding@0.1.13)(zod@3.24.1)))(encoding@0.1.13)(langchain@0.3.11(73c39badb3fd5b3eb4d1084b1fb22de6))
      '@getzep/zep-js':
        specifier: 0.9.0
        version: 0.9.0
@@ -745,7 +744,7 @@ importers:
        version: 0.3.2(@aws-sdk/client-sso-oidc@3.666.0(@aws-sdk/client-sts@3.666.0))(@langchain/core@0.3.30(openai@4.78.1(encoding@0.1.13)(zod@3.24.1)))(encoding@0.1.13)
      '@langchain/community':
        specifier: 'catalog:'
-        version: 0.3.24(a23560be5fb93c23c5c4ed2a6b67082b)
+        version: 0.3.24(d72b3dbd91eb98a3175f929d13e7c0a7)
      '@langchain/core':
        specifier: 'catalog:'
        version: 0.3.30(openai@4.78.1(encoding@0.1.13)(zod@3.24.1))
@@ -847,7 +846,7 @@ importers:
        version: 23.0.1
      langchain:
        specifier: 0.3.11
-        version: 0.3.11(e320b1d8e94e7308fefdef3743329630)
+        version: 0.3.11(73c39badb3fd5b3eb4d1084b1fb22de6)
      lodash:
        specifier: 'catalog:'
        version: 4.17.21
@@ -1205,8 +1204,8 @@ importers:
        specifier: 'catalog:'
        version: 3.2.7
      formidable:
-        specifier: 3.5.1
-        version: 3.5.1
+        specifier: 3.5.4
+        version: 3.5.4
      handlebars:
        specifier: 4.7.8
        version: 4.7.8
@@ -1407,8 +1406,8 @@ importers:
        specifier: ^1.17.1
        version: 1.17.1
      '@types/superagent':
-        specifier: ^8.1.7
-        version: 8.1.7
+        specifier: ^8.1.9
+        version: 8.1.9
      '@types/swagger-ui-express':
        specifier: ^4.1.8
        version: 4.1.8
@@ -4956,6 +4955,10 @@ packages:
  '@ngneat/falso@7.2.0':
    resolution: {integrity: sha512-283EXBFd05kCbGuGSXgmvhCsQYEYzvD/eJaE7lxd05qRB0tgREvZX7TRlJ1KSp8nHxoK6Ws029G1Y30mt4IVAA==}

+  '@noble/hashes@1.8.0':
+    resolution: {integrity: sha512-jCs9ldd7NwzpgXDIf6P3+NrHh9/sD6CQdxHyjQI+h/6rDNo88ypBxxz45UDuZHz9r3tNz7N/VInSVoVdtXEI4A==}
+    engines: {node: ^14.21.3 || >=16}
+
  '@nodelib/fs.scandir@2.1.5':
    resolution: {integrity: sha512-vq24Bq3ym5HEQm2NKCr3yXDwjc7vTsEThRDnkp2DK9p1uqLR+DHurm/NOTo0KG7HYHU7eppKZj3MyqYuMBf62g==}
    engines: {node: '>= 8'}
@@ -5217,6 +5220,9 @@ packages:
  '@otplib/preset-v11@12.0.1':
    resolution: {integrity: sha512-9hSetMI7ECqbFiKICrNa4w70deTUfArtwXykPUvSHWOdzOlfa9ajglu7mNCntlvxycTiOAXkQGwjQCzzDEMRMg==}

+  '@paralleldrive/cuid2@2.2.2':
+    resolution: {integrity: sha512-ZOBkgDwEdoYVlSeRbYYXs0S9MejQofiVYoTbKzy/6GQa39/q5tQU2IX46+shYnUkpEl3wc+J6wRlar7r2EK2xA==}
+
  '@petamoriken/float16@3.9.2':
    resolution: {integrity: sha512-VgffxawQde93xKxT3qap3OH+meZf7VaSB5Sqd4Rqc+FP5alWbpOyan/7tRbOAvynjpG3GpdtAuGU/NdhQpmrog==}

@@ -6481,11 +6487,11 @@ packages:
  '@types/stylis@4.2.0':
    resolution: {integrity: sha512-n4sx2bqL0mW1tvDf/loQ+aMX7GQD3lc3fkCMC55VFNDu/vBOabO+LTIeXKM14xK0ppk5TUGcWRjiSpIlUpghKw==}

-  '@types/superagent@8.1.7':
-    resolution: {integrity: sha512-NmIsd0Yj4DDhftfWvvAku482PZum4DBW7U51OvS8gvOkDDY0WT1jsVyDV3hK+vplrsYw8oDwi9QxOM7U68iwww==}
+  '@types/superagent@8.1.9':
+    resolution: {integrity: sha512-pTVjI73witn+9ILmoJdajHGW2jkSaOzhiFYF1Rd3EQ94kymLqB9PjD9ISg7WaALC7+dCHT0FGe9T2LktLq/3GQ==}

-  '@types/supertest@6.0.2':
-    resolution: {integrity: sha512-137ypx2lk/wTQbW6An6safu9hXmajAifU/s7szAHLN/FeIm5w7yR0Wkl9fdJMRSHwOn4HLAI0DaB2TOORuhPDg==}
+  '@types/supertest@6.0.3':
+    resolution: {integrity: sha512-8WzXq62EXFhJ7QsH3Ocb/iKQ/Ty9ZVWnVzoTKc9tyyFRRF3a74Tk2+TLFgaFFw364Ere+npzHKEJ6ga2LzIL7w==}

  '@types/swagger-ui-express@4.1.8':
    resolution: {integrity: sha512-AhZV8/EIreHFmBV5wAs0gzJUNq9JbbSXgJLQubCC0jtIo6prnI9MIRRxnU4MZX9RB9yXxF1V4R7jtLl/Wcj31g==}
@@ -9038,8 +9044,9 @@ packages:
    resolution: {integrity: sha512-8e1++BCiTzUno9v5IZ2J6bv4RU+3UKDmqWUQD0MIMVCd9AdhWkO1gw57oo1mNEX1dMq2EGI+FbWz4B92pscSQg==}
    engines: {node: '>= 18'}

-  formidable@3.5.1:
-    resolution: {integrity: sha512-WJWKelbRHN41m5dumb0/k8TeAx7Id/y3a+Z7QfhxP/htI9Js5zYaEDtG8uMgG0vM0lOlqnmjE99/kfpOYi/0Og==}
+  formidable@3.5.4:
+    resolution: {integrity: sha512-YikH+7CUTOtP44ZTnUhR7Ic2UASBPOqmaRkRKxRbywPTe5VxF7RRCck4af9wutiZ/QKM5nME9Bie2fFaPz5Gug==}
+    engines: {node: '>=14.0.0'}

  forwarded-parse@2.1.2:
    resolution: {integrity: sha512-alTFZZQDKMporBH77856pXgzhEzaUVmLCDk+egLgIgHst3Tpndzz8MnKe+GzRJRfvVdn69HhpW7cmXzvtLvJAw==}
@@ -9361,10 +9368,6 @@ packages:
  help-me@5.0.0:
    resolution: {integrity: sha512-7xgomUX6ADmcYzFik0HzAxh/73YlKR9bmFzf51CZwR+b6YtzU2m0u49hQCqV6SvlqIqsaxovfwdvbnsw3b/zpg==}

-  hexoid@1.0.0:
-    resolution: {integrity: sha512-QFLV0taWQOZtvIRIAdBChesmogZrtuXvVWsFHZTk2SU+anspqZ2vMnoLg7IE1+Uk16N19APic1BuF8bC8c2m5g==}
-    engines: {node: '>=8'}
-
  highlight.js@11.9.0:
    resolution: {integrity: sha512-fJ7cW7fQGCYAkgv4CPfwFHrfd/cLS4Hau96JuJ+ZTOWhjnhoeN1ub1tFmALm/+lW5z4WCAuAV9bm05AP0mS6Gw==}
    engines: {node: '>=12.0.0'}
@@ -12878,12 +12881,12 @@ packages:
    engines: {node: '>=16 || 14 >=14.17'}
    hasBin: true

-  superagent@9.0.2:
-    resolution: {integrity: sha512-xuW7dzkUpcJq7QnhOsnNUgtYp3xRwpt2F7abdRYIpCsAt0hhUqia0EdxyXZQQpNmGtsCzYHryaKSV3q3GJnq7w==}
+  superagent@10.2.1:
+    resolution: {integrity: sha512-O+PCv11lgTNJUzy49teNAWLjBZfc+A1enOwTpLlH6/rsvKcTwcdTT8m9azGkVqM7HBl5jpyZ7KTPhHweokBcdg==}
    engines: {node: '>=14.18.0'}

-  supertest@7.0.0:
-    resolution: {integrity: sha512-qlsr7fIC0lSddmA3tzojvzubYxvlGtzumcdHgPwbFWMISQwL22MhM2Y3LNt+6w9Yyx7559VW5ab70dgphm8qQA==}
+  supertest@7.1.1:
+    resolution: {integrity: sha512-aI59HBTlG9e2wTjxGJV+DygfNLgnWbGdZxiA/sgrnNNikIW8lbDvCtF6RnhZoJ82nU7qv7ZLjrvWqCEm52fAmw==}
    engines: {node: '>=14.18.0'}

  supports-color@5.5.0:
@@ -16398,7 +16401,7 @@ snapshots:
  '@gar/promisify@1.1.3':
    optional: true

-  '@getzep/zep-cloud@1.0.12(@langchain/core@0.3.30(openai@4.78.1(encoding@0.1.13)(zod@3.24.1)))(encoding@0.1.13)(langchain@0.3.11(e320b1d8e94e7308fefdef3743329630))':
+  '@getzep/zep-cloud@1.0.12(@langchain/core@0.3.30(openai@4.78.1(encoding@0.1.13)(zod@3.24.1)))(encoding@0.1.13)(langchain@0.3.11(73c39badb3fd5b3eb4d1084b1fb22de6))':
    dependencies:
      form-data: 4.0.0
      node-fetch: 2.7.0(encoding@0.1.13)
@@ -16407,7 +16410,7 @@ snapshots:
      zod: 3.24.1
    optionalDependencies:
      '@langchain/core': 0.3.30(openai@4.78.1(encoding@0.1.13)(zod@3.24.1))
-      langchain: 0.3.11(e320b1d8e94e7308fefdef3743329630)
+      langchain: 0.3.11(73c39badb3fd5b3eb4d1084b1fb22de6)
    transitivePeerDependencies:
      - encoding

@@ -16922,7 +16925,7 @@ snapshots:
      - aws-crt
      - encoding

-  '@langchain/community@0.3.24(a23560be5fb93c23c5c4ed2a6b67082b)':
+  '@langchain/community@0.3.24(d72b3dbd91eb98a3175f929d13e7c0a7)':
    dependencies:
      '@browserbasehq/stagehand': 1.9.0(@playwright/test@1.49.1)(deepmerge@4.3.1)(dotenv@16.4.5)(encoding@0.1.13)(openai@4.78.1(encoding@0.1.13)(zod@3.24.1))(zod@3.24.1)
      '@ibm-cloud/watsonx-ai': 1.1.2
@@ -16933,7 +16936,7 @@ snapshots:
      flat: 5.0.2
      ibm-cloud-sdk-core: 5.3.2
      js-yaml: 4.1.0
-      langchain: 0.3.11(e320b1d8e94e7308fefdef3743329630)
+      langchain: 0.3.11(73c39badb3fd5b3eb4d1084b1fb22de6)
      langsmith: 0.2.15(openai@4.78.1(encoding@0.1.13)(zod@3.24.1))
      openai: 4.78.1(encoding@0.1.13)(zod@3.24.1)
      uuid: 10.0.0
@@ -16948,7 +16951,7 @@ snapshots:
      '@aws-sdk/credential-provider-node': 3.666.0(@aws-sdk/client-sso-oidc@3.666.0(@aws-sdk/client-sts@3.666.0))(@aws-sdk/client-sts@3.666.0)
      '@azure/storage-blob': 12.18.0(encoding@0.1.13)
      '@browserbasehq/sdk': 2.0.0(encoding@0.1.13)
-      '@getzep/zep-cloud': 1.0.12(@langchain/core@0.3.30(openai@4.78.1(encoding@0.1.13)(zod@3.24.1)))(encoding@0.1.13)(langchain@0.3.11(e320b1d8e94e7308fefdef3743329630))
+      '@getzep/zep-cloud': 1.0.12(@langchain/core@0.3.30(openai@4.78.1(encoding@0.1.13)(zod@3.24.1)))(encoding@0.1.13)(langchain@0.3.11(73c39badb3fd5b3eb4d1084b1fb22de6))
      '@getzep/zep-js': 0.9.0
      '@google-ai/generativelanguage': 2.6.0(encoding@0.1.13)
      '@google-cloud/storage': 7.12.1(encoding@0.1.13)
@@ -17411,6 +17414,8 @@ snapshots:
      seedrandom: 3.0.5
      uuid: 8.3.2

+  '@noble/hashes@1.8.0': {}
+
  '@nodelib/fs.scandir@2.1.5':
    dependencies:
      '@nodelib/fs.stat': 2.0.5
@@ -17764,6 +17769,10 @@ snapshots:
      '@otplib/plugin-crypto': 12.0.1
      '@otplib/plugin-thirty-two': 12.0.1

+  '@paralleldrive/cuid2@2.2.2':
+    dependencies:
+      '@noble/hashes': 1.8.0
+
  '@petamoriken/float16@3.9.2': {}

  '@pinecone-database/pinecone@4.0.0':
@@ -19417,16 +19426,17 @@ snapshots:

  '@types/stylis@4.2.0': {}

-  '@types/superagent@8.1.7':
+  '@types/superagent@8.1.9':
    dependencies:
      '@types/cookiejar': 2.1.5
      '@types/methods': 1.1.4
      '@types/node': 18.16.16
+      form-data: 4.0.0

-  '@types/supertest@6.0.2':
+  '@types/supertest@6.0.3':
    dependencies:
      '@types/methods': 1.1.4
-      '@types/superagent': 8.1.7
+      '@types/superagent': 8.1.9

  '@types/swagger-ui-express@4.1.8':
    dependencies:
@@ -21982,7 +21992,7 @@ snapshots:

  eslint-import-resolver-node@0.3.9:
    dependencies:
-      debug: 3.2.7(supports-color@8.1.1)
+      debug: 3.2.7(supports-color@5.5.0)
      is-core-module: 2.13.1
      resolve: 1.22.8
    transitivePeerDependencies:
@@ -22007,7 +22017,7 @@ snapshots:

  eslint-module-utils@2.8.0(@typescript-eslint/parser@7.2.0(eslint@8.57.0)(typescript@5.8.2))(eslint-import-resolver-node@0.3.9)(eslint-import-resolver-typescript@3.6.1)(eslint@8.57.0):
    dependencies:
-      debug: 3.2.7(supports-color@8.1.1)
+      debug: 3.2.7(supports-color@5.5.0)
    optionalDependencies:
      '@typescript-eslint/parser': 7.2.0(eslint@8.57.0)(typescript@5.8.2)
      eslint: 8.57.0
@@ -22027,7 +22037,7 @@ snapshots:
      array.prototype.findlastindex: 1.2.3
      array.prototype.flat: 1.3.2
      array.prototype.flatmap: 1.3.2
-      debug: 3.2.7(supports-color@8.1.1)
+      debug: 3.2.7(supports-color@5.5.0)
      doctrine: 2.1.0
      eslint: 8.57.0
      eslint-import-resolver-node: 0.3.9
@@ -22580,10 +22590,10 @@ snapshots:

  formdata-node@6.0.3: {}

-  formidable@3.5.1:
+  formidable@3.5.4:
    dependencies:
+      '@paralleldrive/cuid2': 2.2.2
      dezalgo: 1.0.4
-      hexoid: 1.0.0
      once: 1.4.0

  forwarded-parse@2.1.2: {}
@@ -22846,7 +22856,7 @@ snapshots:
      array-parallel: 0.1.3
      array-series: 0.1.5
      cross-spawn: 7.0.6
-      debug: 3.2.7(supports-color@8.1.1)
+      debug: 3.2.7(supports-color@5.5.0)
    transitivePeerDependencies:
      - supports-color

@@ -22995,8 +23005,6 @@ snapshots:

  help-me@5.0.0: {}

-  hexoid@1.0.0: {}
-
  highlight.js@11.9.0: {}

  homedir-polyfill@1.0.3:
@@ -23142,7 +23150,7 @@ snapshots:
      '@types/debug': 4.1.12
      '@types/node': 18.16.16
      '@types/tough-cookie': 4.0.2
-      axios: 1.8.3
+      axios: 1.8.3(debug@4.4.0)
      camelcase: 6.3.0
      debug: 4.4.0(supports-color@8.1.1)
      dotenv: 16.4.5
@@ -23152,7 +23160,7 @@ snapshots:
      isstream: 0.1.2
      jsonwebtoken: 9.0.2
      mime-types: 2.1.35
-      retry-axios: 2.6.0(axios@1.8.3(debug@4.4.0))
+      retry-axios: 2.6.0(axios@1.8.3)
      tough-cookie: 4.1.3
    transitivePeerDependencies:
      - supports-color
@@ -24146,7 +24154,7 @@ snapshots:

  kuler@2.0.0: {}

-  langchain@0.3.11(e320b1d8e94e7308fefdef3743329630):
+  langchain@0.3.11(73c39badb3fd5b3eb4d1084b1fb22de6):
    dependencies:
      '@langchain/core': 0.3.30(openai@4.78.1(encoding@0.1.13)(zod@3.24.1))
      '@langchain/openai': 0.3.17(@langchain/core@0.3.30(openai@4.78.1(encoding@0.1.13)(zod@3.24.1)))(encoding@0.1.13)
@@ -25707,7 +25715,7 @@ snapshots:

  pdf-parse@1.1.1:
    dependencies:
-      debug: 3.2.7(supports-color@8.1.1)
+      debug: 3.2.7(supports-color@5.5.0)
      node-ensure: 0.0.0
    transitivePeerDependencies:
      - supports-color
@@ -26519,7 +26527,7 @@ snapshots:
      onetime: 5.1.2
      signal-exit: 3.0.7

-  retry-axios@2.6.0(axios@1.8.3(debug@4.4.0)):
+  retry-axios@2.6.0(axios@1.8.3):
    dependencies:
      axios: 1.8.3

@@ -26546,7 +26554,7 @@ snapshots:

  rhea@1.0.24:
    dependencies:
-      debug: 3.2.7(supports-color@8.1.1)
+      debug: 3.2.7(supports-color@5.5.0)
    transitivePeerDependencies:
      - supports-color

@@ -27320,24 +27328,24 @@ snapshots:
      pirates: 4.0.6
      ts-interface-checker: 0.1.13

-  superagent@9.0.2:
+  superagent@10.2.1:
    dependencies:
      component-emitter: 1.3.0
      cookiejar: 2.1.4
      debug: 4.4.0(supports-color@8.1.1)
      fast-safe-stringify: 2.1.1
      form-data: 4.0.0
-      formidable: 3.5.1
+      formidable: 3.5.4
      methods: 1.1.2
      mime: 2.6.0
      qs: 6.11.0
    transitivePeerDependencies:
      - supports-color

-  supertest@7.0.0:
+  supertest@7.1.1:
    dependencies:
      methods: 1.1.2
-      superagent: 9.0.2
+      superagent: 10.2.1
    transitivePeerDependencies:
      - supports-color