[CVE-2022-29622] resolve formidable to ^3.2.4

Currently the latest superagent still uses formidable@2.0.1 which causes the security issue. https://github.com/visionmedia/superagent/blob/e8d532632bea846e6a8c7677a268dca3641271e7/package.json#L27 Formidable bump to v3.2.4 includes breaking changes: https://github.com/node-formidable/formidable/blob/master/CHANGELOG.md In this PR, we resolve formidable to 3.2.4+. The fix will not be backported to 2.x. Issue Resolved: opensearch-project#1593 Signed-off-by: Anan Zhuang <ananzh@amazon.com>
ananzh · Nov 1, 2022 · 0bfb7ee · 0bfb7ee
1 parent 57fdef6
commit 0bfb7ee
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 7 deletions.
diff --git a/package.json b/package.json
@@ -94,7 +94,8 @@
     "**/trim": "^0.0.3",
     "**/typescript": "4.0.2",
     "**/unset-value": "^2.0.1",
-    "**/minimatch": "^3.0.5"
+    "**/minimatch": "^3.0.5",
+    "**/formidable": "^3.2.4"
   },
   "workspaces": {
     "packages": [

diff --git a/yarn.lock b/yarn.lock
@@ -8915,15 +8915,14 @@ form-data@~2.3.2:
     combined-stream "^1.0.6"
     mime-types "^2.1.12"
 
-formidable@^2.0.1:
-  version "2.0.1"
-  resolved "https://registry.yarnpkg.com/formidable/-/formidable-2.0.1.tgz#4310bc7965d185536f9565184dee74fbb75557ff"
-  integrity sha512-rjTMNbp2BpfQShhFbR3Ruk3qk2y9jKpvMW78nJgx8QKtxjDVrwbZG+wvDOmVbifHyOUOQJXxqEy6r0faRrPzTQ==
+formidable@^2.0.1, formidable@^3.2.4:
+  version "3.2.5"
+  resolved "https://registry.yarnpkg.com/formidable/-/formidable-3.2.5.tgz#95d6e0b0110c5e6f31ef5be4b0bd2d0791fd9232"
+  integrity sha512-GRGDJTWAZ3H+umZbF2bKcqjsTov25zgon1St05ziKdiSw3kxvI+meMJrXx3ylRmuSADOpviSakBuS4yvGCGnSg==
   dependencies:
     dezalgo "1.0.3"
     hexoid "1.0.0"
     once "1.4.0"
-    qs "6.9.3"
 
 forwarded-parse@^2.1.0:
   version "2.1.2"
@@ -14557,7 +14556,7 @@ punycode@^1.2.4:
   resolved "https://registry.yarnpkg.com/punycode/-/punycode-1.4.1.tgz#c0d5a63b2718800ad8e1eb0fa5269c84dd41845e"
   integrity sha1-wNWmOycYgArY4esPpSachN1BhF4=
 
-qs@6.9.3, qs@^6.10.1, qs@^6.10.3, qs@~6.5.2:
+qs@^6.10.1, qs@^6.10.3, qs@~6.5.2:
   version "6.11.0"
   resolved "https://registry.yarnpkg.com/qs/-/qs-6.11.0.tgz#fd0d963446f7a65e1367e01abd85429453f0c37a"
   integrity sha512-MvjoMCJwEarSbUYk5O+nmoSzSutSsTwF85zcHPQ9OrlFoZOYIjaqBAJIqIXjptyD5vThxGq52Xu/MaJzRkIk4Q==