arcade-mcp/contrib
Evan Tahler b3a90889c6
Npm-form-data security vulnerability (#743)
Remediate CVE-2025-7783 critical vulnerability in the `form-data`
package across the repository.

The `form-data` package (versions >= 4.0.0 and < 4.0.4) used
`Math.random()` to generate boundary values, which is predictable and
could allow attackers to inject additional parameters into requests.
This PR updates the affected dependencies to a secure version (>= 4.0.4)
by running `npm audit fix` in `openai-agents-ts` and adding a pnpm
override in `langchain-ts`.

---
Linear Issue:
[TOO-333](https://linear.app/arcadedev/issue/TOO-333/vanta-remediate-critical-vulnerabilities-identified-in-packages-are)

<a
href="https://cursor.com/background-agent?bcId=bc-10abc1b2-8ec1-42cc-8ab9-6c7d1ff8a69d"><picture><source
media="(prefers-color-scheme: dark)"
srcset="https://cursor.com/open-in-cursor-dark.svg"><source
media="(prefers-color-scheme: light)"
srcset="https://cursor.com/open-in-cursor-light.svg"><img alt="Open in
Cursor"
src="https://cursor.com/open-in-cursor.svg"></picture></a>&nbsp;<a
href="https://cursor.com/agents?id=bc-10abc1b2-8ec1-42cc-8ab9-6c7d1ff8a69d"><picture><source
media="(prefers-color-scheme: dark)"
srcset="https://cursor.com/open-in-web-dark.svg"><source
media="(prefers-color-scheme: light)"
srcset="https://cursor.com/open-in-web-light.svg"><img alt="Open in Web"
src="https://cursor.com/open-in-web.svg"></picture></a>

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> **Security and dependency updates**
> 
> - Adds `pnpm` override in `contrib/examples/langchain-ts/package.json`
to force `form-data@>=4.0.4`
> - Refreshes `pnpm-lock.yaml` for `langchain-ts`, upgrading `form-data`
to `4.0.5` and bumping related transitive deps (e.g., `axios`,
`follow-redirects`, `ws`, `dotenv`, `jsonwebtoken`,
`zod-to-json-schema`)
> - Updates `contrib/examples/openai-agents-ts/package-lock.json`:
upgrades `@modelcontextprotocol/sdk` to `1.25.3` (adds optional
`@hono/node-server`, `hono`, `jose`, `json-schema-typed`) and bumps `qs`
to `6.14.1`
> 
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
ae26b3d994d8fb0a6f4a88be34b7f17fb98cef6e. This will update automatically
on new commits. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

Co-authored-by: Cursor Agent <cursoragent@cursor.com>
2026-01-20 18:17:56 -08:00
..
crewai Fix broken links (#738) 2026-01-05 13:27:16 -08:00
examples Npm-form-data security vulnerability (#743) 2026-01-20 18:17:56 -08:00
langchain Fix broken links (#738) 2026-01-05 13:27:16 -08:00