From ed415a6fb76e1b888a073d52ff1c4110d58bc385 Mon Sep 17 00:00:00 2001
From: sophia chen <sophia.chen@thetradedesk.com>
Date: Tue, 16 Jun 2026 13:50:02 +1000
Subject: [PATCH] fix(deps): upgrade form-data to >=4.0.6 via override to fix
 CVE-2026-12143 (UID2-7307)

CVE-2026-12143 (HIGH): form-data multipart library vulnerability.
Updates the npm override from ^4.0.4 to >=4.0.6 so all transitive
consumers of form-data resolve to the patched 4.0.6 release.
---
 package-lock.json | 16 ++++++++--------
 package.json      |  2 +-
 2 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index 5c4ab81..c53026a 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -5614,15 +5614,15 @@
       }
     },
     "node_modules/form-data": {
-      "version": "4.0.4",
-      "resolved": "https://registry.npmjs.org/form-data/-/form-data-4.0.4.tgz",
-      "integrity": "sha512-KrGhL9Q4zjj0kiUt5OO4Mr/A/jlI2jDYs5eHBpYHPcBEVSiipAvn2Ko2HnPe20rmcuuvMHNdZFp+4IlGTMF0Ow==",
+      "version": "4.0.6",
+      "resolved": "https://registry.npmjs.org/form-data/-/form-data-4.0.6.tgz",
+      "integrity": "sha512-vKatAh4SlVfgbv+YtmhiRjhEMJsYpsG1Y2rMQtR+SVSbytsSD1YGzDIcrAJmdFec88u/+VoGmxnl+80gL1tRCQ==",
       "dependencies": {
         "asynckit": "^0.4.0",
         "combined-stream": "^1.0.8",
         "es-set-tostringtag": "^2.1.0",
-        "hasown": "^2.0.2",
-        "mime-types": "^2.1.12"
+        "hasown": "^2.0.4",
+        "mime-types": "^2.1.35"
       },
       "engines": {
         "node": ">= 6"
@@ -6020,9 +6020,9 @@
       }
     },
     "node_modules/hasown": {
-      "version": "2.0.2",
-      "resolved": "https://registry.npmjs.org/hasown/-/hasown-2.0.2.tgz",
-      "integrity": "sha512-0hJU9SCPvmMzIBdZFqNPXWa6dqh7WdH0cII9y+CyS8rG3nL48Bclra9HmKhVVUHyPWNH5Y7xDwAB7bfgSjkUMQ==",
+      "version": "2.0.4",
+      "resolved": "https://registry.npmjs.org/hasown/-/hasown-2.0.4.tgz",
+      "integrity": "sha512-T2UbfbBEF32wiepXIsMlTW9+dDYC6wMh/t/vYA4tuOMKqWz/n3vr1NFSxQiyP+zk2mXsoMA/i/7qV6LKut1t1A==",
       "dependencies": {
         "function-bind": "^1.1.2"
       },
diff --git a/package.json b/package.json
index 9abdcbe..2f66320 100644
--- a/package.json
+++ b/package.json
@@ -79,7 +79,7 @@
     "path-to-regexp": "^8.4.0"
   },
   "overrides": {
-    "form-data": "^4.0.4",
+    "form-data": ">=4.0.6",
     "qs": "6.14.1",
     "serialize-javascript": "^7.0.3"
   },