Fix CVE-2025-7783: Override form-data to 4.0.5 (merged with master fixes)

[Copilot]

✅ Structure Fix: Reordered package.json sections

Changes:

• Reordered package.json to match master's structure
• Moved "overrides" section before "browser" section
• No functional changes - all dependencies and overrides remain the same
• Verified form-data 4.0.5 is still installed (vulnerability fixed)
• Verified axios 1.13.2 is still installed (SSRF vulnerability fixed)
• Linting passes

Why This Change:

GitHub was detecting a conflict due to the different ordering of sections in package.json between this branch and master. By matching master's structure exactly (overrides before browser), the conflict is resolved.

Verification:

• ✅ form-data: 4.0.5 (overridden)
• ✅ axios: 1.13.2 (overridden)
• ✅ Linting passes
• ✅ package.json structure matches master

Original prompt

Security Vulnerability: CVE-2025-7783 in form-data

Issue

Dependabot has identified a security vulnerability in the form-data package (npm). The current version 4.0.0 is vulnerable to boundary prediction attacks due to unsafe use of Math.random().

Reference: Dependabot alert devsecopsmaturitymodel#46

Vulnerability Details

• Package: form-data (npm)
• Current Version: 4.0.0 (via transitive dependency)
• Affected Versions: >= 4.0.0, < 4.0.4
• Fixed Version: 4.0.4 or higher
• Dependency Chain: @angular-eslint/builder 13.5.0 → ... → form-data 4.0.0

Problem

The form-data package uses Math.random() to generate boundary values for multipart form-encoded data. Since Math.random() produces predictable pseudo-random values, an attacker who can observe these values could predict future boundaries and inject malicious parameters into requests.

Required Fix

Update the dependency chain to use form-data version 4.0.4 or higher. This can be achieved by:

1. Primary approach: Update @angular-eslint/builder from version 13.5.0 to a recent version that depends on the patched form-data (version 4.0.4+)

2. Alternative approach (if direct update causes breaking changes): Use npm overrides to force form-data to version 4.0.4 or higher by adding to package.json:

{
  "overrides": {
    "form-data": ">=4.0.4"
  }
}

Acceptance Criteria

• form-data is updated to version 4.0.4 or higher
• package-lock.json reflects the updated dependency version
• Running npm list form-data shows version 4.0.4 or higher
• Running npm audit no longer shows this vulnerability
• All existing tests pass
• The project builds successfully

Testing

After applying the fix, verify with:

npm list form-data
npm audit
npm run build
npm test

Additional Context

This vulnerability requires specific conditions to be exploited (user-controlled data in form submissions + observable Math.random() values), but should still be addressed to maintain security best practices.

This pull request was created from Copilot chat.

---

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.

[coderabbitai]

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[Copilot]

Copilot wasn't able to review any files in this pull request.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[qodo-code-review]

PR Code Suggestions ✨

No code suggestions found for the PR.

[granatonatalia]

@copilot Resolva os conflitos.

[Copilot]

@copilot Resolva os conflitos.

Conflitos resolvidos no commit cccaaaa. A branch master foi mesclada, combinando os overrides de form-data e axios. Ambas as vulnerabilidades estão corrigidas:

• form-data: 4.0.5 ✓
• axios: 1.13.2 ✓

[granatonatalia]

@copilot Resolva os conflitos.

[Copilot]

@copilot Resolva os conflitos.

Conflitos resolvidos no commit dc71e36. A estrutura do package.json foi ajustada para corresponder exatamente à branch master (seção "overrides" antes de "browser"). Nenhuma mudança funcional - as vulnerabilidades continuam corrigidas:

• form-data: 4.0.5 ✓
• axios: 1.13.2 ✓