update form-data package in tasks to resolve vulnerability issues #21234

sanjays-ms · 2025-08-19T08:12:03Z

Context

Update the form-data package version to resolve vulnerability.
📌 Component Governance Link

Task Name

NpmV0
NpmV1
PublishTestResultsV1
PublishTestResultsV2
VsTestPlatformToolInstallerV1

Description

The form-data package version 2.5.1 is marked as vulnerable. To resolve this update the package version to latest stable version 4.0.4

Risk Assessment (Low / Medium / High)

Low - Update to only 1 package

Additional Testing Performed

We do not have test pipelines for VsTestPlatformToolInstallerV1, NpmV0,NpmV1, PublishTestResultsV1 in canary test.
These were tested in a private test org (Reviewers please request access).
Canary Test Pipelines
PublishTestResultsV2

Private Org Pipelines
PublishTestResultsV1
NpmV0 & NpmV1 (Both are in the same pipeline and uses the tfs-cli repo to install dependencies and packages the repo)
VsTestPlatformToolInstallerV1

Some Notes:

Pipelines run in the private org for testing does not include testing against arm architecture since the org does not have it available
VsTestPlatformToolInstallerV1 was only tested on Windows 22 and 25 since it is windows exclusive and does not run on other OS
Testing was generally done with Ubuntu 24, Windows 25 and Mac 14
The local test cases for NpmV0 when running node make.js test --task NpmV0 is failing due to the test file L0.js being renamed as L0-ToBeFixed.ts

Rollback Scenario and Process (Yes/No)

Please revert the PR to revert changes

Checklist

Related issue linked (if applicable)
Task version was bumped — see versioning guide
Verified the task behaves as expected

sanjays-ms · 2025-08-19T11:43:04Z

/azp run

azure-pipelines · 2025-08-19T11:43:24Z