update form-data package version in tasks to resolve vulnerability #21242

Open: wants to merge 6 commits into base: master

@sanjays-ms (Contributor) commented Aug 21, 2025

Context

Update the form-data package version to resolve vulnerability
📌 Component Governance Link


Task Name

HelmDeployV0
HelmDeployV1
MysqlDeploymentOnMachineGroupV1
ReviewAppV0


Description

The form-data package version 2.5.1 is marked as vulnerable. To resolve this vulnerability, we are overriding the package to the latest stable version, which does not contain the vulnerability.


Risk Assessment (Low / Medium / High)

Low - only 1 package update


Additional Testing Performed

Testing performed through build and test locally using node make.js commands.
Additional testing done through Azure Pipelines in Canary Test for HelmDeployV0.
Pipeline Link: HelmDeployV0 Canary Test Pipeline

We do not have pipelines for HelmDeployV1, ReviewAppV0 and MySqlDeploymentOnMachineGroupV1.
We also don't have any service connections set up for these pipelines to test in Canary Test (HelmDeploy requires an Azure subscription).
MySqlDeploymentOnMachineGroupV1 is marked as deprecated and is only to work with classic pipelines.

Require some assistance from RM Team to help with task verification as we currently don't have pipelines in our test or for this.


Rollback Scenario and Process (Yes/No)

Please revert the PR to roll back the changes.


Checklist

  • Related issue linked (if applicable)
  • Task version was bumped — see versioning guide
  • Verified the task behaves as expected (only through local testing as of now)

@sanjays-ms
Contributor Author

/azp run

Azure Pipelines successfully started running 3 pipeline(s).

@sanjays-ms sanjays-ms marked this pull request as ready for review August 21, 2025 23:15
@sanjays-ms sanjays-ms requested review from manolerazvan and a team as code owners August 21, 2025 23:15