
chore(npm): Bump form-data#614

Open
aterga wants to merge 2 commits intomainfrom
arshavir/bump-form-data

Conversation


@aterga aterga commented Feb 17, 2026

Changes

  • Security Fix: The bump to form-data 4.0.5 addresses CVE-2025-7783, a vulnerability where multipart boundaries were generated using Math.random(). This allowed attackers to predict boundaries and potentially perform HTTP Parameter Pollution (HPP) or inject arbitrary parameters.
  • Improved Randomness: Version 4.0.4 switched to crypto.random for secure boundary generation.
  • Version Transition: Updated from 4.0.1/4.0.2 to 4.0.5.
  • pnpm Overrides: Since form-data is a transitive dependency of axios and jsdom, using an override ensures all project dependencies are patched immediately without waiting for upstream releases.
Impact: No breaking changes are expected.

@aterga aterga requested a review from a team as a code owner February 17, 2026 23:09
@aterga aterga requested a review from Copilot February 17, 2026 23:09

Copilot AI left a comment


Pull request overview

This PR updates the form-data package from versions 4.0.1 and 4.0.2 to version 4.0.5 by introducing a pnpm override. The form-data package is a transitive dependency used by axios and jsdom within the monorepo. The lockfile changes reflect the version bump and automatic dependency resolution updates.

Changes:

  • Added pnpm override to enforce form-data version ^4.0.4 (which resolves to 4.0.5)
  • Updated form-data package resolution from 4.0.1/4.0.2 to 4.0.5 in lockfile
  • Automatic removal of optional: true flags from various dependencies due to form-data 4.0.5 adding new required dependencies (es-set-tostringtag and hasown)

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated 1 comment.

File            Description
package.json    Added pnpm overrides configuration to enforce form-data version ^4.0.4
pnpm-lock.yaml  Updated form-data package definitions and snapshots from 4.0.1/4.0.2 to 4.0.5, with corresponding dependency tree updates reflecting new required dependencies
Files not reviewed (1)
  • pnpm-lock.yaml: Language not supported
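The review above could not read pnpm-lock.yaml, which is the one place that proves the override did its job. The following is an added example (editorial, not the project's code) of the check a reviewer would run instead: scan the lockfile text for every version of form-data it still resolves to and flag any below the first fixed release. The lockfile excerpt is constructed for the example with a stale 4.0.1 left in on purpose; the override object mirrors the `^4.0.4` range the review describes; the assumption that package keys look like `form-data@4.0.1:` (or `/form-data@4.0.1:` in older lockfile formats) and dependency lines like `form-data: 4.0.1` is what the regex encodes.

```javascript
// Added example, not the project's code: check that an override like the one
// in this PR really took effect, by listing every version of a package the
// lockfile still resolves to and flagging those below the patched release.

// The override itself, as the review describes it (package.json).
const PACKAGE_JSON_OVERRIDE = { pnpm: { overrides: { 'form-data': '^4.0.4' } } };

// Constructed pnpm-lock.yaml excerpt for the example (integrity hashes
// elided). A stale 4.0.1 resolution is left in deliberately.
const SAMPLE_LOCK = `
packages:

  axios@1.7.9:
    resolution: {integrity: sha512-...}

  form-data@4.0.1:
    resolution: {integrity: sha512-...}

  form-data@4.0.5:
    resolution: {integrity: sha512-...}

snapshots:

  axios@1.7.9:
    dependencies:
      follow-redirects: 1.15.9
      form-data: 4.0.1
      proxy-from-env: 1.1.0
`;

// The same excerpt after the override has forced every resolution up.
const PATCHED_LOCK = SAMPLE_LOCK.replace(/4\.0\.1/g, '4.0.5');

const parseVersion = (v) => v.split('.').map(Number);
const compareVersions = (a, b) => {
  const [x, y] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
};

// Collect distinct versions of `pkg` anywhere in the lockfile text. Matches
// both package keys (`form-data@4.0.1:`, or `/form-data@4.0.1:` in older
// lockfile formats) and dependency lines (`form-data: 4.0.1`).
function resolvedVersions(lockText, pkg) {
  const escaped = pkg.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
  const re = new RegExp(`(?:^|[\\s/])${escaped}[@:]\\s*(\\d+\\.\\d+\\.\\d+)`, 'gm');
  const found = new Set();
  let m;
  while ((m = re.exec(lockText)) !== null) found.add(m[1]);
  return [...found].sort(compareVersions);
}

// Versions that still fall below the first fixed release.
function vulnerableResolutions(lockText, pkg, minFixed) {
  return resolvedVersions(lockText, pkg).filter((v) => compareVersions(v, minFixed) < 0);
}

console.log(vulnerableResolutions(SAMPLE_LOCK, 'form-data', '4.0.4'));  // ['4.0.1']
console.log(vulnerableResolutions(PATCHED_LOCK, 'form-data', '4.0.4')); // []
```

Run against the real lockfile (read it with fs.readFileSync and pass the text in) the second call is the one that should come back empty after a PR like this one; a non-empty result means some dependency still pins a version the override did not reach.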


@aterga aterga changed the title chore: Bump form-data chore(npm): Bump form-data Feb 18, 2026