On 7/27/25 19:29, Pragyansh Chaturvedi wrote:
Hi
upstream has the fix: https://github.com/form-data/form-data/
commit/3d1723080e6577a66f17f163ecd345a21d8d0fd0
while debian has the fix: https://salsa.debian.org/js-team/node-form-
data/-/commit/cee782f6ff789f389e6ce2f34ae9549d291e85be
These fixes are different. The CVE fix in debian does not have a 50
character boundary anymore, but a 62 character boundary now.
This causes autopkgtest failure in node-superagent: https://
ci.debian.net/packages/n/node-superagent/testing/amd64/62420387/, the
payload size asserts now fail. This does not allow node-form-data to
migrate.
Please use the upstream's fix for this CVE instead of
crypto.randomUUID() to preserve boundary length and not break other
packages.
Upstream added a dependency instead of using built-in module, applying
upstream dependency is impossible for Trixie.
--
Pkg-javascript-devel mailing list
Pkg-javascript-devel@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
