Fix: Resolve form-data security vulnerability (CVE < 4.0.4)

[merkys7]

Summary

• Fixes critical security vulnerability in form-data package (versions < 4.0.4) -- https://hostingers.atlassian.net/browse/VPS-4410 -- Security issue lasting for 6 months
• Adds npm override to force form-data@^4.0.4 instead of vulnerable 4.0.0

Problem

Dependabot cannot automatically fix this vulnerability because:

• n8n-workflow (all versions) pins form-data to exactly 4.0.0
• The vulnerability requires form-data@4.0.4 or higher
• n8n maintainers have marked this as "won't fix" (see n8n-io/n8n#20914)

Solution

Using npm overrides to force the secure version without waiting for upstream fix. This is safe because:

• Changes from 4.0.0 to 4.0.4 are only bug fixes and security patches
• No breaking changes or API modifications
• Successfully tested with build and lint commands

Security Details

• Vulnerability: Predictable boundary generation using Math.random() instead of crypto
• Severity: Critical
• Reference: GHSA-fjxv-7rqg-78g4
• Fixed in: form-data@4.0.4+

Test plan

• npm install works without errors
• npm run build completes successfully
• npm run lint passes (except unrelated sorting issue)
• form-data resolves to 4.0.5 (latest patch)

🤖 Generated with Claude Code

Summary by CodeRabbit

• Chores
  • Updated dependency configuration to pin a transitive dependency version, enhancing installation consistency across environments.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

📝 Walkthrough

Walkthrough

Adds a top-level overrides field in package.json to pin the transitive dependency version of form-data to ^4.0.4 for the n8n-workflow package, without modifying its declared peer version.

Changes

Cohort / File(s)	Summary
Dependency override configuration package.json	Added overrides field with nested structure to constrain form-data version (^4.0.4) for n8n-workflow transitive dependency resolution

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly identifies the main change: adding an npm override to resolve a form-data security vulnerability in versions below 4.0.4, which directly matches the PR's primary objective.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

• 📝 Generate docstrings

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[fizikiukas]

Will be solved together with - #35