fix(security): bump form-data to >=4.0.6 in n8n (GHSA-hmw2-7cc7-3qxx)

[andriy-sudo]

Vulnerability Fix

Package	Old	New	Advisory	CVSS
form-data	4.0.4	4.0.6	GHSA-hmw2-7cc7-3qxx	7.5

Fix

form-data is a transitive dependency pulled in by n8n-workflow (which pins it at 4.0.4). Added "form-data": "^4.0.6" to overrides in n8n/package.json and regenerated n8n/package-lock.json — form-data now resolves to 4.0.6.

Changelog impact summary

Package	Old	New	Classification	Key changes
form-data	4.0.4	4.0.6	Patch/security	GHSA-hmw2-7cc7-3qxx (prototype pollution in form-data boundary generation); no API changes

[coderabbitai]

📝 Walkthrough

Walkthrough

The overrides section in n8n/package.json now includes a form-data entry pinned to ^4.0.6, alongside the existing lodash override at 4.18.1. No other package metadata or scripts were changed.

🚥 Pre-merge checks | ✅ 4

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately summarizes the security-focused form-data bump and references the relevant advisory.
Description check	✅ Passed	The description clearly explains the form-data vulnerability fix and the override change.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch andriy/inf-form-data-n8n

---

_{Comment @coderabbitai help to get the list of available commands.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@n8n/package.json`:
- Around line 52-53: The `form-data` pin in `package.json` is only applied via
root-level overrides, so consumers installing this package directly will not get
the fix. Move the resolution into a dependency that ships with the package, such
as bumping `n8n-workflow`, or add a package-level lock mechanism like
`npm-shrinkwrap.json` if you need to preserve the resolved tree. Use the
existing `n8n-nodes-tinyfish` package manifest and its dependency on
`n8n-workflow` to locate the right place to apply the change.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 5ac988a2-088d-4938-9fc5-afe1680fb1be

📥 Commits

Reviewing files that changed from the base of the PR and between d4857f0 and 51569bf.

⛔ Files ignored due to path filters (1)

• n8n/package-lock.json is excluded by !**/package-lock.json

📒 Files selected for processing (1)

• n8n/package.json

[andriy-sudo]

@paveldudka — SPOC review request. All CI green, CodeRabbit complete (comment addressed). Please review, approve, and merge when ready.