From cfcfa6cb74e2b8b95c98491972eba9245b2eb827 Mon Sep 17 00:00:00 2001 
From: Antoine Clausse Date: Thu, 4 Sep 2025 11:37:24 +0200 Subject: [PATCH] Remove outdated overrides (sha.js, form-data) (#28258) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Update `isomorphic-git` and remove `sha.js` overrides It was fixed in https://github.com/isomorphic-git/isomorphic-git/pull/2190 * `bin/npm update @cypress/request` and remove override Bumps `form-data` to `~4.0.4` which is safe per https://github.com/overleaf/internal/security/dependabot/1533 Now it has the safe versions (2.5.5 and 4.0.4): ``` $ npm ls form-data overleaf@ /Users/aclausse/Code/internal ├─┬ @overleaf/analytics@ -> ./services/analytics │ └─┬ request@2.88.2 overridden │ └── form-data@2.5.5 overridden ├─┬ @overleaf/fetch-utils@0.1.0 -> ./libraries/fetch-utils │ └─┬ @types/node-fetch@2.6.11 │ └── form-data@4.0.4 overridden ├─┬ @overleaf/metrics@4.2.0 -> ./libraries/metrics │ └─┬ @google-cloud/profiler@6.0.3 │ └─┬ @google-cloud/common@5.0.2 │ └─┬ retry-request@7.0.2 overridden │ └─┬ @types/request@2.48.12 overridden │ └── form-data@2.5.5 overridden ├─┬ @overleaf/saas-e2e@ -> ./tools/saas-e2e │ └─┬ mailtrap@3.4.0 │ └─┬ axios@1.8.4 │ └── form-data@4.0.4 deduped ├─┬ @overleaf/tpdsworker@ -> ./services/tpdsworker │ └─┬ chai-http@4.4.0 │ └─┬ superagent@8.1.2 │ └── form-data@4.0.4 deduped ├─┬ @overleaf/web@ -> ./services/web │ └─┬ jsdom@19.0.0 │ └── form-data@4.0.4 deduped ├─┬ latexqc@0.0.1 -> ./services/latexqc │ └─┬ vitest@3.1.2 │ └─┬ jsdom@20.0.3 │ └── form-data@4.0.4 deduped └─┬ overleaf-editor@1.0.0 -> ./services/history-v1 └─┬ swagger-tools@0.10.4 overridden ├─┬ json-refs@3.0.15 │ └─┬ path-loader@1.0.12 │ └─┬ superagent@7.1.6 overridden │ └── form-data@4.0.4 deduped └─┬ superagent@3.8.3 overridden └── form-data@2.5.5 overridden ``` * `bin/npm update @types/request` and remove override Bumps `form-data` to `2.5.5` which is safe per https://github.com/overleaf/internal/security/dependabot/1537 * Remove `form-data` overrides that aren't 
necessary ``` $ npm ls form-data overleaf@ /Users/aclausse/Code/internal ├─┬ @overleaf/analytics@ -> ./services/analytics │ └─┬ request@2.88.2 overridden │ └── form-data@2.5.5 invalid: "~2.3.2" from node_modules/request ├─┬ @overleaf/fetch-utils@0.1.0 -> ./libraries/fetch-utils │ └─┬ @types/node-fetch@2.6.11 │ └── form-data@4.0.4 ├─┬ @overleaf/metrics@4.2.0 -> ./libraries/metrics │ └─┬ @google-cloud/profiler@6.0.3 │ └─┬ @google-cloud/common@5.0.2 │ └─┬ retry-request@7.0.2 │ └─┬ @types/request@2.48.13 │ └── form-data@2.5.5 ├─┬ @overleaf/saas-e2e@ -> ./tools/saas-e2e │ ├─┬ cypress@13.13.2 │ │ └─┬ @cypress/request@3.0.9 │ │ └── form-data@4.0.4 deduped │ └─┬ mailtrap@3.4.0 │ └─┬ axios@1.8.4 │ └── form-data@4.0.4 deduped ├─┬ @overleaf/tpdsworker@ -> ./services/tpdsworker │ └─┬ chai-http@4.4.0 │ └─┬ superagent@8.1.2 │ └── form-data@4.0.4 deduped ├─┬ @overleaf/web@ -> ./services/web │ └─┬ jsdom@19.0.0 │ └── form-data@4.0.4 deduped ├─┬ latexqc@0.0.1 -> ./services/latexqc │ └─┬ vitest@3.1.2 │ └─┬ jsdom@20.0.3 │ └── form-data@4.0.4 deduped └─┬ overleaf-editor@1.0.0 -> ./services/history-v1 └─┬ swagger-tools@0.10.4 overridden ├─┬ json-refs@3.0.15 │ └─┬ path-loader@1.0.12 │ └─┬ superagent@7.1.6 │ └── form-data@4.0.4 deduped └─┬ superagent@3.8.3 └── form-data@2.5.5 ``` * Remove 2025-08-07-form-data-cypress.json * Reapply the form-data override in request@2.88.2 GitOrigin-RevId: 89143de1a53226dc43fc474db443fc7d7698908a --- package-lock.json | 103 ++++++++++++------------------- package.json | 18 ------ server-ce/test/package-lock.json | 10 +-- server-ce/test/package.json | 7 +-- 4 files changed, 45 insertions(+), 93 deletions(-) diff --git a/package-lock.json b/package-lock.json index 6a274aed6f..65641d4915 100644 --- a/package-lock.json +++ b/package-lock.json 
@@ -4228,9 +4228,9 @@ } }, "node_modules/@cypress/request": { - "version": "3.0.1", - "resolved": "https://registry.npmjs.org/@cypress/request/-/request-3.0.1.tgz", - "integrity": "sha512-TWivJlJi8ZDx2wGOw1dbLuHJKUYX7bWySw377nlnGOW3hP9/MUKIsEdXT/YngWxVdgNCHRBmFlBipE+5/2ZZlQ==", + "version": "3.0.9", + "resolved": "https://registry.npmjs.org/@cypress/request/-/request-3.0.9.tgz", + "integrity": "sha512-I3l7FdGRXluAS44/0NguwWlO83J18p0vlr2FYHrJkWdNYhgVoiYo61IXPqaOsL+vNxU1ZqMACzItGK3/KKDsdw==", "dev": true, "license": "Apache-2.0", "dependencies": { @@ -4240,16 +4240,16 @@ "combined-stream": "~1.0.6", "extend": "~3.0.2", "forever-agent": "~0.6.1", - "form-data": "~2.3.2", - "http-signature": "~1.3.6", + "form-data": "~4.0.4", + "http-signature": "~1.4.0", "is-typedarray": "~1.0.0", "isstream": "~0.1.2", "json-stringify-safe": "~5.0.1", "mime-types": "~2.1.19", "performance-now": "^2.1.0", - "qs": "6.10.4", + "qs": "6.14.0", "safe-buffer": "^5.1.2", - "tough-cookie": "^4.1.3", + "tough-cookie": "^5.0.0", "tunnel-agent": "^0.6.0", "uuid": "^8.3.2" }, 
@@ -4267,34 +4267,16 @@ "node": ">=0.8" } }, - "node_modules/@cypress/request/node_modules/form-data": { - "version": "2.5.5", - "resolved": "https://registry.npmjs.org/form-data/-/form-data-2.5.5.tgz", - "integrity": "sha512-jqdObeR2rxZZbPSGL+3VckHMYtu+f9//KXBsVny6JSX/pa38Fy+bGjuG8eW/H6USNQWhLi8Num++cU2yOCNz4A==", - "dev": true, - "license": "MIT", - "dependencies": { - "asynckit": "^0.4.0", - "combined-stream": "^1.0.8", - "es-set-tostringtag": "^2.1.0", - "hasown": "^2.0.2", - "mime-types": "^2.1.35", - "safe-buffer": "^5.2.1" - }, - "engines": { - "node": ">= 0.12" - } - }, "node_modules/@cypress/request/node_modules/http-signature": { - "version": "1.3.6", - "resolved": "https://registry.npmjs.org/http-signature/-/http-signature-1.3.6.tgz", - "integrity": "sha512-3adrsD6zqo4GsTqtO7FyrejHNv+NgiIfAfv68+jVlFmSr9OGy7zrxONceFRLKvnnZA5jbxQBX1u9PpB6Wi32Gw==", + "version": "1.4.0", + "resolved": "https://registry.npmjs.org/http-signature/-/http-signature-1.4.0.tgz", + "integrity": "sha512-G5akfn7eKbpDN+8nPS/cb57YeA1jLTVxjpCj7tmm3QKPdyDy7T+qSC40e9ptydSWvkwjSXw1VbkpyEm39ukeAg==", "dev": true, "license": "MIT", "dependencies": { "assert-plus": "^1.0.0", "jsprim": "^2.0.2", - "sshpk": "^1.14.1" + "sshpk": "^1.18.0" }, "engines": { "node": ">=0.10" @@ -4317,13 +4299,13 @@ } }, "node_modules/@cypress/request/node_modules/qs": { - "version": "6.10.4", - "resolved": "https://registry.npmjs.org/qs/-/qs-6.10.4.tgz", - "integrity": "sha512-OQiU+C+Ds5qiH91qh/mg0w+8nwQuLjM4F4M/PbmhDOoYehPh+Fb0bDjtR1sOvy7YKxvj28Y/M0PhP5uVX0kB+g==", + "version": "6.14.0", + "resolved": "https://registry.npmjs.org/qs/-/qs-6.14.0.tgz", + "integrity": "sha512-YWWTjgABSKcvs/nWBi9PycY/JiPJqOD4JA6o9Sej2AtvSGarXxKC3OQSk4pAarbdQlKAh5D4FCQkJNkW+GAn3w==", "dev": true, "license": "BSD-3-Clause", "dependencies": { - "side-channel": "^1.0.4" + "side-channel": "^1.1.0" }, "engines": { "node": ">=0.6" 
@@ -4332,26 +4314,18 @@ "url": "https://github.com/sponsors/ljharb" } }, - "node_modules/@cypress/request/node_modules/safe-buffer": { - "version": "5.2.1", - "resolved": "https://registry.npmjs.org/safe-buffer/-/safe-buffer-5.2.1.tgz", - "integrity": "sha512-rp3So07KcdmmKbGvgaNxQSJr7bGVSVk5S9Eq1F+ppbRo70+YeaDxkw5Dd8NPN+GD6bjnYm2VuPuCXmpuYvmCXQ==", + "node_modules/@cypress/request/node_modules/tough-cookie": { + "version": "5.1.2", + "resolved": "https://registry.npmjs.org/tough-cookie/-/tough-cookie-5.1.2.tgz", + "integrity": "sha512-FVDYdxtnj0G6Qm/DhNPSb8Ju59ULcup3tuJxkFb5K8Bv2pUXILbf0xZWU8PX8Ov19OXljbUyveOFwRMwkXzO+A==", "dev": true, - "funding": [ - { - "type": "github", - "url": "https://github.com/sponsors/feross" - }, - { - "type": "patreon", - "url": "https://www.patreon.com/feross" - }, - { - "type": "consulting", - "url": "https://feross.org/support" - } - ], - "license": "MIT" + "license": "BSD-3-Clause", + "dependencies": { + "tldts": "^6.1.32" + }, + "engines": { + "node": ">=16" + } }, "node_modules/@cypress/request/node_modules/uuid": { "version": "8.3.2", @@ -12524,15 +12498,15 @@ "license": "MIT" }, "node_modules/@types/request": { - "version": "2.48.12", - "resolved": "https://registry.npmjs.org/@types/request/-/request-2.48.12.tgz", - "integrity": "sha512-G3sY+NpsA9jnwm0ixhAFQSJ3Q9JkpLZpJbI3GMv0mIAT0y3mRabYeINzal5WOChIiaTEGQYlHOKgkaM9EisWHw==", + "version": "2.48.13", + "resolved": "https://registry.npmjs.org/@types/request/-/request-2.48.13.tgz", + "integrity": "sha512-FGJ6udDNUCjd19pp0Q3iTiDkwhYup7J8hpMW9c4k53NrccQFFWKRho6hvtPPEhnXWKvukfwAlB6DbDz4yhH5Gg==", "license": "MIT", "dependencies": { "@types/caseless": "*", "@types/node": "*", "@types/tough-cookie": "*", - "form-data": "^2.5.0" + "form-data": "^2.5.5" } }, "node_modules/@types/request/node_modules/form-data": { 
@@ -26568,9 +26542,9 @@ } }, "node_modules/isomorphic-git": { - "version": "1.33.0", - "resolved": "https://registry.npmjs.org/isomorphic-git/-/isomorphic-git-1.33.0.tgz", - "integrity": "sha512-a90aVhiBFtkUUe8JaqmR0gL7Thk1Ol/30rLS9c7nM20CwSbVqDctnwxX9VFSDLz5iq1wyzV6p4uyU7GStQKkag==", + "version": "1.33.1", + "resolved": "https://registry.npmjs.org/isomorphic-git/-/isomorphic-git-1.33.1.tgz", + "integrity": "sha512-Fy5rPAncURJoqL9R+5nJXLl5rQH6YpcjJd7kdCoRJPhrBiLVkLm9b+esRqYQQlT1hKVtKtALbfNtpHjWWJgk6g==", "dev": true, "license": "MIT", "dependencies": { @@ -26584,7 +26558,7 @@ "path-browserify": "^1.0.1", "pify": "^4.0.1", "readable-stream": "^3.4.0", - "sha.js": "^2.4.9", + "sha.js": "^2.4.12", "simple-get": "^4.0.1" }, "bin": { @@ -37446,9 +37420,10 @@ } }, "node_modules/sshpk": { - "version": "1.17.0", - "resolved": "https://registry.npmjs.org/sshpk/-/sshpk-1.17.0.tgz", - "integrity": "sha512-/9HIEs1ZXGhSPE8X6Ccm7Nam1z8KcoCqPdI7ecm1N33EzAetWahvQWVqLZtaZQ+IDKX4IyA2o0gBzqIMkAagHQ==", + "version": "1.18.0", + "resolved": "https://registry.npmjs.org/sshpk/-/sshpk-1.18.0.tgz", + "integrity": "sha512-2p2KJZTSqQ/I3+HX42EpYOa2l3f8Erv8MWKsy2I9uf4wA7yFIkXRffYdsx86y6z4vHtV8u7g+pPlr8/4ouAxsQ==", + "license": "MIT", "dependencies": { "asn1": "~0.2.3", "assert-plus": "^1.0.0", @@ -46475,7 +46450,7 @@ "adm-zip": "^0.5.12", "cypress": "13.13.2", "cypress-multi-reporters": "^2.0.5", - "isomorphic-git": "^1.33.0", + "isomorphic-git": "^1.33.1", "mailtrap": "^3.4.0", "mocha-junit-reporter": "^2.2.1", "pdf-parse": "^1.1.1", diff --git a/package.json b/package.json index 808b49f839..1d52557c87 100644 --- a/package.json +++ b/package.json 
@@ -34,27 +34,9 @@ "body-parser": "1.20.3", "multer": "2.0.2" }, - "isomorphic-git@^1.33.0": { - "sha.js": "2.4.12" - }, "request@2.88.2": { "tough-cookie": "5.1.2", "form-data": "2.5.5" - }, - "superagent@7.1.6": { - "form-data": "4.0.4" - }, - "superagent@3.8.3": { - "form-data": "2.5.5" - }, - "retry-request@7.0.2": { - "form-data": "2.5.5" - }, - "@types/request@2.48.12": { - "form-data": "2.5.5" - }, - "@cypress/request@3.0.1": { - "form-data": "2.5.5" } }, "scripts": { diff --git a/server-ce/test/package-lock.json b/server-ce/test/package-lock.json index 8fb274b30d..1aace9cf37 100644 --- a/server-ce/test/package-lock.json +++ b/server-ce/test/package-lock.json @@ -16,7 +16,7 @@ "celebrate": "^15.0.3", "cypress": "13.13.2", "express": "^4.21.2", - "isomorphic-git": "^1.33.0", + "isomorphic-git": "^1.33.1", "js-yaml": "^4.1.0", "pdf-parse": "^1.1.1", "typescript": "^5.0.4", @@ -1855,9 +1855,9 @@ "license": "ISC" }, "node_modules/isomorphic-git": { - "version": "1.33.0", - "resolved": "https://registry.npmjs.org/isomorphic-git/-/isomorphic-git-1.33.0.tgz", - "integrity": "sha512-a90aVhiBFtkUUe8JaqmR0gL7Thk1Ol/30rLS9c7nM20CwSbVqDctnwxX9VFSDLz5iq1wyzV6p4uyU7GStQKkag==", + "version": "1.33.1", + "resolved": "https://registry.npmjs.org/isomorphic-git/-/isomorphic-git-1.33.1.tgz", + "integrity": "sha512-Fy5rPAncURJoqL9R+5nJXLl5rQH6YpcjJd7kdCoRJPhrBiLVkLm9b+esRqYQQlT1hKVtKtALbfNtpHjWWJgk6g==", "license": "MIT", "dependencies": { "async-lock": "^1.4.1", @@ -1870,7 +1870,7 @@ "path-browserify": "^1.0.1", "pify": "^4.0.1", "readable-stream": "^3.4.0", - "sha.js": "^2.4.9", + "sha.js": "^2.4.12", "simple-get": "^4.0.1" }, "bin": { diff --git a/server-ce/test/package.json b/server-ce/test/package.json index 4efcc3cbff..b29df9c819 100644 --- a/server-ce/test/package.json +++ b/server-ce/test/package.json 
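Review bot: In the root package.json overrides hunk, dropping the `superagent@7.1.6` and `superagent@3.8.3` entries leaves the patched `form-data` versions (4.0.4 and 2.5.5 per the description's `npm ls` output) held in place only by package-lock.json. The ranges those two packages declare are not visible in this diff, so presumably nothing but the lockfile stops a later re-resolution from selecting an older release. By contrast, the new lock entries for `@cypress/request` (`"form-data": "~4.0.4"`) and `@types/request` (`"form-data": "^2.5.5"`) raise the floor themselves, so removing their overrides is self-enforcing. Since package.json cannot carry a comment, I would guard this in CI, for example with a step that runs `npm ls form-data` and fails on any version other than the two patched ones, or with `npm audit --audit-level=high`. The surviving `request@2.88.2` key is version-exact and would silently stop applying if the resolved version of `request` ever changed, which is worth recording next to the Dependabot references.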
@@ -19,15 +19,10 @@ "celebrate": "^15.0.3", "cypress": "13.13.2", "express": "^4.21.2", - "isomorphic-git": "^1.33.0", + "isomorphic-git": "^1.33.1", "js-yaml": "^4.1.0", "pdf-parse": "^1.1.1", "typescript": "^5.0.4", "uuid": "^9.0.1" - }, - "overrides": { - "isomorphic-git@^1.33.0": { - "sha.js": "2.4.12" - } } }