fix(root): resolve form-data, esbuild, and @babel/core dependency vulnerabilities fixes DOC-357

[cursor]

Summary

Scheduled dependency security audit fixes for three actionable advisories not covered by open PRs #1117 and #1124.

Linear: DOC-357

Fixed vulnerabilities

Package	Severity	Advisory	Strategy
form-data	high	GHSA-hmw2-7cc7-3qxx	pnpm override form-data@>=4.0.0 <4.0.6 → ^4.0.6 (transitive via @inkeep/cxkit-react)
esbuild	high	GHSA-gv7w-rqvm-qjhr	pnpm override esbuild@>=0.17.0 <0.28.1 → ^0.28.1 (transitive via tsx)
@babel/core	low	GHSA-4x5r-pxfx-6jf8	pnpm override @babel/core@<=7.29.0 → ^7.29.6 (transitive via @svgr/webpack)

Validation

• pnpm audit — advisories 1120743, 1120679, 1120793 no longer reported
• pnpm build — passed

Skipped (already in open PRs)

• shell-quote, fast-xml-parser, uuid — PR fix(root): resolve shell-quote, fast-xml-parser, and uuid dependency vulnerabilities fixes DOC-344 #1124
• js-cookie, postcss, ws — PR fix(root): resolve js-cookie, postcss, and ws dependency vulnerabilities #1117

Skipped (not safely fixable)

• js-yaml (moderate) — forcing ^4.2.0 breaks gray-matter which requires js-yaml 3.x API (yaml.safeLoad)

  

Greptile Summary

• Updates pnpm dependency overrides to remediate targeted advisories for form-data, esbuild, and @babel/core.
• Refreshes pnpm-lock.yaml to reflect the updated transitive dependency resolutions.
• Keeps the changes scoped to package metadata and workspace dependency resolution.

Confidence Score: 5/5

The dependency metadata updates are narrowly scoped and align with the stated vulnerability remediation.

The changes are limited to package override and lockfile resolution updates, with no application code paths modified.

T-Rex Logs

What T-Rex did

• T-Rex captured the pre-change dependency state, noting the base override and the installed versions of form-data, esbuild, and @babel/core, along with the initial audit advisories.
• T-Rex applied head overrides and updated the installed versions to @babel/core@7.29.7, esbuild@0.28.1, and form-data@4.0.6, with the audit reporting 9 unrelated vulnerabilities and no advisory URLs.
• T-Rex attempted the production build twice with pnpm build, but both runs were killed (exit code 137) due to environment limits, blocking practical build validation.

_{Ran code and verified through T-Rex}

_{Reviews (1): Last reviewed commit: "fix(root): resolve form-data, esbuild, a..." | Re-trigger Greptile}

[linear-code]

DOC-357

[netlify]

✅ Deploy Preview for docs-novu ready!

Name	Link
🔨 Latest commit	2d15874
🔍 Latest deploy log	https://app.netlify.com/projects/docs-novu/deploys/6a323a43a33a5c00086a83c7
😎 Deploy Preview	https://deploy-preview-1131--docs-novu.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		Obfuscated code: npm js-yaml is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: pnpm-lock.yaml → npm/eslint@8.57.1 → npm/fumadocs-openapi@8.1.2 → npm/@svgr/webpack@8.1.0 → npm/js-yaml@4.2.0 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/js-yaml@4.2.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report