Skip to content
Permalink

Comparing changes

Choose two branches to see what’s changed or to start a new pull request. If you need to, you can also or learn more about diff comparisons.

Open a pull request

Create a new pull request by comparing changes across two branches. If you need to, you can also . Learn more about diff comparisons here.
base repository: form-data/form-data
Failed to load repositories. Confirm that selected base ref is valid, then try again.
Loading
base: v4.0.5
Choose a base ref
...
head repository: form-data/form-data
Failed to load repositories. Confirm that selected head ref is valid, then try again.
Loading
compare: v4.0.6
Choose a head ref
  • 5 commits
  • 4 files changed
  • 1 contributor

Commits on Jun 10, 2026

  1. [Fix] escape CR, LF, and " in field names and filenames

    A field name or filename containing CRLF (or a `"`) was concatenated
    verbatim into the `Content-Disposition` header, letting a caller that
    passes attacker-controlled names break out of the header line to inject
    additional headers or smuggle extra multipart parts (CWE-93).
    
    Escape `\r`, `\n`, and `"` as `%0D`, `%0A`, and `%22`, matching the
    WHATWG HTML multipart/form-data encoding browsers use.
    
    Ref: GHSA-hmw2-7cc7-3qxx
    ljharb committed Jun 10, 2026
    Configuration menu
    Copy the full SHA
    8dff42c View commit details
    Browse the repository at this point in the history

Commits on Jun 11, 2026

  1. [Dev Deps] update js-randomness-predictor

    1.x cannot predict V8 randomness on node >= 25, which made
    `test-boundary-prediction` fail on node 26; 3.x supports node < 27.
    ljharb committed Jun 11, 2026
    Configuration menu
    Copy the full SHA
    67b0f65 View commit details
    Browse the repository at this point in the history

Commits on Jun 12, 2026

  1. Configuration menu
    Copy the full SHA
    f31d21e View commit details
    Browse the repository at this point in the history
  2. Configuration menu
    Copy the full SHA
    92ae0eb View commit details
    Browse the repository at this point in the history
  3. v4.0.6

    ljharb committed Jun 12, 2026
    Configuration menu
    Copy the full SHA
    64190db View commit details
    Browse the repository at this point in the history
Loading