@slack/webhooks - form-data vulnerability in axios dependency #2331
Description
(Filling out the following with as much detail as you can provide will help us solve your issue sooner.)
Packages:
Select all that apply:
- @slack/webhooks
Reproducible in:
The Slack SDK version
(Paste the output of npm ls | grep -o "\S\+@\S\+$" | tr @ ' ' | awk -v q='"' '{print q$1q": "q"^"$2q","}' | grep slack or refer to your package.json)
"slack/webhook": "^7.0.5",
Node.js runtime version
(Paste the output of node --version)
v22.17.0
OS info
(Paste the output of sw_vers && uname -v on macOS/Linux or ver on Windows OS)
#157-Ubuntu SMP Mon Jun 16 07:33:10 UTC 2025
Steps to reproduce:
(Share the commands to run, source code, and project settings)
- npm audit
- npm ls form-data
Expected result:
form-data 4.0.0 - 4.0.3
Severity: critical
form-data uses unsafe random function in form-data for choosing boundary - GHSA-fjxv-7rqg-78g4
└─┬ @slack/webhook@7.0.5
  └─┬ axios@1.10.0
    └── form-data@4.0.3
(Tell what you expected to happen)
Actual result:
(Tell what actually happened with logs, screenshots)
Requirements
For general questions/issues about Slack API platform or its server-side, could you submit questions at https://my.slack.com/help/requests/new instead. 🙇
Please read the Contributing guidelines and Code of Conduct before creating this issue or pull request. By submitting, you are agreeing to those rules.
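Added example, not part of the original issue and not Slack SDK code: a Node.js check that walks a dependency tree in the shape `npm ls form-data --json` produces and lists every chain that ends in a form-data version inside the 4.0.0 - 4.0.3 range reported above. The sample tree is constructed to mirror the report, and the project name and the function names are assumptions.

```javascript
// Constructed sample in the shape of `npm ls form-data --json` output,
// mirroring the tree in the report. "example-app" is a hypothetical project.
const sampleTree = {
  name: "example-app",
  version: "1.0.0",
  dependencies: {
    "@slack/webhook": {
      version: "7.0.5",
      dependencies: {
        axios: {
          version: "1.10.0",
          dependencies: { "form-data": { version: "4.0.3" } },
        },
      },
    },
  },
};

// Parse "major.minor.patch" into numbers; prerelease/build suffixes are ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v || "");
  return m ? m.slice(1).map(Number) : null;
}

// Return -1, 0 or 1 for two parsed versions.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Walk the tree and return each chain ending in `pkg` with low <= version <= high.
function findAffected(tree, pkg, low, high) {
  const lo = parseVersion(low);
  const hi = parseVersion(high);
  const hits = [];
  const walk = (node, chain) => {
    for (const [name, dep] of Object.entries(node.dependencies || {})) {
      const here = [...chain, `${name}@${dep.version}`];
      const ver = parseVersion(dep.version);
      const inRange = ver && compareVersions(ver, lo) >= 0 && compareVersions(ver, hi) <= 0;
      if (name === pkg && inRange) hits.push(here.join(" > "));
      walk(dep, here); // the same package can appear at several depths
    }
  };
  walk(tree, []);
  return hits;
}

console.log(findAffected(sampleTree, "form-data", "4.0.0", "4.0.3"));
```

Against a real project, replace `sampleTree` with the parsed JSON output of `npm ls form-data --json`; an empty result means no installed copy falls in the reported range.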