fix: formidable dependency vulnerable to arbitrary

[jasonsaayman]

Closes #6366

---

Summary by cubic

Updates formidable to v3 to address the reported vulnerability (Linear 6366). Updates the test server and assertions to the new API (arrays for fields/files).

Description

• Summary of changes

  • Bumped formidable from ^2.1.5 to ^3.2.4 (lockfile to 3.5.4).
  • Switched to the IncomingForm named export in the test server and tests.
  • Updated multipart assertions to expect array shapes for fields and files.

• Reasoning

  • Fixes the security vulnerability tracked in Linear 6366.
  • Aligns test code with formidable@3 API changes.

• Additional context

  • formidable is a dev-only dependency used in tests/local servers.
  • No changes expected for consumers.

Docs

• No user-facing API changes.
• Contributor note: multipart parse results now return arrays per key (e.g., fields.foo => ['bar'], files.file1[0]).

Testing

• Modified tests in tests/setup/server.js and tests/unit/adapters/http.test.js to use IncomingForm and array-shaped results.
• No new tests added; updates bring existing tests in line with formidable@3 behavior.

^{Written for commit c4fe4d1. Summary will update on new commits.}

[cubic-dev-ai]

No issues found across 5 files

Confidence score: 5/5

• Automated review surfaced no issues in the provided summaries.
• No files require special attention.