From 0c0b53b640bbaa7249571ba86ea97295dee50869 Mon Sep 17 00:00:00 2001
From: Merkys <merkys.maliukevicius@hostinger.com>
Date: Wed, 21 Jan 2026 15:22:42 +0200
Subject: [PATCH] fix: resolve form-data security vulnerability via npm
 override
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Added npm override to force form-data to ^4.0.4 (fixes CVE in versions < 4.0.4)
- n8n-workflow pins form-data to vulnerable 4.0.0 and hasn't updated in 6+ months
- This override ensures we use the patched version (4.0.5) without breaking compatibility
- Vulnerability: Predictable boundary generation using Math.random() instead of crypto
- Reference: https://github.com/advisories/GHSA-fjxv-7rqg-78g4

🤖 Generated with Claude Code

Co-Authored-By: Claude <noreply@anthropic.com>
---
 package-lock.json | 28 +++++++++++++++++++++++-----
 package.json      |  5 +++++
 2 files changed, 28 insertions(+), 5 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index f794916..5111485 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,12 +1,12 @@
 {
   "name": "n8n-nodes-hostinger-api",
-  "version": "1.0.13",
+  "version": "1.0.14",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "n8n-nodes-hostinger-api",
-      "version": "1.0.13",
+      "version": "1.0.14",
       "license": "MIT",
       "devDependencies": {
         "@n8n/node-cli": "*",
@@ -3236,6 +3236,22 @@
         "node": ">= 0.4"
       }
     },
+    "node_modules/es-set-tostringtag": {
+      "version": "2.1.0",
+      "resolved": "https://registry.npmjs.org/es-set-tostringtag/-/es-set-tostringtag-2.1.0.tgz",
+      "integrity": "sha512-j6vWzfrGVfyXxge+O0x5sh6cvxAog0a/4Rdd2K36zCMV5eJ+/+tOAngRO8cODMNWbVRdVlmGZQL2YS3yR8bIUA==",
+      "license": "MIT",
+      "peer": true,
+      "dependencies": {
+        "es-errors": "^1.3.0",
+        "get-intrinsic": "^1.2.6",
+        "has-tostringtag": "^1.0.2",
+        "hasown": "^2.0.2"
+      },
+      "engines": {
+        "node": ">= 0.4"
+      }
+    },
     "node_modules/escalade": {
       "version": "3.2.0",
       "resolved": "https://registry.npmjs.org/escalade/-/escalade-3.2.0.tgz",
@@ -3893,14 +3909,16 @@
       }
     },
     "node_modules/form-data": {
-      "version": "4.0.0",
-      "resolved": "https://registry.npmjs.org/form-data/-/form-data-4.0.0.tgz",
-      "integrity": "sha512-ETEklSGi5t0QMZuiXoA/Q6vcnxcLQP5vdugSpuAyi6SVGi2clPPp+xgEhuMaHC+zGgn31Kd235W35f7Hykkaww==",
+      "version": "4.0.5",
+      "resolved": "https://registry.npmjs.org/form-data/-/form-data-4.0.5.tgz",
+      "integrity": "sha512-8RipRLol37bNs2bhoV67fiTEvdTrbMUYcFTiy3+wuuOnUog2QBHCZWXDRijWQfAkhBj2Uf5UnVaiWwA5vdd82w==",
       "license": "MIT",
       "peer": true,
       "dependencies": {
         "asynckit": "^0.4.0",
         "combined-stream": "^1.0.8",
+        "es-set-tostringtag": "^2.1.0",
+        "hasown": "^2.0.2",
         "mime-types": "^2.1.12"
       },
       "engines": {
diff --git a/package.json b/package.json
index 2578389..e811a34 100644
--- a/package.json
+++ b/package.json
@@ -46,5 +46,10 @@
   },
   "peerDependencies": {
     "n8n-workflow": "*"
+  },
+  "overrides": {
+    "n8n-workflow": {
+      "form-data": "^4.0.4"
+    }
   }
 }