From bd4d7321202d8a1febe37c0c16fa6e3a498ed2b3 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Tue, 4 Feb 2025 15:36:42 +0000
Subject: [PATCH 1/2] Bump undici from 5.28.4 to 5.28.5

Bumps [undici](https://github.com/nodejs/undici) from 5.28.4 to 5.28.5.
- [Release notes](https://github.com/nodejs/undici/releases)
- [Commits](https://github.com/nodejs/undici/compare/v5.28.4...v5.28.5)

---
updated-dependencies:
- dependency-name: undici
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
---
 package-lock.json | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/package-lock.json b/package-lock.json
index e57ca32..2e9f918 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -5140,7 +5140,9 @@
       }
     },
     "node_modules/undici": {
-      "version": "5.28.4",
+      "version": "5.28.5",
+      "resolved": "https://registry.npmjs.org/undici/-/undici-5.28.5.tgz",
+      "integrity": "sha512-zICwjrDrcrUE0pyyJc1I2QzBkLM8FINsgOrt6WjA+BgajVq9Nxu2PbFFXUrAggLfDXlZGZBVZYw7WNV5KiBiBA==",
       "license": "MIT",
       "dependencies": {
         "@fastify/busboy": "^2.0.0"

From 0d214b803ed91377dfadb028ee247a45c56c948e Mon Sep 17 00:00:00 2001
From: Jerome Wolff <Ic3w0lf@users.noreply.github.com>
Date: Tue, 18 Feb 2025 14:36:39 +0100
Subject: [PATCH 2/2] Security fixes

---
 dist/index.js     | 18 +++++++++++++++++-
 package-lock.json |  5 +++--
 2 files changed, 20 insertions(+), 3 deletions(-)

diff --git a/dist/index.js b/dist/index.js
index 3b4231c..61bff0a 100644
--- a/dist/index.js
+++ b/dist/index.js
@@ -39711,6 +39711,14 @@ const { isUint8Array, isArrayBuffer } = __nccwpck_require__(4978)
 const { File: UndiciFile } = __nccwpck_require__(8511)
 const { parseMIMEType, serializeAMimeType } = __nccwpck_require__(685)
 
+let random
+try {
+  const crypto = __nccwpck_require__(6005)
+  random = (max) => crypto.randomInt(0, max)
+} catch {
+  random = (max) => Math.floor(Math.random(max))
+}
+
 let ReadableStream = globalThis.ReadableStream
 
 /** @type {globalThis['File']} */
@@ -39796,7 +39804,7 @@ function extractBody (object, keepalive = false) {
     // Set source to a copy of the bytes held by object.
     source = new Uint8Array(object.buffer.slice(object.byteOffset, object.byteOffset + object.byteLength))
   } else if (util.isFormDataLike(object)) {
-    const boundary = `----formdata-undici-0${`${Math.floor(Math.random() * 1e11)}`.padStart(11, '0')}`
+    const boundary = `----formdata-undici-0${`${random(1e11)}`.padStart(11, '0')}`
     const prefix = `--${boundary}\r\nContent-Disposition: form-data`
 
     /*! formdata-polyfill. MIT License. Jimmy Wärting <https://jimmy.warting.se/opensource> */
@@ -54612,6 +54620,14 @@ module.exports = require("net");
 
 /***/ }),
 
+/***/ 6005:
+/***/ ((module) => {
+
+"use strict";
+module.exports = require("node:crypto");
+
+/***/ }),
+
 /***/ 5673:
 /***/ ((module) => {
 
diff --git a/package-lock.json b/package-lock.json
index 2e9f918..a0f3d12 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -2889,9 +2889,10 @@
       }
     },
     "node_modules/cross-spawn": {
-      "version": "7.0.3",
+      "version": "7.0.6",
+      "resolved": "https://registry.npmjs.org/cross-spawn/-/cross-spawn-7.0.6.tgz",
+      "integrity": "sha512-uV2QOWP2nWzsy2aMp8aRibhi9dlzF5Hgh5SHaB9OiTGEyDTiJJyx0uy51QXdyWbtAHNua4XJzUKca3OzKUd3vA==",
       "dev": true,
-      "license": "MIT",
       "dependencies": {
         "path-key": "^3.1.0",
         "shebang-command": "^2.0.0",