Our team noticed that there is an open vulnerability with form-data versions 3.0.0 (used by httpsnippet v2) and 4.0.0 (used by httpsnippet v3) for CVE-2025-7783.
Use of Insufficiently Random Values vulnerability in form-data allows HTTP Parameter Pollution (HPP). This vulnerability is associated with program files lib/form_data.Js.
This issue affects form-data: < 2.5.4, 3.0.0 - 3.0.3, 4.0.0 - 4.0.3.
Explanation: The `form-data` package is vulnerable to HTTP Parameter Pollution (HPP) due to the use of insufficiently random values in generating boundaries. The `_generateBoundary()` function in the `form_data.js` file generates a predictable boundary using `Math.random()`, which allows future values to be predicted. A remote attacker could exploit this vulnerability by crafting a boundary value, which would allow them to inject additional parameters into the HTTP request. This leads to arbitrary requests being made to internal systems.
Is it possible to unlock the form-data dependency to allow ^4.0.4 or is it necessary to lock it to that version?