docs: clarify formData security considerations by mcollina · Pull Request #5320 · nodejs/undici (original) (raw)

Skip to content

Navigation Menu

• Pricing

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Sign up

Appearance settings

Merged

mcollina

merged 3 commits into

May 24, 2026

Conversation

Summary

• document that body.formData() buffers and parses the entire body
• clarify it must only be used on responses from trusted servers
• update the security threat model for untrusted body.formData() usage

Signed-off-by: Matteo Collina hello@matteocollina.com

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 93.22%. Comparing base (f33ecbc) to head (70c060c).

Additional details and impacted files

@@ Coverage Diff @@ ## main #5320 +/- ##

Coverage 93.22% 93.22%

Files 110 110
Lines 36599 36599

Hits 34120 34120
Misses 2479 2479

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

Co-authored-by: Khafra maitken033380023@gmail.com

Co-authored-by: Khafra maitken033380023@gmail.com

mcollina deleted the docs/formdata-trusted-servers branch

May 24, 2026 18:08

This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.Learn more about bidirectional Unicode characters

[ Show hidden characters]({{ revealButtonHref }})