auto-audit: unfixable npm vulnerabilities

[github-actions]

npm audit reports vulnerabilities with no upstream fix available (fixAvailable: false). These need manual triage - pinning, patching, swapping the dependency, or accepting the risk.

form-data - critical (vulnerable: <2.5.4)

• form-data uses unsafe random function in form-data for choosing boundary - critical · CVSS 0

qs - high (vulnerable: <=6.14.0)

• Prototype Pollution Protection Bypass in qs - high · CVSS 7.5
• Denial-of-Service Extended Event Loop Blocking in qs - high · CVSS 0
• Denial-of-Service Memory Exhaustion in qs - high · CVSS 0
• qs vulnerable to Prototype Pollution - high · CVSS 7.5
• qs's arrayLimit bypass in its bracket notation allows DoS via memory exhaustion - moderate · CVSS 3.7

request - critical (vulnerable: *)

• Server-Side Request Forgery in Request - moderate · CVSS 6.1

tough-cookie - moderate (vulnerable: <4.1.3)

• tough-cookie Prototype Pollution vulnerability - moderate · CVSS 6.5

uuid - moderate (vulnerable: <11.1.1)

• uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided - moderate · CVSS 7.5

---

Last updated by run: https://github.com/surajkumar/auto-audit/actions/runs/27394650553