


Matthew Hughes
e75c3e80bc Bump form-data to bring in fix for critical vulnerability (#618)
The vulnerability:

    $ npm audit --audit-level=high
    # npm audit report

    form-data  >=4.0.0 <4.0.4 || <2.5.4
    Severity: critical
    form-data uses unsafe random function in form-data for choosing boundary - https://github.com/advisories/GHSA-fjxv-7rqg-78g4
    form-data uses unsafe random function in form-data for choosing boundary - https://github.com/advisories/GHSA-fjxv-7rqg-78g4
    fix available via `npm audit fix`
    node_modules/@azure/core-http/node_modules/form-data
    node_modules/@types/node-fetch/node_modules/form-data
    node_modules/form-data

    1 critical severity vulnerability

    To address all issues, run:
      npm audit fix

This change is the result of running `npm audit fix` and then
using [1] to update licenses via `licensed cache`.

It doesn't look like `dependabot` previously raised any PRs for this
dependency, so this bumps it from `4.0.0` to `4.0.4`, see the
changelog[2] for details.

Link: https://github.com/licensee/licensed [1]
Link: https://github.com/form-data/form-data/blob/v4.0.4/CHANGELOG.md [2]
2025-08-13 12:02:46 -05:00
9 changed files with 11 additions and 26 deletions


@@ -4,7 +4,7 @@ version: 2.5.5
type: npm
summary: A library to create readable "multipart/form-data" streams. Can be used to
submit forms and file uploads to other web applications.
homepage:
homepage:
license: mit
licenses:
- sources: License


@@ -4,7 +4,7 @@ version: 4.0.4
type: npm
summary: A library to create readable "multipart/form-data" streams. Can be used to
submit forms and file uploads to other web applications.
homepage:
homepage:
license: mit
licenses:
- sources: License


@@ -29,4 +29,3 @@ licenses:
THE SOFTWARE.
notices: []
...

package-lock.json generated

@@ -35,9 +35,6 @@
"prettier": "^2.8.4",
"ts-jest": "^29.3.2",
"typescript": "^5.8.3"
},
"engines": {
"node": ">=24.0.0"
}
},
"node_modules/@aashutoshrathi/word-wrap": {


@@ -4,9 +4,6 @@
"private": true,
"description": "setup go action",
"main": "lib/setup-go.js",
"engines": {
"node": ">=24.0.0"
},
"scripts": {
"build": "tsc && ncc build -o dist/setup src/setup-go.ts && ncc build -o dist/cache-save src/cache-save.ts",
"format": "prettier --no-error-on-unmatched-pattern --config ./.prettierrc.js --write \"**/*.{ts,yml,yaml}\"",


@@ -7,7 +7,6 @@ import * as sys from './system';
import fs from 'fs';
import os from 'os';
import {StableReleaseAlias, isSelfHosted} from './utils';
import {Architecture} from './types';
const MANIFEST_REPO_OWNER = 'actions';
const MANIFEST_REPO_NAME = 'go-versions';
@@ -40,7 +39,7 @@ export async function getGo(
versionSpec: string,
checkLatest: boolean,
auth: string | undefined,
arch: Architecture = os.arch() as Architecture
arch = os.arch()
) {
let manifest: tc.IToolRelease[] | undefined;
const osPlat: string = os.platform();
@@ -152,7 +151,7 @@ async function resolveVersionFromManifest(
versionSpec: string,
stable: boolean,
auth: string | undefined,
arch: Architecture,
arch: string,
manifest: tc.IToolRelease[] | undefined
): Promise<string | undefined> {
try {
@@ -354,7 +353,7 @@ export async function getInfoFromManifest(
versionSpec: string,
stable: boolean,
auth: string | undefined,
arch: Architecture = os.arch() as Architecture,
arch = os.arch(),
manifest?: tc.IToolRelease[] | undefined
): Promise<IGoVersionInfo | null> {
let info: IGoVersionInfo | null = null;
@@ -380,7 +379,7 @@ export async function getInfoFromManifest(
async function getInfoFromDist(
versionSpec: string,
arch: Architecture
arch: string
): Promise<IGoVersionInfo | null> {
const version: IGoVersion | undefined = await findMatch(versionSpec, arch);
if (!version) {
@@ -399,7 +398,7 @@ async function getInfoFromDist(
export async function findMatch(
versionSpec: string,
arch: Architecture = os.arch() as Architecture
arch = os.arch()
): Promise<IGoVersion | undefined> {
const archFilter = sys.getArch(arch);
const platFilter = sys.getPlatform();
@@ -503,10 +502,7 @@ export function parseGoVersionFile(versionFilePath: string): string {
return contents.trim();
}
async function resolveStableVersionDist(
versionSpec: string,
arch: Architecture
) {
async function resolveStableVersionDist(versionSpec: string, arch: string) {
const archFilter = sys.getArch(arch);
const platFilter = sys.getPlatform();
const dlUrl = 'https://golang.org/dl/?mode=json&include=all';
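Review bot: The exported signatures in this section leave the `arch` parameter to inference — `arch = os.arch()` in getGo, and the same form in getInfoFromManifest and findMatch — while the non-exported helpers in the same file (resolveVersionFromManifest, getInfoFromDist, resolveStableVersionDist) spell out `arch: string`. An explicit annotation keeps the public contract visible and consistent across the file: `arch: string = os.arch()`. Each of these functions continues outside its hunk, so I cannot see whether the bodies narrow the value further before passing it to sys.getArch.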

View File

@@ -8,7 +8,6 @@ import {isCacheFeatureAvailable} from './cache-utils';
import cp from 'child_process';
import fs from 'fs';
import os from 'os';
import {Architecture} from './types';
export async function run() {
try {
@@ -21,10 +20,10 @@ export async function run() {
const cache = core.getBooleanInput('cache');
core.info(`Setup go version spec ${versionSpec}`);
let arch = core.getInput('architecture') as Architecture;
let arch = core.getInput('architecture');
if (!arch) {
arch = os.arch() as Architecture;
arch = os.arch();
}
if (versionSpec) {
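Review bot: `arch` at `let arch = core.getInput('architecture');` is declared with `let` only to be overwritten two lines later when the input is empty; the same logic reads as a single binding, `const arch = core.getInput('architecture') || os.arch();`. `||` rather than `??` is the right operator here because the existing `if (!arch)` check treats an empty input string as "not set", and `??` would not. run() continues outside the hunk.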

View File

@@ -1,5 +1,4 @@
import os from 'os';
import {Architecture} from './types';
export function getPlatform(): string {
// darwin and linux match already
@@ -16,7 +15,7 @@ export function getPlatform(): string {
return plat;
}
export function getArch(arch: Architecture): string {
export function getArch(arch: string): string {
// 'arm', 'arm64', 'ia32', 'mips', 'mipsel', 'ppc', 'ppc64', 's390', 's390x', 'x32', and 'x64'.
// wants amd64, 386, arm64, armv61, ppc641e, s390x
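Review bot: The comment above getArch's body lists `armv61` and `ppc641e` among the wanted names; Go's download archives are named with `armv6l` and `ppc64le`, so these look like `1`-for-`l` typos that would mislead anyone checking the mapping against the list. Suggest correcting the line to `// wants amd64, 386, arm64, armv6l, ppc64le, s390x`. getArch is exported but has no TSDoc; a one-line `/** Maps a Node.js os.arch() value to the architecture name expected by the Go download listing. */` above the signature would state the contract, which matters more now that the parameter type is a plain `string` and accepts any value. The function's body continues outside the hunk.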


@@ -1,2 +0,0 @@
// match what @actions/tool-cache expects
export type Architecture = string;