From 9372a7fc343fc4a86e4451f6b9cbc2a84ff38483 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Tue, 23 Jun 2026 08:25:37 -0700
Subject: [PATCH 1/3] Bump form-data from 4.0.5 to 4.0.6 (#2522)

Bumps [form-data](https://github.com/form-data/form-data) from 4.0.5 to 4.0.6.
- [Changelog](https://github.com/form-data/form-data/blob/master/CHANGELOG.md)
- [Commits](https://github.com/form-data/form-data/compare/v4.0.5...v4.0.6)

---
updated-dependencies:
- dependency-name: form-data
  dependency-version: 4.0.6
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 package-lock.json | 24 ++++++++++++++++++------
 1 file changed, 18 insertions(+), 6 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index 282df390c..c19696f07 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -14396,20 +14396,33 @@
       }
     },
     "node_modules/form-data": {
-      "version": "4.0.5",
-      "resolved": "https://registry.npmjs.org/form-data/-/form-data-4.0.5.tgz",
-      "integrity": "sha512-8RipRLol37bNs2bhoV67fiTEvdTrbMUYcFTiy3+wuuOnUog2QBHCZWXDRijWQfAkhBj2Uf5UnVaiWwA5vdd82w==",
+      "version": "4.0.6",
+      "resolved": "https://registry.npmjs.org/form-data/-/form-data-4.0.6.tgz",
+      "integrity": "sha512-vKatAh4SlVfgbv+YtmhiRjhEMJsYpsG1Y2rMQtR+SVSbytsSD1YGzDIcrAJmdFec88u/+VoGmxnl+80gL1tRCQ==",
+      "license": "MIT",
       "dependencies": {
         "asynckit": "^0.4.0",
         "combined-stream": "^1.0.8",
         "es-set-tostringtag": "^2.1.0",
-        "hasown": "^2.0.2",
-        "mime-types": "^2.1.12"
+        "hasown": "^2.0.4",
+        "mime-types": "^2.1.35"
       },
       "engines": {
         "node": ">= 6"
       }
     },
+    "node_modules/form-data/node_modules/hasown": {
+      "version": "2.0.4",
+      "resolved": "https://registry.npmjs.org/hasown/-/hasown-2.0.4.tgz",
+      "integrity": "sha512-T2UbfbBEF32wiepXIsMlTW9+dDYC6wMh/t/vYA4tuOMKqWz/n3vr1NFSxQiyP+zk2mXsoMA/i/7qV6LKut1t1A==",
+      "license": "MIT",
+      "dependencies": {
+        "function-bind": "^1.1.2"
+      },
+      "engines": {
+        "node": ">= 0.4"
+      }
+    },
     "node_modules/format": {
       "version": "0.2.2",
       "resolved": "https://registry.npmjs.org/format/-/format-0.2.2.tgz",
@@ -14495,7 +14508,6 @@
       "version": "2.3.2",
       "resolved": "https://registry.npmjs.org/fsevents/-/fsevents-2.3.2.tgz",
       "integrity": "sha512-xiqMQR4xAeHTuB9uWm+fFRcIOgKBMiOBP+eXiyT7jsgVCq1bkVygt00oASowB7EdtpOHaaPgKt812P9ab+DDKA==",
-      "dev": true,
       "hasInstallScript": true,
       "optional": true,
       "os": [

From 842051ad5d7bd4124d011693ede50e8062736316 Mon Sep 17 00:00:00 2001
From: asier-isayas <asier.isayas@gmail.com>
Date: Tue, 23 Jun 2026 13:15:15 -0400
Subject: [PATCH 2/3] Remove exposed connection string in test (#2523)

* Address exposed connection string in Data Explorer code

* Address exposed connection string in Data Explorer code

---------

Co-authored-by: Asier Isayas <aisayas@microsoft.com>
---
 src/HostedExplorer.test.tsx | 21 +++++++++++----------
 1 file changed, 11 insertions(+), 10 deletions(-)

diff --git a/src/HostedExplorer.test.tsx b/src/HostedExplorer.test.tsx
index 083700e0e..22629c078 100644
--- a/src/HostedExplorer.test.tsx
+++ b/src/HostedExplorer.test.tsx
@@ -63,11 +63,15 @@ const dispatchPostMessage = (data: unknown, origin: string) => {
   window.dispatchEvent(event);
 };
 
+// Deliberately invalid account name
+const FAKE_ACCOUNT_NAME: string = "-FakeAccount-";
+const FAKE_KEY: string = "<redacted-test-key>";
+
 describe("HostedExplorer tryCosmosDB postMessage handler", () => {
   it("accepts a valid SQL connection string from an allowed origin", async () => {
     render(<App />);
 
-    const validConnStr = "AccountEndpoint=https://myaccount.documents.azure.com:443/;AccountKey=dGVzdGtleQ==;";
+    const validConnStr = `AccountEndpoint=https://${FAKE_ACCOUNT_NAME}.documents.azure.com:443/;AccountKey=${FAKE_KEY};`;
 
     await act(async () => {
       dispatchPostMessage(
@@ -83,7 +87,7 @@ describe("HostedExplorer tryCosmosDB postMessage handler", () => {
   it("accepts a valid Mongo connection string from an allowed origin", async () => {
     render(<App />);
 
-    const mongoConnStr = "mongodb://myaccount:dGVzdGtleQ==@myaccount.documents.azure.com:10255";
+    const mongoConnStr = `mongodb://${FAKE_ACCOUNT_NAME}:${FAKE_KEY}@${FAKE_ACCOUNT_NAME}.documents.azure.com:10255`;
 
     await act(async () => {
       dispatchPostMessage(
@@ -99,8 +103,7 @@ describe("HostedExplorer tryCosmosDB postMessage handler", () => {
   it("accepts a valid Cassandra connection string from an allowed origin", async () => {
     render(<App />);
 
-    const cassandraConnStr =
-      "AccountEndpoint=https://myaccount.cassandra.cosmosdb.azure.com:443/;AccountKey=dGVzdGtleQ==;";
+    const cassandraConnStr = `AccountEndpoint=https://${FAKE_ACCOUNT_NAME}.cassandra.cosmosdb.azure.com:443/;AccountKey=${FAKE_KEY};`;
 
     await act(async () => {
       dispatchPostMessage(
@@ -116,8 +119,7 @@ describe("HostedExplorer tryCosmosDB postMessage handler", () => {
   it("accepts a valid Table connection string from an allowed origin", async () => {
     render(<App />);
 
-    const tableConnStr =
-      "DefaultEndpointsProtocol=https;AccountName=myaccount;AccountKey=dGVzdGtleQ==;TableEndpoint=https://myaccount.table.cosmosdb.azure.com:443/;";
+    const tableConnStr = `DefaultEndpointsProtocol=https;AccountName=${FAKE_ACCOUNT_NAME};AccountKey=${FAKE_KEY};TableEndpoint=https://${FAKE_ACCOUNT_NAME}.table.cosmosdb.azure.com:443/;`;
 
     await act(async () => {
       dispatchPostMessage(
@@ -133,8 +135,7 @@ describe("HostedExplorer tryCosmosDB postMessage handler", () => {
   it("accepts a valid Gremlin connection string from an allowed origin", async () => {
     render(<App />);
 
-    const gremlinConnStr =
-      "AccountEndpoint=https://myaccount.documents.azure.com:443/;AccountKey=dGVzdGtleQ==;ApiKind=Gremlin;";
+    const gremlinConnStr = `AccountEndpoint=https://${FAKE_ACCOUNT_NAME}.documents.azure.com:443/;AccountKey=${FAKE_KEY};ApiKind=Gremlin;`;
 
     await act(async () => {
       dispatchPostMessage(
@@ -150,7 +151,7 @@ describe("HostedExplorer tryCosmosDB postMessage handler", () => {
   it("rejects messages from a disallowed origin", async () => {
     render(<App />);
 
-    const validConnStr = "AccountEndpoint=https://myaccount.documents.azure.com:443/;AccountKey=dGVzdGtleQ==;";
+    const validConnStr = `AccountEndpoint=https://${FAKE_ACCOUNT_NAME}.documents.azure.com:443/;AccountKey=${FAKE_KEY};`;
 
     await act(async () => {
       dispatchPostMessage(
@@ -198,7 +199,7 @@ describe("HostedExplorer tryCosmosDB postMessage handler", () => {
   it("ignores messages with an unrelated type", async () => {
     render(<App />);
 
-    const validConnStr = "AccountEndpoint=https://myaccount.documents.azure.com:443/;AccountKey=dGVzdGtleQ==;";
+    const validConnStr = `AccountEndpoint=https://${FAKE_ACCOUNT_NAME}.documents.azure.com:443/;AccountKey=${FAKE_KEY};`;
 
     await act(async () => {
       dispatchPostMessage({ type: "someOtherMessage", connectionString: validConnStr }, "https://cosmos.azure.com");

From 1ca8dc4e5dcaa2fcfc7cf07ab24619f3d014b8be Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Tue, 23 Jun 2026 15:29:56 -0700
Subject: [PATCH 3/3] Bump http-proxy-middleware from 3.0.5 to 3.0.7 in
 /preview (#2521)

Bumps [http-proxy-middleware](https://github.com/chimurai/http-proxy-middleware) from 3.0.5 to 3.0.7.
- [Release notes](https://github.com/chimurai/http-proxy-middleware/releases)
- [Changelog](https://github.com/chimurai/http-proxy-middleware/blob/v3.0.7/CHANGELOG.md)
- [Commits](https://github.com/chimurai/http-proxy-middleware/compare/v3.0.5...v3.0.7)

---
updated-dependencies:
- dependency-name: http-proxy-middleware
  dependency-version: 3.0.7
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 preview/package-lock.json | 11 ++++++-----
 preview/package.json      |  2 +-
 2 files changed, 7 insertions(+), 6 deletions(-)

diff --git a/preview/package-lock.json b/preview/package-lock.json
index 93cf042fd..c2e55e8dd 100644
--- a/preview/package-lock.json
+++ b/preview/package-lock.json
@@ -11,7 +11,7 @@
         "body-parser": "^2.2.2",
         "express": "^5.2.1",
         "follow-redirects": "^1.16.0",
-        "http-proxy-middleware": "^3.0.5",
+        "http-proxy-middleware": "^3.0.7",
         "node": "^20.19.5",
         "node-fetch": "^2.6.1",
         "path-to-regexp": "^0.1.13"
@@ -416,9 +416,10 @@
       }
     },
     "node_modules/http-proxy-middleware": {
-      "version": "3.0.5",
-      "resolved": "https://registry.npmjs.org/http-proxy-middleware/-/http-proxy-middleware-3.0.5.tgz",
-      "integrity": "sha512-GLZZm1X38BPY4lkXA01jhwxvDoOkkXqjgVyUzVxiEK4iuRu03PZoYHhHRwxnfhQMDuaxi3vVri0YgSro/1oWqg==",
+      "version": "3.0.7",
+      "resolved": "https://registry.npmjs.org/http-proxy-middleware/-/http-proxy-middleware-3.0.7.tgz",
+      "integrity": "sha512-iwbQltVlx8bCrqePUM8C+hllHvdawVhQJaLrj1X7qllkvFQdXFsr16pW/mo9+JDVjN+QO2XUx9jd8SmoFkE5qw==",
+      "license": "MIT",
       "dependencies": {
         "@types/http-proxy": "^1.17.15",
         "debug": "^4.3.6",
@@ -428,7 +429,7 @@
         "micromatch": "^4.0.8"
       },
       "engines": {
-        "node": "^14.15.0 || ^16.10.0 || >=18.0.0"
+        "node": "^14.18.0 || ^16.10.0 || >=18.0.0"
       }
     },
     "node_modules/http-proxy-middleware/node_modules/braces": {
diff --git a/preview/package.json b/preview/package.json
index 5812e4659..2dc8e5c4e 100644
--- a/preview/package.json
+++ b/preview/package.json
@@ -14,7 +14,7 @@
     "body-parser": "^2.2.2",
     "express": "^5.2.1",
     "follow-redirects": "^1.16.0",
-    "http-proxy-middleware": "^3.0.5",
+    "http-proxy-middleware": "^3.0.7",
     "node": "^20.19.5",
     "node-fetch": "^2.6.1",
     "path-to-regexp": "^0.1.13"