This is not critical for the vyos-http-api, as explained in
https://github.com/vyos/vyos-http-api-tools/security/dependabot/1
since we are explicitly parsing the form data from request.stream(), and never call request.form().
Nonetheless, to address future issues and possible uses of request.form(), we adopt the change in T5175 to allow updating packages here.