From 15da7a5778a8e46c01ab54311218c5d826ce3408 Mon Sep 17 00:00:00 2001 From: Julien Gautier Date: Sun, 24 May 2026 00:25:59 +0200 Subject: [PATCH] fix(deps): bump uuid to >=11.1.1 via pnpm.overrides (GHSA-w5hq-g745-h8pq) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit pnpm audit was failing ci:audit at moderate severity: uuid@<11.1.1 — missing buffer bounds check in v3/v5/v6 when buf is provided (GHSA-w5hq-g745-h8pq). Path: . > @lhci/cli@0.15.1 > uuid@8.3.2 @lhci/cli pulls in uuid@8.3.2 (uses only uuid.v4()); the advisory flags the v3/v5/v6 code paths so our usage is technically not at risk, but the audit gate is set to moderate and any flagged advisory blocks CI per ADR-0015. The override matches the pattern already in use for axios / ajv / brace-expansion / esbuild / follow-redirects / ip-address / protobufjs / tmp / ws / yaml — force the transitive dep to a patched range. uuid@14 is the resolved version (latest), already in the tree via mermaid; consolidating everything onto a single major also removes the dedup warning. Compatibility: uuid@14 is ESM-only (`type: module` + conditional exports). @lhci/cli does `const uuid = require('uuid')` which works on Node >= 22.12 via the stable `require(esm)` capability. The workspace pins Node 24 (.nvmrc), so the CJS consumer is fine. Verified by loading @lhci/cli's node-runner module under the new resolution — no exception. Test plan: - pnpm ci:audit: clean ("No known vulnerabilities found"). - pnpm ci:check: 13 projects green. --- package.json | 1 + pnpm-lock.yaml | 12 +++--------- 2 files changed, 4 insertions(+), 9 deletions(-) diff --git a/package.json b/package.json index 5a6fa6b..3196ab0 100644 --- a/package.json +++ b/package.json @@ -47,6 +47,7 @@ "ip-address@<10.1.1": ">=10.1.1", "protobufjs@<8.0.2": ">=8.0.2", "tmp@<0.2.4": ">=0.2.4", + "uuid@<11.1.1": ">=11.1.1", "vitepress>vite": ">=6.4.2 <7", "ws@>=8.0.0 <8.20.1": ">=8.20.1", "yaml@<2.8.3": ">=2.8.3", diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml index 801f5e5..85d5095 100644 --- a/pnpm-lock.yaml +++ b/pnpm-lock.yaml @@ -13,6 +13,7 @@ overrides: ip-address@<10.1.1: '>=10.1.1' protobufjs@<8.0.2: '>=8.0.2' tmp@<0.2.4: '>=0.2.4' + uuid@<11.1.1: '>=11.1.1' vitepress>vite: '>=6.4.2 <7' ws@>=8.0.0 <8.20.1: '>=8.20.1' yaml@<2.8.3: '>=2.8.3' @@ -10806,11 +10807,6 @@ packages: resolution: {integrity: sha512-Qo+uWgilfSmAhXCMav1uYFynlQO7fMFiMVZsQqZRMIXp0O7rR7qjkj+cPvBHLgBqi960QCoo/PH2/6ZtVqKvrg==} hasBin: true - uuid@8.3.2: - resolution: {integrity: sha512-+NYs2QeMWy+GWFOEm9xnn6HCDp0l7QBD7ml8zLUmJ+93Q5NF0NocErnwkTkXVFNiX3/fpC6afS8Dhb/gz7R7eg==} - deprecated: uuid@10 and below is no longer supported. For ESM codebases, update to uuid@latest. For CommonJS codebases, use uuid@11 (but be aware this version will likely be deprecated in 2028). - hasBin: true - v8-compile-cache-lib@3.0.1: resolution: {integrity: sha512-wa7YjyUGfNZngI/vtK0UHAN+lgDCxBPCylVXGp0zu59Fz5aiGtNXaq3DhIov063MorB+VfufLh3JlF2KdTK3xg==} @@ -13711,7 +13707,7 @@ snapshots: open: 7.4.2 proxy-agent: 6.5.0 tmp: 0.2.5 - uuid: 8.3.2 + uuid: 14.0.0 yargs: 15.4.1 yargs-parser: 13.1.2 transitivePeerDependencies: @@ -22470,7 +22466,7 @@ snapshots: sockjs@0.3.24: dependencies: faye-websocket: 0.11.4 - uuid: 8.3.2 + uuid: 14.0.0 websocket-driver: 0.7.4 socks-proxy-agent@8.0.5: @@ -23194,8 +23190,6 @@ snapshots: uuid@14.0.0: {} - uuid@8.3.2: {} - v8-compile-cache-lib@3.0.1: {} v8-to-istanbul@9.3.0: