fix(deps): bump uuid to >=11.1.1 via pnpm.overrides (GHSA-w5hq-g745-h8pq)
CI / commits (pull_request) Successful in 3m0s
CI / scan (pull_request) Successful in 3m19s
CI / check (pull_request) Successful in 4m17s
CI / a11y (pull_request) Successful in 2m32s
Docs site / build (pull_request) Successful in 4m0s
CI / perf (pull_request) Successful in 7m24s

pnpm audit was failing ci:audit at moderate severity:

  uuid@<11.1.1 — missing buffer bounds check in v3/v5/v6 when buf
  is provided (GHSA-w5hq-g745-h8pq).
  Path: . > @lhci/cli@0.15.1 > uuid@8.3.2

@lhci/cli pulls in uuid@8.3.2 (uses only uuid.v4()); the advisory
flags the v3/v5/v6 code paths so our usage is technically not at
risk, but the audit gate is set to moderate and any flagged
advisory blocks CI per ADR-0015.

The override matches the pattern already in use for axios / ajv /
brace-expansion / esbuild / follow-redirects / ip-address /
protobufjs / tmp / ws / yaml — force the transitive dep to a
patched range. uuid@14 is the resolved version (latest), already
in the tree via mermaid; consolidating everything onto a single
major also removes the dedup warning.

Compatibility: uuid@14 is ESM-only (`type: module` + conditional
exports). @lhci/cli does `const uuid = require('uuid')` which
works on Node >= 22.12 via the stable `require(esm)` capability.
The workspace pins Node 24 (.nvmrc), so the CJS consumer is fine.
Verified by loading @lhci/cli's node-runner module under the new
resolution — no exception.

Test plan:
- pnpm ci:audit: clean ("No known vulnerabilities found").
- pnpm ci:check: 13 projects green.
This commit is contained in:
Julien Gautier
2026-05-24 00:25:59 +02:00
parent 5f1ef2444a
commit 15da7a5778
2 changed files with 4 additions and 9 deletions
+1
View File
@@ -47,6 +47,7 @@
"ip-address@<10.1.1": ">=10.1.1",
"protobufjs@<8.0.2": ">=8.0.2",
"tmp@<0.2.4": ">=0.2.4",
"uuid@<11.1.1": ">=11.1.1",
"vitepress>vite": ">=6.4.2 <7",
"ws@>=8.0.0 <8.20.1": ">=8.20.1",
"yaml@<2.8.3": ">=2.8.3",
+3 -9
View File
@@ -13,6 +13,7 @@ overrides:
ip-address@<10.1.1: '>=10.1.1'
protobufjs@<8.0.2: '>=8.0.2'
tmp@<0.2.4: '>=0.2.4'
uuid@<11.1.1: '>=11.1.1'
vitepress>vite: '>=6.4.2 <7'
ws@>=8.0.0 <8.20.1: '>=8.20.1'
yaml@<2.8.3: '>=2.8.3'
@@ -10806,11 +10807,6 @@ packages:
resolution: {integrity: sha512-Qo+uWgilfSmAhXCMav1uYFynlQO7fMFiMVZsQqZRMIXp0O7rR7qjkj+cPvBHLgBqi960QCoo/PH2/6ZtVqKvrg==}
hasBin: true
uuid@8.3.2:
resolution: {integrity: sha512-+NYs2QeMWy+GWFOEm9xnn6HCDp0l7QBD7ml8zLUmJ+93Q5NF0NocErnwkTkXVFNiX3/fpC6afS8Dhb/gz7R7eg==}
deprecated: uuid@10 and below is no longer supported. For ESM codebases, update to uuid@latest. For CommonJS codebases, use uuid@11 (but be aware this version will likely be deprecated in 2028).
hasBin: true
v8-compile-cache-lib@3.0.1:
resolution: {integrity: sha512-wa7YjyUGfNZngI/vtK0UHAN+lgDCxBPCylVXGp0zu59Fz5aiGtNXaq3DhIov063MorB+VfufLh3JlF2KdTK3xg==}
@@ -13711,7 +13707,7 @@ snapshots:
open: 7.4.2
proxy-agent: 6.5.0
tmp: 0.2.5
uuid: 8.3.2
uuid: 14.0.0
yargs: 15.4.1
yargs-parser: 13.1.2
transitivePeerDependencies:
@@ -22470,7 +22466,7 @@ snapshots:
sockjs@0.3.24:
dependencies:
faye-websocket: 0.11.4
uuid: 8.3.2
uuid: 14.0.0
websocket-driver: 0.7.4
socks-proxy-agent@8.0.5:
@@ -23194,8 +23190,6 @@ snapshots:
uuid@14.0.0: {}
uuid@8.3.2: {}
v8-compile-cache-lib@3.0.1: {}
v8-to-istanbul@9.3.0: