fix(deps): bump uuid to >=11.1.1 via pnpm.overrides (GHSA-w5hq-g745-h8pq) (#210)
## Summary `pnpm ci:audit` was failing on `main` with one moderate-severity finding: ``` uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided GHSA-w5hq-g745-h8pq Vulnerable: uuid < 11.1.1 Path: . > @lhci/cli@0.15.1 > uuid@8.3.2 ``` `@lhci/cli@0.15.1` is the latest release and still ships `uuid@8.3.2`; no upstream fix yet. Renovate cannot solve this on its own. ## What lands | File | Change | | --- | --- | | `package.json` | `pnpm.overrides`: add `"uuid@<11.1.1": ">=11.1.1"` alongside the existing axios / ajv / brace-expansion / esbuild / follow-redirects / ip-address / protobufjs / tmp / ws / yaml entries. | | `pnpm-lock.yaml` | Refreshed. Both `@lhci/cli` and `sockjs` (transitive via the rspack / webpack dev-servers) now resolve to `uuid@14.0.0` — the same major already in the tree via `mermaid`. Net `uuid` versions: 2 → 1. | ## Notes for the reviewer - **Why an override and not an `auditConfig.ignoreGhsas`.** The repo already uses `pnpm.overrides` for 10 prior advisories on transitive deps with no patched release in their consumer — same pattern applied here. An exemption-document path was drafted then dropped: forcing the fix is cleaner than waving away the warning, and the upgrade actually works. - **Why our usage was not at risk (context, not justification to skip).** The advisory affects `uuid.v3` / `uuid.v5` / `uuid.v6` when called with the optional `buf` argument. Both consumers in the tree only use `uuid.v4()` (random): - `@lhci/cli/src/collect/node-runner.js:65` — `\`flags-${uuid.v4()}.json\`` - `sockjs/lib/transport.js:9` — `uuidv4 = require('uuid').v4` But the audit gate is set to `moderate` per [ADR-0015](docs/decisions/0015-cicd-gitea-actions.md); every flagged advisory blocks merge regardless of reachability. Forcing the fix is the documented response. - **Why `uuid@14` works for the CJS consumers.** `uuid@14` is ESM-only (`type: module` + conditional `exports`). `@lhci/cli` does `const uuid = require('uuid')` which is a CJS-requires-ESM pattern. Node `>= 22.12` supports it natively via the stable `require(esm)` capability; the workspace pins Node 24 in [`.nvmrc`](.nvmrc), so the consumer is fine. Verified locally: ``` $ node -e "require('@lhci/cli/src/collect/node-runner.js')" # no error ``` - **Side benefit.** `uuid@8.3.2` was also pulled in transitively via `sockjs`. After the override, the dep tree consolidates onto a single `uuid@14.0.0` — removes the `Found 2 versions of uuid` dedup notice and aligns with the version `mermaid` already uses. - **Closure condition.** When `@lhci/cli` ships a release with `uuid >= 11.1.1` (or with `uuid@14` directly), Renovate will surface the bump; this override row becomes redundant and can be deleted. Same removal cadence as the other `pnpm.overrides` entries. ## Test plan - [x] `pnpm ci:audit` — clean: `No known vulnerabilities found`. - [x] `pnpm ci:check` — 13 projects green (no behavioural change against the previous run). - [x] Loaded `@lhci/cli`'s node-runner module under the override to confirm `require('uuid')` resolves without error on Node 24. - [ ] Post-merge CI on `main` runs `pnpm ci:audit` cleanly. --------- Co-authored-by: Julien Gautier <julien.gautier@apf.asso.fr> Reviewed-on: #210
This commit was merged in pull request #210.
This commit is contained in:
@@ -47,6 +47,7 @@
|
|||||||
"ip-address@<10.1.1": ">=10.1.1",
|
"ip-address@<10.1.1": ">=10.1.1",
|
||||||
"protobufjs@<8.0.2": ">=8.0.2",
|
"protobufjs@<8.0.2": ">=8.0.2",
|
||||||
"tmp@<0.2.4": ">=0.2.4",
|
"tmp@<0.2.4": ">=0.2.4",
|
||||||
|
"uuid@<11.1.1": ">=11.1.1",
|
||||||
"vitepress>vite": ">=6.4.2 <7",
|
"vitepress>vite": ">=6.4.2 <7",
|
||||||
"ws@>=8.0.0 <8.20.1": ">=8.20.1",
|
"ws@>=8.0.0 <8.20.1": ">=8.20.1",
|
||||||
"yaml@<2.8.3": ">=2.8.3",
|
"yaml@<2.8.3": ">=2.8.3",
|
||||||
|
|||||||
Generated
+3
-9
@@ -13,6 +13,7 @@ overrides:
|
|||||||
ip-address@<10.1.1: '>=10.1.1'
|
ip-address@<10.1.1: '>=10.1.1'
|
||||||
protobufjs@<8.0.2: '>=8.0.2'
|
protobufjs@<8.0.2: '>=8.0.2'
|
||||||
tmp@<0.2.4: '>=0.2.4'
|
tmp@<0.2.4: '>=0.2.4'
|
||||||
|
uuid@<11.1.1: '>=11.1.1'
|
||||||
vitepress>vite: '>=6.4.2 <7'
|
vitepress>vite: '>=6.4.2 <7'
|
||||||
ws@>=8.0.0 <8.20.1: '>=8.20.1'
|
ws@>=8.0.0 <8.20.1: '>=8.20.1'
|
||||||
yaml@<2.8.3: '>=2.8.3'
|
yaml@<2.8.3: '>=2.8.3'
|
||||||
@@ -10806,11 +10807,6 @@ packages:
|
|||||||
resolution: {integrity: sha512-Qo+uWgilfSmAhXCMav1uYFynlQO7fMFiMVZsQqZRMIXp0O7rR7qjkj+cPvBHLgBqi960QCoo/PH2/6ZtVqKvrg==}
|
resolution: {integrity: sha512-Qo+uWgilfSmAhXCMav1uYFynlQO7fMFiMVZsQqZRMIXp0O7rR7qjkj+cPvBHLgBqi960QCoo/PH2/6ZtVqKvrg==}
|
||||||
hasBin: true
|
hasBin: true
|
||||||
|
|
||||||
uuid@8.3.2:
|
|
||||||
resolution: {integrity: sha512-+NYs2QeMWy+GWFOEm9xnn6HCDp0l7QBD7ml8zLUmJ+93Q5NF0NocErnwkTkXVFNiX3/fpC6afS8Dhb/gz7R7eg==}
|
|
||||||
deprecated: uuid@10 and below is no longer supported. For ESM codebases, update to uuid@latest. For CommonJS codebases, use uuid@11 (but be aware this version will likely be deprecated in 2028).
|
|
||||||
hasBin: true
|
|
||||||
|
|
||||||
v8-compile-cache-lib@3.0.1:
|
v8-compile-cache-lib@3.0.1:
|
||||||
resolution: {integrity: sha512-wa7YjyUGfNZngI/vtK0UHAN+lgDCxBPCylVXGp0zu59Fz5aiGtNXaq3DhIov063MorB+VfufLh3JlF2KdTK3xg==}
|
resolution: {integrity: sha512-wa7YjyUGfNZngI/vtK0UHAN+lgDCxBPCylVXGp0zu59Fz5aiGtNXaq3DhIov063MorB+VfufLh3JlF2KdTK3xg==}
|
||||||
|
|
||||||
@@ -13711,7 +13707,7 @@ snapshots:
|
|||||||
open: 7.4.2
|
open: 7.4.2
|
||||||
proxy-agent: 6.5.0
|
proxy-agent: 6.5.0
|
||||||
tmp: 0.2.5
|
tmp: 0.2.5
|
||||||
uuid: 8.3.2
|
uuid: 14.0.0
|
||||||
yargs: 15.4.1
|
yargs: 15.4.1
|
||||||
yargs-parser: 13.1.2
|
yargs-parser: 13.1.2
|
||||||
transitivePeerDependencies:
|
transitivePeerDependencies:
|
||||||
@@ -22470,7 +22466,7 @@ snapshots:
|
|||||||
sockjs@0.3.24:
|
sockjs@0.3.24:
|
||||||
dependencies:
|
dependencies:
|
||||||
faye-websocket: 0.11.4
|
faye-websocket: 0.11.4
|
||||||
uuid: 8.3.2
|
uuid: 14.0.0
|
||||||
websocket-driver: 0.7.4
|
websocket-driver: 0.7.4
|
||||||
|
|
||||||
socks-proxy-agent@8.0.5:
|
socks-proxy-agent@8.0.5:
|
||||||
@@ -23194,8 +23190,6 @@ snapshots:
|
|||||||
|
|
||||||
uuid@14.0.0: {}
|
uuid@14.0.0: {}
|
||||||
|
|
||||||
uuid@8.3.2: {}
|
|
||||||
|
|
||||||
v8-compile-cache-lib@3.0.1: {}
|
v8-compile-cache-lib@3.0.1: {}
|
||||||
|
|
||||||
v8-to-istanbul@9.3.0:
|
v8-to-istanbul@9.3.0:
|
||||||
|
|||||||
Reference in New Issue
Block a user