fix(deps): bump uuid to >=11.1.1 via pnpm.overrides (GHSA-w5hq-g745-h8pq) #210

Merged
julien merged 1 commits from fix/ci-audit-uuid-exemption into main 2026-05-24 00:40:39 +02:00
Owner

Summary

pnpm ci:audit was failing on main with one moderate-severity finding:

uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided
GHSA-w5hq-g745-h8pq
Vulnerable: uuid < 11.1.1
Path:       . > @lhci/cli@0.15.1 > uuid@8.3.2

@lhci/cli@0.15.1 is the latest release and still ships uuid@8.3.2; no upstream fix yet. Renovate cannot solve this on its own.

What lands

File Change
package.json pnpm.overrides: add "uuid@<11.1.1": ">=11.1.1" alongside the existing axios / ajv / brace-expansion / esbuild / follow-redirects / ip-address / protobufjs / tmp / ws / yaml entries.
pnpm-lock.yaml Refreshed. Both @lhci/cli and sockjs (transitive via the rspack / webpack dev-servers) now resolve to uuid@14.0.0 — the same major already in the tree via mermaid. Net uuid versions: 2 → 1.

Notes for the reviewer

  • Why an override and not an auditConfig.ignoreGhsas. The repo already uses pnpm.overrides for 10 prior advisories on transitive deps with no patched release in their consumer — same pattern applied here. An exemption-document path was drafted then dropped: forcing the fix is cleaner than waving away the warning, and the upgrade actually works.

  • Why our usage was not at risk (context, not justification to skip). The advisory affects uuid.v3 / uuid.v5 / uuid.v6 when called with the optional buf argument. Both consumers in the tree only use uuid.v4() (random):

    • @lhci/cli/src/collect/node-runner.js:65\flags-${uuid.v4()}.json``
    • sockjs/lib/transport.js:9uuidv4 = require('uuid').v4
      But the audit gate is set to moderate per ADR-0015; every flagged advisory blocks merge regardless of reachability. Forcing the fix is the documented response.
  • Why uuid@14 works for the CJS consumers. uuid@14 is ESM-only (type: module + conditional exports). @lhci/cli does const uuid = require('uuid') which is a CJS-requires-ESM pattern. Node >= 22.12 supports it natively via the stable require(esm) capability; the workspace pins Node 24 in .nvmrc, so the consumer is fine. Verified locally:

    $ node -e "require('@lhci/cli/src/collect/node-runner.js')"
    # no error
    
  • Side benefit. uuid@8.3.2 was also pulled in transitively via sockjs. After the override, the dep tree consolidates onto a single uuid@14.0.0 — removes the Found 2 versions of uuid dedup notice and aligns with the version mermaid already uses.

  • Closure condition. When @lhci/cli ships a release with uuid >= 11.1.1 (or with uuid@14 directly), Renovate will surface the bump; this override row becomes redundant and can be deleted. Same removal cadence as the other pnpm.overrides entries.

Test plan

  • pnpm ci:audit — clean: No known vulnerabilities found.
  • pnpm ci:check — 13 projects green (no behavioural change against the previous run).
  • Loaded @lhci/cli's node-runner module under the override to confirm require('uuid') resolves without error on Node 24.
  • Post-merge CI on main runs pnpm ci:audit cleanly.
## Summary `pnpm ci:audit` was failing on `main` with one moderate-severity finding: ``` uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided GHSA-w5hq-g745-h8pq Vulnerable: uuid < 11.1.1 Path: . > @lhci/cli@0.15.1 > uuid@8.3.2 ``` `@lhci/cli@0.15.1` is the latest release and still ships `uuid@8.3.2`; no upstream fix yet. Renovate cannot solve this on its own. ## What lands | File | Change | | --- | --- | | `package.json` | `pnpm.overrides`: add `"uuid@<11.1.1": ">=11.1.1"` alongside the existing axios / ajv / brace-expansion / esbuild / follow-redirects / ip-address / protobufjs / tmp / ws / yaml entries. | | `pnpm-lock.yaml` | Refreshed. Both `@lhci/cli` and `sockjs` (transitive via the rspack / webpack dev-servers) now resolve to `uuid@14.0.0` — the same major already in the tree via `mermaid`. Net `uuid` versions: 2 → 1. | ## Notes for the reviewer - **Why an override and not an `auditConfig.ignoreGhsas`.** The repo already uses `pnpm.overrides` for 10 prior advisories on transitive deps with no patched release in their consumer — same pattern applied here. An exemption-document path was drafted then dropped: forcing the fix is cleaner than waving away the warning, and the upgrade actually works. - **Why our usage was not at risk (context, not justification to skip).** The advisory affects `uuid.v3` / `uuid.v5` / `uuid.v6` when called with the optional `buf` argument. Both consumers in the tree only use `uuid.v4()` (random): - `@lhci/cli/src/collect/node-runner.js:65` — `\`flags-${uuid.v4()}.json\`` - `sockjs/lib/transport.js:9` — `uuidv4 = require('uuid').v4` But the audit gate is set to `moderate` per [ADR-0015](docs/decisions/0015-cicd-gitea-actions.md); every flagged advisory blocks merge regardless of reachability. Forcing the fix is the documented response. - **Why `uuid@14` works for the CJS consumers.** `uuid@14` is ESM-only (`type: module` + conditional `exports`). `@lhci/cli` does `const uuid = require('uuid')` which is a CJS-requires-ESM pattern. Node `>= 22.12` supports it natively via the stable `require(esm)` capability; the workspace pins Node 24 in [`.nvmrc`](.nvmrc), so the consumer is fine. Verified locally: ``` $ node -e "require('@lhci/cli/src/collect/node-runner.js')" # no error ``` - **Side benefit.** `uuid@8.3.2` was also pulled in transitively via `sockjs`. After the override, the dep tree consolidates onto a single `uuid@14.0.0` — removes the `Found 2 versions of uuid` dedup notice and aligns with the version `mermaid` already uses. - **Closure condition.** When `@lhci/cli` ships a release with `uuid >= 11.1.1` (or with `uuid@14` directly), Renovate will surface the bump; this override row becomes redundant and can be deleted. Same removal cadence as the other `pnpm.overrides` entries. ## Test plan - [x] `pnpm ci:audit` — clean: `No known vulnerabilities found`. - [x] `pnpm ci:check` — 13 projects green (no behavioural change against the previous run). - [x] Loaded `@lhci/cli`'s node-runner module under the override to confirm `require('uuid')` resolves without error on Node 24. - [ ] Post-merge CI on `main` runs `pnpm ci:audit` cleanly.
julien added 1 commit 2026-05-24 00:37:03 +02:00
fix(deps): bump uuid to >=11.1.1 via pnpm.overrides (GHSA-w5hq-g745-h8pq)
CI / commits (pull_request) Successful in 3m0s
CI / scan (pull_request) Successful in 3m19s
CI / check (pull_request) Successful in 4m17s
CI / a11y (pull_request) Successful in 2m32s
Docs site / build (pull_request) Successful in 4m0s
CI / perf (pull_request) Successful in 7m24s
15da7a5778
pnpm audit was failing ci:audit at moderate severity:

  uuid@<11.1.1 — missing buffer bounds check in v3/v5/v6 when buf
  is provided (GHSA-w5hq-g745-h8pq).
  Path: . > @lhci/cli@0.15.1 > uuid@8.3.2

@lhci/cli pulls in uuid@8.3.2 (uses only uuid.v4()); the advisory
flags the v3/v5/v6 code paths so our usage is technically not at
risk, but the audit gate is set to moderate and any flagged
advisory blocks CI per ADR-0015.

The override matches the pattern already in use for axios / ajv /
brace-expansion / esbuild / follow-redirects / ip-address /
protobufjs / tmp / ws / yaml — force the transitive dep to a
patched range. uuid@14 is the resolved version (latest), already
in the tree via mermaid; consolidating everything onto a single
major also removes the dedup warning.

Compatibility: uuid@14 is ESM-only (`type: module` + conditional
exports). @lhci/cli does `const uuid = require('uuid')` which
works on Node >= 22.12 via the stable `require(esm)` capability.
The workspace pins Node 24 (.nvmrc), so the CJS consumer is fine.
Verified by loading @lhci/cli's node-runner module under the new
resolution — no exception.

Test plan:
- pnpm ci:audit: clean ("No known vulnerabilities found").
- pnpm ci:check: 13 projects green.
julien merged commit 77af6951c9 into main 2026-05-24 00:40:39 +02:00
julien deleted branch fix/ci-audit-uuid-exemption 2026-05-24 00:40:40 +02:00
Sign in to join this conversation.
No Reviewers
No Label
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: julien/apf_portal#210