pnpm audit was failing ci:audit at moderate severity:
uuid@<11.1.1 — missing buffer bounds check in v3/v5/v6 when buf
is provided (GHSA-w5hq-g745-h8pq).
Path: . > @lhci/cli@0.15.1 > uuid@8.3.2
@lhci/cli pulls in uuid@8.3.2 (uses only uuid.v4()); the advisory
flags the v3/v5/v6 code paths so our usage is technically not at
risk, but the audit gate is set to moderate and any flagged
advisory blocks CI per ADR-0015.
The override matches the pattern already in use for axios / ajv /
brace-expansion / esbuild / follow-redirects / ip-address /
protobufjs / tmp / ws / yaml — force the transitive dep to a
patched range. uuid@14 is the resolved version (latest), already
in the tree via mermaid; consolidating everything onto a single
major also removes the dedup warning.
Compatibility: uuid@14 is ESM-only (`type: module` + conditional
exports). @lhci/cli does `const uuid = require('uuid')` which
works on Node >= 22.12 via the stable `require(esm)` capability.
The workspace pins Node 24 (.nvmrc), so the CJS consumer is fine.
Verified by loading @lhci/cli's node-runner module under the new
resolution — no exception.
Test plan:
- pnpm ci:audit: clean ("No known vulnerabilities found").
- pnpm ci:check: 13 projects green.