fix(deps): bump uuid to >=11.1.1 via pnpm.overrides (GHSA-w5hq-g745-h8pq) #210

Merged
julien merged 1 commits from fix/ci-audit-uuid-exemption into main 2026-05-24 00:40:39 +02:00

1 Commits

Author SHA1 Message Date
Julien Gautier 15da7a5778 fix(deps): bump uuid to >=11.1.1 via pnpm.overrides (GHSA-w5hq-g745-h8pq)
CI / commits (pull_request) Successful in 3m0s
CI / scan (pull_request) Successful in 3m19s
CI / check (pull_request) Successful in 4m17s
CI / a11y (pull_request) Successful in 2m32s
Docs site / build (pull_request) Successful in 4m0s
CI / perf (pull_request) Successful in 7m24s
pnpm audit was failing ci:audit at moderate severity:

  uuid@<11.1.1 — missing buffer bounds check in v3/v5/v6 when buf
  is provided (GHSA-w5hq-g745-h8pq).
  Path: . > @lhci/cli@0.15.1 > uuid@8.3.2

@lhci/cli pulls in uuid@8.3.2 (uses only uuid.v4()); the advisory
flags the v3/v5/v6 code paths so our usage is technically not at
risk, but the audit gate is set to moderate and any flagged
advisory blocks CI per ADR-0015.

The override matches the pattern already in use for axios / ajv /
brace-expansion / esbuild / follow-redirects / ip-address /
protobufjs / tmp / ws / yaml — force the transitive dep to a
patched range. uuid@14 is the resolved version (latest), already
in the tree via mermaid; consolidating everything onto a single
major also removes the dedup warning.

Compatibility: uuid@14 is ESM-only (`type: module` + conditional
exports). @lhci/cli does `const uuid = require('uuid')` which
works on Node >= 22.12 via the stable `require(esm)` capability.
The workspace pins Node 24 (.nvmrc), so the CJS consumer is fine.
Verified by loading @lhci/cli's node-runner module under the new
resolution — no exception.

Test plan:
- pnpm ci:audit: clean ("No known vulnerabilities found").
- pnpm ci:check: 13 projects green.
2026-05-24 00:25:59 +02:00