fix(deps): bump uuid to >=11.1.1 via pnpm.overrides (GHSA-w5hq-g745-h8pq) #210
Reference in New Issue
Block a user
Delete Branch "fix/ci-audit-uuid-exemption"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Summary
pnpm ci:auditwas failing onmainwith one moderate-severity finding:@lhci/cli@0.15.1is the latest release and still shipsuuid@8.3.2; no upstream fix yet. Renovate cannot solve this on its own.What lands
package.jsonpnpm.overrides: add"uuid@<11.1.1": ">=11.1.1"alongside the existing axios / ajv / brace-expansion / esbuild / follow-redirects / ip-address / protobufjs / tmp / ws / yaml entries.pnpm-lock.yaml@lhci/cliandsockjs(transitive via the rspack / webpack dev-servers) now resolve touuid@14.0.0— the same major already in the tree viamermaid. Netuuidversions: 2 → 1.Notes for the reviewer
Why an override and not an
auditConfig.ignoreGhsas. The repo already usespnpm.overridesfor 10 prior advisories on transitive deps with no patched release in their consumer — same pattern applied here. An exemption-document path was drafted then dropped: forcing the fix is cleaner than waving away the warning, and the upgrade actually works.Why our usage was not at risk (context, not justification to skip). The advisory affects
uuid.v3/uuid.v5/uuid.v6when called with the optionalbufargument. Both consumers in the tree only useuuid.v4()(random):@lhci/cli/src/collect/node-runner.js:65—\flags-${uuid.v4()}.json``sockjs/lib/transport.js:9—uuidv4 = require('uuid').v4But the audit gate is set to
moderateper ADR-0015; every flagged advisory blocks merge regardless of reachability. Forcing the fix is the documented response.Why
uuid@14works for the CJS consumers.uuid@14is ESM-only (type: module+ conditionalexports).@lhci/clidoesconst uuid = require('uuid')which is a CJS-requires-ESM pattern. Node>= 22.12supports it natively via the stablerequire(esm)capability; the workspace pins Node 24 in.nvmrc, so the consumer is fine. Verified locally:Side benefit.
uuid@8.3.2was also pulled in transitively viasockjs. After the override, the dep tree consolidates onto a singleuuid@14.0.0— removes theFound 2 versions of uuiddedup notice and aligns with the versionmermaidalready uses.Closure condition. When
@lhci/cliships a release withuuid >= 11.1.1(or withuuid@14directly), Renovate will surface the bump; this override row becomes redundant and can be deleted. Same removal cadence as the otherpnpm.overridesentries.Test plan
pnpm ci:audit— clean:No known vulnerabilities found.pnpm ci:check— 13 projects green (no behavioural change against the previous run).@lhci/cli's node-runner module under the override to confirmrequire('uuid')resolves without error on Node 24.mainrunspnpm ci:auditcleanly.