Pin transitive uuid to 11.1.1 to remediate GHSA-w5hq-g745-h8pq#54
Merged
Conversation
Copilot
AI
changed the title
[WIP] Fix buffer bounds check in uuid v3/v5/v6
Pin transitive Jul 8, 2026
uuid to 11.1.1 to remediate GHSA-w5hq-g745-h8pq
mageroni
approved these changes
Jul 8, 2026
mageroni
approved these changes
Jul 8, 2026
There was a problem hiding this comment.
Pull request overview
Pins a vulnerable transitive uuid@8.3.2 dependency to the minimum patched baseline (11.1.1) using npm overrides, and updates the lockfile so installs resolve the remediated version. This fits the codebase’s dependency hygiene/security maintenance by addressing a Dependabot alert without migrating direct dependencies.
Changes:
- Add
uuid: 11.1.1topackage.jsonoverrides. - Regenerate
package-lock.jsonsonode_modules/uuidresolves to11.1.1instead of8.3.2.
Show a summary per file
| File | Description |
|---|---|
| package.json | Adds an npm override to force uuid to the patched version. |
| package-lock.json | Updates resolved uuid package metadata to 11.1.1 in the lockfile. |
Review details
Tip
Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
- Files reviewed: 1/2 changed files
- Comments generated: 1
- Review effort level: Low
Comment on lines
35
to
38
| "overrides": { | ||
| "protobufjs": "8.6.3" | ||
| "protobufjs": "8.6.3", | ||
| "uuid": "11.1.1" | ||
| }, |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
uuid@8.3.2was present transitively and is affected by GHSA-w5hq-g745-h8pq / CVE-2026-41907 (v3/v5/v6can perform out-of-bounds partial buffer writes). This change moves resolution to the minimum patched version (11.1.1) with the smallest possible dependency-scope update.Dependency remediation
uuidto11.1.1(patched baseline).uuid@8.3.2.Lockfile impact
package-lock.jsonnow resolvesnode_modules/uuidto11.1.1.Reachability Assessment
uuidAPIsv3(),v5(), andv6()with external buffer usage.uuidimports and no call sites ofv3/v5/v6.applicationinsightschain), so this is primarily scanner/risk-hardening remediation rather than a confirmed active code path.{ "overrides": { "protobufjs": "8.6.3", "uuid": "11.1.1" } }Original prompt
This section details the Dependabot vulnerability alert you should resolve
<alert_title>uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided</alert_title>
<alert_description>### Summary
The
v3(),v5(), andv6()API methods (notuuidrelease versions) accept external output buffers but do not reject out-of-range writes (smallbufor largeoffset).By contrast,
v4(),v1(), andv7()API methods explicitly throwRangeErroron invalid bounds.This inconsistency allows silent partial writes into caller-provided buffers.
Affected code
src/v35.ts(v3()/v5()path) writesbuf[offset + i]without bounds validation.src/v6.tswritesbuf[offset + i]without bounds validation.Reproducible PoC
Observed:
v4() THREW RangeErrorv5() NO_THROWv6() NO_THROWExample partial overwrite evidence captured during audit:
Security impact
Suggested fix
Add the same guard used by
v4()/v1()/v7():Apply to:
src/v35.ts(coversv3()andv5())src/v6.ts</alert_description>moderate
https://github.com/uuidjs/uuid/security/advisories/GHSA-w5hq-g745-h8pq https://github.com/uuidjs/uuid/commit/3d2c5b0342f0fcb52a5ac681c3d47c13e7444b34 https://github.com/uuidjs/uuid/releases/tag/v14.0.0 https://nvd.nist.gov/vuln/detail/CVE-2026-41907 https://github.com/uuidjs/uuid/commit/32389c887c9e75f90442ee4cc95bbab0c4e8346e https://github.com/uuidjs/uuid/commit/3d61d6ac1f782cf6b1dd8661c60f11722cd49a0d https://github.com/uuidjs/uuid/commit/9d27ddf7046ce496ef39569ff84d948eeff9cb2a https://github.com/uuidjs/uuid/releases/tag/v11.1.1 https://github.com/uuidjs/uuid/releases/tag/v12.0.1 https://github.com/uuidjs/uuid/releases/tag/v13.0.1 https://github.com/advisories/GHSA-w5hq-g745-h8pqGHSA-w5hq-g745-h8pq, CVE-2026-41907
uuid
npm
<vulnerable_versions>8.3.2</vulnerable_versions>
<patched_version>11.1.1</patched_version>
<manifest_path>package-lock.json</manifest_path>
<task_instructions>Resolve this alert by updating the affected package to a non-vulnerable version. Prefer the lowest non-vulnerable version (see the patched_version field above) over the latest to minimize breaking changes. Include a Reachability Assessment section in the PR description. Review the alert_description field to understand which APIs, features, or configurations are affected, then search the codebase for usage of those specific items. If the vulnerable code path is reachable, explain how (which files, APIs, or call sites use the affected functionality) and note that the codebase is actively exposed to this vulnerability. If the vulnerable code path is not reachable, explain why (e.g. the affected API is never called, the vulnerable configuration is not used) and note that the update is primarily to satisfy vulnerability scanners rather than to address an active risk. If the advisory is too vague to determine reachability (e.g. 'improper input validation' with no specific API named), state that reachability could not be determined and explain why. Include a confidence level in the reachability assessment (e.g. high confidence if the advisory names a specific API and you confirmed it is or is not called, low confidence if the usage is indirect and hard to trace). If no patched version is available, check the alert_description field for a Workarounds section — the advisory may describe configuration changes or usage patterns that mitigate the vulnerability without a version update. If a workaround is available, apply it and leave a code comment referencing the advisory identifier explaining it is a temporary mitigation. If neither a p...