Skip to content

[agent] chore(deps): bump transitive uuid to ^11.1.1 (GHSA-w5hq-g745-h8pq)#762

Draft
github-actions[bot] wants to merge 1 commit into
mainfrom
fix/security-uuid-11-71046cc2d2eb1e4a
Draft

[agent] chore(deps): bump transitive uuid to ^11.1.1 (GHSA-w5hq-g745-h8pq)#762
github-actions[bot] wants to merge 1 commit into
mainfrom
fix/security-uuid-11-71046cc2d2eb1e4a

Conversation

@github-actions

Copy link
Copy Markdown
Contributor

Summary

Fixes Dependabot alert #263GHSA-w5hq-g745-h8pq / CVE-2026-41907: uuid missing buffer bounds check in v3/v5/v6 when an external buffer is provided.

Vulnerable range: uuid < 11.1.1. First patched version: 11.1.1.

Root cause

uuid appears transitively via two paths:

Path Version Scope
dl-centeraws-sdk@^2.xuuid 8.0.0 runtime
nycistanbul-lib-processinfouuid 8.3.2 dev

Neither aws-sdk v2 nor istanbul-lib-processinfo@2.x has shipped a release that pulls in uuid >= 11.1.1, so there is no direct-dependency version bump that resolves the advisory.

Fix

Added an npm overrides entry in the root package.json to force uuid@^11.1.1 across the entire tree:

"overrides": {
  "uuid": "^11.1.1"
}

After applying the override and running npm install:

  • aws-sdk now resolves to uuid@11.1.1 overridden (top-level, deduplicated)
  • istanbul-lib-processinfo now resolves to uuid@11.1.1 deduped

aws-sdk v2 uses only uuid's v4() API for generating request IDs; this API is fully backward-compatible between v8 and v11.

Generated by Dependabot remediation agent · ● 2.1M ·

Add npm overrides to force uuid >= 11.1.1 across all transitive dependencies.

Two vulnerable paths were identified:
- aws-sdk@2.x -> uuid@8.0.0 (runtime)
- nyc -> istanbul-lib-processinfo -> uuid@^8.3.2 (dev)

Neither maintainer has shipped a release that resolves uuid to >= 11.1.1,
so an npm overrides entry is used to force the patched version.
aws-sdk was verified to only use uuid's v4() API, which is compatible.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants