fix(security): bump uuid override to ^11.1.1 to close GHSA-w5hq-g745-h8pq

The previous override ^11.0.0 allowed the vulnerable range 11.0.0 - 11.1.0. npm resolved on 11.1.0, leaving the buffer-bounds-check CVE active in v3/v5/v6 with buf arg. Bumping to ^11.1.1 stays in the 11.x major (CJS compat preserved per past revert at 800f777) and fixes the advisory. npm audit: 0 vulnerabilities. smoke tests pass. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-05 21:35:46 -04:00 · 2026-05-05 21:35:46 -04:00 · 70211fcad7
commit 70211fcad7
parent 097d3f2d35
2 changed files with 4 additions and 4 deletions
--- a/package-lock.json
+++ b/package-lock.json
@ -11863,9 +11863,9 @@
      }
    },
    "node_modules/uuid": {
-      "version": "11.1.0",
-      "resolved": "https://registry.npmjs.org/uuid/-/uuid-11.1.0.tgz",
-      "integrity": "sha512-0/A9rDy9P7cJ+8w1c9WD9V//9Wj15Ce2MPz8Ri6032usz+NfePxx5AcN3bN+r6ZL6jEo066/yNYB3tn4pQEx+A==",
+      "version": "11.1.1",
+      "resolved": "https://registry.npmjs.org/uuid/-/uuid-11.1.1.tgz",
+      "integrity": "sha512-vIYxrBCC/N/K+Js3qSN88go7kIfNPssr/hHCesKCQNAjmgvYS2oqr69kIufEG+O4+PfezOH4EbIeHCfFov8ZgQ==",
      "funding": [
        "https://github.com/sponsors/broofa",
        "https://github.com/sponsors/ctavan"
--- a/package.json
+++ b/package.json
@ -67,7 +67,7 @@
  "overrides": {
    "esbuild": "^0.25.0",
    "@xmldom/xmldom": "^0.8.13",
-    "uuid": "^11.0.0",
+    "uuid": "^11.1.1",
    "postcss": "^8.5.10"
  },
  "private": true