From 70211fcad7cd39d9df9fda66f7db700ea535f2e4 Mon Sep 17 00:00:00 2001
From: le king fu
Date: Tue, 5 May 2026 21:35:46 -0400
Subject: [PATCH] fix(security): bump uuid override to ^11.1.1 to close GHSA-w5hq-g745-h8pq

The previous override ^11.0.0 allowed the vulnerable range 11.0.0 - 11.1.0. npm resolved on 11.1.0, leaving the buffer-bounds-check CVE active in v3/v5/v6 with buf arg. Bumping to ^11.1.1 stays in the 11.x major (CJS compat preserved per past revert at 800f777) and fixes the advisory. npm audit: 0 vulnerabilities. smoke tests pass.
Co-Authored-By: Claude Opus 4.7 (1M context)
---
 package-lock.json | 6 +++---
 package.json | 2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index 27a72cd..9713864 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -11863,9 +11863,9 @@
 }
 },
 "node_modules/uuid": {
- "version": "11.1.0",
- "resolved": "https://registry.npmjs.org/uuid/-/uuid-11.1.0.tgz",
- "integrity": "sha512-0/A9rDy9P7cJ+8w1c9WD9V//9Wj15Ce2MPz8Ri6032usz+NfePxx5AcN3bN+r6ZL6jEo066/yNYB3tn4pQEx+A==",
+ "version": "11.1.1",
+ "resolved": "https://registry.npmjs.org/uuid/-/uuid-11.1.1.tgz",
+ "integrity": "sha512-vIYxrBCC/N/K+Js3qSN88go7kIfNPssr/hHCesKCQNAjmgvYS2oqr69kIufEG+O4+PfezOH4EbIeHCfFov8ZgQ==",
 "funding": [
 "https://github.com/sponsors/broofa",
 "https://github.com/sponsors/ctavan"
diff --git a/package.json b/package.json
index f41f48e..c1eff2c 100644
--- a/package.json
+++ b/package.json
@@ -67,7 +67,7 @@
 "overrides": {
 "esbuild": "^0.25.0",
 "@xmldom/xmldom": "^0.8.13",
- "uuid": "^11.0.0",
+ "uuid": "^11.1.1",
 "postcss": "^8.5.10"
 },
 "private": true