fix(security): override uuid to ^11.0.0
Resolves GHSA-w5hq-g745-h8pq in the transitive chain (xcode + @expo/ngrok). Per spec decision D3, we pin ^11.0.0 (not ^14.0.0) to avoid ESM-only breaking CJS consumers. The actually vulnerable code paths (v3/v5/v6 with the buf param) are not used by xcode or @expo/ngrok — they only call uuid.v4() — so the override is safe in practice even though the npm advisory range is <14.0.0. Refs #75 Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
parent
5842a686b2
commit
ed4c10f29c
2 changed files with 10 additions and 15 deletions
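--- a/package-lock.json
+++ b/package-lock.json
@@ -2534,16 +2534,6 @@
 "win32"
 ]
 },
-"node_modules/@expo/ngrok/node_modules/uuid": {
-"version": "3.4.0",
-"resolved": "https://registry.npmjs.org/uuid/-/uuid-3.4.0.tgz",
-"integrity": "sha512-HjSDRw6gZE5JMggctHBcjVak08+KEVhSIiDzFnT9S9aegmp85S/bReBVTb4QTFaRNptJ9kuYaNhnbNEOkbKb/A==",
-"deprecated": "Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. See https://v8.dev/blog/math-random for details.",
-"license": "MIT",
-"bin": {
-"uuid": "bin/uuid"
-}
-},
 "node_modules/@expo/ngrok/node_modules/yaml": {
 "version": "1.10.3",
 "resolved": "https://registry.npmjs.org/yaml/-/yaml-1.10.3.tgz",
@@ -11873,12 +11863,16 @@
 }
 },
 "node_modules/uuid": {
-"version": "7.0.3",
-"resolved": "https://registry.npmjs.org/uuid/-/uuid-7.0.3.tgz",
-"integrity": "sha512-DPSke0pXhTZgoF/d+WSt2QaKMCFSfx7QegxEWT+JOuHF5aWrKEn0G+ztjuJg/gG8/ItK+rbPCD/yNv8yyih6Cg==",
+"version": "11.1.0",
+"resolved": "https://registry.npmjs.org/uuid/-/uuid-11.1.0.tgz",
+"integrity": "sha512-0/A9rDy9P7cJ+8w1c9WD9V//9Wj15Ce2MPz8Ri6032usz+NfePxx5AcN3bN+r6ZL6jEo066/yNYB3tn4pQEx+A==",
+"funding": [
+"https://github.com/sponsors/broofa",
+"https://github.com/sponsors/ctavan"
+],
 "license": "MIT",
 "bin": {
-"uuid": "dist/bin/uuid"
+"uuid": "dist/esm/bin/uuid"
 }
 },
 "node_modules/validate-npm-package-name": {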
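--- a/package.json
+++ b/package.json
@@ -65,7 +65,8 @@
 },
 "overrides": {
 "esbuild": "^0.25.0",
-"@xmldom/xmldom": "^0.8.13"
+"@xmldom/xmldom": "^0.8.13",
+"uuid": "^11.0.0"
 },
 "private": true
 }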
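Review bot: The `"uuid": "^11.0.0"` override forces @expo/ngrok's nested uuid from 3.4.0 (the entry removed in the package-lock hunk at -2534) straight to 11.x, and the safety argument in the commit message — that both consumers only call `uuid.v4()` — is asserted rather than shown anywhere in the diff. uuid 3.x exposed a callable default export and deep imports such as `uuid/v4`, neither of which survives in 11.x, so an override that satisfies the advisory can still fail at runtime in xcode or ngrok code that the lockfile alone does not reveal. Before relying on it, check both packages under node_modules for those import forms and keep a smoke test that loads each under the overridden tree, and record the rationale (decision D3, the unused v3/v5/v6 buf paths, and the condition for lifting the pin to ^14) in a tracked place such as issue #75 or a SECURITY note, since package.json cannot carry a comment. The hunk starts and ends mid-file; the rest of package.json is outside it.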