fix(security): override uuid to ^11.0.0 (#75) #78

Merged
maximus merged 1 commit from fix/vuln-B-uuid-override into master 2026-04-24 18:14:25 +00:00

1 commit

Author SHA1 Message Date
le king fu
ed4c10f29c fix(security): override uuid to ^11.0.0
Resolves GHSA-w5hq-g745-h8pq in the transitive chain (xcode + @expo/ngrok).
Per spec decision D3, we pin ^11.0.0 (not ^14.0.0) to avoid an ESM-only release
breaking CJS consumers. The actual vulnerable code paths (v3/v5/v6 with the buf
param) are not used by xcode or @expo/ngrok — they only call uuid.v4() — so the
override is safe in practice even though the npm advisory range is <14.0.0.

Refs #75

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-24 07:16:35 -04:00
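Two things a reviewer would want to check before accepting this merge: that the `overrides` pin actually reached every installed copy of uuid (an override added without regenerating the lockfile can leave a nested copy at its old version), and that the "only v4() is called" argument holds for the consumers. The script below is an added example, not code from this PR or the project. It assumes a lockfileVersion 2/3 `packages` map; the package.json fragment, the lockfile entries, the placeholder dependency name `some-transitive-dep` and its version numbers are all constructed sample data, and the source scan is a regex heuristic, not a parser.

```javascript
// Added example: verify that an npm "overrides" pin for uuid took effect in the
// resolved lockfile, and record whether the pinned version still sits inside
// the advisory range (so the residual risk is an explicit decision).
// Not code from the PR or the project; lockfileVersion 2/3 "packages" shape is
// assumed, and all sample data below is constructed.

// Constructed package.json fragment with the override named in the PR title.
const SAMPLE_PACKAGE_JSON = {
  name: "example-app",
  overrides: { uuid: "^11.0.0" },
};

// Constructed lockfile: the hoisted copy received the override, but a nested
// copy under a hypothetical transitive dependency did not (for example because
// the lockfile was not regenerated after the override was added).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app" },
    "node_modules/uuid": { version: "11.1.0" },
    "node_modules/some-transitive-dep": { version: "1.0.0" },
    "node_modules/some-transitive-dep/node_modules/uuid": { version: "3.4.0" },
  },
};

// Advisory upper bound as stated in the commit message.
const ADVISORY_RANGE = "<14.0.0";

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Caret semantics: ^X.Y.Z is >=X.Y.Z <(X+1).0.0, or <0.(Y+1).0 when X is 0.
function satisfiesCaret(version, range) {
  const m = /^\^(\d+\.\d+\.\d+)$/.exec(range.trim());
  if (!m) throw new Error(`only simple caret ranges are supported: ${range}`);
  const lower = parseVersion(m[1]);
  const upper = lower[0] === 0 ? [0, lower[1] + 1, 0] : [lower[0] + 1, 0, 0];
  const v = parseVersion(version);
  return compareVersions(v, lower) >= 0 && compareVersions(v, upper) < 0;
}

// Advisory ranges of the form "<X.Y.Z".
function isBelow(version, bound) {
  const m = /^<(\d+\.\d+\.\d+)$/.exec(bound.trim());
  if (!m) throw new Error(`only "<X.Y.Z" bounds are supported: ${bound}`);
  return compareVersions(parseVersion(version), parseVersion(m[1])) < 0;
}

// Every installed copy of `name`, hoisted or nested, from the lockfile.
function findInstalled(lock, name) {
  const tail = `node_modules/${name}`;
  return Object.entries(lock.packages || {})
    .filter(([path]) => path === tail || path.endsWith(`/${tail}`))
    .map(([path, meta]) => ({ path, version: meta.version }));
}

// One row per installed copy: did the override apply, and is the version
// still inside the advisory range (accepted risk rather than a fix)?
function auditOverride(pkg, lock, name, advisoryRange) {
  const override = (pkg.overrides || {})[name];
  if (!override) throw new Error(`package.json has no override for ${name}`);
  return findInstalled(lock, name).map(({ path, version }) => ({
    path,
    version,
    overrideApplied: satisfiesCaret(version, override),
    inAdvisoryRange: isBelow(version, advisoryRange),
  }));
}

// Heuristic check of the commit's claim that consumers only call v4(): flag
// v3/v5/v6 calls that pass a third argument (the buf parameter). Regex-based,
// so nested parentheses inside the argument list are not handled.
function findBufCalls(source) {
  const calls = [];
  const re = /\bv([356])\s*\(([^()]*)\)/g;
  let m;
  while ((m = re.exec(source)) !== null) {
    const args = m[2].split(",").map((s) => s.trim()).filter(Boolean);
    if (args.length >= 3) calls.push({ fn: `v${m[1]}`, args: args.length });
  }
  return calls;
}

// Constructed snippets standing in for dependency source files.
const SAFE_CONSUMER = "const id = uuid.v4();\nconst ns = uuid.v5(name, NAMESPACE);";
const RISKY_CONSUMER = "uuid.v5(name, NAMESPACE, buf, offset);";

console.log(JSON.stringify(auditOverride(SAMPLE_PACKAGE_JSON, SAMPLE_LOCK, "uuid", ADVISORY_RANGE), null, 2));
console.log("buf-style calls in risky consumer:", JSON.stringify(findBufCalls(RISKY_CONSUMER)));
```

Run it against the real package.json and package-lock.json after `npm install` has regenerated the lock: any row with `overrideApplied: false` means a copy of uuid escaped the override and the fix is incomplete. Rows with `inAdvisoryRange: true` are expected here, since ^11.0.0 is inside <14.0.0; npm audit matches on version ranges, not on which functions a consumer calls, so those copies will keep being reported and the D3 decision needs to be recorded as an accepted exception rather than rediscovered on every audit run.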