chore(deps): upgrade uuid to v14#529
Open
orien wants to merge 1 commit into
Open
Conversation
uuid v12+ is ESM-only and uses the exports field / Web Crypto API. Adapt the Jest 24 harness to resolve and transform it: - map bare uuid import to its entry file (Jest 24 predates exports) - allow Babel to transpile uuid's ESM - polyfill Web Crypto in the jsdom test setup
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Context
The project depends on
uuid^8.3.1. It uses a single symbol —import { v4 as uuidv4 } from 'uuid'— to generate instance and node IDs.Version 8 is no longer maintained. The uuid team currently ships fixes only for
latest(v14) plus three backport lines, exposed as thelegacy-11(11.1.1),legacy-12(12.0.1), andlegacy-13(13.0.2) npm dist-tags; majors at or below v10 receive no updates. That gap matters here because alluuidreleases before 11.1.1 (8.3.1 among them) are affected by CVE-2026-41907: a missing buffer bounds check in the v3/v5/v6 functions when abufargument is supplied, allowing an out-of-bounds write (CWE-787, CVSS 7.5). The fix was backported as far as 11.1.1 — the oldest still-maintained line — and never to v8. This project only callsv4()with no buffer, so the flaw is not exploitable in our usage, but the unmaintained, affected version still surfaces in dependency audits.Changes
uuidto^14, moving onto a maintained major and clearing the affected version. The runtime source is unchanged; thev4import is stable across v8→v14 and the library build (tsc) passes untouched.jest.config.json: map the bareuuidimport to its entry file (Jest 24 predates theexportsfield) and adduuidto thetransformIgnorePatternsexception so Babel transpiles its ESM.jest/setup.ts: polyfill the Web Crypto API in the jsdom environment, which uuid v14 relies on forgetRandomValues/randomUUID.Considerations
exportsfield and does not provide the Web Crypto API in its jsdom environment. uuid dropped CommonJS in v12 and is ESM-only from there on, which is why the harness — not the source — required adaptation.moduleNameMappermapping.uuid@3.4.0still reaches the tree viacoveralls > request; it is unaffected by this change and would be cleared by upgrading those dev dependencies.npm run buildpasses andnpm testpasses all 4 suites (79 passed, 2 pre-existing skips).