
fix(deps): update uuid (medium) #44

Merged
DTCurrie merged 1 commit into main from claude/dependabot-sweep-uuid
Apr 27, 2026

Conversation


@claude claude (Bot, Contributor) commented Apr 27, 2026

Summary

  • Override uuid to >=14.0.0 via pnpm.overrides to resolve GHSA-w5hq-g745-h8pq (medium severity: missing buffer bounds check in v3/v5/v6 when buf is provided)
  • uuid is a transitive dependency of vite-plugin-devtools-json@1.0.0, which depends on uuid@^11.1.0. No version of vite-plugin-devtools-json exists that pulls in uuid@>=14.0.0, so a pnpm override was required as a last resort.
  • The override should be removed once vite-plugin-devtools-json releases a version that depends on uuid@>=14.0.0.

Advisories resolved

GHSA ID              Severity  Patched version
GHSA-w5hq-g745-h8pq  medium    14.0.0

Lockfiles modified

  • pnpm-lock.yaml

Unresolved alerts

None — all alerts resolved.

Test plan

  • pnpm install succeeds
  • pnpm build succeeds
  • pnpm why uuid confirms uuid@14.0.0

Resolves #42

Commit message:

uuid is a transitive dependency of vite-plugin-devtools-json, which
has no version that depends on uuid>=14.0.0. Added pnpm override to
force the patched version.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@changeset-bot changeset-bot (Bot) commented Apr 27, 2026

⚠️ No Changeset found

Latest commit: 89b5e6d

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@claude claude (Bot, Contributor, Author) left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Review: fix(deps): update uuid (medium)

This is a correct, minimal security override. No blocking issues.

What was reviewed:

  • package.json: new pnpm.overrides block forcing uuid to >=14.0.0
  • pnpm-lock.yaml: uuid upgraded from 11.1.0 → 14.0.0 in both the resolution and snapshot sections

Findings:

Override placement is correct. pnpm.overrides is the right mechanism here — vite-plugin-devtools-json@1.0.0 pins uuid@^11.1.0 with no released version that pulls >=14.0.0, so an override is the only option short of forking the plugin.

Lockfile is consistent. All three locations in pnpm-lock.yaml are updated (overrides block, packages section, and the vite-plugin-devtools-json snapshot). uuid@14.0.0 has no transitive dependencies ({}), so there's no hidden dependency churn.

Scope is correct. uuid-tool@2.0.3 (a completely separate package used by @viamrobotics/prime-core) is untouched.

Change is minimal. No source files, no tests, no config files other than what's required.

Minor observation (non-blocking): The range >=14.0.0 is wide — a future pnpm update uuid could install uuid@15+ which may have breaking changes. ^14.0.0 would be more conservative. In practice the lockfile pins 14.0.0 so this only matters on an explicit pnpm update, and the PR description already notes the override should be removed when vite-plugin-devtools-json ships a compatible version. Acceptable as-is.

@DTCurrie DTCurrie merged commit 078cc1d into main Apr 27, 2026
9 checks passed

Development

Successfully merging this pull request may close these issues.

fix(deps): update uuid (medium, 1 alerts)