fix(deps): update dependency uuid to v14 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
uuid	^13.0.0 → ^14.0.0

---

uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided

GHSA-w5hq-g745-h8pq

More information

Details

Summary

v3, v5, and v6 accept external output buffers but do not reject out-of-range writes (small buf or large offset).
By contrast, v4, v1, and v7 explicitly throw RangeError on invalid bounds.

This inconsistency allows silent partial writes into caller-provided buffers.

Affected code

• src/v35.ts (v3/v5 path) writes buf[offset + i] without bounds validation.
• src/v6.ts writes buf[offset + i] without bounds validation.

Reproducible PoC

cd /home/StrawHat/uuid
npm ci
npm run build

node --input-type=module -e "
import {v4,v5,v6} from './dist-node/index.js';
const ns='6ba7b810-9dad-11d1-80b4-00c04fd430c8';
for (const [name,fn] of [
  ['v4',()=>v4({},new Uint8Array(8),4)],
  ['v5',()=>v5('x',ns,new Uint8Array(8),4)],
  ['v6',()=>v6({},new Uint8Array(8),4)],
]) {
  try { fn(); console.log(name,'NO_THROW'); }
  catch(e){ console.log(name,'THREW',e.name); }
}"

Observed:

• v4 THREW RangeError
• v5 NO_THROW
• v6 NO_THROW

Example partial overwrite evidence captured during audit:

same true buf [
  170, 170, 170, 170,
   75, 224, 100,  63
]
v6 [
  187, 187, 187, 187,
   31,  19, 185,  64
]

Security impact

• Primary: integrity/robustness issue (silent partial output).
• If an application assumes full UUID writes into preallocated buffers, this can produce malformed/truncated/partially stale identifiers without error.
• In systems where caller-controlled offsets/buffer sizes are exposed indirectly, this may become a security-relevant logic flaw.

Suggested fix

Add the same guard used by v4/v1/v7:

if (offset < 0 || offset + 16 > buf.length) {
  throw new RangeError(`UUID byte range ${offset}:${offset + 15} is out of buffer bounds`);
}

Apply to:

• src/v35.ts (covers v3 and v5)
• src/v6.ts

Severity

• CVSS Score: 6.3 / 10 (Medium)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

References

• https://github.com/uuidjs/uuid/security/advisories/GHSA-w5hq-g745-h8pq
• https://github.com/uuidjs/uuid/commit/3d2c5b0342f0fcb52a5ac681c3d47c13e7444b34
• https://github.com/uuidjs/uuid/releases/tag/v14.0.0
• https://github.com/advisories/GHSA-w5hq-g745-h8pq

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

uuidjs/uuid (uuid)

v14.0.0

Compare Source

Security

• Fixes GHSA-w5hq-g745-h8pq: v3(), v5(), and v6() did not validate that writes would remain within the bounds of a caller-supplied buffer, allowing out-of-bounds writes when an invalid offset was provided. A RangeError is now thrown if offset < 0 or offset + 16 > buf.length.

⚠ BREAKING CHANGES

• crypto is now expected to be globally defined (requires node@​20+) (#​935)
• drop node@​18 support (#​934)
• upgrade minimum supported TypeScript version to 5.4.3, in keeping with the project's policy of supporting TypeScript versions released within the last two years

v13.0.1

Compare Source

Bug Fixes

• backport fix for GHSA-w5hq-g745-h8pq (9d27ddf)

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[changeset-bot]

⚠️ No Changeset found

Latest commit: be35ba1

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[nx-cloud]

View your CI Pipeline Execution ↗ for commit be35ba1

Command	Status	Duration	Result
nx run-many -t build --no-agents	✅ Succeeded	<1s	View ↗
nx affected -t build lint test typecheck e2e-ci	✅ Succeeded	1m 54s	View ↗

---

☁️ Nx Cloud last updated this comment at 2026-04-29 14:42:34 UTC

[nx-cloud]

Important

At least one additional CI pipeline execution has run since the conclusion below was written and it may no longer be applicable.

Nx Cloud has identified a possible root cause for your failed CI:

We investigated the @forgerock/davinci-suites:e2e-ci--src/form-fields.test.ts failure and confirmed it is a pre-existing issue also present on main, unrelated to this PR's changes. Our analysis shows no causal link between the uuid v13→v14 security update and the Playwright strict mode violation caused by duplicate #phone-number-input elements in the DOM. This failure should be addressed independently of this dependency update.

No code changes were suggested for this issue.

Trigger a rerun:

View detailed reasoning on Nx Cloud ↗

_{🎓 Learn more about Self-Healing CI on nx.dev}

[pkg-pr-new]

Open in StackBlitz

@forgerock/davinci-client

pnpm add https://pkg.pr.new/ForgeRock/ping-javascript-sdk/@forgerock/davinci-client@601

@forgerock/device-client

pnpm add https://pkg.pr.new/ForgeRock/ping-javascript-sdk/@forgerock/device-client@601

@forgerock/journey-client

pnpm add https://pkg.pr.new/ForgeRock/ping-javascript-sdk/@forgerock/journey-client@601

@forgerock/oidc-client

pnpm add https://pkg.pr.new/ForgeRock/ping-javascript-sdk/@forgerock/oidc-client@601

@forgerock/protect

pnpm add https://pkg.pr.new/ForgeRock/ping-javascript-sdk/@forgerock/protect@601

@forgerock/sdk-types

pnpm add https://pkg.pr.new/ForgeRock/ping-javascript-sdk/@forgerock/sdk-types@601

@forgerock/sdk-utilities

pnpm add https://pkg.pr.new/ForgeRock/ping-javascript-sdk/@forgerock/sdk-utilities@601

@forgerock/iframe-manager

pnpm add https://pkg.pr.new/ForgeRock/ping-javascript-sdk/@forgerock/iframe-manager@601

@forgerock/sdk-logger

pnpm add https://pkg.pr.new/ForgeRock/ping-javascript-sdk/@forgerock/sdk-logger@601

@forgerock/sdk-oidc

pnpm add https://pkg.pr.new/ForgeRock/ping-javascript-sdk/@forgerock/sdk-oidc@601

@forgerock/sdk-request-middleware

pnpm add https://pkg.pr.new/ForgeRock/ping-javascript-sdk/@forgerock/sdk-request-middleware@601

@forgerock/storage

pnpm add https://pkg.pr.new/ForgeRock/ping-javascript-sdk/@forgerock/storage@601

commit: be35ba1

[codecov-commenter]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 15.78%. Comparing base (5d6747a) to head (be35ba1).
⚠️ Report is 47 commits behind head on main.

❌ Your project status has failed because the head coverage (15.78%) is below the target coverage (40.00%). You can increase the head coverage or adjust the target coverage.

Additional details and impacted files

@@             Coverage Diff             @@
##             main     #601       +/-   ##
===========================================
- Coverage   70.90%   15.78%   -55.12%     
===========================================
  Files          53      154      +101     
  Lines        2021    26701    +24680     
  Branches      377     1142      +765     
===========================================
+ Hits         1433     4215     +2782     
- Misses        588    22486    +21898     

see 101 files with indirect coverage changes

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[github-actions]

Deployed 8586537 to https://ForgeRock.github.io/ping-javascript-sdk/pr-601/8586537c59c3c013796ef9595d9d527f02c6ce37 branch gh-pages in ForgeRock/ping-javascript-sdk

[github-actions]

📦 Bundle Size Analysis

📦 Bundle Size Analysis

🚨 Significant Changes

🔻 @forgerock/device-client - 0.0 KB (-9.9 KB, -100.0%)
🔻 @forgerock/journey-client - 0.0 KB (-90.1 KB, -100.0%)

📊 Minor Changes

📉 @forgerock/device-client - 9.9 KB (-0.0 KB)

➖ No Changes

➖ @forgerock/davinci-client - 48.3 KB
➖ @forgerock/oidc-client - 25.2 KB
➖ @forgerock/sdk-utilities - 11.2 KB
➖ @forgerock/sdk-types - 7.9 KB
➖ @forgerock/protect - 150.1 KB
➖ @forgerock/journey-client - 90.1 KB
➖ @forgerock/storage - 1.5 KB
➖ @forgerock/sdk-oidc - 4.8 KB
➖ @forgerock/sdk-request-middleware - 4.5 KB
➖ @forgerock/sdk-logger - 1.6 KB
➖ @forgerock/iframe-manager - 2.4 KB

---

14 packages analyzed • Baseline from latest main build

Legend

🆕 New package
🔺 Size increased
🔻 Size decreased
➖ No change

ℹ️ How bundle sizes are calculated

• Current Size: Total gzipped size of all files in the package's dist directory
• Baseline: Comparison against the latest build from the main branch
• Files included: All build outputs except source maps and TypeScript build cache
• Exclusions: .map, .tsbuildinfo, and .d.ts.map files

---

_{🔄 Updated automatically on each push to this PR}