fix(deps): resolve uuid to ^11.1.1 to address CVE-2026-41907 in v5#14839
Conversation
uuid < 11.1.1 is vulnerable to GHSA-w5hq-g745-h8pq (CVE-2026-41907): the v3/v5/v6 methods skip output-buffer bounds validation, allowing silent partial writes that can produce truncated/malformed identifiers. A fresh install of aws-amplify v5 pulls uuid@3.4.0 transitively via analytics, api-graphql, datastore, notifications, predictions, pubsub and the bundled @aws-sdk v3.6 clients. Add a root resolution forcing uuid@^11.1.1, mirroring the v6 fix (#14828, already released). All v5 source uses named imports (`{ v1 }`/`{ v4 }`), which are API compatible from uuid v3 through v11, so no source changes are needed. This completes the v5 security updates started in #14832 (axios, js-cookie, fast-xml-parser, qs); uuid was the remaining item from #14827. Refs #14827
|
soberm
left a comment
There was a problem hiding this comment.
uuid is direct dependency of multiple Amplify packages. A resolution will not work.
…ckages Address review feedback: uuid is a direct dependency of multiple Amplify packages, so a root yarn 'resolutions' entry does not fix it for consumers (resolutions are not published; each package still ships its own uuid range). A fresh 'npm install aws-amplify@5' would still pull the vulnerable uuid@3.4.0. Bump uuid to ^11.1.1 directly in each package that declares it: analytics, api-graphql, datastore, notifications, predictions, pubsub. Also bump datastore's @types/uuid 3.4.6 -> ^9.0.0 (the old v3 types describe a default export that no longer exists in v11), matching v6. Remove the previously added root resolution. uuid < 11.1.1 is vulnerable to GHSA-w5hq-g745-h8pq (CVE-2026-41907): v3/v5/v6 skip output-buffer bounds validation, allowing silent partial writes. All source uses named imports ({ v1 }/{ v4 }), API-compatible v3 through v11, so no source changes are required. Refs #14827
|
Good catch, thanks @soberm — you're right. A root I've pushed a new commit that bumps All source uses named imports ( |
…eact Native (#14842) uuid was bumped to ^11.1.1 (#14839) to address CVE-2026-41907. uuid v11's v4() throws when crypto.getRandomValues is unavailable, whereas uuid v3 fell back to Math.random(). On React Native crypto.getRandomValues is not present unless the react-native-get-random-values polyfill is loaded, so every DataStore.save() of a syncable model (which mints its primary key via uuid4()) now throws on RN. This loads the polyfill from within @aws-amplify/datastore via a platform-resolved side-effect module (loadGetRandomValues.native.ts on RN, a no-op on web/Node, selected automatically by Metro's .native resolution), mirroring the loadGetRandomValues mechanism already shipped on v6/main. RN consumers no longer need to add 'import "react-native-get-random-values"' themselves. react-native-get-random-values is declared as an optional peerDependency so package managers surface the install/pod requirement without affecting web/Node consumers.
Issue
Closes part of #14827.
A fresh install of
aws-amplify@^5still pulls a vulnerableuuid@3.4.0transitively:uuid < 11.1.1is affected by GHSA-w5hq-g745-h8pq (CVE-2026-41907) — thev3()/v5()/v6()methods skip bounds validation on caller-provided output buffers, allowing silent partial writes that can produce truncated/malformed identifiers.The other items from #14827 — axios, js-cookie, fast-xml-parser, qs — were already addressed in #14832. uuid was the remaining gap.
Change
Add a root
resolutionsentry forcinguuid@^11.1.1, mirroring the v6 fix in #14828 (already released):After this, all
uuidranges collapse to a single resolved11.1.1inyarn.lock(the vulnerable 3.4.0 / 7.0.3 / 8.3.2 entries are removed).Compatibility
uuid changed its import surface in v7 (named exports only), so I verified every import site in v5 source:
All usages are named imports of
v1/v4— API-compatible from uuid v3 through v11. There are no default imports (import uuid from 'uuid') oruuid.v4()member-access patterns that v7+ removed, so no source changes are required. Confirmedrequire('uuid')in the installed 11.1.1 exposesv1/v3/v4/v5as functions.Notes
package.json+yarn.lock, onlyuuidentries change..changeset/).pubsub/api-graphqlTypeScript build errors (symbolindex types) on v5-stable are unrelated to this change — they reproduce on a pristinev5-stablecheckout (introduced by the Node 24 toolchain bump in chore: bump node from 18/22 to 24 in v5 #14784) and are unaffected by this resolution.