Skip to content

fix(deps): resolve uuid to ^11.1.1 to address CVE-2026-41907 in v5#14839

Merged
osama-rizk merged 2 commits into
v5-stablefrom
fix/uuid-cve-v5
Jun 10, 2026
Merged

fix(deps): resolve uuid to ^11.1.1 to address CVE-2026-41907 in v5#14839
osama-rizk merged 2 commits into
v5-stablefrom
fix/uuid-cve-v5

Conversation

@osama-rizk

Copy link
Copy Markdown
Contributor

Issue

Closes part of #14827.

A fresh install of aws-amplify@^5 still pulls a vulnerable uuid@3.4.0 transitively:

% npm why uuid | grep uuid
uuid@3.4.0
  uuid@"^3.2.1" from @aws-amplify/analytics
  uuid@"^3.2.1" from @aws-amplify/api-graphql
  uuid@"3.4.0"  from @aws-amplify/datastore
  uuid@"^3.2.1" from @aws-amplify/notifications
  uuid@"^3.2.1" from @aws-amplify/predictions
  uuid@"^3.2.1" from @aws-amplify/pubsub
  uuid@"^3.0.0" from @aws-sdk/client-comprehend / client-translate / middleware-retry

uuid < 11.1.1 is affected by GHSA-w5hq-g745-h8pq (CVE-2026-41907) — the v3()/v5()/v6() methods skip bounds validation on caller-provided output buffers, allowing silent partial writes that can produce truncated/malformed identifiers.

The other items from #14827axios, js-cookie, fast-xml-parser, qs — were already addressed in #14832. uuid was the remaining gap.

Change

Add a root resolutions entry forcing uuid@^11.1.1, mirroring the v6 fix in #14828 (already released):

   "lodash": "^4.18.1",
-  "js-cookie": "^3.0.7"
+  "js-cookie": "^3.0.7",
+  "uuid": "^11.1.1"

After this, all uuid ranges collapse to a single resolved 11.1.1 in yarn.lock (the vulnerable 3.4.0 / 7.0.3 / 8.3.2 entries are removed).

Compatibility

uuid changed its import surface in v7 (named exports only), so I verified every import site in v5 source:

packages/*/src: import { v1 as uuid } from 'uuid';
                import { v4 as uuid } from 'uuid';
                import { v4 as uuid4 } from 'uuid';

All usages are named imports of v1/v4 — API-compatible from uuid v3 through v11. There are no default imports (import uuid from 'uuid') or uuid.v4() member-access patterns that v7+ removed, so no source changes are required. Confirmed require('uuid') in the installed 11.1.1 exposes v1/v3/v4/v5 as functions.

Notes

uuid < 11.1.1 is vulnerable to GHSA-w5hq-g745-h8pq (CVE-2026-41907):
the v3/v5/v6 methods skip output-buffer bounds validation, allowing
silent partial writes that can produce truncated/malformed identifiers.

A fresh install of aws-amplify v5 pulls uuid@3.4.0 transitively via
analytics, api-graphql, datastore, notifications, predictions, pubsub
and the bundled @aws-sdk v3.6 clients. Add a root resolution forcing
uuid@^11.1.1, mirroring the v6 fix (#14828, already released).

All v5 source uses named imports (`{ v1 }`/`{ v4 }`), which are API
compatible from uuid v3 through v11, so no source changes are needed.
This completes the v5 security updates started in #14832 (axios,
js-cookie, fast-xml-parser, qs); uuid was the remaining item from #14827.

Refs #14827
@osama-rizk osama-rizk requested a review from a team as a code owner June 10, 2026 08:28
@changeset-bot

changeset-bot Bot commented Jun 10, 2026

Copy link
Copy Markdown

⚠️ No Changeset found

Latest commit: 3a1afa5

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@soberm soberm left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

uuid is direct dependency of multiple Amplify packages. A resolution will not work.

…ckages

Address review feedback: uuid is a direct dependency of multiple Amplify
packages, so a root yarn 'resolutions' entry does not fix it for
consumers (resolutions are not published; each package still ships its
own uuid range). A fresh 'npm install aws-amplify@5' would still pull the
vulnerable uuid@3.4.0.

Bump uuid to ^11.1.1 directly in each package that declares it:
analytics, api-graphql, datastore, notifications, predictions, pubsub.
Also bump datastore's @types/uuid 3.4.6 -> ^9.0.0 (the old v3 types
describe a default export that no longer exists in v11), matching v6.
Remove the previously added root resolution.

uuid < 11.1.1 is vulnerable to GHSA-w5hq-g745-h8pq (CVE-2026-41907):
v3/v5/v6 skip output-buffer bounds validation, allowing silent partial
writes. All source uses named imports ({ v1 }/{ v4 }), API-compatible
v3 through v11, so no source changes are required.

Refs #14827
@osama-rizk osama-rizk requested a review from a team as a code owner June 10, 2026 09:24
@osama-rizk

Copy link
Copy Markdown
Contributor Author

Good catch, thanks @soberm — you're right. A root resolutions entry only affects this monorepo's own install and isn't published, so consumers running npm install aws-amplify@5 would still resolve the vulnerable uuid@3.4.0 via each package's declared range.

I've pushed a new commit that bumps uuid to ^11.1.1 as a direct dependency in every package that declares it — analytics, api-graphql, datastore, notifications, predictions, pubsub — and removed the root resolution. I also bumped datastore's @types/uuid 3.4.6^9.0.0 (the v3 types describe a default export that no longer exists in v11), matching what v6 does.

All source uses named imports ({ v1 }/{ v4 }), which are API-compatible from uuid v3 through v11, so no source changes were needed. PTAL 🙏

@osama-rizk osama-rizk merged commit 08eb8c4 into v5-stable Jun 10, 2026
28 checks passed
@osama-rizk osama-rizk deleted the fix/uuid-cve-v5 branch June 10, 2026 09:41
osama-rizk added a commit that referenced this pull request Jun 12, 2026
…eact Native (#14842)

uuid was bumped to ^11.1.1 (#14839) to address CVE-2026-41907. uuid v11's
v4() throws when crypto.getRandomValues is unavailable, whereas uuid v3 fell
back to Math.random(). On React Native crypto.getRandomValues is not present
unless the react-native-get-random-values polyfill is loaded, so every
DataStore.save() of a syncable model (which mints its primary key via uuid4())
now throws on RN.

This loads the polyfill from within @aws-amplify/datastore via a
platform-resolved side-effect module (loadGetRandomValues.native.ts on RN,
a no-op on web/Node, selected automatically by Metro's .native resolution),
mirroring the loadGetRandomValues mechanism already shipped on v6/main. RN
consumers no longer need to add 'import "react-native-get-random-values"'
themselves. react-native-get-random-values is declared as an optional
peerDependency so package managers surface the install/pod requirement
without affecting web/Node consumers.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants