
Update dependency uuid to v14 [SECURITY] - abandoned #8794

Open: backstage-goalie[bot] wants to merge 2 commits into main from renovate/npm-uuid-vulnerability


Conversation

@backstage-goalie (Bot, Contributor) commented Apr 23, 2026

This PR contains the following updates:

Package   Change
uuid      ^9.0.0  -> ^14.0.0
uuid      ^13.0.0 -> ^14.0.0
uuid      ^11.0.0 -> ^14.0.0
uuid      ^11.1.0 -> ^14.0.0

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.


uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided

GHSA-w5hq-g745-h8pq


Summary

v3, v5, and v6 accept external output buffers but do not reject out-of-range writes (small buf or large offset).
By contrast, v4, v1, and v7 explicitly throw RangeError on invalid bounds.

This inconsistency allows silent partial writes into caller-provided buffers.

Affected code
  • src/v35.ts (v3/v5 path) writes buf[offset + i] without bounds validation.
  • src/v6.ts writes buf[offset + i] without bounds validation.
Reproducible PoC
cd /home/StrawHat/uuid
npm ci
npm run build

node --input-type=module -e "
import {v4,v5,v6} from './dist-node/index.js';
const ns='6ba7b810-9dad-11d1-80b4-00c04fd430c8';
for (const [name,fn] of [
  ['v4',()=>v4({},new Uint8Array(8),4)],
  ['v5',()=>v5('x',ns,new Uint8Array(8),4)],
  ['v6',()=>v6({},new Uint8Array(8),4)],
]) {
  try { fn(); console.log(name,'NO_THROW'); }
  catch(e){ console.log(name,'THREW',e.name); }
}"

Observed:

  • v4 THREW RangeError
  • v5 NO_THROW
  • v6 NO_THROW

Example partial overwrite evidence captured during audit:

same true buf [
  170, 170, 170, 170,
   75, 224, 100,  63
]
v6 [
  187, 187, 187, 187,
   31,  19, 185,  64
]
Security impact
  • Primary: integrity/robustness issue (silent partial output).
  • If an application assumes full UUID writes into preallocated buffers, this can produce malformed/truncated/partially stale identifiers without error.
  • In systems where caller-controlled offsets/buffer sizes are exposed indirectly, this may become a security-relevant logic flaw.
Suggested fix

Add the same guard used by v4/v1/v7:

if (offset < 0 || offset + 16 > buf.length) {
  throw new RangeError(`UUID byte range ${offset}:${offset + 15} is out of buffer bounds`);
}

Apply to:

  • src/v35.ts (covers v3 and v5)
  • src/v6.ts

Severity

  • CVSS Score: 6.3 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Release Notes

uuidjs/uuid (uuid)

v14.0.0

Security
  • Fixes GHSA-w5hq-g745-h8pq: v3(), v5(), and v6() did not validate that writes would remain within the bounds of a caller-supplied buffer, allowing out-of-bounds writes when an invalid offset was provided. A RangeError is now thrown if offset < 0 or offset + 16 > buf.length.
⚠ BREAKING CHANGES
  • crypto is now expected to be globally defined (requires node@20+) (#935)
  • drop node@18 support (#934)
  • upgrade minimum supported TypeScript version to 5.4.3, in keeping with the project's policy of supporting TypeScript versions released within the last two years

v13.0.0

⚠ BREAKING CHANGES
  • make browser exports the default (#901)
Bug Fixes

v12.0.0

⚠ BREAKING CHANGES
  • update to typescript@5.2 (#887)
  • remove CommonJS support (#886)
  • drop node@16 support (#883)
Features
Bug Fixes

v11.1.0

Features
  • update TS types to allow Uint8Array subtypes for the buffer option (#865) (a5231e7)

v11.0.5

Bug Fixes

v11.0.4

Bug Fixes

v11.0.3

Bug Fixes

v11.0.2

Bug Fixes

v11.0.1

Bug Fixes

v11.0.0

⚠ BREAKING CHANGES
  • refactor v1 internal state and options logic (#780)
  • refactor v7 internal state and options logic, fixes #764 (#779)
  • Port to TypeScript, closes #762 (#763)
  • update node support matrix (only support node 16-20) (#750)
Features
Bug Fixes

v10.0.0

⚠ BREAKING CHANGES
  • update node support (drop node@12, node@14, add node@20) (#750)
Features
Bug Fixes

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate.
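The guard from the advisory's "Suggested fix", shown here as an added stand-alone example (not code from the uuid project or this PR): an unguarded 16-byte writer that reproduces the silent partial write the PoC observed on a Uint8Array, beside the same writer behind the RangeError check v1/v4/v7 already had. The helper names and the 16 sample bytes are constructed for the demonstration, and the integer test on offset is an addition beyond the advisory's two-comparison guard.

```javascript
// Added example; not code from the uuid project or this PR.

// Stand-in for the 16 bytes a v3/v5/v6 generator would produce (constructed).
const SAMPLE_UUID_BYTES = Uint8Array.from({ length: 16 }, (_, i) => 0xb0 + i);

// Mirrors the pre-14.0.0 v35/v6 loop: buf[offset + i] with no range check.
// Out-of-range element stores on a typed array are silently dropped, so a
// too-small buffer or too-large offset yields a truncated id and no error.
function writeUnguarded(bytes, buf, offset = 0) {
  for (let i = 0; i < 16; ++i) {
    buf[offset + i] = bytes[i];
  }
  return buf;
}

// The guard v1/v4/v7 already had and v14.0.0 adds to v3/v5/v6. The integer
// test on offset is an addition here: NaN passes both range comparisons and
// is then dropped by the typed array just as silently.
function assertUuidByteRange(buf, offset) {
  if (!Number.isInteger(offset) || offset < 0 || offset + 16 > buf.length) {
    throw new RangeError(`UUID byte range ${offset}:${offset + 15} is out of buffer bounds`);
  }
}

function writeGuarded(bytes, buf, offset = 0) {
  assertUuidByteRange(buf, offset);
  return writeUnguarded(bytes, buf, offset);
}

// Diagnostic: how many of the 16 bytes actually landed in buf.
function bytesWritten(buf, offset, bytes) {
  let n = 0;
  for (let i = 0; i < 16; ++i) {
    if (offset + i < buf.length && buf[offset + i] === bytes[i]) n++;
  }
  return n;
}

// Same shape as the PoC: an 8-byte buffer with offset 4 has room for 4 bytes.
function demo() {
  const small = new Uint8Array(8).fill(0xaa);
  writeUnguarded(SAMPLE_UUID_BYTES, small, 4);
  const partial = bytesWritten(small, 4, SAMPLE_UUID_BYTES); // 4 of 16, no error

  let guardedError = null;
  try {
    writeGuarded(SAMPLE_UUID_BYTES, new Uint8Array(8), 4);
  } catch (e) {
    guardedError = e.name; // 'RangeError'
  }
  const ok = writeGuarded(SAMPLE_UUID_BYTES, new Uint8Array(20), 4);
  return { partial, guardedError, okBytes: bytesWritten(ok, 4, SAMPLE_UUID_BYTES) };
}
```

A caller that cannot yet take the v14 upgrade can run the same assertUuidByteRange check on its own buffer and offset before calling v3/v5/v6, which turns the silent truncation into the error the other generators already raise.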

Copilot AI review requested due to automatic review settings April 23, 2026 01:42
@backstage-goalie Bot added labels: dependencies (Pull requests that update a dependency file), security, Apr 23, 2026
@backstage-goalie Bot review requested due to automatic review settings April 23, 2026 01:42
@backstage-service added labels: workspace/announcements, workspace/tech-insights, workspace/shortcuts, workspace/keycloak, workspace/agent-forge, workspace/pingidentity, Apr 23, 2026

Copilot AI left a comment


Pull request overview

Copilot reviewed 24 out of 36 changed files in this pull request and generated 1 comment.



"@mui/styles": "^5.16.6",
"react-use": "^17.2.4",
"uuid": "^11.1.0"
"uuid": "^14.0.0"
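Review bot: this range bump leaves any `@types/uuid` devDependency in the same workspace untouched; uuid has shipped its own declarations since the v11 port to TypeScript (per the release notes above), so a stale `@types/uuid` entry is redundant and, if older than the package, can disagree with the bundled types. Drop it in the same commit, as was later done for mcp-chat in this thread.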

Copilot AI Apr 24, 2026


uuid@^14 lists TypeScript >= 5.4.3 as the minimum supported version, but this workspace is pinned to typescript@~5.3.0 (resolves to 5.3.3 in this workspace yarn.lock). This can cause type-check/build failures; please bump the workspace TypeScript version (or otherwise ensure tsc runs on >=5.4.3) alongside this uuid upgrade.


Copilot AI left a comment


Pull request overview

Copilot reviewed 24 out of 36 changed files in this pull request and generated no new comments.



Copilot AI left a comment


Pull request overview

Copilot reviewed 24 out of 36 changed files in this pull request and generated 1 comment.



"knex": "^3.1.0",
"ollama": "^0.6.0",
"uuid": "^11.0.0"
"uuid": "^14.0.0"

Copilot AI Apr 24, 2026


Upgrading to uuid@^14 raises the runtime requirement to Node.js 20+ (uuid now expects a global crypto). The plugin docs currently state Node.js 18+; please either update the stated support/docs (and/or add an engines.node constraint) or avoid this upgrade if Node 18 support is still required.


Copilot AI left a comment


Pull request overview

Copilot reviewed 24 out of 36 changed files in this pull request and generated no new comments.

Comments suppressed due to low confidence (2)

workspaces/tech-insights/plugins/tech-insights-backend/package.json:1
  • uuid@14 includes breaking runtime/platform expectations (notably Node support changes and reliance on a globally-defined crypto, per upstream release notes). Since this PR updates the dependency range, it should also update the package's supported-runtime signaling (e.g., engines.node and/or CI node matrix) to ensure consumers on unsupported Node versions fail fast during install/CI rather than at runtime. Apply the same adjustment consistently to the other workspaces bumped to ^14.0.0.

workspaces/tech-insights/.changeset/renovate-3deaa6f.md:1
  • The Changeset marks this as a patch, but upgrading to uuid@14 can imply a breaking change for consumers if it effectively raises the minimum supported Node/runtime requirements (or changes module system expectations). If this package previously supported older Node versions, consider bumping the Changeset to major (or at least minor) to reflect the compatibility impact; alternatively, explicitly constrain engines.node so the change is clearly communicated and enforced.


Copilot AI left a comment


Pull request overview

Copilot reviewed 24 out of 36 changed files in this pull request and generated 1 comment.



Comment on lines 44 to 46
"react-use": "^17.2.4",
"uuid": "^11.1.0"
"uuid": "^14.0.0"
},

Copilot AI Apr 24, 2026


uuid@14.0.0 raises the uuid project’s minimum supported TypeScript version to 5.4.3 (per its v14 release notes). This workspace currently pins TypeScript to ~5.3.0 (workspaces/agent-forge/package.json), which can lead to type-check/build failures; please bump the workspace TypeScript version to >=5.4.3 (or align with the repo’s newer TypeScript versions) before landing this update.

Signed-off-by: Renovate Bot <bot@renovateapp.com>
Signed-off-by: gaelgoth <gothuey.gael@gmail.com>
@gaelgoth (Member) commented

I removed deprecated @types/uuid in mcp-chat to get CI green. @Lucifergene @christoph-jerolimov @Eswaraiahsapram Ping for quick eyes 👀

@backstage-goalie (Contributor, Author) commented

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

@backstage-goalie (Contributor, Author) commented

Autoclosing Skipped

This PR has been flagged for autoclosing. However, it is being skipped due to the branch being already modified. Please close/delete it manually or report a bug if you think this is in error.

@backstage-service (Collaborator) commented

👋 Reminder: This Renovate major PR has been open for 21 days.

Please review and merge if the changes look good. If no action is taken, this PR will be labeled force-merge in 21 days.
