Update dependency uuid [SECURITY]#8794
Conversation
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 24 out of 36 changed files in this pull request and generated no new comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 24 out of 36 changed files in this pull request and generated no new comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 24 out of 36 changed files in this pull request and generated no new comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 24 out of 36 changed files in this pull request and generated no new comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 24 out of 36 changed files in this pull request and generated no new comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
|
I removed deprecated |
Autoclosing SkippedThis PR has been flagged for autoclosing. However, it is being skipped due to the branch being already modified. Please close/delete it manually or report a bug if you think this is in error. |
|
👋 Reminder: This Renovate major PR has been open for 21 days. Please review and merge if the changes look good. If no action is taken, this PR will be labeled |
PatAKnight
left a comment
There was a problem hiding this comment.
LGTM for PingIdentity and Keycloak
Signed-off-by: Renovate Bot <bot@renovateapp.com>
awanlin
left a comment
There was a problem hiding this comment.
Approving then will merge based on agreement to force merged PRs with that label 👍
This PR contains the following updates:
13.0.0→13.0.111.1.0→11.1.1Warning
Some dependencies could not be looked up. Check the Dependency Dashboard for more information.
uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided
CVE-2026-41907 / GHSA-w5hq-g745-h8pq
More information
Details
Summary
The
v3(),v5(), andv6()API methods (notuuidrelease versions) accept external output buffers but do not reject out-of-range writes (smallbufor largeoffset).By contrast,
v4(),v1(), andv7()API methods explicitly throwRangeErroron invalid bounds.This inconsistency allows silent partial writes into caller-provided buffers.
Affected code
src/v35.ts(v3()/v5()path) writesbuf[offset + i]without bounds validation.src/v6.tswritesbuf[offset + i]without bounds validation.Reproducible PoC
Observed:
v4() THREW RangeErrorv5() NO_THROWv6() NO_THROWExample partial overwrite evidence captured during audit:
Security impact
Suggested fix
Add the same guard used by
v4()/v1()/v7():Apply to:
src/v35.ts(coversv3()andv5())src/v6.tsSeverity
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:NReferences
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Release Notes
uuidjs/uuid (uuid)
v13.0.1Compare Source
Bug Fixes
Configuration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.
This PR has been generated by Mend Renovate.