
chore(deps): bump uuid from 9.0.1 to 11.1.0 in the npm_and_yarn group across 1 directory#4

Merged

roll merged 1 commit into main from dependabot/npm_and_yarn/npm_and_yarn-eabade7528 on May 15, 2026

Conversation


@dependabot dependabot Bot commented on behalf of github May 15, 2026

Bumps the npm_and_yarn group with 1 update in the / directory: uuid.

Updates uuid from 9.0.1 to 11.1.0

Release notes

Sourced from uuid's releases.

v11.1.0

11.1.0 (2025-02-19)

Features

  • update TS types to allow Uint8Array subtypes for buffer option (#865) (a5231e7)

v11.0.5

11.0.5 (2025-01-09)

Bug Fixes

  • add TS unit test, pin to typescript@5.0.4 (#860) (24ac2fd)

v11.0.4

11.0.4 (2025-01-05)

Bug Fixes

  • docs: insure -> ensure (#843) (d2a61e1)
  • exclude tests from published package (#840) (f992ff4)
  • Test for invalid byte array sizes and ranges in v1(), v4(), and v7() (#845) (e0ee900)

v11.0.3

11.0.3 (2024-11-04)

Bug Fixes

v11.0.2

11.0.2 (2024-10-28)

Bug Fixes

v11.0.1

11.0.1 (2024-10-27)

... (truncated)

Changelog

Sourced from uuid's changelog.

11.1.0 (2025-02-19)

Features

  • update TS types to allow Uint8Array subtypes for buffer option (#865) (a5231e7)

11.0.5 (2025-01-09)

Bug Fixes

  • add TS unit test, pin to typescript@5.0.4 (#860) (24ac2fd)

11.0.4 (2025-01-05)

Bug Fixes

  • docs: insure -> ensure (#843) (d2a61e1)
  • exclude tests from published package (#840) (f992ff4)
  • Test for invalid byte array sizes and ranges in v1(), v4(), and v7() (#845) (e0ee900)

11.0.3 (2024-11-04)

Bug Fixes

11.0.2 (2024-10-28)

Bug Fixes

11.0.1 (2024-10-27)

Bug Fixes

11.0.0 (2024-10-26)

⚠ BREAKING CHANGES

  • refactor v1 internal state and options logic (#780)

... (truncated)

Commits
  • 3d1eba0 chore(main): release 11.1.0 (#866)
  • a5231e7 feat: update TS types to allow Uint8Array subtypes for buffer option (#865)
  • aeabb60 docs: docs housecleaning (#864)
  • 46ada3c chore(main): release 11.0.5 (#861)
  • 24ac2fd fix: add TS unit test, pin to typescript@5.0.4 (#860)
  • e426aaa build: use npm pack tarball for local examples and testing instead of .loca...
  • 050cd5b chore(main): release 11.0.4 (#842)
  • e0ee900 fix: Test for invalid byte array sizes and ranges in v1(), v4(), and `v7(...
  • 6e83b3a chore: update deps (#848)
  • 5f58b43 docs: Ensure link to getrandomvalues-not-supported is maintained (#844)
  • Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by broofa, a new releaser for uuid since your current version.

Install script changes

This version adds a prepare script that runs during installation. Review the package contents before updating.



Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps the npm_and_yarn group with 1 update in the / directory: [uuid](https://github.com/uuidjs/uuid).


Updates `uuid` from 9.0.1 to 11.1.0
- [Release notes](https://github.com/uuidjs/uuid/releases)
- [Changelog](https://github.com/uuidjs/uuid/blob/main/CHANGELOG.md)
- [Commits](uuidjs/uuid@v9.0.1...v11.1.0)

---
updated-dependencies:
- dependency-name: uuid
  dependency-version: 11.1.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels May 15, 2026
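The "Install script changes" note above is the point a reviewer actually has to act on, and the useful question is not just "did a script get added" but "would it run on my machine". Per npm's documented lifecycle, a dependency's preinstall, install and postinstall hooks execute on a consumer install from the registry (unless --ignore-scripts is set), while prepare runs only when the package is installed from a git URL or on a bare `npm install` inside its own checkout. The following is an added example, not code from the uuid project or from this repository: it diffs the scripts of two manifests and classifies each change by when npm would run it. The three manifests are constructed stand-ins (the real package.json of uuid 9.0.1 and 11.1.0 is not reproduced here), and SUSPECT_MANIFEST is a hypothetical case included only to show the flagging path.

```javascript
// Added example: classify npm lifecycle-script changes between two published
// manifests by when npm actually executes them. Manifests below are constructed.

// Hooks npm runs on the consumer's machine for a registry-tarball install
// (skipped only with --ignore-scripts).
const INSTALL_TIME = ['preinstall', 'install', 'postinstall'];
// Hook npm runs for a git-URL install or a bare `npm install` in the package's
// own checkout; a registry-tarball consumer does not execute it.
const GIT_OR_LOCAL = ['prepare'];
// Hooks that run on the publisher's side around `npm pack` / `npm publish`.
const PUBLISH_TIME = ['prepublishOnly', 'prepack', 'postpack', 'publish', 'postpublish'];

function whenRuns(scriptName) {
  if (INSTALL_TIME.includes(scriptName)) return 'registry-install';
  if (GIT_OR_LOCAL.includes(scriptName)) return 'git-or-local-install';
  if (PUBLISH_TIME.includes(scriptName)) return 'pack-or-publish';
  return 'manual'; // build, test, lint, ...: only when someone runs `npm run <name>`
}

const RANK = { 'registry-install': 0, 'git-or-local-install': 1, 'pack-or-publish': 2, manual: 3 };

// Every script added, removed or changed between the two manifests,
// most consumer-relevant first.
function scriptDelta(oldManifest, newManifest) {
  const before = oldManifest.scripts || {};
  const after = newManifest.scripts || {};
  const delta = [];
  for (const name of new Set([...Object.keys(before), ...Object.keys(after)])) {
    if (before[name] === after[name]) continue;
    delta.push({ name, from: before[name] ?? null, to: after[name] ?? null, when: whenRuns(name) });
  }
  return delta.sort((a, b) => RANK[a.when] - RANK[b.when] || a.name.localeCompare(b.name));
}

// Scripts that are new or changed AND would execute on a plain registry install.
function needsReview(delta) {
  return delta.filter((c) => c.to !== null && c.when === 'registry-install');
}

// Constructed sample manifests (only the fields this check needs).
const OLD_MANIFEST = { name: 'uuid', version: '9.0.1',
  scripts: { build: 'node scripts/build.js', test: 'node --test' } };
const NEW_MANIFEST = { name: 'uuid', version: '11.1.0',
  scripts: { build: 'node scripts/build.js', test: 'node --test',
             prepare: 'node scripts/build.js', lint: 'eslint .' } };
// Hypothetical manifest with a hook that would run on every consumer install.
const SUSPECT_MANIFEST = { name: 'uuid', version: '11.1.0',
  scripts: { build: 'node scripts/build.js', postinstall: 'node scripts/setup.js' } };

for (const [label, next] of [['11.1.0 (sample)', NEW_MANIFEST], ['hypothetical', SUSPECT_MANIFEST]]) {
  const delta = scriptDelta(OLD_MANIFEST, next);
  console.log(`${OLD_MANIFEST.version} -> ${label}:`);
  for (const c of delta) console.log(`  ${c.when.padEnd(20)} ${c.name}: ${c.from} -> ${c.to}`);
  const flagged = needsReview(delta);
  console.log(flagged.length ? `  REVIEW: ${flagged.map((c) => c.name).join(', ')}` : '  no install-time hooks changed');
}
```

To feed it the real manifests, `npm view uuid@9.0.1 scripts --json` and `npm view uuid@11.1.0 scripts --json` return just the scripts objects, and `npm pack uuid@11.1.0` gives the tarball whose package.json and file list you can inspect before updating. This project installs with pnpm; pnpm 10 and later do not run dependencies' lifecycle scripts unless the package is allow-listed (pnpm.onlyBuiltDependencies), which is an extra reason the classification above matters more than the bare "adds a script" notice.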

cloudflare-workers-and-pages Bot commented May 15, 2026

Deploying with Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status                   Name      Latest Commit   Preview URL                                Updated (UTC)
✅ Deployment successful  fireargs  c08d9ba         Commit Preview URL / Branch Preview URL    May 15 2026, 10:36 AM


claude Bot commented May 15, 2026

Claude finished @dependabot[bot]'s task in 1m 30s


PR Review: uuid 9.0.1 → 11.1.0

  • Gather context: review changed files and uuid usage in codebase
  • Analyze breaking changes (v9 → v11 major version bump)
  • Security review (OWASP Top 10 + additional checks)
  • Post findings

Summary

This PR only modifies pnpm-lock.yaml — no source code changes. Severity: LOW.


Findings

1. PR title vs. actual diff mismatch — LOW

The PR title claims bumping uuid 9.0.1 → 11.1.0, but the actual lockfile diff shows:

  • uuid@11.1.0 → uuid@11.1.1 (transitive dep of mermaid)
  • uuid@9.0.1 is still present as a transitive dep of mdx-bundler@10.1.1

The promised upgrade of uuid@9.0.1 did not happen. The deprecated version remains in the tree with this note in the lockfile:

deprecated: uuid@10 and below is no longer supported. For ESM codebases, update to uuid@latest.

Since mdx-bundler pins uuid@9.x internally, this can only be resolved by updating mdx-bundler itself or waiting for it to upgrade its dependency.

2. @ungap/structured-clone@1.3.0 — CWE-502 deprecation note — LOW

The diff adds a new deprecated metadata entry for @ungap/structured-clone@1.3.0:

deprecated: Potential CWE-502 - Update to 1.3.1 or higher

CWE-502 is "Deserialization of Untrusted Data." This package is not a direct dependency, and this note is informational metadata from the npm registry — it's not introduced by this PR. The package was already in the lockfile. However, it's worth tracking: @ungap/structured-clone is used by hast-util-sanitize, hast-util-to-mdast, and mdast-util-to-hast, all of which appear to be dev tooling / docs dependencies.

Since structured-clone is a native browser/Node API, this transitive dep is unlikely to handle untrusted data in this project's context.

3. Additional transitive bumps (unrelated to uuid) — NONE

The diff also includes:

  • seroval 1.5.2 → 1.5.4 (via solid-js — dev dependency)
  • tinyexec 1.1.1 → 1.1.2 (via vitest — dev dependency)
  • seroval-plugins bumped to match

These are routine transitive updates with no security concerns.


OWASP Top 10 / Security Checklist

Category                       Status
SQL Injection                  N/A — lockfile only
XSS                            N/A
Broken Authentication          N/A
Sensitive Data Exposure        No secrets in diff
XXE                            N/A
Broken Access Control          N/A
Security Misconfiguration      N/A
CSRF                           N/A
Known Vulnerable Components    uuid@9.0.1 deprecated (still present); @ungap/structured-clone@1.3.0 CWE-502 note (pre-existing)
Insufficient Logging           N/A

Recommendation

Safe to merge as-is — the actual code risk is negligible since all changes are transitive dev/docs dependencies. But note that uuid@9.0.1 was not removed as the PR title suggests. If eliminating the deprecated version is a goal, mdx-bundler would need to be updated separately.
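The review's first finding, that the lockfile still carries uuid@9.0.1 through mdx-bundler while the PR title promises its removal, is exactly the kind of claim worth checking mechanically rather than trusting a bot title. Interactively, `pnpm why uuid` answers it; the following is an added example, not the project's code and not its real lockfile, that does the same offline: a line-oriented pass over a pnpm-lock.yaml (lockfile v9 layout) that lists every resolved version of one package, which snapshot pulls each version in, and every registry "deprecated" notice in the tree. The SAMPLE_LOCK text is constructed to mirror the state the review describes; its integrity hashes and the mermaid version are placeholders, not values from this repository.

```javascript
// Added example: audit a pnpm-lock.yaml for leftover versions and deprecations.
// SAMPLE_LOCK is constructed (placeholder hashes and mermaid version).
const SAMPLE_LOCK = `lockfileVersion: '9.0'

packages:

  '@ungap/structured-clone@1.3.0':
    resolution: {integrity: sha512-placeholder}
    deprecated: Potential CWE-502 - Update to 1.3.1 or higher

  mdx-bundler@10.1.1:
    resolution: {integrity: sha512-placeholder}

  mermaid@11.4.1:
    resolution: {integrity: sha512-placeholder}

  uuid@11.1.1:
    resolution: {integrity: sha512-placeholder}
    hasBin: true

  uuid@9.0.1:
    resolution: {integrity: sha512-placeholder}
    deprecated: uuid@10 and below is no longer supported. For ESM codebases, update to uuid@latest.
    hasBin: true

snapshots:

  '@ungap/structured-clone@1.3.0': {}

  mdx-bundler@10.1.1:
    dependencies:
      uuid: 9.0.1

  mermaid@11.4.1:
    dependencies:
      uuid: 11.1.1

  uuid@11.1.1: {}

  uuid@9.0.1: {}
`;

// Split a key such as "uuid@9.0.1", "'@scope/pkg@1.2.3'" (quoted because it
// starts with '@') or "solid-js@1.9.5(seroval@1.5.4)" (peer context appended
// by pnpm) into name and version.
function splitKey(rawKey) {
  const key = rawKey.replace(/^'|'$/g, '').replace(/\(.*$/, '');
  const at = key.lastIndexOf('@');
  if (at <= 0) return { name: key, version: '' };
  return { name: key.slice(0, at), version: key.slice(at + 1) };
}

// Walk only what the audit needs: `packages:` entries (with optional
// `deprecated:`) and `snapshots:` entries whose `dependencies:` edges say
// which exact version each dependent resolves to.
function parseLockfile(text) {
  const packages = new Map();   // "name@version" -> deprecation message or null
  const dependents = new Map(); // "name@version" -> Set of "name@version" depending on it
  let section = null, entry = null, inDeps = false;
  for (const line of text.split('\n')) {
    let m;
    if ((m = /^(\w+):\s*$/.exec(line))) {                   // top-level section
      section = m[1]; entry = null; inDeps = false; continue;
    }
    if ((m = /^  (\S.*?):(?:\s*\{\})?\s*$/.exec(line))) {   // indent-2 entry key
      const { name, version } = splitKey(m[1]);
      entry = `${name}@${version}`; inDeps = false;
      if (section === 'packages') packages.set(entry, null);
      continue;
    }
    if (!entry) continue;
    if ((m = /^    (\w+):\s*(.*)$/.exec(line))) {          // indent-4 field of the entry
      inDeps = section === 'snapshots' && /^(optionalD|d)ependencies$/.test(m[1]);
      if (section === 'packages' && m[1] === 'deprecated') packages.set(entry, m[2].replace(/^'(.*)'$/, '$1'));
      continue;
    }
    if (inDeps && (m = /^      (\S.*?): (\S.*)$/.exec(line))) { // indent-6 "name: version"
      const target = `${m[1].replace(/^'|'$/g, '')}@${m[2].replace(/\(.*$/, '')}`;
      if (!dependents.has(target)) dependents.set(target, new Set());
      dependents.get(target).add(entry);
    }
  }
  return { packages, dependents };
}

// All resolved versions of `name`, oldest first, with who depends on each.
function auditPackage(text, name) {
  const { packages, dependents } = parseLockfile(text);
  const rows = [];
  for (const [key, deprecated] of packages) {
    const k = splitKey(key);
    if (k.name !== name) continue;
    rows.push({ version: k.version, deprecated, dependents: [...(dependents.get(key) || [])].sort() });
  }
  return rows.sort((a, b) => a.version.localeCompare(b.version, undefined, { numeric: true }));
}

// Every package the registry has marked deprecated, whoever pulls it in.
function deprecatedPackages(text) {
  return [...parseLockfile(text).packages].filter(([, msg]) => msg).map(([key, msg]) => ({ key, deprecated: msg }));
}

for (const row of auditPackage(SAMPLE_LOCK, 'uuid')) {
  console.log(`uuid@${row.version}  required by: ${row.dependents.join(', ') || '(none recorded)'}`);
  if (row.deprecated) console.log(`  deprecated: ${row.deprecated}`);
}
for (const d of deprecatedPackages(SAMPLE_LOCK)) console.log(`deprecated in tree: ${d.key}`);
```

Run against the real file by reading pnpm-lock.yaml with fs and passing the text to auditPackage; a row for 9.0.1 whose dependents list names mdx-bundler is the mechanical confirmation of the finding above, and an empty deprecatedPackages result is the bar to clear when the goal is removing the deprecated version rather than merely bumping a sibling copy.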

@roll roll merged commit 4015aca into main May 15, 2026
8 checks passed
@dependabot dependabot Bot deleted the dependabot/npm_and_yarn/npm_and_yarn-eabade7528 branch May 15, 2026 17:16