chore(deps): bump uuid from 10.0.0 to 13.0.2#809
Conversation
Bumps [uuid](https://github.com/uuidjs/uuid) from 10.0.0 to 13.0.2. - [Release notes](https://github.com/uuidjs/uuid/releases) - [Changelog](https://github.com/uuidjs/uuid/blob/v13.0.2/CHANGELOG.md) - [Commits](uuidjs/uuid@v10.0.0...v13.0.2) --- updated-dependencies: - dependency-name: uuid dependency-version: 13.0.2 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>
dependabot
Bot
added
dependencies
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
![claude[bot]](https://avatars.githubusercontent.com/in/1236702?s=60&v=4){kind=small}
There was a problem hiding this comment.
LGTM, lock-file-only patch bump of a transitive uuid dependency (13.0.0 → 13.0.2).
Extended reasoning...
Overview
This Dependabot PR modifies only pnpm-lock.yaml. Despite the title saying "10.0.0 to 13.0.2", the actual diff shows the transitive uuid dependency (pulled in by @langchain/langgraph-sdk or similar) being bumped from 13.0.0 to 13.0.2. The top-level uuid@10.0.0 entry is left in place. The 13.0.2 release is a re-release to fix npm provenance; 13.0.1 was a backport of a security fix (GHSA-w5hq-g745-h8pq).
Security risks
None introduced by this change. The bump pulls in a security-fix backport (GHSA-w5hq-g745-h8pq) via 13.0.1 and a provenance fix in 13.0.2 — both directionally positive.
Level of scrutiny
Minimal. This is a lock-file-only patch version bump generated by Dependabot, with no source code changes. CI build/test signals are the appropriate gate.
Other factors
The dependency advances within the same major (13.x), so no breaking-change exposure relative to the previously-resolved 13.0.0. The Dependabot install-script warning about a new prepare script applies to the project's own prepare semantics in newer uuid releases, but since uuid is only consumed as a runtime library (not built from source here), this isn't a meaningful supply-chain concern at install time.
Bumps uuid from 10.0.0 to 13.0.2.
Release notes
Sourced from uuid's releases.
... (truncated)
Changelog
Sourced from uuid's changelog.
... (truncated)
Commits
bd34976chore(13.x): release 13.0.2 (#953)49ccb35fix: rerelease to fix provenance.fc3a84dchore: update workflowf01d6ddchore: fix workflow0643802Merge branch '13.x' of github.com:uuidjs/uuid into 13.xe52c9cechore: fix workflowe5424b6chore(13.x): release 13.0.1 (#943)04f488bworkflow: update release-please workflow9d27ddffix: backport fix for GHSA-w5hq-g745-h8pq24c1238chore(main): release 13.0.0 (#902)Maintainer changes
This version was pushed to npm by GitHub Actions, a new releaser for uuid since your current version.
Install script changes
This version adds
preparescript that runs during installation. Review the package contents before updating.Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)You can disable automated security fix PRs for this repo from the Security Alerts page.