
uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided #3693

@noraj

Description


This vulnerability (GHSA-w5hq-g745-h8pq) is raised for anyone using even the latest version of web-ext, for example:

  "devDependencies": {
    "web-ext": "10.1.0"
  },

uuid is a sub-dependency or transitive dependency.

Dependabot tells me it is via node-notifier@10.0.1 (which has been unmaintained for 3 years):

https://github.com/mikaelbr/node-notifier/blob/b36c237f0d913f9df3a2bd45adc08b33ff717f6a/package.json#L67

Locally, I can resolve:

npm ls --all
└─┬ web-ext@10.1.0
  ├─┬ node-notifier@10.0.1
  │ ├── uuid@8.3.2

Which is weird, because I see no reference to node-notifier in web-ext 10.1.0; it seems the dependency was dropped in the past.

However, I see in package-lock.json that web-ext 10.1.0 is pulling istanbul-lib-processinfo 3.0.0 which is itself pulling uuid 8.3.2.

web-ext/package-lock.json

Lines 15934 to 15945 in e582e8f

    "istanbul-lib-processinfo": {
      "version": "3.0.0",
      "resolved": "https://registry.npmjs.org/istanbul-lib-processinfo/-/istanbul-lib-processinfo-3.0.0.tgz",
      "integrity": "sha512-P7nLXRRlo7Sqinty6lNa7+4o9jBUYGpqtejqCOZKfgXlRoxY/QArflcB86YO500Ahj4pDJEG34JjMRbQgePLnQ==",
      "dev": true,
      "requires": {
        "archy": "^1.0.0",
        "cross-spawn": "^7.0.3",
        "istanbul-lib-coverage": "^3.2.0",
        "p-map": "^3.0.0",
        "rimraf": "^6.1.3",
        "uuid": "^8.3.2"
      }
    }

Whatever the path, web-ext 10.1.0 seems to still pull uuid@8.3.2 and triggers this security alert.

I'd recommend:

  • update the direct dependency if it is not the latest,
  • report upstream to the direct dependency you pull so that it updates its own pull of uuid, if it is maintained,
  • if it is unmaintained, then remove or replace the middle dependency,
  • if all this is impossible, then use npm-force-resolutions to force the installed transitive dependency version, in this case uuid 14.0.0+

Probably this uuid vulnerability won't affect web-ext in any way, but just making the annoying security alert go away for thousands of people would still be nice.
