Commit abda313
authored
chore(deps): update dependency uuid to v14 [security] (#719)
This PR contains the following updates:
| Package | Change | Age | Confidence |
|---|---|---|---|
| [uuid](https://redirect.github.com/uuidjs/uuid) | [`9.0.1` → `14.0.0`](https://renovatebot.com/diffs/npm/uuid/9.0.1/14.0.0) | | |
---
### uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided
[GHSA-w5hq-g745-h8pq](https://redirect.github.com/advisories/GHSA-w5hq-g745-h8pq)
<details>
<summary>More information</summary>
#### Details
##### Summary
`v3`, `v5`, and `v6` accept external output buffers but do not reject
out-of-range writes (small `buf` or large `offset`).
By contrast, `v4`, `v1`, and `v7` explicitly throw `RangeError` on
invalid bounds.
This inconsistency allows **silent partial writes** into caller-provided
buffers.
##### Affected code
- `src/v35.ts` (`v3`/`v5` path) writes `buf[offset + i]` without bounds
validation.
- `src/v6.ts` writes `buf[offset + i]` without bounds validation.
##### Reproducible PoC
```bash
cd /home/StrawHat/uuid
npm ci
npm run build
node --input-type=module -e "
import {v4,v5,v6} from './dist-node/index.js';
const ns='6ba7b810-9dad-11d1-80b4-00c04fd430c8';
for (const [name,fn] of [
['v4',()=>v4({},new Uint8Array(8),4)],
['v5',()=>v5('x',ns,new Uint8Array(8),4)],
['v6',()=>v6({},new Uint8Array(8),4)],
]) {
try { fn(); console.log(name,'NO_THROW'); }
catch(e){ console.log(name,'THREW',e.name); }
}"
```
Observed:
- `v4 THREW RangeError`
- `v5 NO_THROW`
- `v6 NO_THROW`
Example partial overwrite evidence captured during audit:
```text
same true buf [
170, 170, 170, 170,
75, 224, 100, 63
]
v6 [
187, 187, 187, 187,
31, 19, 185, 64
]
```
##### Security impact
- **Primary**: integrity/robustness issue (silent partial output).
- If an application assumes full UUID writes into preallocated buffers,
this can produce malformed/truncated/partially stale identifiers without
error.
- In systems where caller-controlled offsets/buffer sizes are exposed
indirectly, this may become a security-relevant logic flaw.
##### Suggested fix
Add the same guard used by `v4`/`v1`/`v7`:
```ts
if (offset < 0 || offset + 16 > buf.length) {
throw new RangeError(`UUID byte range ${offset}:${offset + 15} is out of buffer bounds`);
}
```
Apply to:
- `src/v35.ts` (covers `v3` and `v5`)
- `src/v6.ts`
#### Severity
- CVSS Score: 6.3 / 10 (Medium)
- Vector String:
`CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N`
#### References
- [https://github.com/uuidjs/uuid/security/advisories/GHSA-w5hq-g745-h8pq](https://redirect.github.com/uuidjs/uuid/security/advisories/GHSA-w5hq-g745-h8pq)
- [https://github.com/uuidjs/uuid/commit/3d2c5b0342f0fcb52a5ac681c3d47c13e7444b34](https://redirect.github.com/uuidjs/uuid/commit/3d2c5b0342f0fcb52a5ac681c3d47c13e7444b34)
- [https://github.com/uuidjs/uuid/releases/tag/v14.0.0](https://redirect.github.com/uuidjs/uuid/releases/tag/v14.0.0)
- [https://github.com/advisories/GHSA-w5hq-g745-h8pq](https://redirect.github.com/advisories/GHSA-w5hq-g745-h8pq)
This data is provided by the [GitHub Advisory
Database](https://redirect.github.com/advisories/GHSA-w5hq-g745-h8pq)
([CC-BY
4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)).
</details>
---
### Release Notes
<details>
<summary>uuidjs/uuid (uuid)</summary>
### [`v14.0.0`](https://redirect.github.com/uuidjs/uuid/blob/HEAD/CHANGELOG.md#1400-2026-04-19)
[Compare Source](https://redirect.github.com/uuidjs/uuid/compare/v13.0.0...v14.0.0)
##### Security
- Fixes
[GHSA-w5hq-g745-h8pq](https://redirect.github.com/uuidjs/uuid/security/advisories/GHSA-w5hq-g745-h8pq):
`v3()`, `v5()`, and `v6()` did not validate that writes would remain
within the bounds of a caller-supplied buffer, allowing out-of-bounds
writes when an invalid `offset` was provided. A `RangeError` is now
thrown if `offset < 0` or `offset + 16 > buf.length`.
##### ⚠ BREAKING CHANGES
- `crypto` is now expected to be globally defined (requires
node\@​20+)
([#​935](https://redirect.github.com/uuidjs/uuid/issues/935))
- drop node\@​18 support
([#​934](https://redirect.github.com/uuidjs/uuid/issues/934))
- upgrade minimum supported TypeScript version to 5.4.3, in keeping with
the project's policy of supporting TypeScript versions released within
the last two years
### [`v13.0.0`](https://redirect.github.com/uuidjs/uuid/blob/HEAD/CHANGELOG.md#1300-2025-09-08)
[Compare Source](https://redirect.github.com/uuidjs/uuid/compare/v12.0.0...v13.0.0)
##### ⚠ BREAKING CHANGES
- make browser exports the default
([#​901](https://redirect.github.com/uuidjs/uuid/issues/901))
##### Bug Fixes
- make browser exports the default
([#​901](https://redirect.github.com/uuidjs/uuid/issues/901))
([bce9d72](https://redirect.github.com/uuidjs/uuid/commit/bce9d72a3ae5b9a3dcd8eb21ef6d1820288a427a))
### [`v12.0.0`](https://redirect.github.com/uuidjs/uuid/blob/HEAD/CHANGELOG.md#1200-2025-09-05)
[Compare Source](https://redirect.github.com/uuidjs/uuid/compare/v11.1.0...v12.0.0)
##### ⚠ BREAKING CHANGES
- update to typescript\@​5.2
([#​887](https://redirect.github.com/uuidjs/uuid/issues/887))
- remove CommonJS support
([#​886](https://redirect.github.com/uuidjs/uuid/issues/886))
- drop node\@​16 support
([#​883](https://redirect.github.com/uuidjs/uuid/issues/883))
##### Features
- add node\@​24 to ci matrix
([#​879](https://redirect.github.com/uuidjs/uuid/issues/879))
([42b6178](https://redirect.github.com/uuidjs/uuid/commit/42b6178aa21a593257f0a72abacd220f0b7b8a92))
- drop node\@​16 support
([#​883](https://redirect.github.com/uuidjs/uuid/issues/883))
([0f38cf1](https://redirect.github.com/uuidjs/uuid/commit/0f38cf10366ab074f9328ae2021eea04d5f2e530))
- remove CommonJS support
([#​886](https://redirect.github.com/uuidjs/uuid/issues/886))
([ae786e2](https://redirect.github.com/uuidjs/uuid/commit/ae786e27265f50bcf7cead196c29f1869297c42f))
- update to typescript\@​5.2
([#​887](https://redirect.github.com/uuidjs/uuid/issues/887))
([c7ee405](https://redirect.github.com/uuidjs/uuid/commit/c7ee40598ed78584d81ab78dffded9fe5ff20b01))
##### Bug Fixes
- improve v4() performance
([#​894](https://redirect.github.com/uuidjs/uuid/issues/894))
([5fd974c](https://redirect.github.com/uuidjs/uuid/commit/5fd974c12718c8848035650b69b8948f12ace197))
- restore node: prefix
([#​889](https://redirect.github.com/uuidjs/uuid/issues/889))
([e1f42a3](https://redirect.github.com/uuidjs/uuid/commit/e1f42a354593093ba0479f0b4047dae82d28c507))
### [`v11.1.0`](https://redirect.github.com/uuidjs/uuid/blob/HEAD/CHANGELOG.md#1110-2025-02-19)
[Compare Source](https://redirect.github.com/uuidjs/uuid/compare/v11.0.5...v11.1.0)
##### Features
- update TS types to allow `Uint8Array` subtypes for `buffer` option
([#​865](https://redirect.github.com/uuidjs/uuid/issues/865))
([a5231e7](https://redirect.github.com/uuidjs/uuid/commit/a5231e7e1b98c20b23c35402a232167f476b39a2))
### [`v11.0.5`](https://redirect.github.com/uuidjs/uuid/blob/HEAD/CHANGELOG.md#1105-2025-01-09)
[Compare Source](https://redirect.github.com/uuidjs/uuid/compare/v11.0.4...v11.0.5)
##### Bug Fixes
- add TS unit test, pin to typescript\@​5.0.4
([#​860](https://redirect.github.com/uuidjs/uuid/issues/860))
([24ac2fd](https://redirect.github.com/uuidjs/uuid/commit/24ac2fd067e5bab97a5ccea3f6f365a64c01d140))
### [`v11.0.4`](https://redirect.github.com/uuidjs/uuid/blob/HEAD/CHANGELOG.md#1104-2025-01-05)
[Compare Source](https://redirect.github.com/uuidjs/uuid/compare/v11.0.3...v11.0.4)
##### Bug Fixes
- **docs:** insure -> ensure
([#​843](https://redirect.github.com/uuidjs/uuid/issues/843))
([d2a61e1](https://redirect.github.com/uuidjs/uuid/commit/d2a61e154d861e58549466e753bb9e4d5bfffb68))
- exclude tests from published package
([#​840](https://redirect.github.com/uuidjs/uuid/issues/840))
([f992ff4](https://redirect.github.com/uuidjs/uuid/commit/f992ff4780937089b0134195fa22e76e2e1cb3a7))
- Test for invalid byte array sizes and ranges in `v1()`, `v4()`, and
`v7()`
([#​845](https://redirect.github.com/uuidjs/uuid/issues/845))
([e0ee900](https://redirect.github.com/uuidjs/uuid/commit/e0ee90051ebd13475bbcff4d371330aa4f9bd1dd))
### [`v11.0.3`](https://redirect.github.com/uuidjs/uuid/blob/HEAD/CHANGELOG.md#1103-2024-11-04)
[Compare Source](https://redirect.github.com/uuidjs/uuid/compare/v11.0.2...v11.0.3)
##### Bug Fixes
- apply stricter typing to the v\* signatures
([#​831](https://redirect.github.com/uuidjs/uuid/issues/831))
([c2d3fed](https://redirect.github.com/uuidjs/uuid/commit/c2d3fed22cfd47c22c8f22f6154abb5060648ce5))
- export internal uuid types
([#​833](https://redirect.github.com/uuidjs/uuid/issues/833))
([341edf4](https://redirect.github.com/uuidjs/uuid/commit/341edf444ced63708ba336285dbec29443523939))
- remove sourcemaps
([#​827](https://redirect.github.com/uuidjs/uuid/issues/827))
([b93ea10](https://redirect.github.com/uuidjs/uuid/commit/b93ea101af7382053032d4fb61cc85599d6c7216))
- revert "simplify type for v3 and v5"
([#​835](https://redirect.github.com/uuidjs/uuid/issues/835))
([e2dee69](https://redirect.github.com/uuidjs/uuid/commit/e2dee691e95aba854a892d2507d8cd9f009bf61d))
### [`v11.0.2`](https://redirect.github.com/uuidjs/uuid/blob/HEAD/CHANGELOG.md#1102-2024-10-28)
[Compare Source](https://redirect.github.com/uuidjs/uuid/compare/v11.0.1...v11.0.2)
##### Bug Fixes
- remove wrapper.mjs
([#​822](https://redirect.github.com/uuidjs/uuid/issues/822))
([6683ad3](https://redirect.github.com/uuidjs/uuid/commit/6683ad38b048375b451eac1194960f24ba20e0ca))
### [`v11.0.1`](https://redirect.github.com/uuidjs/uuid/blob/HEAD/CHANGELOG.md#1101-2024-10-27)
[Compare Source](https://redirect.github.com/uuidjs/uuid/compare/v11.0.0...v11.0.1)
##### Bug Fixes
- restore package.json#browser field
([#​817](https://redirect.github.com/uuidjs/uuid/issues/817))
([ae8f386](https://redirect.github.com/uuidjs/uuid/commit/ae8f38657bca0ee053bf29c88c006b1ea05af1b5))
### [`v11.0.0`](https://redirect.github.com/uuidjs/uuid/blob/HEAD/CHANGELOG.md#1100-2024-10-26)
[Compare Source](https://redirect.github.com/uuidjs/uuid/compare/v10.0.0...v11.0.0)
##### ⚠ BREAKING CHANGES
- refactor v1 internal state and options logic
([#​780](https://redirect.github.com/uuidjs/uuid/issues/780))
- refactor v7 internal state and options logic, fixes
[#​764](https://redirect.github.com/uuidjs/uuid/issues/764)
([#​779](https://redirect.github.com/uuidjs/uuid/issues/779))
- Port to TypeScript, closes
[#​762](https://redirect.github.com/uuidjs/uuid/issues/762)
([#​763](https://redirect.github.com/uuidjs/uuid/issues/763))
- update node support matrix (only support node 16-20)
([#​750](https://redirect.github.com/uuidjs/uuid/issues/750))
##### Features
- Port to TypeScript, closes
[#​762](https://redirect.github.com/uuidjs/uuid/issues/762)
([#​763](https://redirect.github.com/uuidjs/uuid/issues/763))
([1e0f987](https://redirect.github.com/uuidjs/uuid/commit/1e0f9870db864ca93f7a69db0d468b5e1b7605e7))
- update node support matrix (only support node 16-20)
([#​750](https://redirect.github.com/uuidjs/uuid/issues/750))
([883b163](https://redirect.github.com/uuidjs/uuid/commit/883b163b9ab9d6655bfbd8a35e61a3c71674dfe1))
##### Bug Fixes
- missing v7 expectations in browser spec
([#​751](https://redirect.github.com/uuidjs/uuid/issues/751))
([f54a866](https://redirect.github.com/uuidjs/uuid/commit/f54a866cedb2b3b96581157c1f4ac935a0b11411))
- refactor v1 internal state and options logic
([#​780](https://redirect.github.com/uuidjs/uuid/issues/780))
([031b3d3](https://redirect.github.com/uuidjs/uuid/commit/031b3d3d738bc6694501ac0a37152b95ed500989))
- refactor v7 internal state and options logic, fixes
[#​764](https://redirect.github.com/uuidjs/uuid/issues/764)
([#​779](https://redirect.github.com/uuidjs/uuid/issues/779))
([9dbd1cd](https://redirect.github.com/uuidjs/uuid/commit/9dbd1cd4177c43fcaac961a3b16fb2d044c9940a))
- remove v4 options default assignment preventing native.randomUUID from
being used
([#​786](https://redirect.github.com/uuidjs/uuid/issues/786))
([afe6232](https://redirect.github.com/uuidjs/uuid/commit/afe62323c4408a824755a39d7b971a8ae06f7199)),
closes [#​763](https://redirect.github.com/uuidjs/uuid/issues/763)
- seq\_hi shift for byte 6
([#​775](https://redirect.github.com/uuidjs/uuid/issues/775))
([1d532ca](https://redirect.github.com/uuidjs/uuid/commit/1d532ca374f181932a24a83fa98f71a5bd4f3e96))
- tsconfig module type
([#​778](https://redirect.github.com/uuidjs/uuid/issues/778))
([7eff835](https://redirect.github.com/uuidjs/uuid/commit/7eff835cba334ad418f57768c00d15b918a9b419))
### [`v10.0.0`](https://redirect.github.com/uuidjs/uuid/blob/HEAD/CHANGELOG.md#1000-2024-06-07)
[Compare Source](https://redirect.github.com/uuidjs/uuid/compare/v9.0.1...v10.0.0)
##### ⚠ BREAKING CHANGES
- update node support (drop node\@​12, node\@​14, add
node\@​20)
([#​750](https://redirect.github.com/uuidjs/uuid/issues/750))
##### Features
- support rfc9562 MAX uuid (new in RFC9562)
([#​714](https://redirect.github.com/uuidjs/uuid/issues/714))
([0385cd3](https://redirect.github.com/uuidjs/uuid/commit/0385cd3f18ae9920678b2849932fa7a9d9aee7d0))
- support rfc9562 v6 uuids
([#​754](https://redirect.github.com/uuidjs/uuid/issues/754))
([c4ed13e](https://redirect.github.com/uuidjs/uuid/commit/c4ed13e7159d87c9e42a349bdd9dc955f1af46b6))
- support rfc9562 v7 uuids
([#​681](https://redirect.github.com/uuidjs/uuid/issues/681))
([db76a12](https://redirect.github.com/uuidjs/uuid/commit/db76a1284760c441438f50a57924b322dae08891))
- update node support matrix (only support node 16-20)
([#​750](https://redirect.github.com/uuidjs/uuid/issues/750))
([883b163](https://redirect.github.com/uuidjs/uuid/commit/883b163b9ab9d6655bfbd8a35e61a3c71674dfe1))
- support rfc9562 v8 uuids
([#​759](https://redirect.github.com/uuidjs/uuid/issues/759))
([35a5342](https://redirect.github.com/uuidjs/uuid/commit/35a53428202657e402e6b4aa68f56c08194541bf))
##### Bug Fixes
- revert "perf: remove superfluous call to toLowerCase
([#​677](https://redirect.github.com/uuidjs/uuid/issues/677))"
([#​738](https://redirect.github.com/uuidjs/uuid/issues/738))
([e267b90](https://redirect.github.com/uuidjs/uuid/commit/e267b9073df1d0ce119ee53c0487fe76acb2be37))
</details>
---
### Configuration
📅 **Schedule**: (UTC)
- Branch creation
- ""
- Automerge
- At any time (no schedule defined)
🚦 **Automerge**: Enabled.
♻ **Rebasing**: Whenever PR is behind base branch, or you tick the
rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box
---
This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/sequelize/umzug).
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
1 parent 61d255d commit abda313
2 files changed
Lines changed: 7 additions & 7 deletions
Diff for the first file: line 46 replaced (lines 43-49 shown as context); the changed line content was not rendered. The second (generated) file is not rendered by default.
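The bounds defect the advisory above describes, as an added example that is not code from uuidjs/uuid or from this PR: `writeUnguarded` mirrors the pre-fix `buf[offset + i]` loop, `writeGuarded` adds the `RangeError` check that v14.0.0 applies to `v3`/`v5`/`v6`, and `sampleBytes`, `bytesWritten` and `demo` are constructed helpers that reproduce the 8-byte buffer, offset 4 scenario from the PoC.

```javascript
// Added example (not uuidjs/uuid code). Writes past the end of a typed array
// are silently dropped in JavaScript, so the unguarded path yields partial output.
const UUID_LEN = 16;

// Constructed stand-in for the 16 generated bytes (a real v5/v6 would derive them).
function sampleBytes(fill) {
  return new Uint8Array(UUID_LEN).fill(fill);
}

// Mirrors the pre-fix src/v35.ts / src/v6.ts behaviour: buf[offset + i] with no
// check, so out-of-range indices are dropped and the caller is never told.
function writeUnguarded(bytes, buf, offset) {
  for (let i = 0; i < UUID_LEN; i++) {
    buf[offset + i] = bytes[i];
  }
  return buf;
}

// Guarded form: the check v4/v1/v7 already use and that v14.0.0 adds to v3/v5/v6.
function writeGuarded(bytes, buf, offset) {
  if (offset < 0 || offset + UUID_LEN > buf.length) {
    throw new RangeError(`UUID byte range ${offset}:${offset + UUID_LEN - 1} is out of buffer bounds`);
  }
  return writeUnguarded(bytes, buf, offset);
}

// How many of the 16 bytes actually landed in buf at or after offset.
function bytesWritten(buf, offset, fill) {
  let n = 0;
  for (let i = offset; i < buf.length; i++) if (buf[i] === fill) n++;
  return n;
}

// Reproduce the audit scenario: 8-byte buffer pre-filled with 0xaa, offset 4.
function demo() {
  const small = new Uint8Array(8).fill(0xaa);
  writeUnguarded(sampleBytes(0xbb), small, 4);
  const partial = bytesWritten(small, 4, 0xbb); // 4 of 16 bytes, no error
  let threw = null;
  try {
    writeGuarded(sampleBytes(0xbb), new Uint8Array(8).fill(0xaa), 4);
  } catch (e) {
    threw = e.name; // 'RangeError'
  }
  // Bytes 0..3 are untouched, stale 0xaa: the "partial overwrite" the audit saw.
  return { partial, threw, stale: Array.from(small.slice(0, 4)) };
}

console.log(demo());
```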