Update dependency uuid to v11 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
uuid	9.0.1 → 11.1.1

---

uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided

CVE-2026-41907 / GHSA-w5hq-g745-h8pq

More information

Details

Summary

The v3(), v5(), and v6() API methods (not uuid release versions) accept external output buffers but do not reject out-of-range writes (small buf or large offset).
By contrast, v4(), v1(), and v7() API methods explicitly throw RangeError on invalid bounds.

This inconsistency allows silent partial writes into caller-provided buffers.

Affected code

• src/v35.ts (v3()/v5() path) writes buf[offset + i] without bounds validation.
• src/v6.ts writes buf[offset + i] without bounds validation.

Reproducible PoC

cd /home/StrawHat/uuid
npm ci
npm run build

node --input-type=module -e "
import {v4,v5,v6} from './dist-node/index.js';
const ns='6ba7b810-9dad-11d1-80b4-00c04fd430c8';
for (const [name,fn] of [
  ['v4()',()=>v4({},new Uint8Array(8),4)],
  ['v5()',()=>v5('x',ns,new Uint8Array(8),4)],
  ['v6()',()=>v6({},new Uint8Array(8),4)],
]) {
  try { fn(); console.log(name,'NO_THROW'); }
  catch(e){ console.log(name,'THREW',e.name); }
}"

Observed:

• v4() THREW RangeError
• v5() NO_THROW
• v6() NO_THROW

Example partial overwrite evidence captured during audit:

same true buf [
  170, 170, 170, 170,
   75, 224, 100,  63
]
v6 [
  187, 187, 187, 187,
   31,  19, 185,  64
]

Security impact

• Primary: integrity/robustness issue (silent partial output).
• If an application assumes full UUID writes into preallocated buffers, this can produce malformed/truncated/partially stale identifiers without error.
• In systems where caller-controlled offsets/buffer sizes are exposed indirectly, this may become a security-relevant logic flaw.

Suggested fix

Add the same guard used by v4()/v1()/v7():

if (offset < 0 || offset + 16 > buf.length) {
  throw new RangeError(`UUID byte range ${offset}:${offset + 15} is out of buffer bounds`);
}

Apply to:

• src/v35.ts (covers v3() and v5())
• src/v6.ts

Severity

• CVSS Score: 6.3 / 10 (Medium)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

References

• https://github.com/uuidjs/uuid/security/advisories/GHSA-w5hq-g745-h8pq
• https://github.com/uuidjs/uuid/commit/3d2c5b0342f0fcb52a5ac681c3d47c13e7444b34
• https://github.com/uuidjs/uuid/releases/tag/v14.0.0
• https://nvd.nist.gov/vuln/detail/CVE-2026-41907
• https://github.com/uuidjs/uuid/commit/32389c887c9e75f90442ee4cc95bbab0c4e8346e
• https://github.com/uuidjs/uuid/commit/3d61d6ac1f782cf6b1dd8661c60f11722cd49a0d
• https://github.com/uuidjs/uuid/commit/9d27ddf7046ce496ef39569ff84d948eeff9cb2a
• https://github.com/uuidjs/uuid/releases/tag/v11.1.1
• https://github.com/uuidjs/uuid/releases/tag/v12.0.1
• https://github.com/uuidjs/uuid/releases/tag/v13.0.1
• https://github.com/advisories/GHSA-w5hq-g745-h8pq

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

uuidjs/uuid (uuid)

v11.1.1

Compare Source

v11.1.0

Compare Source

Features

• update TS types to allowUint8Array subtypes for buffer option (#​865) (a5231e7)

v11.0.5

Compare Source

Bug Fixes

• add TS unit test, pin to typescript@​5.0.4 (#​860) (24ac2fd)

v11.0.4

Compare Source

Bug Fixes

• docs: insure -> ensure (#​843) (d2a61e1)
• exclude tests from published package (#​840) (f992ff4)
• Test for invalid byte array sizes and ranges in v1(), v4(), and v7() (#​845) (e0ee900)

v11.0.3

Compare Source

Bug Fixes

• apply stricter typing to the v* signatures (#​831) (c2d3fed)
• export internal uuid types (#​833) (341edf4)
• remove sourcemaps (#​827) (b93ea10)
• revert "simplify type for v3 and v5" (#​835) (e2dee69)

v11.0.2

Compare Source

Bug Fixes

• remove wrapper.mjs (#​822) (6683ad3)

v11.0.1

Compare Source

Bug Fixes

• restore package.json#browser field (#​817) (ae8f386)

v11.0.0

Compare Source

⚠ BREAKING CHANGES

• refactor v1 internal state and options logic (#​780)
• refactor v7 internal state and options logic, fixes #​764 (#​779)
• Port to TypeScript, closes #​762 (#​763)
• update node support matrix (only support node 16-20) (#​750)

Features

• Port to TypeScript, closes #​762 (#​763) (1e0f987)
• update node support matrix (only support node 16-20) (#​750) (883b163)

Bug Fixes

• missing v7 expectations in browser spec (#​751) (f54a866)
• refactor v1 internal state and options logic (#​780) (031b3d3)
• refactor v7 internal state and options logic, fixes #​764 (#​779) (9dbd1cd)
• remove v4 options default assignment preventing native.randomUUID from being used (#​786) (afe6232), closes #​763
• seq_hi shift for byte 6 (#​775) (1d532ca)
• tsconfig module type (#​778) (7eff835)

v10.0.0

Compare Source

⚠ BREAKING CHANGES

• update node support (drop node@​12, node@​14, add node@​20) (#​750)

Features

• support support rfc9562 MAX uuid (new in RFC9562) (#​714) (0385cd3)
• support rfc9562 v6 uuids (#​754) (c4ed13e)
• support rfc9562 v7 uuids (#​681) (db76a12)
• update node support matrix (only support node 16-20) (#​750) (883b163)
• support rfc9562 v8 uuids (#​759) (35a5342)

Bug Fixes

• revert "perf: remove superfluous call to toLowerCase (#​677)" (#​738) (e267b90)

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.