chore(deps): bump uuid to ^11.1.1 (CVE-2026-41907)#3615
Addresses npm audit warning for SNYK-JS-UUID-16133035. Note: SuperDoc was not actually vulnerable - we only use the 2-param signature which returns a string directly. The vulnerability only affects the 4-param signature that writes to a caller-provided buffer.

Ref: SD-3361

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
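The description rests on a claim a reviewer should be able to check mechanically: every uuid call in the codebase uses the string-returning two-argument form, and none passes a caller-provided buffer. The script below is an added example, not SuperDoc code and not part of this PR; it scans source text for `v3`/`v5` call sites and reports the argument count of each, flagging any call with more than two arguments (the form that takes a buffer and offset). It assumes uuid is used either as a named import (`v5`, `uuidv5`) or through a namespace (`uuid.v5`); the sample source is constructed for the demonstration, and the argument counter is a lightweight bracket/string-aware scan rather than a full JavaScript parser.

```javascript
// Added example (not SuperDoc's code): classify uuid v3/v5 call sites by argument
// count so a reviewer can confirm only the string-returning (name, namespace) form
// is used and no call site passes a caller-provided buffer.
//
// Assumptions: calls appear as v5(...), uuidv5(...) or uuid.v5(...). The sample
// source below is constructed for this example.

// Matches the callee up to and including its opening parenthesis.
const UUID_CALL_PATTERN = /\b(?:uuid\.)?(?:uuid)?v[35]\s*\(/g;

// Count top-level comma-separated arguments, starting just after "(".
// Skips over nested (), [], {} and string literals. Returns {count, end}.
function countArgs(src, start) {
  let depth = 0, count = 0, sawToken = false, quote = null, i = start;
  for (; i < src.length; i++) {
    const ch = src[i];
    if (quote) {                       // inside a string literal
      if (ch === '\\') { i++; continue; }
      if (ch === quote) quote = null;
      continue;
    }
    if (ch === '"' || ch === "'" || ch === '`') { quote = ch; sawToken = true; continue; }
    if (ch === '(' || ch === '[' || ch === '{') { depth++; sawToken = true; continue; }
    if (ch === ')' || ch === ']' || ch === '}') {
      if (depth === 0) {               // closing paren of the call itself
        if (sawToken) count++;
        return { count, end: i + 1 };
      }
      depth--;
      continue;
    }
    if (ch === ',' && depth === 0) { count++; sawToken = false; continue; }
    if (!/\s/.test(ch)) sawToken = true;
  }
  return { count, end: i };            // unterminated call: best effort
}

// Returns one record per call site: line, callee, argCount, writesToBuffer.
function classifyUuidCalls(src) {
  const re = new RegExp(UUID_CALL_PATTERN.source, 'g');
  const calls = [];
  let m;
  while ((m = re.exec(src)) !== null) {
    const { count } = countArgs(src, m.index + m[0].length);
    calls.push({
      line: src.slice(0, m.index).split('\n').length,
      callee: m[0].replace(/\s*\($/, ''),
      argCount: count,
      // (name, namespace) returns a string; a third/fourth argument is buffer/offset.
      writesToBuffer: count > 2,
    });
  }
  return calls;
}

// Only the call sites that hand uuid a caller-provided buffer.
function findBufferWritingCalls(src) {
  return classifyUuidCalls(src).filter((c) => c.writesToBuffer);
}

// Constructed sample source, not real SuperDoc code.
const SAMPLE_SOURCE = `
import { v4 as uuidv4, v5 as uuidv5 } from 'uuid';
import * as uuid from 'uuid';

const NS = '6ba7b810-9dad-11d1-80b4-00c04fd430c8';
export const docId = uuidv5('doc:' + name, NS);          // 2-arg form, returns a string
const buf = new Uint8Array(16);
uuid.v5(name, NS, buf, 0);                                 // 4-arg form, writes into buf
const other = uuidv5(fn(a, b), NS);                        // nested call, still 2 args
`;

console.log(JSON.stringify(classifyUuidCalls(SAMPLE_SOURCE), null, 2));
```

Run it over the real sources by replacing `SAMPLE_SOURCE` with each file's contents; an empty result from `findBufferWritingCalls` is the evidence the description asserts. Because the scan is regex-based, aliased imports (`import { v5 as makeId }`) would be missed, so check the import lines for renames before trusting a clean result.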
cubic analysis
No issues found across 2 files
Linked issue analysis
Linked issue: SD-3361: Bump uuid dependency to fix npm audit warning
| Status | Acceptance criteria | Notes |
|---|---|---|
| ✅ | Bump uuid specifier in pnpm-workspace.yaml from ^9.0.1 to ^11.1.1 | pnpm-workspace.yaml shows uuid: ^11.1.1 replacing ^9.0.1. |
| ✅ | Update pnpm-lock.yaml to reflect uuid v11.1.1 (lockfile entries and package resolution) | pnpm-lock.yaml contains multiple updated uuid entries and adds uuid@11.1.1 in the packages section and snapshots. |
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: aefcb1a657
| '@superdoc/pm-adapter': | ||
| specifier: workspace:* | ||
| version: link:../layout-engine/pm-adapter |
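Review bot: this lockfile hunk adds an `@superdoc/pm-adapter` `workspace:*` entry, which is unrelated to the uuid bump the PR title describes, so the lockfile was generated from a working tree whose manifests differ from what is committed. Regenerate it from the committed manifests (`pnpm install --lockfile-only`) so the diff is limited to the uuid entries, and confirm the result with `pnpm install --frozen-lockfile`, which is the check CI will apply and which rejects a lockfile whose importer specifiers do not match the package manifests.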
Regenerate the lockfile from the current manifests
This importer now records @superdoc/pm-adapter for packages/super-editor, but the checked-in packages/super-editor/package.json has no such dependency and still declares @superdoc/layout-engine as a devDependency. Because pnpm frozen installs compare each importer's specifiers against the package manifest, CI/package installs will reject this lockfile as out of date before the uuid bump can be used; please regenerate the lockfile from the committed manifests rather than from a workspace with different package.json contents.