
[lexical] Chore: Fix uuid dependency vulnerability #8399

Merged
etrepum merged 1 commit into main from fix/uuid-security-vulnerability on Apr 27, 2026

Conversation

vishisht31 (Contributor) commented Apr 27, 2026

Description

Updated package.json to manually override the version of the dependency uuid to >=14.0.0 to address the security vulnerability.
Package Dependency
Repository: facebook/lexical
Manifest file: pnpm-lock.yaml
Package name: uuid
Affected versions: < 14.0.0
Fixed in version: 14.0.0

Test plan

Before

N/A

After

N/A

vercel Bot commented Apr 27, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project              Deployment   Actions            Updated (UTC)
lexical              Ready        Preview, Comment   Apr 27, 2026 1:57pm
lexical-playground   Ready        Preview, Comment   Apr 27, 2026 1:57pm


meta-cla Bot added the CLA Signed label Apr 27, 2026
vishisht31 marked this pull request as ready for review April 27, 2026 14:08
vishisht31 self-assigned this Apr 27, 2026
etrepum added this pull request to the merge queue Apr 27, 2026
Merged via the queue into main with commit d372e9e Apr 27, 2026
20 checks passed
etrepum mentioned this pull request Apr 27, 2026
etrepum pushed a commit to etrepum/lexical that referenced this pull request May 2, 2026

Audited every override against the current dep tree by removing it and
re-resolving. The CVE-style overrides that survived the last few audit
PRs (facebook#8380, facebook#8399, facebook#8401, facebook#8404-facebook#8409, facebook#8415) are no longer doing any
work — every consumer either pins or ranges its way to a patched release
without help:

  qs                  6.15.0    -> 6.14.2     (override threshold met)
  simple-git          3.36.0    -> 3.36.0     (no change)
  follow-redirects    1.16.0    -> 1.16.0     (no change)
  protobufjs          8.0.1     -> 7.5.6      (>=7.5.5 patched)
  dompurify           3.4.1     -> 3.4.1      (no change)
  postcss             8.5.13    -> 8.5.13     (no change)
  eslint              10.2+10.3 -> 10.3.0     (override was forcing dup)
  immutable           4.3.8     -> 4.3.8      (no change)
  path-to-regexp 1.x  1.9.0     -> 1.9.0      (no change; ^1.7.0 only
                                               matches 1.9.0 anyway)

  form-data, @isaacs/brace-expansion, astro: not in tree at all.

uuid drops from 14.0.0 to 11.1.1 + a transitive 8.3.2; the 8.3.2 path
predates the GHSA-pwhh-q4h6-w599 fix but the consumer doesn't use the
v3/v5 entrypoints, and forcing 14.0.0 on consumers ranged at ^8 was the
same kind of major-jumping mistake that just broke react-router with
path-to-regexp 8.x.

Kept the deduplicating pins (react, react-dom, @types/node, prettier)
and the version-scoped yaml@^1 override, which is also defensive but
correctly range-bounded.
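
The audit the commit above describes, as an added example that is not code from the Lexical repository: it classifies each pnpm override against what its consumers would resolve to with the override removed, and flags the unscoped, major-jumping kind the commit warns about. The dependency tree, override list and patched-in thresholds below are constructed sample data, not the real pnpm-lock.yaml.

```javascript
// Added example, not Lexical's code: audit pnpm overrides as the commit message
// describes, against a constructed tree. Parse "1.10.2", ">=14.0.0" or "^1" into parts.
function semver(v) {
  const [major, minor = 0, patch = 0] = v.replace(/^[^\d]*/, '').split('.').map(Number);
  return { major, minor, patch };
}
function cmp(a, b) {
  const x = semver(a), y = semver(b);
  return x.major - y.major || x.minor - y.minor || x.patch - y.patch;
}
// "yaml@^1" -> { name: "yaml", scope: "^1" }; a bare "uuid" applies to every major.
function parseSelector(selector) {
  const at = selector.lastIndexOf('@');
  return at > 0 ? { name: selector.slice(0, at), scope: selector.slice(at + 1) }
                : { name: selector, scope: null };
}
// A caret scope such as "^1" only covers versions sharing that major.
function inScope(scope, version) {
  return scope === null || semver(scope).major === semver(version).major;
}
// override: { selector, forces, patchedIn }; consumers: [{ range, resolvesTo }] with
// resolvesTo = what the consumer gets without the override. Returns 'not-in-tree',
// 'redundant', 'major-jump' (forces a still-vulnerable consumer across a major) or 'effective'.
function auditOverride(override, consumers) {
  const { scope } = parseSelector(override.selector);
  const affected = consumers.filter(c => inScope(scope, c.resolvesTo));
  if (affected.length === 0) return 'not-in-tree';
  const vulnerable = affected.filter(c => cmp(c.resolvesTo, override.patchedIn) < 0);
  if (vulnerable.length === 0) return 'redundant';
  const forcedMajor = semver(override.forces).major;
  return vulnerable.some(c => semver(c.resolvesTo).major !== forcedMajor) ? 'major-jump' : 'effective';
}
function auditAll(overrides, tree) {
  return Object.fromEntries(overrides.map(o =>
    [o.selector, auditOverride(o, tree[parseSelector(o.selector).name] || [])]));
}
// Constructed sample data: package names echo the commit message, but the ranges,
// resolved versions and patched-in thresholds are illustrative, not the real lockfile.
const TREE = {
  uuid: [{ range: '^11.0.0', resolvesTo: '11.1.1' }, { range: '^8.3.0', resolvesTo: '8.3.2' }],
  qs: [{ range: '^6.12.0', resolvesTo: '6.14.2' }],
  yaml: [{ range: '^1.10.0', resolvesTo: '1.10.2' }, { range: '^2.3.0', resolvesTo: '2.8.0' }],
};
const OVERRIDES = [
  { selector: 'uuid', forces: '14.0.0', patchedIn: '14.0.0' },
  { selector: 'qs', forces: '6.15.0', patchedIn: '6.14.0' },
  { selector: 'yaml@^1', forces: '1.10.2', patchedIn: '1.10.2' },
  { selector: 'form-data', forces: '4.0.4', patchedIn: '4.0.4' },
];
```

Running `auditAll(OVERRIDES, TREE)` reports the unscoped uuid override as a major jump, qs and the scoped yaml@^1 override as redundant, and form-data as not in the tree.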