
[compliance] bump uuid dependency in typeid-js #594

Merged
loreto merged 1 commit into jetify-com:main from kp-anatoli-belski:fix/typeid-js-uuid-bump
Jun 29, 2026

Conversation

@kp-anatoli-belski

Contributor

Fixes jetify-com/typeid-js#21

Summary

Bump uuid from ^10.0.0 to ^11.1.1 to resolve GHSA-w5hq-g745-h8pq (missing buffer bounds check in v3/v5/v6 when a caller-provided buf is used). Bump package version to 1.2.1.

Remove @types/uuid from devDependencies since uuid v11+ ships its own TypeScript types.

No source code changes. typeid-js only uses stringify and v7 from uuid. The vulnerable buffer APIs are not called. This is a dependency/audit fix for downstream consumers.

How was it tested?

  • pnpm test - 109 tests pass
  • pnpm run build - CJS, ESM, and DTS build succeed
  • npm audit --omit=dev - 0 vulnerabilities

Community Contribution License

All community contributions in this pull request are licensed to the project maintainers under the terms of the Apache 2 License.

By creating this pull request I represent that I have the right to license the contributions to the project maintainers under the Apache 2 License as stated in the Community Contribution License.

@LucilleH

Contributor

@Lagoja @loreto @mikeland73 can any one of you take a look?

@loreto

loreto commented Jun 29, 2026

Contributor

LGTM

@loreto loreto merged commit 4b47352 into jetify-com:main Jun 29, 2026
9 of 10 checks passed

Labels: None yet

3 participants