
Fix uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided#3656

Open
ilan7empest wants to merge 1 commit into mlrun:development from ilan7empest:ML-12483

Conversation

@ilan7empest (Member) commented Apr 27, 2026

📝 Description


🛠️ Changes Made

Situation
The app already depended on uuid@^14.0.0, which includes the GHSA-w5hq-g745-h8pq fix (buffer bounds for v3/v5/v6).
Transitive copies were still older: Storybook on 9.x, Cucumber on 11.x, and cucumber-html-reporter on the legacy 3.x line.

Change

  1. overrides.uuid: "^14.0.0" so every consumer of the modern uuid package resolves to ≥ 14.0.0 (aligned with the patched release).

  2. overrides.cucumber-html-reporter.uuid: "^3.4.0" so that package keeps npm uuid@3.x. A flat override to 14 breaks it: it loads uuid/v4, which is not in the exports of uuid@14 (ERR_PACKAGE_PATH_NOT_EXPORTED). That old major is a different implementation than the one in the advisory (src/v35.ts / v6.ts on the current package).

Checks

  • npm ls uuid: app + Storybook + Cucumber → 14.0.0; cucumber-html-reporter → 3.4.0 nested.
  • require('cucumber-html-reporter') succeeds.
  • On 14.0.0, v4 / v5 / v6 with an 8-byte buffer and offset 4 all throw RangeError (matches the intended fix).
package.json, lines 58-62:

```json
  "overrides": {
    "uuid": "^14.0.0",
    "cucumber-html-reporter": {
      "uuid": "^3.4.0"
    },
```

Note: scanners may still report uuid@3.4.0 under cucumber-html-reporter. If you need a clean audit there too, the durable approach is to move off cucumber-html-reporter or use a fork/release that depends on modern uuid and updated imports.


✅ Checklist

  • I have given the PR a well-structured title describing the domain and the specific change that was made
  • I tested the changes in the browser (locally or via preview build)
  • I confirmed that existing tests pass
  • I added or updated unit / integration tests (if needed)
  • I checked that this change doesn’t introduce new console warnings or lint / formatting errors
  • I updated the relevant Jira ticket with the appropriate details and status

🔗 References

  • Related ticket / issue: ML-12483
  • Figma / design spec:
  • Documentation:

🚨 Potentially Breaking Changes

  • Yes
  • No

Includes DRC change

  • Yes
  • No

If yes -> requires bump NPM version


🔍 Additional Notes


📸 Screenshots / Demos


@ilan7empest ilan7empest self-assigned this Apr 27, 2026
@ilan7empest ilan7empest added the dependencies Pull requests that update a dependency file label Apr 27, 2026
@ilan7empest ilan7empest requested a review from muli-cohen April 27, 2026 07:54

Labels

dependencies Pull requests that update a dependency file


3 participants