Summary
The uuid package is currently at ^9.0.1 in package.json. A buffer overflow vulnerability (GHSA-w5hq-g745-h8pq) affects v3, v5, and v6 generation when a caller-supplied buf argument is too small.
Severity: MODERATE
Impact
If any code path passes a custom buf argument to uuid.v3(), uuid.v5(), or uuid.v6(), an undersized buffer can be written beyond its bounds. Current usage appears to call uuid.v4() without a custom buffer (low direct risk), but the package should be updated to eliminate the vulnerability.
Remediation
Update uuid to >=11.1.1 in package.json:
Note: This is a major version bump (v9 → v11). Confirm that all uuid.v4() / uuid.v1() call sites remain API-compatible before merging.
References
Summary
The
uuidpackage is currently at^9.0.1inpackage.json. A buffer overflow vulnerability (GHSA-w5hq-g745-h8pq) affects v3, v5, and v6 generation when a caller-suppliedbufargument is too small.Severity: MODERATE
Impact
If any code path passes a custom
bufargument touuid.v3(),uuid.v5(), oruuid.v6(), an undersized buffer can be written beyond its bounds. Current usage appears to calluuid.v4()without a custom buffer (low direct risk), but the package should be updated to eliminate the vulnerability.Remediation
Update
uuidto>=11.1.1inpackage.json:Note: This is a major version bump (v9 → v11). Confirm that all
uuid.v4()/uuid.v1()call sites remain API-compatible before merging.References