Skip to content

Security: Update uuid to v11+ to fix buffer overflow in v3/v5/v6 encode paths #245

Description

@LucasMaupin

Summary

The uuid package is currently at ^9.0.1 in package.json. A buffer overflow vulnerability (GHSA-w5hq-g745-h8pq) affects v3, v5, and v6 generation when a caller-supplied buf argument is too small.

Severity: MODERATE

Impact

If any code path passes a custom buf argument to uuid.v3(), uuid.v5(), or uuid.v6(), an undersized buffer can be written beyond its bounds. Current usage appears to call uuid.v4() without a custom buffer (low direct risk), but the package should be updated to eliminate the vulnerability.

Remediation

Update uuid to >=11.1.1 in package.json:

npm install uuid@latest

Note: This is a major version bump (v9 → v11). Confirm that all uuid.v4() / uuid.v1() call sites remain API-compatible before merging.

References

Metadata

Metadata

Assignees

No one assigned

    Labels

    bugSomething isn't workingdependenciesPull requests that update a dependency file

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions