
fix(gremlin-js): bump uuid ^9.0.1 → ^11.1.1 to fix GHSA-w5hq-g745-h8pq #3459

Open
vavsab wants to merge 1 commit into apache:3.7-dev from vavsab:fix/uuid-cve-3.8-dev

Conversation

@vavsab vavsab commented Jun 15, 2026


What

Bumps the uuid dependency in gremlin-javascript from ^9.0.1 to ^11.1.1.

Why

uuid < 11.1.1 is affected by GHSA-w5hq-g745-h8pq — a missing buffer bounds check in v3/v5/v6 UUID generation when a user-supplied buf argument is provided. The advisory is rated moderate severity.

Change

- "uuid": "^9.0.1"
+ "uuid": "^11.1.1"
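Review bot: the range jumps uuid across two major versions (^9.0.1 to ^11.1.1), but the description's "No other changes" does not say whether gremlin-javascript's own uuid calls were checked against whatever a major bump signals (API removals, a changed minimum Node.js version in the package's engines field), so add one sentence recording that check and a changelog entry for the security fix; also note that this only moves the direct dependency, so any nested copy of uuid that a transitive dependency pins in package-lock.json needs to be verified separately before the advisory can be called closed.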

package-lock.json updated accordingly. No other changes.

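Bumping the direct dependency only moves the top-level copy; a transitive dependency that pins an older uuid keeps its own nested copy in package-lock.json. The following is an added example for this review, not the PR's or TinkerPop's code: it audits every copy of a package in a lockfile v2/v3 `packages` map against the first patched version. The lockfile object and the package name `some-dep` are constructed for illustration; v1 lockfiles (a nested `dependencies` tree) are not handled.

```javascript
// Added example for this review, not the PR's or TinkerPop's code: find every copy
// of a package in package-lock.json (lockfile v2/v3 "packages" map), nested copies
// included, whose version is below the first patched release.
// SAMPLE_LOCKFILE and "some-dep" are constructed for illustration.
const SAMPLE_LOCKFILE = {
  name: 'gremlin',
  lockfileVersion: 3,
  packages: {
    '': { name: 'gremlin', dependencies: { uuid: '^11.1.1' } },
    'node_modules/uuid': { version: '11.1.1' },
    // hypothetical transitive dependency that still pins an old uuid
    'node_modules/some-dep': { version: '1.0.0', dependencies: { uuid: '^9.0.1' } },
    'node_modules/some-dep/node_modules/uuid': { version: '9.0.1' },
  },
};

// "MAJOR.MINOR.PATCH[-prerelease][+build]" -> comparable parts; build metadata is ignored.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(String(v).trim());
  if (!m) throw new TypeError(`not a semver version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] ? m[4].split('.') : null };
}

// Negative/zero/positive like a sort comparator. A prerelease sorts below the
// release with the same numbers; identifiers compare numerically when both are
// numeric, otherwise as ASCII strings (semver spec item 11).
function compareSemver(a, b) {
  const x = parseSemver(a), y = parseSemver(b);
  for (const k of ['major', 'minor', 'patch']) if (x[k] !== y[k]) return x[k] - y[k];
  if (!x.pre && !y.pre) return 0;
  if (!x.pre) return 1;
  if (!y.pre) return -1;
  const n = Math.min(x.pre.length, y.pre.length);
  for (let i = 0; i < n; i++) {
    const p = x.pre[i], q = y.pre[i];
    if (p === q) continue;
    const pn = /^\d+$/.test(p), qn = /^\d+$/.test(q);
    if (pn && qn) return Number(p) - Number(q);
    if (pn !== qn) return pn ? -1 : 1; // numeric identifiers sort before alphanumeric ones
    return p < q ? -1 : 1;
  }
  return x.pre.length - y.pre.length;
}

// Every lockfile entry that is a copy of `pkg` (top-level or nested) below `fixedIn`.
function findVulnerableCopies(lock, pkg, fixedIn) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const isCopy = path === `node_modules/${pkg}` || path.endsWith(`/node_modules/${pkg}`);
    if (!isCopy || !entry.version) continue;
    if (compareSemver(entry.version, fixedIn) < 0) hits.push({ path, version: entry.version });
  }
  return hits;
}

// Against a real lockfile: auditLockfile('package-lock.json', 'uuid', '11.1.1')
function auditLockfile(file, pkg, fixedIn) {
  const lock = JSON.parse(require('fs').readFileSync(file, 'utf8'));
  return findVulnerableCopies(lock, pkg, fixedIn);
}
```

Because it reads the lockfile rather than node_modules, this can be run on the PR's checked-in package-lock.json during review without installing anything; `npm ls uuid` after an install gives the same tree from the other direction.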
vavsab commented Jun 15, 2026


@spmallette Could you please merge and release this PR?

Cole-Greer (Contributor) commented

@vavsab Thanks for opening this PR. It would be ideal to target this PR to 3.7-dev to get the fix included in both 3.7.7 and 3.8.2. Would you be willing to retarget the PR? Otherwise, I could help with cherry-picking it back upon merging.

VOTE +1

codecov-commenter commented Jun 15, 2026


Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 75.53%. Comparing base (4722890) to head (9249e02).
⚠️ Report is 3 commits behind head on 3.7-dev.

Additional details and impacted files
@@              Coverage Diff              @@
##             3.7-dev    #3459      +/-   ##
=============================================
+ Coverage      75.49%   75.53%   +0.03%     
- Complexity     13161    13165       +4     
=============================================
  Files           1092     1092              
  Lines          67208    67208              
  Branches        7391     7391              
=============================================
+ Hits           50742    50763      +21     
+ Misses         13837    13816      -21     
  Partials        2629     2629              


vavsab changed the base branch from 3.8-dev to 3.7-dev on June 15, 2026 16:29
vavsab force-pushed the fix/uuid-cve-3.8-dev branch from 83c3df2 to 9249e02 on June 15, 2026 16:33
vavsab commented Jun 15, 2026

> @vavsab Thanks for opening this PR. It would be ideal to target this PR to 3.7-dev to get the fix included in both 3.7.7 and 3.8.2. Would you be willing to retarget the PR? Otherwise, I could help with cherry-picking it back upon merging.
>
> VOTE +1

@Cole-Greer ✅ Done!
