fix: override uuid to ^14.0.0 to patch GHSA-w5hq-g745-h8pq

brendan-kellam · claude · brendan-kellam · commit bdf32f0ddbf5 · 2026-04-23T12:30:11.000-07:00
Fixes SOU-981 Adds a yarn resolution forcing `uuid@^14.0.0` across the workspace, consolidating the five vulnerable copies (9.0.1, 10.0.0, 11.1.0, 13.0.0) pulled transitively via bullmq, @sentry/webpack-plugin, @posthog/ai, @langchain/core, langchain, langsmith, @langchain/langgraph, and @langchain/langgraph-sdk into a single non-vulnerable version. GHSA-w5hq-g745-h8pq describes missing buffer bounds checks in uuid's v3/v5/v6 APIs when a caller-provided `buf` is passed. A call-site audit showed the vulnerable code path is not reachable in this tree (no consumer passes a `buf` argument), so the override is a cleanup to silence SCA alerts rather than a fix for a live runtime issue. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
diff --git a/package.json b/package.json
@@ -57,6 +57,7 @@
         "yaml@npm:^2.8.0": "^2.8.3",
         "ajv@npm:^6.12.4": "^6.14.0",
         "smol-toml@npm:^1.6.0": "^1.6.1",
-        "teeny-request@npm:^10.0.0": "^10.1.2"
+        "teeny-request@npm:^10.0.0": "^10.1.2",
+        "uuid": "^14.0.0"
     }
 }
diff --git a/yarn.lock b/yarn.lock
@@ -21831,39 +21831,12 @@ __metadata:
   languageName: node
   linkType: hard
 
-"uuid@npm:10.0.0, uuid@npm:^10.0.0":
-  version: 10.0.0
-  resolution: "uuid@npm:10.0.0"
-  bin:
-    uuid: dist/bin/uuid
-  checksum: 10c0/eab18c27fe4ab9fb9709a5d5f40119b45f2ec8314f8d4cf12ce27e4c6f4ffa4a6321dc7db6c515068fa373c075b49691ba969f0010bf37f44c37ca40cd6bf7fe
-  languageName: node
-  linkType: hard
-
-"uuid@npm:^11.1.0":
-  version: 11.1.0
-  resolution: "uuid@npm:11.1.0"
-  bin:
-    uuid: dist/esm/bin/uuid
-  checksum: 10c0/34aa51b9874ae398c2b799c88a127701408cd581ee89ec3baa53509dd8728cbb25826f2a038f9465f8b7be446f0fbf11558862965b18d21c993684297628d4d3
-  languageName: node
-  linkType: hard
-
-"uuid@npm:^13.0.0":
-  version: 13.0.0
-  resolution: "uuid@npm:13.0.0"
+"uuid@npm:^14.0.0":
+  version: 14.0.0
+  resolution: "uuid@npm:14.0.0"
   bin:
     uuid: dist-node/bin/uuid
-  checksum: 10c0/950e4c18d57fef6c69675344f5700a08af21e26b9eff2bf2180427564297368c538ea11ac9fb2e6528b17fc3966a9fd2c5049361b0b63c7d654f3c550c9b3d67
-  languageName: node
-  linkType: hard
-
-"uuid@npm:^9.0.0":
-  version: 9.0.1
-  resolution: "uuid@npm:9.0.1"
-  bin:
-    uuid: dist/bin/uuid
-  checksum: 10c0/1607dd32ac7fc22f2d8f77051e6a64845c9bce5cd3dd8aa0070c074ec73e666a1f63c7b4e0f4bf2bc8b9d59dc85a15e17807446d9d2b17c8485fbc2147b27f9b
+  checksum: 10c0/a57ae7794c45005c1a9208989196c5baf79a7679c30f43c1bee9033a2c4d113a2cea216fa6fcc9663b08b0d55635df1a7c6eb7e7f3d21c3e50688c698fa39a50
   languageName: node
   linkType: hard
 

Original file line number	Diff line number	Diff line change
`@@ -57,6 +57,7 @@`
`57`	`57`	`"yaml@npm:^2.8.0": "^2.8.3",`
`58`	`58`	`"ajv@npm:^6.12.4": "^6.14.0",`
`59`	`59`	`"smol-toml@npm:^1.6.0": "^1.6.1",`
`60`		`- "teeny-request@npm:^10.0.0": "^10.1.2"`
	`60`	`+ "teeny-request@npm:^10.0.0": "^10.1.2",`
	`61`	`+ "uuid": "^14.0.0"`
`61`	`62`	`}`
`62`	`63`	`}`