From bdf32f0ddbf5ec682c0e6a76449b046eb235a642 Mon Sep 17 00:00:00 2001
From: Brendan Kellam
Date: Thu, 23 Apr 2026 12:30:11 -0700
Subject: [PATCH 1/3] fix: override uuid to ^14.0.0 to patch GHSA-w5hq-g745-h8pq

Fixes SOU-981

Adds a yarn resolution forcing `uuid@^14.0.0` across the workspace, consolidating the five vulnerable copies (9.0.1, 10.0.0, 11.1.0, 13.0.0) pulled transitively via bullmq, @sentry/webpack-plugin, @posthog/ai, @langchain/core, langchain, langsmith, @langchain/langgraph, and @langchain/langgraph-sdk into a single non-vulnerable version.

GHSA-w5hq-g745-h8pq describes missing buffer bounds checks in uuid's v3/v5/v6 APIs when a caller-provided `buf` is passed. A call-site audit showed the vulnerable code path is not reachable in this tree (no consumer passes a `buf` argument), so the override is a cleanup to silence SCA alerts rather than a fix for a live runtime issue.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
package.json | 3 ++-
yarn.lock | 35 ++++------------------------------
2 files changed, 6 insertions(+), 32 deletions(-)

diff --git a/package.json b/package.json
index 3f55e8daa..64bee556d 100644
--- a/package.json
+++ b/package.json
@@ -57,6 +57,7 @@
 "yaml@npm:^2.8.0": "^2.8.3",
 "ajv@npm:^6.12.4": "^6.14.0",
 "smol-toml@npm:^1.6.0": "^1.6.1",
- "teeny-request@npm:^10.0.0": "^10.1.2"
+ "teeny-request@npm:^10.0.0": "^10.1.2",
+ "uuid": "^14.0.0"
 }
 }
diff --git a/yarn.lock b/yarn.lock
index e478964f1..def04dd4b 100644
--- a/yarn.lock
+++ b/yarn.lock
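Review bot: The new resolution key `"uuid"` is unscoped, unlike the neighbouring entries (`"yaml@npm:^2.8.0"`, `"teeny-request@npm:^10.0.0"`) that each override a single requested range, so it will also silently rewrite any future `uuid` request in the workspace — including a direct dependency added later — to 14.x, and it moves consumers that asked for `^9.0.0`, `10.0.0`/`^10.0.0` and `^11.1.0` across several major versions in one step (the lockfile hunk shows the package's bin path moving from `dist/bin/uuid` to `dist-node/bin/uuid` over those majors, which hints at packaging changes between them). Given that the commit message already establishes the vulnerable `buf` path is unreachable here, the change buys SCA hygiene at the cost of possible runtime breakage in bullmq and the langchain/langsmith packages, so it would be safer to scope the override per request range, e.g. `"uuid@npm:^9.0.0": "^14.0.0",` and `"uuid@npm:^10.0.0": "^14.0.0",` (likewise for `10.0.0`, `^11.1.0` and `^13.0.0`), so an unrelated future `uuid` request is not overridden unnoticed. package.json cannot carry a comment, so the reachability argument and a note that the affected consumers were exercised under 14.x belong in the PR description or changelog rather than next to the override.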
@@ -21831,39 +21831,12 @@ __metadata:
 languageName: node
 linkType: hard
-"uuid@npm:10.0.0, uuid@npm:^10.0.0":
- version: 10.0.0
- resolution: "uuid@npm:10.0.0"
- bin:
- uuid: dist/bin/uuid
- checksum: 10c0/eab18c27fe4ab9fb9709a5d5f40119b45f2ec8314f8d4cf12ce27e4c6f4ffa4a6321dc7db6c515068fa373c075b49691ba969f0010bf37f44c37ca40cd6bf7fe
- languageName: node
- linkType: hard
-
-"uuid@npm:^11.1.0":
- version: 11.1.0
- resolution: "uuid@npm:11.1.0"
- bin:
- uuid: dist/esm/bin/uuid
- checksum: 10c0/34aa51b9874ae398c2b799c88a127701408cd581ee89ec3baa53509dd8728cbb25826f2a038f9465f8b7be446f0fbf11558862965b18d21c993684297628d4d3
- languageName: node
- linkType: hard
-
-"uuid@npm:^13.0.0":
- version: 13.0.0
- resolution: "uuid@npm:13.0.0"
+"uuid@npm:^14.0.0":
+ version: 14.0.0
+ resolution: "uuid@npm:14.0.0"
 bin:
 uuid: dist-node/bin/uuid
- checksum: 10c0/950e4c18d57fef6c69675344f5700a08af21e26b9eff2bf2180427564297368c538ea11ac9fb2e6528b17fc3966a9fd2c5049361b0b63c7d654f3c550c9b3d67
- languageName: node
- linkType: hard
-
-"uuid@npm:^9.0.0":
- version: 9.0.1
- resolution: "uuid@npm:9.0.1"
- bin:
- uuid: dist/bin/uuid
- checksum: 10c0/1607dd32ac7fc22f2d8f77051e6a64845c9bce5cd3dd8aa0070c074ec73e666a1f63c7b4e0f4bf2bc8b9d59dc85a15e17807446d9d2b17c8485fbc2147b27f9b
+ checksum: 10c0/a57ae7794c45005c1a9208989196c5baf79a7679c30f43c1bee9033a2c4d113a2cea216fa6fcc9663b08b0d55635df1a7c6eb7e7f3d21c3e50688c698fa39a50
 languageName: node
 linkType: hard
From 851a40d2d2ce677e856f7e0a6c9c758ae13ddb2d Mon Sep 17 00:00:00 2001
From: Brendan Kellam
Date: Thu, 23 Apr 2026 12:30:44 -0700
Subject: [PATCH 2/3] docs: add CHANGELOG entry for uuid bump

Co-Authored-By: Claude Opus 4.7 (1M context)
---
CHANGELOG.md | 1 +
1 file changed, 1 insertion(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 72e04670c..12d28c671 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -12,6 +12,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Fixed
 - Fixed a missing error boundary in `getFileSourceForRepo` introduced in v4.16.14: the function was extracted outside `sew()` but still re-threw unrecognised git exceptions, causing fatal Next.js task-runner errors. All error paths now return a `ServiceError`. Also tightened the error message for unresolved git refs (e.g. an unfetched `head_sha`) to distinguish them from syntactically invalid refs. [#1145](https://github.com/sourcebot-dev/sourcebot/pull/1145)
+- Bumped transitive `uuid` dependency to `^14.0.0` via a yarn resolution to patch GHSA-w5hq-g745-h8pq. [#1147](https://github.com/sourcebot-dev/sourcebot/pull/1147)
 ## [4.16.14] - 2026-04-21
From 2cfd94297769e9ac64b74c3408b3c31a4a3e4c66 Mon Sep 17 00:00:00 2001
From: Brendan Kellam
Date: Thu, 23 Apr 2026 12:31:42 -0700
Subject: [PATCH 3/3] changelog edit

---
CHANGELOG.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 12d28c671..b3d8829ab 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -12,7 +12,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Fixed
 - Fixed a missing error boundary in `getFileSourceForRepo` introduced in v4.16.14: the function was extracted outside `sew()` but still re-threw unrecognised git exceptions, causing fatal Next.js task-runner errors. All error paths now return a `ServiceError`. Also tightened the error message for unresolved git refs (e.g. an unfetched `head_sha`) to distinguish them from syntactically invalid refs. [#1145](https://github.com/sourcebot-dev/sourcebot/pull/1145)
-- Bumped transitive `uuid` dependency to `^14.0.0` via a yarn resolution to patch GHSA-w5hq-g745-h8pq. [#1147](https://github.com/sourcebot-dev/sourcebot/pull/1147)
+- Bumped transitive `uuid` dependency to `^14.0.0`. [#1147](https://github.com/sourcebot-dev/sourcebot/pull/1147)
 ## [4.16.14] - 2026-04-21