Summary
Dependabot alert #242 reports that uuid versions < 14.0.0 have a buffer out-of-bounds write vulnerability (GHSA-w5hq-g745-h8pq, CWE-787, CWE-1285). The fix is to upgrade to uuid@14.0.0.
Severity: Medium (CVSS 4.0 score: 6.3)
Dependency chains
uuid is a transitive dependency — it is not declared directly in any workspace package.json. It is pulled in via two chains:
- packages/dl-center → aws-sdk@^2.1441.0 → uuid@8.0.0 (pinned exactly)
- Many packages → nyc@^15.1.0 → istanbul-lib-processinfo@2.0.3 → uuid@^8.3.2
Why an automated fix was not applied
The patched version requires uuid@14.0.0, which is a 6 major-version jump from the currently installed v8.x. There is no direct uuid entry in any workspace package.json to bump.
The only in-repo lever available without upgrading the direct dependencies is an npm overrides entry in the root package.json. However, applying overrides: { "uuid": "^14.0.0" } carries risk:
- aws-sdk (v2) pins uuid to exactly 8.0.0 internally. AWS SDK v2 is in long-term maintenance and is unlikely to release an update that migrates to uuid v14.
- istanbul-lib-processinfo@2.0.3 requires uuid@^8.3.2. Forcing v14 may break its internal logic if the API changed across major versions.
- Applying a blind override without testing could break dl-center S3 operations and code-coverage tooling across all workspace packages.
Recommended remediation paths
- Migrate packages/dl-center from aws-sdk (v2) to @aws-sdk/* (v3). The v3 SDK uses uuid v9+ in its own scoped dependencies and does not pin the old v8. This is the most correct long-term fix.
- Replace nyc with c8 (or upgrade to a newer coverage tool that does not transitively pull in uuid@^8.x). c8 uses V8's built-in coverage and has no uuid dependency.
- Add a targeted overrides entry after validating compatibility. If manual testing confirms aws-sdk v2 and istanbul-lib-processinfo still function correctly with uuid@14, add:

    "overrides": {
      "uuid": "^14.0.0"
    }

  to the root package.json and regenerate the lockfile. This approach should only be taken after explicit testing.
Alert references
Generated by Dependabot remediation agent