fix: override uuid to ^14.0.0 to patch GHSA-w5hq-g745-h8pq by brendan-kellam · Pull Request #1147 · sourcebot-dev/sourcebot

brendan-kellam · 2026-04-23T19:30:28Z

Fixes SOU-981

Summary

Adds a resolutions entry forcing uuid@^14.0.0 across the workspace, consolidating five vulnerable copies (9.0.1, 10.0.0, 11.1.0, 13.0.0) into one patched version.
Vulnerable copies were pulled transitively via bullmq, @sentry/webpack-plugin, @posthog/ai, @langchain/core, langchain, langsmith, @langchain/langgraph, and @langchain/langgraph-sdk.
GHSA-w5hq-g745-h8pq describes missing buffer bounds checks in uuid's v3/v5/v6 APIs when a caller-provided buf is passed. A call-site audit showed no consumer in this tree passes a buf argument, so the vulnerable code path is not reachable — this is an SCA-alert cleanup, not a fix for a live runtime issue.

Notes on the upgrade

uuid@14 drops CommonJS support (since v12) and requires Node 20+ (v14). Sourcebot ships on Node 24 with require(esm) support, and named-export require('uuid') usage from the CJS consumers (bullmq, @sentry/webpack-plugin) works cleanly.

Test plan

yarn install succeeds and yarn.lock consolidates to a single uuid@14.0.0
yarn build passes
yarn test passes
BullMQ job enqueue works end-to-end (worker/queue/flow-producer all call require('uuid'))
@sourcebot/web production build with Sentry release upload succeeds (@sentry/webpack-plugin)
LangGraph / @posthog/ai agent run succeeds (exercises v5/v6 call sites in langgraph-checkpoint and langsmith)

🤖 Generated with Claude Code

Summary by CodeRabbit

Chores
- Updated uuid dependency to version 14.0.0.

Fixes SOU-981 Adds a yarn resolution forcing `uuid@^14.0.0` across the workspace, consolidating the five vulnerable copies (9.0.1, 10.0.0, 11.1.0, 13.0.0) pulled transitively via bullmq, @sentry/webpack-plugin, @posthog/ai, @langchain/core, langchain, langsmith, @langchain/langgraph, and @langchain/langgraph-sdk into a single non-vulnerable version. GHSA-w5hq-g745-h8pq describes missing buffer bounds checks in uuid's v3/v5/v6 APIs when a caller-provided `buf` is passed. A call-site audit showed the vulnerable code path is not reachable in this tree (no consumer passes a `buf` argument), so the override is a cleanup to silence SCA alerts rather than a fix for a live runtime issue. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

coderabbitai · 2026-04-23T19:30:42Z

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 672d5c39-985b-42f3-9eb4-6757572aa865

📥 Commits

Reviewing files that changed from the base of the PR and between 0eb791b and 2cfd942.

⛔ Files ignored due to path filters (1)

yarn.lock is excluded by !**/yarn.lock, !**/*.lock

📒 Files selected for processing (2)

CHANGELOG.md
package.json

Walkthrough

Updates the transitive uuid dependency constraint to ^14.0.0 in the package.json resolutions section and documents this change in the changelog.

Changes

Cohort / File(s)	Summary
UUID Dependency Resolution Update `CHANGELOG.md`, `package.json`	Added changelog entry documenting the UUID transitive dependency update, and updated the package.json resolutions section to pin uuid to ^14.0.0.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Possibly related PRs

chore(deps): bump transitive dependencies #1092: Also modifies the package.json "resolutions" map to pin transitive dependencies, demonstrating a pattern of managing transitive dependency constraints.

✨ Finishing Touches

🧪 Generate unit tests (beta)

Create PR with unit tests
Commit unit tests in branch bkellam/fix-sou-981

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

github-actions · 2026-04-23T19:36:06Z

License Audit

❌ Status: FAIL

Metric	Count
Total packages	2054
Resolved (non-standard)	7
Unresolved	4
Strong copyleft	0
Weak copyleft	39

Fail Reasons

4 packages have unresolvable licenses: @react-grab/cli@0.1.23, @react-grab/cli@0.1.29, @react-grab/mcp@0.1.29, element-source@0.0.3

Unresolved Packages

Package	Version	License	Reason
@react-grab/cli	0.1.23	`UNKNOWN`	No license field on npm registry; no repository or homepage URL available for further investigation
@react-grab/cli	0.1.29	`UNKNOWN`	No license field on npm registry; no repository or homepage URL available for further investigation
@react-grab/mcp	0.1.29	`UNKNOWN`	No license field on npm registry; no repository or homepage URL available for further investigation
element-source	0.0.3	`UNKNOWN`	No license field on npm registry; no repository or homepage URL available for further investigation

Weak Copyleft Packages (informational)

Package	Version	License
@img/sharp-libvips-darwin-arm64	1.0.4	`LGPL-3.0-or-later`
@img/sharp-libvips-darwin-arm64	1.2.4	`LGPL-3.0-or-later`
@img/sharp-libvips-darwin-x64	1.0.4	`LGPL-3.0-or-later`
@img/sharp-libvips-darwin-x64	1.2.4	`LGPL-3.0-or-later`
@img/sharp-libvips-linux-arm	1.0.5	`LGPL-3.0-or-later`
@img/sharp-libvips-linux-arm	1.2.4	`LGPL-3.0-or-later`
@img/sharp-libvips-linux-arm64	1.0.4	`LGPL-3.0-or-later`
@img/sharp-libvips-linux-arm64	1.2.4	`LGPL-3.0-or-later`
@img/sharp-libvips-linux-ppc64	1.2.4	`LGPL-3.0-or-later`
@img/sharp-libvips-linux-riscv64	1.2.4	`LGPL-3.0-or-later`
@img/sharp-libvips-linux-s390x	1.0.4	`LGPL-3.0-or-later`
@img/sharp-libvips-linux-s390x	1.2.4	`LGPL-3.0-or-later`
@img/sharp-libvips-linux-x64	1.0.4	`LGPL-3.0-or-later`
@img/sharp-libvips-linux-x64	1.2.4	`LGPL-3.0-or-later`
@img/sharp-libvips-linuxmusl-arm64	1.0.4	`LGPL-3.0-or-later`
@img/sharp-libvips-linuxmusl-arm64	1.2.4	`LGPL-3.0-or-later`
@img/sharp-libvips-linuxmusl-x64	1.0.4	`LGPL-3.0-or-later`
@img/sharp-libvips-linuxmusl-x64	1.2.4	`LGPL-3.0-or-later`
@img/sharp-wasm32	0.33.5	`Apache-2.0 AND LGPL-3.0-or-later AND MIT`
@img/sharp-wasm32	0.34.5	`Apache-2.0 AND LGPL-3.0-or-later AND MIT`
@img/sharp-win32-arm64	0.34.5	`Apache-2.0 AND LGPL-3.0-or-later`
@img/sharp-win32-ia32	0.33.5	`Apache-2.0 AND LGPL-3.0-or-later`
@img/sharp-win32-ia32	0.34.5	`Apache-2.0 AND LGPL-3.0-or-later`
@img/sharp-win32-x64	0.33.5	`Apache-2.0 AND LGPL-3.0-or-later`
@img/sharp-win32-x64	0.34.5	`Apache-2.0 AND LGPL-3.0-or-later`
axe-core	4.10.3	`MPL-2.0`
dompurify	3.4.0	`(MPL-2.0 OR Apache-2.0)`
lightningcss	1.32.0	`MPL-2.0`
lightningcss-android-arm64	1.32.0	`MPL-2.0`
lightningcss-darwin-arm64	1.32.0	`MPL-2.0`
lightningcss-darwin-x64	1.32.0	`MPL-2.0`
lightningcss-freebsd-x64	1.32.0	`MPL-2.0`
lightningcss-linux-arm-gnueabihf	1.32.0	`MPL-2.0`
lightningcss-linux-arm64-gnu	1.32.0	`MPL-2.0`
lightningcss-linux-arm64-musl	1.32.0	`MPL-2.0`
lightningcss-linux-x64-gnu	1.32.0	`MPL-2.0`
lightningcss-linux-x64-musl	1.32.0	`MPL-2.0`
lightningcss-win32-arm64-msvc	1.32.0	`MPL-2.0`
lightningcss-win32-x64-msvc	1.32.0	`MPL-2.0`

Resolved Packages (7)

Package	Version	Original	Resolved	Source
codemirror-lang-elixir	4.0.0	`UNKNOWN`	`Apache-2.0`	npm page / GitHub repo (https://github.com/livebook-dev/codemirror-lang-elixir)
lezer-elixir	1.1.2	`UNKNOWN`	`Apache-2.0`	npm page / GitHub repo (https://github.com/livebook-dev/lezer-elixir)
map-stream	0.1.0	`UNKNOWN`	`MIT`	npm page / GitHub repo (https://github.com/dominictarr/map-stream)
memorystream	0.3.1	`UNKNOWN`	`MIT`	npm page / GitHub repo (https://github.com/JSBizon/node-memorystream)
pause-stream	0.0.11	`["MIT","Apache2"]`	`MIT OR Apache-2.0`	GitHub repo (https://github.com/dominictarr/pause-stream) - dual licensed, users may choose either
posthog-js	1.369.0	`SEE LICENSE IN LICENSE`	`Apache-2.0`	GitHub repo (https://github.com/PostHog/posthog-js) - LICENSE file confirms Apache-2.0
valid-url	1.0.9	`UNKNOWN`	`MIT`	GitHub repo (https://github.com/ogt/valid-url) - LICENSE file confirms MIT

This comment has been minimized.

Sign in to view

brendan-kellam and others added 2 commits April 23, 2026 12:30

docs: add CHANGELOG entry for uuid bump

851a40d

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

changelog edit

2cfd942

brendan-kellam merged commit 9abe2d4 into main Apr 23, 2026
6 of 7 checks passed

brendan-kellam deleted the bkellam/fix-sou-981 branch April 23, 2026 19:32

github-actions Bot mentioned this pull request Apr 23, 2026

Sourcebot Roadmap 🚀 #459

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

fix: override uuid to ^14.0.0 to patch GHSA-w5hq-g745-h8pq#1147

fix: override uuid to ^14.0.0 to patch GHSA-w5hq-g745-h8pq#1147
brendan-kellam merged 3 commits intomainfrom
bkellam/fix-sou-981

brendan-kellam commented Apr 23, 2026 •

edited by coderabbitai Bot

Loading

Uh oh!

This comment has been minimized.

coderabbitai Bot commented Apr 23, 2026 •

edited

Loading

Review failed

Uh oh!

Uh oh!

github-actions Bot commented Apr 23, 2026 •

edited

Loading

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Conversation

brendan-kellam commented Apr 23, 2026 • edited by coderabbitai Bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Summary

Notes on the upgrade

Test plan

Summary by CodeRabbit

Uh oh!

This comment has been minimized.

coderabbitai Bot commented Apr 23, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Review failed

Walkthrough

Changes

Estimated code review effort

Possibly related PRs

Uh oh!

Uh oh!

github-actions Bot commented Apr 23, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

License Audit

Fail Reasons

Unresolved Packages

Weak Copyleft Packages (informational)

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

brendan-kellam commented Apr 23, 2026 •

edited by coderabbitai Bot

Loading

coderabbitai Bot commented Apr 23, 2026 •

edited

Loading

github-actions Bot commented Apr 23, 2026 •

edited

Loading