chore(deps): bump uuid to ^11.1.1 (CVE-2026-41907)#3615
Conversation
Addresses npm audit warning for SNYK-JS-UUID-16133035. Note: SuperDoc was not actually vulnerable - we only use the 2-param signature which returns a string directly. The vulnerability only affects the 4-param signature that writes to a caller-provided buffer. Ref: SD-3361 Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
![cubic-dev-ai[bot]](https://avatars.githubusercontent.com/in/1082092?s=60&v=4){kind=small}
There was a problem hiding this comment.
cubic analysis
No issues found across 2 files
Linked issue analysis
Linked issue: SD-3361: Bump uuid dependency to fix npm audit warning
| Status | Acceptance criteria | Notes |
|---|---|---|
| ✅ | Bump uuid specifier in pnpm-workspace.yaml from ^9.0.1 to ^11.1.1 | pnpm-workspace.yaml shows uuid: ^11.1.1 replacing ^9.0.1. |
| ✅ | Update pnpm-lock.yaml to reflect uuid v11.1.1 (lockfile entries and package resolution) | pnpm-lock.yaml contains multiple updated uuid entries and adds uuid@11.1.1 in the packages section and snapshots. |
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: aefcb1a657
ℹ️ About Codex in GitHub
Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".
This comment was marked as outdated.
This comment was marked as outdated.
Sorry, something went wrong.
The previous lockfile was generated from a dirty working tree (importer entries for untracked local directories, super-editor/superdoc entries not matching the committed manifests) and failed frozen installs. Regenerated on current main with only the uuid catalog change applied; two consecutive regens produce byte-identical output. Beyond the uuid entries, the clean regen re-keys the docs mintlify chain's optional @types/node peer back to the catalog-pinned 22.19.2 and records the registry's new deprecated flag on @microsoft/teamsapp-cli.
uuid@11 bundles type declarations for every dist flavor, and the DefinitelyTyped package is now a deprecation stub. Removes the catalog entry and the two devDependency consumers.
Codecov Report✅ All modified and coverable lines are covered by tests. 📢 Thoughts on this report? Let us know! |
3 participants
Updates SuperDoc's direct uuid dependency from ^9.0.1 to ^11.1.1 in the workspace catalog to address the npm audit warning for SNYK-JS-UUID-16133035 (CVE-2026-41907). SuperDoc was not actually vulnerable: we only use the 2-param signature, which returns a string directly. The vulnerability only affects the 4-param signature that writes to a caller-provided buffer.
Scope: this clears the advisory for consumers of the published superdoc package, effective with the next release. Transitive uuid copies elsewhere in the workspace (dev and demo tooling) are out of scope here and would need a separate cleanup.
Also drops @types/uuid: uuid@11 ships its own type definitions and the DefinitelyTyped package is now a deprecation stub. The lockfile was regenerated from a clean checkout of current main.