
bump uuid to v14 to fix GHSA-9p95-fxvg-qgq2#5

Merged: emeitch merged 1 commit into main from fix/uuid-v14 on May 1, 2026

Conversation

@emeitch (Collaborator) commented Apr 30, 2026

Summary

Bumps uuid from ^9.0.1 to ^14.0.0 to remediate GHSA-9p95-fxvg-qgq2 (uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided). The advisory affects all uuid versions <14.0.0, so consumers of @thingsinc/treejs get flagged by Dependabot via this transitive dependency.

Changes

  • dependencies.uuid: ^9.0.1 → ^14.0.0
  • devDependencies.@types/uuid: removed (uuid v14 ships its own type definitions)
  • tsconfig.esm.json: added moduleResolution: "bundler"
  • tsconfig.cjs.json: added moduleResolution: "node10"

Why the tsconfig changes are needed

uuid v14 publishes its types only through the package exports field. The base tsconfig.json does not specify moduleResolution, so TypeScript falls back to "classic" resolution which doesn't honor exports and produces Cannot find module 'uuid' during typecheck.

To fix this without forcing strict ESM (which would require adding .js extensions to all relative imports), the per-build configs explicitly set:

  • ESM build: bundler — reads exports, no extension requirement, fits module: "esnext"
  • CJS build: node10 — legacy resolution that still finds uuid's top-level types field

bundler cannot be used with module: "commonjs", hence the split.

Verification

  • tsc --noEmit -p tsconfig.esm.json
  • tsc --noEmit -p tsconfig.cjs.json
  • biome check ./src
  • tsc -p tsconfig.cjs.json / tsc -p tsconfig.esm.json build both succeed
  • No source code change required (single uuid usage in src/tree.ts is import { v4 as uuid } from "uuid", identical signature in v14)

Notes

  • I did NOT bump the package version. Maintainer can run np to release 0.2.6 after merge.
  • I did NOT regenerate bun.lockb because I don't have bun installed locally. CI's bun install should pick up the new uuid version on first run; please verify.
  • I did NOT rebuild dist/. Source code is unchanged so the existing dist still matches semantically; rebuilding before publish (per the existing convention) will refresh artifacts.

🤖 Generated with Claude Code

uuid <14.0.0 is affected by GHSA-9p95-fxvg-qgq2 (Missing buffer bounds
check in v3/v5/v6 when buf is provided). Bumping uuid to ^14.0.0 closes
this transitive vulnerability for downstream consumers.

uuid v14 ships its own type definitions, so @types/uuid is no longer
required. uuid v14 also exposes types only via the package "exports"
field, which the legacy "classic" moduleResolution does not honor —
adding explicit moduleResolution to each tsconfig:

- tsconfig.esm.json: moduleResolution = "bundler"
  (bundler-style resolution, fits module: "esnext")
- tsconfig.cjs.json: moduleResolution = "node10"
  (legacy node, picks up uuid's top-level "types" field)

Verified with tsc --noEmit on both configs and biome check.
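Added example, not code from this PR or from the uuid package: the advisory the PR cites is a missing bounds check when a caller-supplied buf is handed to v3/v5/v6. The TypeScript below reconstructs that bug class on a constructed 16-byte id rather than on uuid's own code. writeUnchecked shows how an index-loop copy into a too-short Uint8Array drops the overflow silently, so the caller gets back a truncated id and no error; writeChecked is the hardened form that rejects the call before writing anything. uuidIsPatched is a small gate for the <14.0.0 range quoted above, handy when confirming what the regenerated lockfile actually resolved. All function names, the sample bytes and the reconstruction itself are assumptions made for this example.

```typescript
// Added illustration of the bug class behind GHSA-9p95-fxvg-qgq2 as the PR
// describes it (missing buffer bounds check when buf is provided). This is a
// reconstruction for demonstration, not uuid's source code.

const UUID_BYTES = 16;

// Constructed stand-in for the 16 bytes a v3/v5/v6 generator would emit.
export const SAMPLE_ID = new Uint8Array([
  0x6b, 0xa7, 0xb8, 0x10, 0x9d, 0xad, 0x11, 0xd1,
  0x80, 0xb4, 0x00, 0xc0, 0x4f, 0xd4, 0x30, 0xc8,
]);

// Vulnerable pattern: copy byte-by-byte into the caller's buffer with no length
// check. Index writes past the end of a Uint8Array (and of a Node Buffer, which
// subclasses it) are silently discarded, so a short buffer comes back holding a
// truncated id and nothing fails.
export function writeUnchecked(id: Uint8Array, buf: Uint8Array, offset = 0): Uint8Array {
  for (let i = 0; i < UUID_BYTES; i++) {
    buf[offset + i] = id[i];
  }
  return buf;
}

// Hardened form: validate offset and remaining room before touching buf.
export function writeChecked(id: Uint8Array, buf: Uint8Array, offset = 0): Uint8Array {
  if (!Number.isInteger(offset) || offset < 0 || offset + UUID_BYTES > buf.length) {
    throw new RangeError(
      `buf needs ${UUID_BYTES} bytes at offset ${offset}, but only ${buf.length - offset} remain`,
    );
  }
  buf.set(id.subarray(0, UUID_BYTES), offset);
  return buf;
}

// Count how many leading bytes of id actually landed in buf at offset.
export function landedBytes(buf: Uint8Array, id: Uint8Array, offset = 0): number {
  let n = 0;
  while (n < UUID_BYTES && offset + n < buf.length && buf[offset + n] === id[n]) {
    n++;
  }
  return n;
}

// Major-version gate for the range the advisory quotes: every uuid < 14.0.0 is
// affected. Feed it the concrete version from `npm ls uuid` or `bun pm ls`.
export function uuidIsPatched(version: string): boolean {
  const m = /^v?(\d+)\.\d+\.\d+/.exec(version.trim());
  return m !== null && Number(m[1]) >= 14;
}

// Run the three cases and report the observable outcome of each.
export function demo(): { uncheckedLanded: number; checkedThrows: boolean; okLanded: number } {
  const short = new Uint8Array(10);
  writeUnchecked(SAMPLE_ID, short);                     // returns normally
  const uncheckedLanded = landedBytes(short, SAMPLE_ID); // 10 of 16: silently truncated

  let checkedThrows = false;
  try {
    writeChecked(SAMPLE_ID, new Uint8Array(10));        // same short buffer, now rejected
  } catch (e) {
    checkedThrows = e instanceof RangeError;
  }

  const roomy = new Uint8Array(32);
  writeChecked(SAMPLE_ID, roomy, 16);                   // 16 bytes fit at offset 16
  const okLanded = landedBytes(roomy, SAMPLE_ID, 16);   // all 16 present

  return { uncheckedLanded, checkedThrows, okLanded };
}
```

The point of keeping writeUnchecked next to writeChecked is the failure mode: a typed-array index write out of range is not an exception in JavaScript, so the only symptom of the unchecked path is an id with fewer than 16 meaningful bytes, which is exactly the kind of defect that passes a test suite that never inspects the buffer length.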
@emeitch emeitch requested a review from uki1014 April 30, 2026 08:31
@uki1014 (Collaborator) left a comment


LGTM!

@emeitch emeitch merged commit c6d8ffb into main May 1, 2026
2 checks passed
@emeitch emeitch deleted the fix/uuid-v14 branch May 1, 2026 01:17