chore(deps): bump uuid to ^14.0.0 (GHSA-w5hq-g745-h8pq)#3680
Addresses GHSA-w5hq-g745-h8pq (Dependabot #29): uuid < 14.0.0 is missing buffer bounds checks in v3/v5/v6 when a caller-provided buffer is passed, allowing silent partial writes. Our usage is limited to v4()/validate/version with no caller buffers, so there's no direct exposure, but bumping to 14.0.0 clears the alert.
CodeRabbit: No actionable comments were generated in the recent review.
Greptile Summary
This PR bumps
Confidence Score: 5/5
Safe to merge — minimal, targeted dependency bump with verified lockfile resolution and no API-breaking concerns for the project's actual uuid usage. The change is a one-line version range update in two package.json files plus the corresponding lockfile update. The security advisory only affects v3/v5/v6 with caller-provided buffers, and the project uses only v4(), validate, and version. Typechecks were verified per the test plan. The only note is two transitive uuid@13.0.0 entries remaining in the lockfile from upstream dependencies, which is informational and not a regression introduced by this PR. No files require special attention beyond the informational note on the two residual uuid@13.0.0 transitive entries in bun.lock.
| Filename | Overview |
|---|---|
| apps/desktop/package.json | Bumps uuid dependency from ^13.0.0 to ^14.0.0 to address GHSA-w5hq-g745-h8pq. |
| packages/local-db/package.json | Bumps uuid dependency from ^13.0.0 to ^14.0.0 to address GHSA-w5hq-g745-h8pq. |
| bun.lock | Lockfile resolved to uuid@14.0.0 for top-level packages; new nested entries @mastra/mcp/uuid and @types/uuid/uuid are pinned at uuid@13.0.0 (transitive deps outside this repo's control). |
Flowchart

```mermaid
%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[bun.lock top-level] -->|resolves to| B["uuid@14.0.0 (patched)"]
    C[apps/desktop/package.json] -->|"^14.0.0"| B
    D[packages/local-db/package.json] -->|"^14.0.0"| B
    E["@mastra/mcp nested dep"] -->|still pins| F["uuid@13.0.0 (transitive)"]
    G["@types/uuid nested dep"] -->|still pins| F
```
Lockfile context (bun.lock, around line 6313, the entries the review comment refers to):

```jsonc
"@mastra/mcp/@mastra/core": ["@mastra/core@1.25.0", "", { "dependencies": { "@a2a-js/sdk": "~0.2.5", "@ai-sdk/provider-utils-v5": "npm:@ai-sdk/provider-utils@3.0.23", "@ai-sdk/provider-utils-v6": "npm:@ai-sdk/provider-utils@4.0.23", "@ai-sdk/provider-v5": "npm:@ai-sdk/provider@2.0.1", "@ai-sdk/provider-v6": "npm:@ai-sdk/provider@3.0.8", "@ai-sdk/ui-utils-v5": "npm:@ai-sdk/ui-utils@1.2.11", "@isaacs/ttlcache": "^2.1.4", "@lukeed/uuid": "^2.0.1", "@mastra/schema-compat": "1.2.8", "@modelcontextprotocol/sdk": "^1.27.1", "@sindresorhus/slugify": "^2.2.1", "@standard-schema/spec": "^1.1.0", "ajv": "^8.18.0", "chat": "^4.24.0", "dotenv": "^17.3.1", "execa": "^9.6.1", "gray-matter": "^4.0.3", "hono": "^4.12.8", "hono-openapi": "^1.3.0", "ignore": "^7.0.5", "js-tiktoken": "^1.0.21", "json-schema": "^0.4.0", "lru-cache": "^11.2.7", "p-map": "^7.0.4", "p-retry": "^7.1.1", "picomatch": "^4.0.3", "radash": "^12.1.1", "tokenx": "^1.3.0", "ws": "^8.19.0", "xxhash-wasm": "^1.1.0" }, "peerDependencies": { "zod": "^3.25.0 || ^4.0.0" } }, "sha512-4dkDXtufKWRO5Y7ic2JIgHpSSty5uYhqjiS2JfbKb3uV7rNpty8Fp5vSKC1ept08UudKAd5CcZWLNeKSP5816A=="],

"@mastra/mcp/uuid": ["uuid@13.0.0", "", { "bin": { "uuid": "dist-node/bin/uuid" } }, "sha512-XQegIaBTVUjSHliKqcnFqYypAd4S+WCYt5NIeRs6w/UAry7z8Y9j5ZwRRL4kzq9U3sD6v+85er9FvkEaBpji2w=="],
```
Greptile comment on bun.lock, line 6313:

**Transitive `uuid@13.0.0` still present in lockfile**
The upgrade to `uuid@14.0.0` at the top level is correct, but Bun has now created two new nested dependency entries that still pin `uuid@13.0.0`:
- `@mastra/mcp/uuid` → `uuid@13.0.0`
- `@types/uuid/uuid` → `uuid@13.0.0`
These entries mean that `@mastra/mcp` (a transitive dependency) and the `@types/uuid` package still resolve to the vulnerable version internally. This PR can't directly fix them since they're controlled by upstream packages, but it's worth being aware that Dependabot or other scanners may still flag `uuid@13.0.0` in the lockfile even after this bump. You may want to open an issue upstream for `@mastra/mcp` to update its peer dependency range, or apply an overrides/resolutions entry if you want to force the entire tree to `uuid@14.0.0`.
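As an added check (not code from the PR, from Greptile, or from the uuid project), the script below shows how the residual-pin situation in the comment above can be caught mechanically: it parses bun.lock-style entries, reports every install path where `uuid` still resolves below 14.0.0, and prints the `overrides` fragment the comment suggests. The sample lockfile text is constructed from the entries shown in this PR, with placeholder integrity hashes.

```javascript
// Added example (not from the PR): scan bun.lock-style text for a package whose
// resolved version is below the patched minimum. Lock entries have the shape
//   "<install path>": ["<name>@<version>", "<registry>", {...}, "<integrity>"]
const ENTRY_RE = /^\s*"([^"]+)":\s*\["([^"]*?)@(\d+)\.(\d+)\.(\d+)"/;

function parseLockEntries(lockText) {
  const entries = [];
  for (const line of lockText.split("\n")) {
    const m = ENTRY_RE.exec(line);
    if (!m) continue;
    entries.push({
      path: m[1], // install path, e.g. "@mastra/mcp/uuid"
      name: m[2], // package name; scoped names keep their leading "@"
      version: [Number(m[3]), Number(m[4]), Number(m[5])],
    });
  }
  return entries;
}

// True when a is strictly lower than b, comparing major, minor, patch in turn.
function versionLess(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i];
  }
  return false;
}

// Every install path of `name` that still resolves below `minVersion`.
function findBelow(lockText, name, minVersion) {
  return parseLockEntries(lockText)
    .filter((e) => e.name === name && versionLess(e.version, minVersion))
    .map((e) => `${e.path} -> ${e.name}@${e.version.join(".")}`);
}

// Constructed sample modelled on the lockfile lines in this PR; the
// integrity hashes are placeholders, not real values.
const SAMPLE_LOCK = `
    "uuid": ["uuid@14.0.0", "", { "bin": { "uuid": "dist-node/bin/uuid" } }, "sha512-PLACEHOLDER"],
    "@mastra/mcp/@mastra/core": ["@mastra/core@1.25.0", "", { "dependencies": {} }, "sha512-PLACEHOLDER"],
    "@mastra/mcp/uuid": ["uuid@13.0.0", "", { "bin": { "uuid": "dist-node/bin/uuid" } }, "sha512-PLACEHOLDER"],
    "@types/uuid/uuid": ["uuid@13.0.0", "", { "bin": { "uuid": "dist-node/bin/uuid" } }, "sha512-PLACEHOLDER"],
`;

// package.json fragment that forces the whole tree onto the patched range
// (Bun reads "overrides"; "resolutions" is the Yarn-style spelling of the same idea).
const UUID_OVERRIDE = { overrides: { uuid: "^14.0.0" } };

const residual = findBelow(SAMPLE_LOCK, "uuid", [14, 0, 0]);
if (residual.length > 0) {
  console.log("uuid still below 14.0.0 at:\n  " + residual.join("\n  "));
  console.log("add to package.json: " + JSON.stringify(UUID_OVERRIDE));
}
```

Run it against the real `bun.lock` by reading the file into `findBelow` instead of `SAMPLE_LOCK`; an empty result after adding the override confirms the tree has been forced to the patched range.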
Summary
- Bump `uuid` from `^13.0.0` to `^14.0.0` in `apps/desktop` and `packages/local-db` to clear Dependabot alert #29 (GHSA-w5hq-g745-h8pq).
- `uuid` < 14.0.0 is missing buffer bounds checks in `v3`/`v5`/`v6` when a caller-provided buffer is passed. Our usage is limited to `v4()`, `validate`, and `version` with no caller buffers, so there's no direct exposure — this just clears the alert.

Test plan
- `bun install` — lockfile resolves `uuid@14.0.0`
- `bun run --filter '@superset/local-db' typecheck`
- `bun run --filter '@superset/desktop' typecheck`
Summary by cubic
Bump `uuid` to `^14.0.0` in `apps/desktop` and `packages/local-db` to resolve GHSA-w5hq-g745-h8pq and clear Dependabot alert #29. No behavior changes; we only use `v4()`, `validate`, and `version` without caller buffers.
- Bumped `uuid` to `^14.0.0` and refreshed `bun.lock`.
- The advisory affects `v3`/`v5`/`v6` when a caller-provided buffer is used.
Written for commit 0609406. Summary will update on new commits.