fix(deps): CVE-2026-41907#6978
Conversation
✅ Snyk checks have passed. No issues have been found so far.
💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse. |
684458f to
7b28706
Compare
| $npmCmd = "C:\Program Files\nodejs\npm.cmd" | ||
| Write-Host "Upgrading npm to npm@^11.10 ..." | ||
| & $npmCmd install -g "npm@^11.10" | ||
| Write-Host "Upgrading npm to npm@^11.12.1 ..." |
There was a problem hiding this comment.
context: minimum requirement for the new @snyk/code-client@4.26.2
This comment has been minimized.
This comment has been minimized.
| }, | ||
| "@tapjs/processinfo": { | ||
| "uuid": "^11.1.1" | ||
| } |
There was a problem hiding this comment.
"@snyk/error-catalog-nodejs-public": {
"uuid@<11.1.1": "^11.1.1"
},
"snyk-nodejs-lockfile-parser": {
"uuid@<11.1.1": "^11.1.1"
},
"jest-junit": {
"uuid@<11.1.1": "^11.1.1"
},
"@tapjs/processinfo": {
"uuid@<11.1.1": "^11.1.1"
}
There was a problem hiding this comment.
Thank you! Nice catch!
7b28706 to
465fd77
Compare
| "snyk-nodejs-lockfile-parser": { | ||
| "uuid@<11.1.1": "^11.1.1" | ||
| }, | ||
| "jest-junit": { |
There was a problem hiding this comment.
context: devDep to be upgraded in a separate PR; same with tap; (lockfile changes would be big ([+2,415; -1,818 i)
There was a problem hiding this comment.
tapjs should also be a dev dependency.
There was a problem hiding this comment.
They (tapjs, jest-junit) are. Sorry, what I mean is that in order to have them use a patched UUID, I have to upgrade these devDeps to a newer major version, which will in turn do big changes to the lockfile.
So what I did instead was to override their transitive UUID package version. 😅
PR Reviewer Guide 🔍
|
| "strip-ansi": "^6.0.1", | ||
| "tar": "^7.5.8", | ||
| "uuid": "^8.3.2", | ||
| "uuid": "^11.1.1", |
There was a problem hiding this comment.
question: is this a direct or transitive dependency? asking because it is a quite big bump. I find the current approach in devDependencies more reasonable.
There was a problem hiding this comment.
We also use uuid directly (example) (it can't be fixed by upgrading devDeps alone).

Pull Request Submission Checklist
are release-note ready, emphasizing
what was changed, not how.
What does this PR do?
Where should the reviewer start?
How should this be manually tested?
npm cimake buildsucceedWhat's the product update that needs to be communicated to CLI users?
Fix for CVE-2026-41907 (medium vulnerability)
What are the relevant tickets?
CLI-1504