Skip to content

fix(deps): CVE-2026-41907#6978

Open
octavian-snyk wants to merge 1 commit into
mainfrom
fix/CLI-1504-bump-uuid
Open

fix(deps): CVE-2026-41907#6978
octavian-snyk wants to merge 1 commit into
mainfrom
fix/CLI-1504-bump-uuid

Conversation

@octavian-snyk

@octavian-snyk octavian-snyk commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

Pull Request Submission Checklist

  • Follows CONTRIBUTING guidelines
  • Commit messages
    are release-note ready, emphasizing
    what was changed, not how.
  • Includes detailed description of changes
  • Contains risk assessment (Low | Medium | High)
  • Highlights breaking API changes (if applicable)
  • Links to automated tests covering new functionality
  • Includes manual testing instructions (if necessary)
  • Updates relevant GitBook documentation (PR link: ___)
  • Includes product update to be announced in the next stable release notes

What does this PR do?

Where should the reviewer start?

How should this be manually tested?

npm ci
make build succeed

What's the product update that needs to be communicated to CLI users?

Fix for CVE-2026-41907 (medium vulnerability)

What are the relevant tickets?

CLI-1504

@snyk-io

snyk-io Bot commented Jul 8, 2026

Copy link
Copy Markdown

Snyk checks have passed. No issues have been found so far.

Status Scan Engine Critical High Medium Low Total (0)
Open Source Security 0 0 0 0 0 issues
Licenses 0 0 0 0 0 issues
Code Security 0 0 0 0 0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

@octavian-snyk octavian-snyk force-pushed the fix/CLI-1504-bump-uuid branch from 684458f to 7b28706 Compare July 9, 2026 07:31
$npmCmd = "C:\Program Files\nodejs\npm.cmd"
Write-Host "Upgrading npm to npm@^11.10 ..."
& $npmCmd install -g "npm@^11.10"
Write-Host "Upgrading npm to npm@^11.12.1 ..."

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

context: minimum requirement for the new @snyk/code-client@4.26.2

@octavian-snyk octavian-snyk marked this pull request as ready for review July 9, 2026 08:22
@octavian-snyk octavian-snyk requested a review from a team as a code owner July 9, 2026 08:22
@snyk-pr-review-bot

This comment has been minimized.

Comment thread package.json
},
"@tapjs/processinfo": {
"uuid": "^11.1.1"
}

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

"@snyk/error-catalog-nodejs-public": {
  "uuid@<11.1.1": "^11.1.1"
},
"snyk-nodejs-lockfile-parser": {
  "uuid@<11.1.1": "^11.1.1"
},
"jest-junit": {
  "uuid@<11.1.1": "^11.1.1"
},
"@tapjs/processinfo": {
  "uuid@<11.1.1": "^11.1.1"
}

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you! Nice catch!

@octavian-snyk octavian-snyk force-pushed the fix/CLI-1504-bump-uuid branch from 7b28706 to 465fd77 Compare July 10, 2026 07:34
Comment thread package.json
"snyk-nodejs-lockfile-parser": {
"uuid@<11.1.1": "^11.1.1"
},
"jest-junit": {

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

context: devDep to be upgraded in a separate PR; same with tap; (lockfile changes would be big ([+2,415; -1,818 i)

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

But isn't this a dev dependecy? 😅

Image

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

tapjs should also be a dev dependency.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

They (tapjs, jest-junit) are. Sorry, what I mean is that in order to have them use a patched UUID, I have to upgrade these devDeps to a newer major version, which will in turn do big changes to the lockfile.
So what I did instead was to override their transitive UUID package version. 😅

@snyk-pr-review-bot

Copy link
Copy Markdown

PR Reviewer Guide 🔍

🧪 No relevant tests
🔒 No security concerns identified
⚡ Recommended focus areas for review

High-risk Dependency Override 🟠 [major]

Forcing uuid@^11.1.1 via overrides on snyk-nodejs-lockfile-parser and jest-junit is highly likely to cause runtime errors. uuid version 9 and above introduced significant breaking changes, including the removal of the default export and changes to the CLI path. If these packages depend on uuid v3, v7, or v8 (which their original lockfile entries suggest), they will likely fail with 'TypeError: uuid.v4 is not a function' or similar errors when trying to import the module.

"@snyk/error-catalog-nodejs-public@4.0.4": {
  "uuid@<11.1.1": "^11.1.1"
},
"snyk-nodejs-lockfile-parser": {
  "uuid@<11.1.1": "^11.1.1"
},
"jest-junit": {
  "uuid@<11.1.1": "^11.1.1"
},
"@tapjs/processinfo": {
  "uuid@<11.1.1": "^11.1.1"
}
📚 Repository Context Analyzed

This review considered 11 relevant code sections from 3 files (average relevance: 0.59)

🤖 Repository instructions applied (from AGENTS.md)

Comment thread package.json
"strip-ansi": "^6.0.1",
"tar": "^7.5.8",
"uuid": "^8.3.2",
"uuid": "^11.1.1",

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

question: is this a direct or transitive dependency? asking because it is a quite big bump. I find the current approach in devDependencies more reasonable.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We also use uuid directly (example) (it can't be fixed by upgrading devDeps alone).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants