From bf337d6802484ef12a2103446e07b04694e2222f Mon Sep 17 00:00:00 2001
From: Claude Code
Date: Thu, 28 May 2026 16:04:59 +0000
Subject: [PATCH] fix(deps): patch uuid bounds-check and postcss XSS advisories via overrides

- Add npm overrides forcing uuid >= 11.1.1 (GHSA-w5hq-g745-h8pq, missing buffer bounds check in v3/v5/v6 when buf is provided).
- Bump direct postcss dep to ^8.5.10 and add matching override to clear next's transitive 8.4.31 pin (GHSA-qx2v-qp2m-jg93, XSS via unescaped in CSS stringify output).

Drops npm audit from 21 vulnerabilities to 9; the 9 remaining all chain to the OpenTelemetry Prometheus exporter advisory (GHSA-q7rr-3cgh-j5r3), which requires a 0.52 -> 0.217 major bump on @opentelemetry/sdk-node and would break Genkit at runtime, so it's deferred.
---
 package-lock.json | 76 ++++------------------------------------------
 package.json | 6 ++--
 2 files changed, 9 insertions(+), 73 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index 1772d20..febc5c0 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -81,7 +81,7 @@
 "eslint": "^10.4.0",
 "eslint-config-next": "^16.2.6",
 "genkit-cli": "1.36.0",
- "postcss": "^8.5.6",
+ "postcss": "^8.5.10",
 "tailwindcss": "^4.1.18",
 "typescript": "5.9.3",
 "vitest": "^4.1.7"
@@ -1765,20 +1765,6 @@
 "integrity": "sha512-iwDZqg0QAGrg9Rav5H4n0M64c3mkR59cJ6wQp+7C4nI0gsmExaedaYLNO44eT4AtBBwjbTiGPMlt2Md0T9H9JQ==",
 "license": "MIT"
 },
- "node_modules/@genkit-ai/ai/node_modules/uuid": {
- "version": "10.0.0",
- "resolved": "https://registry.npmjs.org/uuid/-/uuid-10.0.0.tgz",
- "integrity": "sha512-8XkAphELsDnEGrDxUOHB3RGvXz6TeuYSGEZBOjtTtPm2lwhGBjLgOzLHB63IUWfBpNucQjND6d3AOudO+H3RWQ==",
- "deprecated": "uuid@10 and below is no longer supported. For ESM codebases, update to uuid@latest. For CommonJS codebases, use uuid@11 (but be aware this version will likely be deprecated in 2028).",
- "funding": [
- "https://github.com/sponsors/broofa",
- "https://github.com/sponsors/ctavan"
- ],
- "license": "MIT",
- "bin": {
- "uuid": "dist/bin/uuid"
- }
- },
 "node_modules/@genkit-ai/compat-oai": {
 "version": "1.36.0",
 "resolved": "https://registry.npmjs.org/@genkit-ai/compat-oai/-/compat-oai-1.36.0.tgz",
@@ -11999,16 +11985,6 @@
 "node": ">=10"
 }
 },
- "node_modules/eventid/node_modules/uuid": {
- "version": "8.3.2",
- "resolved": "https://registry.npmjs.org/uuid/-/uuid-8.3.2.tgz",
- "integrity": "sha512-+NYs2QeMWy+GWFOEm9xnn6HCDp0l7QBD7ml8zLUmJ+93Q5NF0NocErnwkTkXVFNiX3/fpC6afS8Dhb/gz7R7eg==",
- "deprecated": "uuid@10 and below is no longer supported. For ESM codebases, update to uuid@latest. For CommonJS codebases, use uuid@11 (but be aware this version will likely be deprecated in 2028).",
- "license": "MIT",
- "bin": {
- "uuid": "dist/bin/uuid"
- }
- },
 "node_modules/events": {
 "version": "3.3.0",
 "resolved": "https://registry.npmjs.org/events/-/events-3.3.0.tgz",
@@ -12792,19 +12768,6 @@
 "genkit": "dist/bin/genkit.js"
 }
 },
- "node_modules/genkit/node_modules/uuid": {
- "version": "10.0.0",
- "resolved": "https://registry.npmjs.org/uuid/-/uuid-10.0.0.tgz",
- "integrity": "sha512-8XkAphELsDnEGrDxUOHB3RGvXz6TeuYSGEZBOjtTtPm2lwhGBjLgOzLHB63IUWfBpNucQjND6d3AOudO+H3RWQ==",
- "funding": [
- "https://github.com/sponsors/broofa",
- "https://github.com/sponsors/ctavan"
- ],
- "license": "MIT",
- "bin": {
- "uuid": "dist/bin/uuid"
- }
- },
 "node_modules/gensync": {
 "version": "1.0.0-beta.2",
 "resolved": "https://registry.npmjs.org/gensync/-/gensync-1.0.0-beta.2.tgz",
@@ -15874,34 +15837,6 @@
 "react-dom": "^16.8 || ^17 || ^18 || ^19 || ^19.0.0-rc"
 }
 },
- "node_modules/next/node_modules/postcss": {
- "version": "8.4.31",
- "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.4.31.tgz",
- "integrity": "sha512-PS08Iboia9mts/2ygV3eLpY5ghnUcfLV/EXTOW1E2qYxJKGGBUtNjN76FYHnMs36RmARn41bC0AZmn+rR0OVpQ==",
- "funding": [
- {
- "type": "opencollective",
- "url": "https://opencollective.com/postcss/"
- },
- {
- "type": "tidelift",
- "url": "https://tidelift.com/funding/github/npm/postcss"
- },
- {
- "type": "github",
- "url": "https://github.com/sponsors/ai"
- }
- ],
- "license": "MIT",
- "dependencies": {
- "nanoid": "^3.3.6",
- "picocolors": "^1.0.0",
- "source-map-js": "^1.0.2"
- },
- "engines": {
- "node": "^10 || ^12 || >=14"
- }
- },
 "node_modules/node-domexception": {
 "version": "1.0.0",
 "resolved": "https://registry.npmjs.org/node-domexception/-/node-domexception-1.0.0.tgz",
@@ -19712,17 +19647,16 @@
 }
 },
 "node_modules/uuid": {
- "version": "9.0.1",
- "resolved": "https://registry.npmjs.org/uuid/-/uuid-9.0.1.tgz",
- "integrity": "sha512-b+1eJOlsR9K8HJpow9Ok3fiWOWSIcIzXodvv0rQjVoOVNpWMpxf1wZNpt4y9h10odCNrqnYp1OBzRktckBe3sA==",
- "deprecated": "uuid@10 and below is no longer supported. For ESM codebases, update to uuid@latest. For CommonJS codebases, use uuid@11 (but be aware this version will likely be deprecated in 2028).",
+ "version": "11.1.1",
+ "resolved": "https://registry.npmjs.org/uuid/-/uuid-11.1.1.tgz",
+ "integrity": "sha512-vIYxrBCC/N/K+Js3qSN88go7kIfNPssr/hHCesKCQNAjmgvYS2oqr69kIufEG+O4+PfezOH4EbIeHCfFov8ZgQ==",
 "funding": [
 "https://github.com/sponsors/broofa",
 "https://github.com/sponsors/ctavan"
 ],
 "license": "MIT",
 "bin": {
- "uuid": "dist/bin/uuid"
+ "uuid": "dist/esm/bin/uuid"
 }
 },
 "node_modules/valibot": {
diff --git a/package.json b/package.json
index deb0693..90ef55f 100644
--- a/package.json
+++ b/package.json
@@ -105,7 +105,7 @@
 "eslint": "^10.4.0",
 "eslint-config-next": "^16.2.6",
 "genkit-cli": "1.36.0",
- "postcss": "^8.5.6",
+ "postcss": "^8.5.10",
 "tailwindcss": "^4.1.18",
 "typescript": "5.9.3",
 "vitest": "^4.1.7"
@@ -114,6 +114,8 @@
 "tiny-secp256k1": "npm:@bitcoinerlab/secp256k1@^1.1.1",
 "google-auth-library": "^10.2.0",
 "zod": "^3.25.76",
- "valibot": "^1.4.1"
+ "valibot": "^1.4.1",
+ "uuid": "^11.1.1",
+ "postcss": "^8.5.10"
 }
 }
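Review bot: The `"uuid": "^11.1.1"` entry in the package.json overrides hunk (`@@ -114,6 +114,8 @@`) forces @genkit-ai/ai, eventid and genkit off the nested uuid 10.0.0 / 8.3.2 copies they resolved before, which is a major-version change those packages never declared support for, and nothing in the commit records that their uuid-using paths were exercised after the override. The lockfile hunks confirm the three nested copies collapsed onto a single 11.1.1 whose bin moved to `dist/esm/bin/uuid`, so any CommonJS consumer now depends on v11 keeping a CJS entry point; the deprecation text on the removed lines does point CommonJS users at uuid@11, which makes this plausible but still unverified here. Because package.json cannot carry comments, I would extend the commit message (or a short note beside the overrides) to name the advisory each override closes and the condition for dropping it, e.g. `uuid override: GHSA-w5hq-g745-h8pq; remove once @genkit-ai/ai, eventid and genkit declare uuid >=11`, and the same for the postcss override against next's 8.4.31 pin, so the forced resolutions do not outlive their reason. The enclosing overrides object begins outside the hunk.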