fix(deps): update dependency uuid to v14 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
uuid	^9.0.1 → ^14.0.0

---

uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided

GHSA-w5hq-g745-h8pq

More information

Details

Summary

v3, v5, and v6 accept external output buffers but do not reject out-of-range writes (small buf or large offset).
By contrast, v4, v1, and v7 explicitly throw RangeError on invalid bounds.

This inconsistency allows silent partial writes into caller-provided buffers.

Affected code

• src/v35.ts (v3/v5 path) writes buf[offset + i] without bounds validation.
• src/v6.ts writes buf[offset + i] without bounds validation.

Reproducible PoC

cd /home/StrawHat/uuid
npm ci
npm run build

node --input-type=module -e "
import {v4,v5,v6} from './dist-node/index.js';
const ns='6ba7b810-9dad-11d1-80b4-00c04fd430c8';
for (const [name,fn] of [
  ['v4',()=>v4({},new Uint8Array(8),4)],
  ['v5',()=>v5('x',ns,new Uint8Array(8),4)],
  ['v6',()=>v6({},new Uint8Array(8),4)],
]) {
  try { fn(); console.log(name,'NO_THROW'); }
  catch(e){ console.log(name,'THREW',e.name); }
}"

Observed:

• v4 THREW RangeError
• v5 NO_THROW
• v6 NO_THROW

Example partial overwrite evidence captured during audit:

same true buf [
  170, 170, 170, 170,
   75, 224, 100,  63
]
v6 [
  187, 187, 187, 187,
   31,  19, 185,  64
]

Security impact

• Primary: integrity/robustness issue (silent partial output).
• If an application assumes full UUID writes into preallocated buffers, this can produce malformed/truncated/partially stale identifiers without error.
• In systems where caller-controlled offsets/buffer sizes are exposed indirectly, this may become a security-relevant logic flaw.

Suggested fix

Add the same guard used by v4/v1/v7:

if (offset < 0 || offset + 16 > buf.length) {
  throw new RangeError(`UUID byte range ${offset}:${offset + 15} is out of buffer bounds`);
}

Apply to:

• src/v35.ts (covers v3 and v5)
• src/v6.ts

Severity

• CVSS Score: 6.3 / 10 (Medium)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

References

• https://github.com/uuidjs/uuid/security/advisories/GHSA-w5hq-g745-h8pq
• https://github.com/uuidjs/uuid/commit/3d2c5b0342f0fcb52a5ac681c3d47c13e7444b34
• https://github.com/uuidjs/uuid/releases/tag/v14.0.0
• https://github.com/advisories/GHSA-w5hq-g745-h8pq

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

uuidjs/uuid (uuid)

v14.0.0

Compare Source

Security

• Fixes GHSA-w5hq-g745-h8pq: v3(), v5(), and v6() did not validate that writes would remain within the bounds of a caller-supplied buffer, allowing out-of-bounds writes when an invalid offset was provided. A RangeError is now thrown if offset < 0 or offset + 16 > buf.length.

⚠ BREAKING CHANGES

• crypto is now expected to be globally defined (requires node@​20+) (#​935)
• drop node@​18 support (#​934)
• upgrade minimum supported TypeScript version to 5.4.3, in keeping with the project's policy of supporting TypeScript versions released within the last two years

v13.0.1

Compare Source

Bug Fixes

• backport fix for GHSA-w5hq-g745-h8pq (9d27ddf)

v13.0.0

Compare Source

⚠ BREAKING CHANGES

• make browser exports the default (#​901)

Bug Fixes

• make browser exports the default (#​901) (bce9d72)

v12.0.1

Compare Source

v12.0.0

Compare Source

⚠ BREAKING CHANGES

• update to typescript@​5.2 (#​887)
• remove CommonJS support (#​886)
• drop node@​16 support (#​883)

Features

• add node@​24 to ci matrix (#​879) (42b6178)
• drop node@​16 support (#​883) (0f38cf1)
• remove CommonJS support (#​886) (ae786e2)
• update to typescript@​5.2 (#​887) (c7ee405)

Bug Fixes

• improve v4() performance (#​894) (5fd974c)
• restore node: prefix (#​889) (e1f42a3)

v11.1.1

Compare Source

v11.1.0

Compare Source

Features

• update TS types to allowUint8Array subtypes for buffer option (#​865) (a5231e7)

v11.0.5

Compare Source

Bug Fixes

• add TS unit test, pin to typescript@​5.0.4 (#​860) (24ac2fd)

v11.0.4

Compare Source

Bug Fixes

• docs: insure -> ensure (#​843) (d2a61e1)
• exclude tests from published package (#​840) (f992ff4)
• Test for invalid byte array sizes and ranges in v1(), v4(), and v7() (#​845) (e0ee900)

v11.0.3

Compare Source

Bug Fixes

• apply stricter typing to the v* signatures (#​831) (c2d3fed)
• export internal uuid types (#​833) (341edf4)
• remove sourcemaps (#​827) (b93ea10)
• revert "simplify type for v3 and v5" (#​835) (e2dee69)

v11.0.2

Compare Source

Bug Fixes

• remove wrapper.mjs (#​822) (6683ad3)

v11.0.1

Compare Source

Bug Fixes

• restore package.json#browser field (#​817) (ae8f386)

v11.0.0

Compare Source

⚠ BREAKING CHANGES

• refactor v1 internal state and options logic (#​780)
• refactor v7 internal state and options logic, fixes #​764 (#​779)
• Port to TypeScript, closes #​762 (#​763)
• update node support matrix (only support node 16-20) (#​750)

Features

• Port to TypeScript, closes #​762 (#​763) (1e0f987)
• update node support matrix (only support node 16-20) (#​750) (883b163)

Bug Fixes

• missing v7 expectations in browser spec (#​751) (f54a866)
• refactor v1 internal state and options logic (#​780) (031b3d3)
• refactor v7 internal state and options logic, fixes #​764 (#​779) (9dbd1cd)
• remove v4 options default assignment preventing native.randomUUID from being used (#​786) (afe6232), closes #​763
• seq_hi shift for byte 6 (#​775) (1d532ca)
• tsconfig module type (#​778) (7eff835)

v10.0.0

Compare Source

⚠ BREAKING CHANGES

• update node support (drop node@​12, node@​14, add node@​20) (#​750)

Features

• support support rfc9562 MAX uuid (new in RFC9562) (#​714) (0385cd3)
• support rfc9562 v6 uuids (#​754) (c4ed13e)
• support rfc9562 v7 uuids (#​681) (db76a12)
• update node support matrix (only support node 16-20) (#​750) (883b163)
• support rfc9562 v8 uuids (#​759) (35a5342)

Bug Fixes

• revert "perf: remove superfluous call to toLowerCase (#​677)" (#​738) (e267b90)

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[netlify]

✅ Deploy Preview for brilliant-pasca-3e80ec canceled.

Name	Link
🔨 Latest commit	8774449
🔍 Latest deploy log	https://app.netlify.com/projects/brilliant-pasca-3e80ec/deploys/69f7a4e7d7c898000872e9ad

[github-actions]

🚀 Performance Test Results

Test Configuration:

• VUs: 4
• Duration: 1m0s

Test Metrics:

• Requests/s: 47.45
• Iterations/s: 15.82
• Failed Requests: 0.00% (0 of 2855)

📜 Logs

> performance@1.0.0 run-tests:testenv /home/runner/work/rafiki/rafiki/test/performance
> ./scripts/run-tests.sh -e test -k -q --vus 4 --duration 1m

Cloud Nine GraphQL API is up: http://localhost:3101/graphql
Cloud Nine Wallet Address is up: http://localhost:3100/
Happy Life Bank Address is up: http://localhost:4100/
cloud-nine-wallet-test-backend already set
cloud-nine-wallet-test-auth already set
happy-life-bank-test-backend already set
happy-life-bank-test-auth already set
     data_received..................: 1.0 MB 17 kB/s
     data_sent......................: 2.2 MB 36 kB/s
     http_req_blocked...............: avg=7.33µs   min=2.06µs   med=5.53µs   max=690.39µs p(90)=6.81µs   p(95)=7.86µs  
     http_req_connecting............: avg=356ns    min=0s       med=0s       max=365.37µs p(90)=0s       p(95)=0s      
     http_req_duration..............: avg=83.61ms  min=6.46ms   med=68.71ms  max=379.48ms p(90)=145.85ms p(95)=164.87ms
       { expected_response:true }...: avg=83.61ms  min=6.46ms   med=68.71ms  max=379.48ms p(90)=145.85ms p(95)=164.87ms
     http_req_failed................: 0.00%  ✓ 0         ✗ 2855
     http_req_receiving.............: avg=95.61µs  min=25.19µs  med=83.19µs  max=2.66ms   p(90)=122.18µs p(95)=162.13µs
     http_req_sending...............: avg=35.64µs  min=7.62µs   med=28.28µs  max=1.88ms   p(90)=41.84µs  p(95)=56.43µs 
     http_req_tls_handshaking.......: avg=0s       min=0s       med=0s       max=0s       p(90)=0s       p(95)=0s      
     http_req_waiting...............: avg=83.48ms  min=6.33ms   med=68.59ms  max=379.41ms p(90)=145.69ms p(95)=164.74ms
     http_reqs......................: 2855   47.451546/s
     iteration_duration.............: avg=252.42ms min=162.66ms med=241.43ms max=804.72ms p(90)=312ms    p(95)=355.2ms 
     iterations.....................: 952    15.822722/s
     vus............................: 4      min=4       max=4 
     vus_max........................: 4      min=4       max=4