fix(deps): update dependency uuid to v14 [security]

[renovate-bot]

This PR contains the following updates:

Package	Change	Age	Confidence
uuid	^9.0.0 → ^14.0.0
uuid	^11.1.0 → ^14.0.0
uuid	^8.0.0 → ^14.0.0
uuid	^10.0.0 → ^14.0.0
uuid	^8.3.2 → ^14.0.0
uuid	8.0.0 → 14.0.0

---

uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided

GHSA-w5hq-g745-h8pq

More information

Details

Summary

v3, v5, and v6 accept external output buffers but do not reject out-of-range writes (small buf or large offset).
By contrast, v4, v1, and v7 explicitly throw RangeError on invalid bounds.

This inconsistency allows silent partial writes into caller-provided buffers.

Affected code

• src/v35.ts (v3/v5 path) writes buf[offset + i] without bounds validation.
• src/v6.ts writes buf[offset + i] without bounds validation.

Reproducible PoC

cd /home/StrawHat/uuid
npm ci
npm run build

node --input-type=module -e "
import {v4,v5,v6} from './dist-node/index.js';
const ns='6ba7b810-9dad-11d1-80b4-00c04fd430c8';
for (const [name,fn] of [
  ['v4',()=>v4({},new Uint8Array(8),4)],
  ['v5',()=>v5('x',ns,new Uint8Array(8),4)],
  ['v6',()=>v6({},new Uint8Array(8),4)],
]) {
  try { fn(); console.log(name,'NO_THROW'); }
  catch(e){ console.log(name,'THREW',e.name); }
}"

Observed:

• v4 THREW RangeError
• v5 NO_THROW
• v6 NO_THROW

Example partial overwrite evidence captured during audit:

same true buf [
  170, 170, 170, 170,
   75, 224, 100,  63
]
v6 [
  187, 187, 187, 187,
   31,  19, 185,  64
]

Security impact

• Primary: integrity/robustness issue (silent partial output).
• If an application assumes full UUID writes into preallocated buffers, this can produce malformed/truncated/partially stale identifiers without error.
• In systems where caller-controlled offsets/buffer sizes are exposed indirectly, this may become a security-relevant logic flaw.

Suggested fix

Add the same guard used by v4/v1/v7:

if (offset < 0 || offset + 16 > buf.length) {
  throw new RangeError(`UUID byte range ${offset}:${offset + 15} is out of buffer bounds`);
}

Apply to:

• src/v35.ts (covers v3 and v5)
• src/v6.ts

Severity

• CVSS Score: 6.3 / 10 (Medium)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

References

• https://github.com/uuidjs/uuid/security/advisories/GHSA-w5hq-g745-h8pq
• https://github.com/uuidjs/uuid/commit/3d2c5b0342f0fcb52a5ac681c3d47c13e7444b34
• https://github.com/uuidjs/uuid/releases/tag/v14.0.0
• https://github.com/advisories/GHSA-w5hq-g745-h8pq

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

uuidjs/uuid (uuid)

v14.0.0

Compare Source

Security

• Fixes GHSA-w5hq-g745-h8pq: v3(), v5(), and v6() did not validate that writes would remain within the bounds of a caller-supplied buffer, allowing out-of-bounds writes when an invalid offset was provided. A RangeError is now thrown if offset < 0 or offset + 16 > buf.length.

⚠ BREAKING CHANGES

• crypto is now expected to be globally defined (requires node@​20+) (#​935)
• drop node@​18 support (#​934)
• upgrade minimum supported TypeScript version to 5.4.3, in keeping with the project's policy of supporting TypeScript versions released within the last two years

v13.0.0

Compare Source

⚠ BREAKING CHANGES

• make browser exports the default (#​901)

Bug Fixes

• make browser exports the default (#​901) (bce9d72)

v12.0.0

Compare Source

⚠ BREAKING CHANGES

• update to typescript@​5.2 (#​887)
• remove CommonJS support (#​886)
• drop node@​16 support (#​883)

Features

• add node@​24 to ci matrix (#​879) (42b6178)
• drop node@​16 support (#​883) (0f38cf1)
• remove CommonJS support (#​886) (ae786e2)
• update to typescript@​5.2 (#​887) (c7ee405)

Bug Fixes

• improve v4() performance (#​894) (5fd974c)
• restore node: prefix (#​889) (e1f42a3)

v11.1.0

Compare Source

Features

• update TS types to allowUint8Array subtypes for buffer option (#​865) (a5231e7)

v11.0.5

Compare Source

Bug Fixes

• add TS unit test, pin to typescript@​5.0.4 (#​860) (24ac2fd)

v11.0.4

Compare Source

Bug Fixes

• docs: insure -> ensure (#​843) (d2a61e1)
• exclude tests from published package (#​840) (f992ff4)
• Test for invalid byte array sizes and ranges in v1(), v4(), and v7() (#​845) (e0ee900)

v11.0.3

Compare Source

Bug Fixes

• apply stricter typing to the v* signatures (#​831) (c2d3fed)
• export internal uuid types (#​833) (341edf4)
• remove sourcemaps (#​827) (b93ea10)
• revert "simplify type for v3 and v5" (#​835) (e2dee69)

v11.0.2

Compare Source

Bug Fixes

• remove wrapper.mjs (#​822) (6683ad3)

v11.0.1

Compare Source

Bug Fixes

• restore package.json#browser field (#​817) (ae8f386)

v11.0.0

Compare Source

⚠ BREAKING CHANGES

• refactor v1 internal state and options logic (#​780)
• refactor v7 internal state and options logic, fixes #​764 (#​779)
• Port to TypeScript, closes #​762 (#​763)
• update node support matrix (only support node 16-20) (#​750)

Features

• Port to TypeScript, closes #​762 (#​763) (1e0f987)
• update node support matrix (only support node 16-20) (#​750) (883b163)

Bug Fixes

• missing v7 expectations in browser spec (#​751) (f54a866)
• refactor v1 internal state and options logic (#​780) (031b3d3)
• refactor v7 internal state and options logic, fixes #​764 (#​779) (9dbd1cd)
• remove v4 options default assignment preventing native.randomUUID from being used (#​786) (afe6232), closes #​763
• seq_hi shift for byte 6 (#​775) (1d532ca)
• tsconfig module type (#​778) (7eff835)

v10.0.0

Compare Source

⚠ BREAKING CHANGES

• update node support (drop node@​12, node@​14, add node@​20) (#​750)

Features

• support support rfc9562 MAX uuid (new in RFC9562) (#​714) (0385cd3)
• support rfc9562 v6 uuids (#​754) (c4ed13e)
• support rfc9562 v7 uuids (#​681) (db76a12)
• update node support matrix (only support node 16-20) (#​750) (883b163)
• support rfc9562 v8 uuids (#​759) (35a5342)

Bug Fixes

• revert "perf: remove superfluous call to toLowerCase (#​677)" (#​738) (e267b90)

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[dpebot]

/gcbrun

[gemini-code-assist]

Code Review

This pull request updates the uuid dependency to version 14.0.0 across numerous packages and samples within the repository. While the update is consistent, a compatibility issue was noted in handwritten/logging-bunyan/package.json, where the current TypeScript version (^5.1.6) does not meet the minimum requirement of 5.4.3 specified for uuid v14, potentially leading to compilation errors.

[gemini-code-assist]

The uuid v14 release notes specify a minimum TypeScript version of 5.4.3. The current version in this package is ^5.1.6 (line 83), which may lead to compilation errors when using the new type definitions.