[Aikido] Fix security issue in uuid via major version upgrade from 8.3.2 to 11.1.1#4
Open
aikido-autofix[bot] wants to merge 1 commit into
Open
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Upgrade uuid to fix buffer overflow vulnerabilities in v3, v5, and v6 functions that could write past buffer boundaries.
✅ Code not affected by breaking changes.
✅ The uuid npm package is not used in this codebase. After thorough analysis:
No direct dependency: The
package.jsondoes not listuuidas a dependencyNo transitive dependency: The current
package-lock.jsondoes not containuuidat all. While@actions/coreis a dependency, the version used (1.11.1) does not depend on uuidNo code usage: No imports or usage of uuid functions (v1, v3, v4, v5, v6, v7) were found in the source code
Context clarification: The only references to "uuid" in the codebase are in
src/scripts/tools/add_tools.shandsrc/extensions.ts, where they refer to the PHP uuid extension, not the npm packageSince the uuid npm package is not used in this codebase, none of the breaking changes in versions 9.0.0, 10.0.0, or 11.0.0 affect this project.
All breaking changes by upgrading uuid from version 8.3.2 to 11.1.1 (CHANGELOG)
✅ 2 CVEs resolved by this upgrade
This PR will resolve the following CVEs:
🔗 Related Tasks
🤖 Remediation details
Fix transitive
uuidvulnerability by bumping@actions/coreShort summary
This PR remediates a vulnerability in the transitive dependency
uuid(CVE-2026-41907, AIKIDO-2026-10892).uuidwas pulled into the project as a dependency of@actions/coreand resolved to the vulnerable version8.3.2. The fix updates the declared spec for@actions/corein the rootpackage.jsonand refreshespackage-lock.jsonso thatuuidis no longer present in the dependency tree.uuid
[email protected]was a transitive dependency introduced by@actions/[email protected]and is vulnerable across the[0.0.1, 10.0.0]range (AIKIDO-2026-10892) as well as requiring a patch to>=11.1.1(CVE-2026-41907). Rather than overridinguuiddirectly, the fix bumps@actions/coreto^1.11.0in the rootpackage.json, because@actions/[email protected]is the first release that drops theuuiddependency entirely. After runningnpm install --package-lock-only,@actions/coreresolved to1.11.1anduuidhas zero remaining instances in the lockfile.Version changes
@actions/core^1.10.1(resolved1.10.1)^1.11.0(resolved1.11.1)uuidvulnerabilityuuid8.3.2@actions/core