
fix(deps): update uuid [security] + pin esbuild/rollup/vite #205

Merged

edelauna merged 2 commits into main from renovate/npm-uuid-vulnerability on May 26, 2026

Conversation

renovate Bot (Contributor) commented May 19, 2026

Changes

  • Security: Update uuid 11.1.0 → 11.1.1 (CVE-2026-41907 / GHSA-w5hq-g745-h8pq) — missing buffer bounds check in v3/v5/v6 when buf is provided
  • Chore: Pin esbuild, rollup, and vite to exact versions via pnpm.overrides to prevent transitive dep churn in unrelated Renovate PRs

Why the pins

Every Renovate security PR was bundling noisy esbuild/rollup/vite@7 churn in the lock file because:

  • vite@8 requires esbuild ^0.28.0 but the root had ^0.25.0, causing dual resolution
  • rollup had no override, so it floated freely as a vite transitive dep
  • vitest@4 (pulled in by @copilotkit/aimock) requires vite ^6||^7, which was spinning up a separate vite@7 instance instead of reusing vite@8

Pinning all three in pnpm.overrides collapses the tree to single versions and stops the churn.
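The description says the fix is to pin esbuild, rollup and vite to exact versions under pnpm.overrides. The check a reviewer would want after such a change is that the overrides really are exact versions and not ranges, since a range override would let a later lock-file refresh float the package again. The script below is an added example, not the PR's diff or the project's code: it embeds a constructed package.json, flags any override among the three that is missing or not an exact version, and builds a well-formed pnpm.overrides block from a map of exact pins. The version strings are placeholders; the page only states that vite@8 requires esbuild ^0.28.0, not which exact versions the PR chose.

```javascript
// Added example (not from the PR): verifies that the packages pinned through
// pnpm.overrides in package.json are exact versions rather than ranges.
// All version numbers here are constructed placeholders.

// Constructed package.json content standing in for the real file.
const SAMPLE_PACKAGE_JSON = {
  name: "example-app",
  devDependencies: {
    esbuild: "^0.25.0", // the pre-PR root range that produced dual resolution
    vite: "^8.0.0",
  },
  pnpm: {
    overrides: {
      esbuild: "0.28.0", // exact pin (placeholder value)
      rollup: "4.0.0",   // exact pin (placeholder value)
      vite: "^8.0.0",    // deliberately left as a range so the check fires
    },
  },
};

// Exact semver: MAJOR.MINOR.PATCH with an optional pre-release tag and no
// range operator such as ^, ~, >= or ||.
const EXACT_SEMVER = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?$/;

// Returns the names from `expected` that are either absent from
// pnpm.overrides or set to something other than an exact version.
function findUnpinnedOverrides(pkg, expected) {
  const overrides = (pkg.pnpm && pkg.pnpm.overrides) || {};
  return expected.filter((name) => !EXACT_SEMVER.test(overrides[name] ?? ""));
}

// Builds the { pnpm: { overrides } } shape from a name -> exact version map,
// refusing any value that is not an exact version.
function buildOverrides(pins) {
  for (const [name, version] of Object.entries(pins)) {
    if (!EXACT_SEMVER.test(version)) {
      throw new Error(`override for ${name} must be an exact version, got "${version}"`);
    }
  }
  return { pnpm: { overrides: { ...pins } } };
}

// Stand-alone run against the constructed sample: only vite is reported.
const unpinned = findUnpinnedOverrides(SAMPLE_PACKAGE_JSON, ["esbuild", "rollup", "vite"]);
console.log("not exactly pinned:", unpinned);
```

After applying the overrides and re-running `pnpm install`, `pnpm why esbuild` (and the same for rollup and vite) shows whether the tree has collapsed to a single version of each, which is the outcome the PR description claims.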

codecov Bot commented May 19, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.


  • renovate Bot force-pushed the renovate/npm-uuid-vulnerability branch 2 times, most recently from d760da3 to 6b5f461 (May 20, 2026 12:48)
  • renovate Bot changed the title from "Update dependency uuid to v11.1.1 [SECURITY]" to "Update dependency uuid to v11.1.1 [SECURITY] - autoclosed" (May 21, 2026)
  • renovate Bot closed this (May 21, 2026)
  • renovate Bot deleted the renovate/npm-uuid-vulnerability branch (May 21, 2026 18:38)
  • renovate Bot changed the title from "Update dependency uuid to v11.1.1 [SECURITY] - autoclosed" to "chore(deps): update dependency uuid to v11.1.1 [security]" (May 21, 2026)
  • renovate Bot reopened this (May 21, 2026)
  • renovate Bot force-pushed the renovate/npm-uuid-vulnerability branch 2 times, most recently from 6b5f461 to 45044a4 (May 21, 2026 22:47)
  • renovate Bot changed the title from "chore(deps): update dependency uuid to v11.1.1 [security]" to "Update dependency uuid to v11.1.1 [SECURITY]" (May 22, 2026)
  • renovate Bot changed the title from "Update dependency uuid to v11.1.1 [SECURITY]" to "chore(deps): update dependency uuid to v11.1.1 [security]" (May 23, 2026)
  • renovate Bot force-pushed the renovate/npm-uuid-vulnerability branch from 45044a4 to f49835d (May 24, 2026 03:41)
  • renovate Bot force-pushed the renovate/npm-uuid-vulnerability branch from f49835d to fb8e032 (May 26, 2026 17:46)
renovate Bot (Contributor, Author) commented May 26, 2026

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

  • edelauna force-pushed the renovate/npm-uuid-vulnerability branch from 2302b1d to 53c5284 (May 26, 2026 18:01)
  • edelauna changed the title from "chore(deps): update dependency uuid to v11.1.1 [security]" to "fix(deps): update uuid [security] + pin esbuild/rollup/vite" (May 26, 2026)
  • edelauna added this pull request to the merge queue (May 26, 2026)
  • Merged via the queue into main with commit 7c58206 (May 26, 2026); 10 checks passed