
fix: address uuid missing buffer bounds check #5178
Closed
cka121 wants to merge 6 commits into main from fix/uuid-missing-buffer-bounds-check

fix: address uuid missing buffer bounds check#5178
cka121 wants to merge 6 commits into
mainfrom
fix/uuid-missing-buffer-bounds-check

Conversation

@cka121 (Contributor) commented May 26, 2026

Description

  • Bumps uuid dependency in vite-plugin-top-level-await to the latest version to address a missing buffer bounds check vulnerability.
  • Adds ref parameter to actions/checkout steps in the build workflow to use the PR head SHA during pull request builds, preventing unintended merge commit checkouts.

Motivation and Context

The uuid package had a missing buffer bounds check that could cause undefined behavior. The build workflow checkouts were not pinned to the PR head SHA, which could cause CI to run against the wrong commit.

How Has This Been Tested?

Checklist

My PR contains...

  • No code changes (src/ is unmodified: changes to documentation, CI, metadata, etc.)
  • Dependency changes (any modification to dependencies in package.json)
  • Bug fixes (non-breaking change which fixes an issue)
  • Improvements (misc. changes to existing features)
  • Features (non-breaking change which adds functionality)

My changes...

  • are breaking changes to a public API (config options, System API, major UI change, etc).
  • are breaking changes to a private API (Redux, component props, utility functions, etc.).
  • are breaking changes to a developer API (npm script behavior changes, new dev system dependencies, etc).
  • are not breaking changes.

Documentation

  • My changes do not require a change to the project documentation.
  • My changes require a change to the project documentation.
  • If yes to above: I have updated the documentation accordingly.

Automated tests

  • My changes can not or do not need to be tested.
  • My changes can and should be tested by unit and/or integration tests.
  • If yes to above: I have added tests to cover my changes.
  • If yes to above: I have taken care to cover edge cases in my tests.
  • All new and existing tests passed.
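The checkout change described in the second bullet of the description, shown as an added example rather than the repository's own build workflow (the workflow name, job name, runner and action version are assumptions):

```yaml
# Added example, not the apidom repository's actual workflow file.
name: build

on:
  push:
    branches: [main]
  pull_request:

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # On pull_request events the default checkout is the synthetic merge
          # commit of the PR into its base (refs/pull/<n>/merge), which is not
          # the SHA shown on the PR page. Pin the PR head instead; on push
          # events the pull_request expression is empty, so this falls back to
          # github.sha and the step behaves as before.
          ref: ${{ github.event.pull_request.head.sha || github.sha }}
```

Two caveats a reviewer would raise: checking out the head SHA means the build no longer exercises the merge result against the current base branch, so a PR that is green here can still break after merge; and this pattern must never be combined with a `pull_request_target` trigger that has access to secrets, because that would run the fork's code with the base repository's permissions.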

@cka121 marked this pull request as draft May 26, 2026 12:36
Copilot finished work on behalf of cka121 May 26, 2026 12:58
Copilot finished work on behalf of cka121 May 26, 2026 13:04
Copilot AI changed the title from "chore(deps): bump uuid in vite-plugin-top-level-await to the latest" to "fix: address uuid missing buffer bounds check and fix lint-commit-messages CI" May 27, 2026
Copilot finished work on behalf of cka121 May 27, 2026 06:59
@cka121 force-pushed the fix/uuid-missing-buffer-bounds-check branch from 4bace1b to c485e5b May 27, 2026 07:13
@cka121 changed the title from "fix: address uuid missing buffer bounds check and fix lint-commit-messages CI" to "fix: address uuid missing buffer bounds check" May 27, 2026
@cka121 marked this pull request as ready for review May 27, 2026 08:22
Comment thread package.json
"overrides": {
"serialize-javascript": "^7.0.5"
"serialize-javascript": "^7.0.5",
"vite-plugin-top-level-await": {
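Review bot: the hunk ends on the opening `"vite-plugin-top-level-await": {` of the nested override, so the uuid range it pins and the closing brace are not visible here and the effective version cannot be confirmed from this view; the only other change shown is the trailing comma added to `"serialize-javascript": "^7.0.5",`. Because an npm override nested under a package name applies only inside that package's dependency subtree, any other copy of uuid in the lockfile keeps its current version; run `npm ls uuid` after install and confirm every occurrence resolves to the intended release.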

A contributor commented:

this should be fixed by migrating to vite8 and removing vite-plugin-top-level-await package
ref: Menci/vite-plugin-top-level-await#76 (comment)

with:
name: build
path: ./packages/apidom-playground/build

No newline at end of file
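Review bot: the workflow file is left without a trailing newline ("No newline at end of file"); add one after `path: ./packages/apidom-playground/build` so the next edit to this file does not produce a spurious diff on that line. The description says `ref` was added to the actions/checkout steps, but the lines shown here belong to the artifact upload `with:` block, so the checkout pinning itself is not visible in this hunk and needs to be checked in the full diff.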

A contributor left a suggested change on these lines.

@glowcloud glowcloud closed this Jun 2, 2026
@glowcloud glowcloud deleted the fix/uuid-missing-buffer-bounds-check branch June 2, 2026 06:57
Labels: none yet. Projects: none yet. 5 participants.