vavsab opened a new pull request, #3459: URL: https://github.com/apache/tinkerpop/pull/3459
## What

Bumps the `uuid` dependency in `gremlin-javascript` from `^9.0.1` to `^11.1.1`.

## Why

`uuid < 11.1.1` is affected by [GHSA-w5hq-g745-h8pq](https://github.com/advisories/GHSA-w5hq-g745-h8pq) — a missing buffer bounds check in `v3`/`v5`/`v6` UUID generation when a user-supplied `buf` argument is provided. The advisory is rated **moderate** severity.

Downstream consumers of `gremlin` who run `npm audit` receive this warning and cannot resolve it without a patch from this package.

## Change

```diff
- "uuid": "^9.0.1"
+ "uuid": "^11.1.1"
```

`package-lock.json` updated accordingly. No other changes.

## API compatibility

`uuid` v11 is a drop-in replacement for the `v1`, `v3`, `v4`, `v5`, `v6`, `v7` functions used by gremlin-javascript. The major version bump is semver-breaking only for obscure edge cases (removed CJS default export, removed `v1ToV6`/`v6ToV1` helpers) that gremlin-javascript does not use.

## Testing

- `npm install` succeeds with `[email protected]`
- `npm audit` no longer reports GHSA-w5hq-g745-h8pq for the production dependency tree

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at: [email protected]
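Review bot: the `^11.1.1` range in the `package.json` hunk is a major-version bump, and the hunk shows only the declared range, not the resolved version; please confirm the `package-lock.json` update resolves `uuid` to a version at or above 11.1.1 (otherwise `npm audit` can still flag the tree) and that every `uuid` import in gremlin-javascript uses the named exports (`v1`, `v3`, `v4`, `v5`, `v6`, `v7`) rather than the CJS default export the description says v11 removed. It would also help reviewers to note whether any call site passes a caller-supplied `buf` to `v3`/`v5`/`v6`, since that is the code path the advisory describes and the path whose behaviour changes with the fix.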
