vavsab opened a new pull request, #3459:
URL: https://github.com/apache/tinkerpop/pull/3459

   ## What
   
   Bumps the `uuid` dependency in `gremlin-javascript` from `^9.0.1` to 
`^11.1.1`.
   
   ## Why
   
   `uuid < 11.1.1` is affected by 
[GHSA-w5hq-g745-h8pq](https://github.com/advisories/GHSA-w5hq-g745-h8pq) — a 
missing buffer bounds check in `v3`/`v5`/`v6` UUID generation when a 
user-supplied `buf` argument is provided. The advisory is rated **moderate** 
severity.
   
   Downstream consumers of `gremlin` who run `npm audit` receive this warning 
and cannot resolve it without a patch from this package.
   
   ## Change
   
   ```diff
   - "uuid": "^9.0.1"
   + "uuid": "^11.1.1"
   ```
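Review bot: the hunk shows only the `package.json` range change; since the description says `package-lock.json` was updated too, include that lockfile diff so a reviewer can confirm the resolved `uuid` is `11.1.1` or later (the advisory covers every `uuid < 11.1.1`) and that no transitive copy at an older version remains. Because `^11.1.1` is a major bump over `^9.0.1`, it would also help to note the Node.js versions `uuid` v11 requires against what gremlin-javascript supports, and to point at the search confirming the removed CJS default export and `v1ToV6`/`v6ToV1` helpers are unused.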
   
   `package-lock.json` updated accordingly. No other changes.
   
   ## API compatibility
   
   `uuid` v11 is a drop-in replacement for the `v1`, `v3`, `v4`, `v5`, `v6`, 
`v7` functions used by gremlin-javascript. The major version bump is 
semver-breaking only for obscure edge cases (removed CJS default export, 
removed `v1ToV6`/`v6ToV1` helpers) that gremlin-javascript does not use.
   
   ## Testing
   
   - `npm install` succeeds with `uuid@11.1.1`
   - `npm audit` no longer reports GHSA-w5hq-g745-h8pq for the production 
dependency tree


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]
