chore(deps): update dependency uuid to v11 [security]

[renovate-bot]

This PR contains the following updates:

Package	Change	Age	Confidence
uuid	^9.0.0 → ^11.1.1

---

uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided

CVE-2026-41907 / GHSA-w5hq-g745-h8pq

More information

Details

Summary

The v3(), v5(), and v6() API methods (not uuid release versions) accept external output buffers but do not reject out-of-range writes (small buf or large offset).
By contrast, v4(), v1(), and v7() API methods explicitly throw RangeError on invalid bounds.

This inconsistency allows silent partial writes into caller-provided buffers.

Affected code

• src/v35.ts (v3()/v5() path) writes buf[offset + i] without bounds validation.
• src/v6.ts writes buf[offset + i] without bounds validation.

Reproducible PoC

cd /home/StrawHat/uuid
npm ci
npm run build

node --input-type=module -e "
import {v4,v5,v6} from './dist-node/index.js';
const ns='6ba7b810-9dad-11d1-80b4-00c04fd430c8';
for (const [name,fn] of [
  ['v4()',()=>v4({},new Uint8Array(8),4)],
  ['v5()',()=>v5('x',ns,new Uint8Array(8),4)],
  ['v6()',()=>v6({},new Uint8Array(8),4)],
]) {
  try { fn(); console.log(name,'NO_THROW'); }
  catch(e){ console.log(name,'THREW',e.name); }
}"

Observed:

• v4() THREW RangeError
• v5() NO_THROW
• v6() NO_THROW

Example partial overwrite evidence captured during audit:

same true buf [
  170, 170, 170, 170,
   75, 224, 100,  63
]
v6 [
  187, 187, 187, 187,
   31,  19, 185,  64
]

Security impact

• Primary: integrity/robustness issue (silent partial output).
• If an application assumes full UUID writes into preallocated buffers, this can produce malformed/truncated/partially stale identifiers without error.
• In systems where caller-controlled offsets/buffer sizes are exposed indirectly, this may become a security-relevant logic flaw.

Suggested fix

Add the same guard used by v4()/v1()/v7():

if (offset < 0 || offset + 16 > buf.length) {
  throw new RangeError(`UUID byte range ${offset}:${offset + 15} is out of buffer bounds`);
}

Apply to:

• src/v35.ts (covers v3() and v5())
• src/v6.ts

Severity

• CVSS Score: 6.3 / 10 (Medium)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

References

• https://github.com/uuidjs/uuid/security/advisories/GHSA-w5hq-g745-h8pq
• https://github.com/uuidjs/uuid/commit/3d2c5b0342f0fcb52a5ac681c3d47c13e7444b34
• https://github.com/uuidjs/uuid/releases/tag/v14.0.0
• https://nvd.nist.gov/vuln/detail/CVE-2026-41907
• https://github.com/uuidjs/uuid/commit/32389c887c9e75f90442ee4cc95bbab0c4e8346e
• https://github.com/uuidjs/uuid/commit/3d61d6ac1f782cf6b1dd8661c60f11722cd49a0d
• https://github.com/uuidjs/uuid/commit/9d27ddf7046ce496ef39569ff84d948eeff9cb2a
• https://github.com/uuidjs/uuid/releases/tag/v11.1.1
• https://github.com/uuidjs/uuid/releases/tag/v12.0.1
• https://github.com/uuidjs/uuid/releases/tag/v13.0.1
• https://github.com/advisories/GHSA-w5hq-g745-h8pq

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

uuidjs/uuid (uuid)

v11.1.1

Compare Source

v11.1.0

Compare Source

Features

• update TS types to allowUint8Array subtypes for buffer option (#​865) (a5231e7)

v11.0.5

Compare Source

Bug Fixes

• add TS unit test, pin to typescript@​5.0.4 (#​860) (24ac2fd)

v11.0.4

Compare Source

Bug Fixes

• docs: insure -> ensure (#​843) (d2a61e1)
• exclude tests from published package (#​840) (f992ff4)
• Test for invalid byte array sizes and ranges in v1(), v4(), and v7() (#​845) (e0ee900)

v11.0.3

Compare Source

Bug Fixes

• apply stricter typing to the v* signatures (#​831) (c2d3fed)
• export internal uuid types (#​833) (341edf4)
• remove sourcemaps (#​827) (b93ea10)
• revert "simplify type for v3 and v5" (#​835) (e2dee69)

v11.0.2

Compare Source

Bug Fixes

• remove wrapper.mjs (#​822) (6683ad3)

v11.0.1

Compare Source

Bug Fixes

• restore package.json#browser field (#​817) (ae8f386)

v11.0.0

Compare Source

⚠ BREAKING CHANGES

• refactor v1 internal state and options logic (#​780)
• refactor v7 internal state and options logic, fixes #​764 (#​779)
• Port to TypeScript, closes #​762 (#​763)
• update node support matrix (only support node 16-20) (#​750)

Features

• Port to TypeScript, closes #​762 (#​763) (1e0f987)
• update node support matrix (only support node 16-20) (#​750) (883b163)

Bug Fixes

• missing v7 expectations in browser spec (#​751) (f54a866)
• refactor v1 internal state and options logic (#​780) (031b3d3)
• refactor v7 internal state and options logic, fixes #​764 (#​779) (9dbd1cd)
• remove v4 options default assignment preventing native.randomUUID from being used (#​786) (afe6232), closes #​763
• seq_hi shift for byte 6 (#​775) (1d532ca)
• tsconfig module type (#​778) (7eff835)

v10.0.0

Compare Source

⚠ BREAKING CHANGES

• update node support (drop node@​12, node@​14, add node@​20) (#​750)

Features

• support support rfc9562 MAX uuid (new in RFC9562) (#​714) (0385cd3)
• support rfc9562 v6 uuids (#​754) (c4ed13e)
• support rfc9562 v7 uuids (#​681) (db76a12)
• update node support matrix (only support node 16-20) (#​750) (883b163)
• support rfc9562 v8 uuids (#​759) (35a5342)

Bug Fixes

• revert "perf: remove superfluous call to toLowerCase (#​677)" (#​738) (e267b90)

v9.0.1

Compare Source

build

• Fix CI to work with Node.js 20.x

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[dpebot]

/gcbrun

[gemini-code-assist]

Code Review

This pull request updates the uuid dependency from version 9 to version 11 in the background and gce modules. Feedback highlights that this update introduces a breaking change by requiring Node.js 16 or higher, which conflicts with the project's current support for Node.js 12 and 14, leading to potential compatibility issues and test failures.

[gemini-code-assist]

Updating uuid to v11 drops support for Node.js versions earlier than 16. This conflicts with the engines requirement of node: >=12.0.0 specified in other modules of this repository (e.g., authenticating-users/package.json and bookshelf/package.json). This update will break compatibility for users on Node.js 12 or 14. Additionally, v11 introduces breaking changes to the v1 API. To resolve this, the repository's minimum Node.js version should be bumped to 16, or a compatible fix should be identified.

[gemini-code-assist]

Updating uuid to v11 in devDependencies requires Node.js 16+, which conflicts with the Node.js 12 support indicated in other parts of this repository. This will cause test failures in environments running older Node.js versions.