Skip to content

fix(deps): CVE-2026-41907#6978

Open
octavian-snyk wants to merge 1 commit into
mainfrom
fix/CLI-1504-bump-uuid
Open

fix(deps): CVE-2026-41907#6978
octavian-snyk wants to merge 1 commit into
mainfrom
fix/CLI-1504-bump-uuid

Conversation

@octavian-snyk

@octavian-snyk octavian-snyk commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

Pull Request Submission Checklist

  • Follows CONTRIBUTING guidelines
  • Commit messages
    are release-note ready, emphasizing
    what was changed, not how.
  • Includes detailed description of changes
  • Contains risk assessment (Low | Medium | High)
  • Highlights breaking API changes (if applicable)
  • Links to automated tests covering new functionality
  • Includes manual testing instructions (if necessary)
  • Updates relevant GitBook documentation (PR link: ___)
  • Includes product update to be announced in the next stable release notes

What does this PR do?

Where should the reviewer start?

How should this be manually tested?

npm ci
make build succeed

What's the product update that needs to be communicated to CLI users?

Fix for CVE-2026-41907 (medium vulnerability)

What are the relevant tickets?

CLI-1504

@snyk-io

snyk-io Bot commented Jul 8, 2026

Copy link
Copy Markdown

Snyk checks have passed. No issues have been found so far.

Status Scan Engine Critical High Medium Low Total (0)
Open Source Security 0 0 0 0 0 issues
Licenses 0 0 0 0 0 issues
Code Security 0 0 0 0 0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

@octavian-snyk octavian-snyk force-pushed the fix/CLI-1504-bump-uuid branch from 684458f to 7b28706 Compare July 9, 2026 07:31
$npmCmd = "C:\Program Files\nodejs\npm.cmd"
Write-Host "Upgrading npm to npm@^11.10 ..."
& $npmCmd install -g "npm@^11.10"
Write-Host "Upgrading npm to npm@^11.12.1 ..."

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

context: minimum requirement for the new @snyk/code-client@4.26.2

@octavian-snyk octavian-snyk marked this pull request as ready for review July 9, 2026 08:22
@octavian-snyk octavian-snyk requested a review from a team as a code owner July 9, 2026 08:22
@snyk-pr-review-bot

Copy link
Copy Markdown

PR Reviewer Guide 🔍

🧪 No relevant tests
🔒 No security concerns identified
⚡ Recommended focus areas for review

Runtime Compatibility Risk 🟠 [major]

The uuid package has been bumped from v8 to v11. uuid v11 introduced significant changes in how the package is exported (shifting towards ESM) and changed the binary path from dist/bin/uuid to dist/esm/bin/uuid. If the legacy TypeScript CLI (src/) or any build scripts rely on the CLI binary path of uuid or expect CJS defaults without proper interop, this will cause runtime failures or build breakages.

"version": "11.1.1",
"resolved": "https://registry.npmjs.org/uuid/-/uuid-11.1.1.tgz",
"integrity": "sha512-vIYxrBCC/N/K+Js3qSN88go7kIfNPssr/hHCesKCQNAjmgvYS2oqr69kIufEG+O4+PfezOH4EbIeHCfFov8ZgQ==",
"funding": [
  "https://github.com/sponsors/broofa",
  "https://github.com/sponsors/ctavan"
],
"license": "MIT",
"bin": {
  "uuid": "dist/esm/bin/uuid"
Stricter Engine Requirement 🟠 [major]

The update to @snyk/code-client introduces a strict engine requirement for Node.js node: >=20.17.0 and npm: ^11.12.1. While the root package.json allows node: ^22 || ^24, this change effectively drops support for earlier sub-versions of Node 20 (e.g., 20.10.0) which are still commonly used in enterprise CI environments. This will cause installation failures with --engine-strict (which the ps1 script implies is used via .npmrc).

"engines": {
  "node": ">=20.17.0",
  "npm": "^11.12.1"
}
📚 Repository Context Analyzed

This review considered 11 relevant code sections from 3 files (average relevance: 0.59)

🤖 Repository instructions applied (from AGENTS.md)

Comment thread package.json
},
"@tapjs/processinfo": {
"uuid": "^11.1.1"
}

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

"@snyk/error-catalog-nodejs-public": {
  "uuid@<11.1.1": "^11.1.1"
},
"snyk-nodejs-lockfile-parser": {
  "uuid@<11.1.1": "^11.1.1"
},
"jest-junit": {
  "uuid@<11.1.1": "^11.1.1"
},
"@tapjs/processinfo": {
  "uuid@<11.1.1": "^11.1.1"
}

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants