Skip to content

build(deps): bump uuid from 11.1.0 to 14.0.1#129

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/uuid-14.0.1
Open

build(deps): bump uuid from 11.1.0 to 14.0.1#129
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/uuid-14.0.1

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 4, 2026

Copy link
Copy Markdown
Contributor

Bumps uuid from 11.1.0 to 14.0.1.

Release notes

Sourced from uuid's releases.

v14.0.1

14.0.1 (2026-06-20)

Bug Fixes

  • add types condition to node export for moduleResolution bundler (#961) (27ffae5)

v14.0.0

14.0.0 (2026-04-19)

⚠ BREAKING CHANGES

  • expect crypto to be global everywhere (requires node@20+) (#935)
  • drop node@18 support (#934)

Features

Bug Fixes

  • expect crypto to be global everywhere (requires node@20+) (#935) (f2c235f)
  • Use GITHUB_TOKEN for release-please and enable npm provenance (#925) (ffa3138)

v13.0.2

13.0.2 (2026-05-04)

Bug Fixes

  • rerelease to fix provenance. (49ccb35)

v13.0.1

13.0.1 (2026-04-27)

Bug Fixes

v13.0.0

13.0.0 (2025-09-08)

⚠ BREAKING CHANGES

  • make browser exports the default (#901)

... (truncated)

Changelog

Sourced from uuid's changelog.

14.0.1 (2026-06-20)

Bug Fixes

  • add types condition to node export for moduleResolution bundler (#961) (27ffae5)

14.0.0 (2026-04-19)

Security

  • Fixes GHSA-w5hq-g745-h8pq: v3(), v5(), and v6() did not validate that writes would remain within the bounds of a caller-supplied buffer, allowing out-of-bounds writes when an invalid offset was provided. A RangeError is now thrown if offset < 0 or offset + 16 > buf.length.

⚠ BREAKING CHANGES

  • crypto is now expected to be globally defined (requires node@20+) (#935)
  • drop node@18 support (#934)
  • upgrade minimum supported TypeScript version to 5.4.3, in keeping with the project's policy of supporting TypeScript versions released within the last two years

13.0.0 (2025-09-08)

⚠ BREAKING CHANGES

  • make browser exports the default (#901)

Bug Fixes

12.0.0 (2025-09-05)

⚠ BREAKING CHANGES

  • update to typescript@5.2 (#887)
  • remove CommonJS support (#886)
  • drop node@16 support (#883)

Features

Bug Fixes

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for uuid since your current version.

Install script changes

This version modifies prepare script that runs during installation. Review the package contents before updating.


Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps [uuid](https://github.com/uuidjs/uuid) from 11.1.0 to 14.0.1.
- [Release notes](https://github.com/uuidjs/uuid/releases)
- [Changelog](https://github.com/uuidjs/uuid/blob/main/CHANGELOG.md)
- [Commits](uuidjs/uuid@v11.1.0...v14.0.1)

---
updated-dependencies:
- dependency-name: uuid
  dependency-version: 14.0.1
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jul 4, 2026
@github-actions

github-actions Bot commented Jul 4, 2026

Copy link
Copy Markdown
Contributor

🤖 Codex-Style Code Review by OpenCode

💡 This is an automated advisory review. It is non-blocking and does not affect merge requirements.

Code Review: uuid dependency bump (11.1.0 → 14.0.1)


Scope: The diff is a package-lock.json-only change. No package.json was modified. No source code was changed.


🔴 [blocking] No package.json entry — uuid is an orphan in the lockfile

uuid does not appear in package.json under dependencies or devDependencies. It also isn't required by any other dependency in the lockfile (verified via jq). The npm ls uuid output is empty. This means uuid is a zombie entry — it exists in package-lock.json but no package depends on it.

Impact: The bump has zero functional effect on the application. It inflates the lockfile with a dead entry and wastes CI time on install resolution.

Action: Either:

  • Remove uuid from package-lock.json entirely by running npm prune and committing the resulting lockfile, or
  • Add uuid as a proper dependency if the project actually uses it, and audit the consuming code for breaking changes.

🟡 [important] Major-version jump across 3 breaking releases (11.x12.x13.x14.x)

Skipping from 11.1.0 to 14.0.1 crosses three major versions, each with breaking changes:

Version Breaking Changes
12.0.0 Removed CommonJS support (ESM-only), dropped Node 16, bumped TS to 5.2+
13.0.0 Made browser exports the default — changed module resolution for bundlers
14.0.0 Requires global crypto (Node 20+), dropped Node 18, TS 5.4.3+, security fix for out-of-bounds buffer write in v3()/v5()/v6()

If any transitive consumer (or future code) relies on the old CommonJS entry point or older Node versions, this will break silently at runtime.

Action: Bump incrementally through each major or at minimum verify:

  1. This project only targets Node ≥20 (required by v14)
  2. The consuming code (if any) is ESM-only and compatible with the new export shape
  3. No require('uuid') or require('uuid/v4') patterns exist anywhere in the codebase

🟢 [nit] Binary path change

The CLI binary path changed from dist/esm/bin/uuid to dist-node/bin/uuid, reflecting the restructured build output in v14. This is correct for the new version and consistent with the package's bin field. No action needed unless the project invokes uuid directly via the old internal path (unlikely).


✅ What's good

  • The integrity hash (sha512-6ZxzVpzDXDa3bJWaHilVayA+BH/1zmxCJoVgvmqJnid/gPoKHxUrS/aC/T6LGQtNHT+XHG9fXPJB4d+IrU30Ew==) matches the official uuid@14.0.1 tarball.
  • Funding and license fields are unchanged.
  • Commit message follows conventional commits format.

Summary

This change is effectively a no-op because uuid is an orphan in the lockfile. The three-major-version skip would be high-risk if the package were actually consumed. Recommend removing the stale lockfile entry rather than bumping it. If the project does use uuid, first add it to package.json, then audit all consuming code for the ESM-only + Node 20+ requirements introduced across v12–v14.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants