chore(deps): bump uuid from 9.0.1 to 14.0.0 #4050
Your PR title doesn't contain a Jira issue key. Consider adding it for better traceability. Example:
Projects:
Please add a Jira issue key to your PR title. |
| "tsconfig-paths": "^4.2.0", | ||
| "utf-8-validate": "^5.0.10", | ||
| "uuid": "^9.0.0", | ||
| "uuid": "^14.0.0", |
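Review bot: The "uuid": "^14.0.0" line crosses five major versions in one step, and the PR description states that this version was pushed to npm by a new releaser and adds a prepare script that runs during installation. Before merging, diff the published 14.0.0 package contents against 9.0.1 and confirm the install-time script matches what the upstream repository shows, rather than accepting the new range on the version number alone.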
ESM-only uuid v14 breaks CommonJS project at runtime
High Severity
uuid v14 is ESM-only (CommonJS removed in v12), but the backend's tsconfig.json uses "module": "commonjs" and "moduleResolution": "node", and the services use "module": "Node16" without "type": "module" in package.json. TypeScript will compile import { v4 } from 'uuid' into require('uuid'), which fails at runtime with ERR_REQUIRE_ESM on Node 20 (used in CI). All code paths using uuid will crash.
Additional Locations (2)
Reviewed by Cursor Bugbot for commit 8ff3836. Configure here.
| needle@https://codeload.github.com/clearbit/needle/tar.gz/84d28b5f2c3916db1e7eb84aeaa9d976cc40054b: | ||
| resolution: {tarball: https://codeload.github.com/clearbit/needle/tar.gz/84d28b5f2c3916db1e7eb84aeaa9d976cc40054b} | ||
| needle@git+https://git@github.com:clearbit/needle.git#84d28b5f2c3916db1e7eb84aeaa9d976cc40054b: | ||
| resolution: {commit: 84d28b5f2c3916db1e7eb84aeaa9d976cc40054b, repo: git@github.com:clearbit/needle.git, type: git} |
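Review bot: The added needle resolution (repo: git@github.com:clearbit/needle.git, type: git) needs an SSH credential on every machine that installs, although it pins the same commit, 84d28b5f2c3916db1e7eb84aeaa9d976cc40054b, as the tarball entry it replaces, so only the fetch transport changed. Restore the tarball resolution, or declare the dependency with an https URL in package.json, rather than adding GitHub SSH keys to CI and image builds.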
Needle resolution changed from HTTPS tarball to SSH git
Medium Severity
The lockfile regeneration silently changed the clearbit/needle dependency resolution from an HTTPS tarball download (https://codeload.github.com/...) to an SSH-based git clone (git@github.com:clearbit/needle.git). CI/CD pipelines and Docker builds that previously worked without SSH keys configured for GitHub will now fail during pnpm install when attempting to clone this dependency.
Additional Locations (1)
Reviewed by Cursor Bugbot for commit 8ff3836. Configure here.
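The transport change described in the comment above can be caught mechanically before merge. This is an added example, not code from this repository or from Bugbot: it compares two lockfile fragments and reports packages whose resolution moved between HTTPS tarball, git over SSH and the registry. The fragments are constructed from the needle entries quoted in this PR, and the function names are hypothetical.

```javascript
// Added example (not project code): line-based parsing of the entry shapes in this PR only.
function parseResolutions(lockText) {
  const entries = [];
  let key = null;
  for (const raw of lockText.split('\n')) {
    const line = raw.trim();
    const res = line.match(/^resolution:\s*\{(.*)\}$/);
    if (res && key) {
      const fields = {};
      for (const part of res[1].split(/,\s*/)) {
        const i = part.indexOf(': ');
        if (i > 0) fields[part.slice(0, i)] = part.slice(i + 2).trim();
      }
      const at = key.indexOf('@', 1); // skip a leading scope '@'
      entries.push({ name: at === -1 ? key : key.slice(0, at), fields });
    } else if (line.endsWith(':')) {
      key = line.slice(0, -1).replace(/^['"]|['"]$/g, '');
    }
  }
  return entries;
}

function transportOf(fields) {
  if (fields.tarball) return fields.tarball.startsWith('https://') ? 'https-tarball' : 'other-tarball';
  if (fields.type !== 'git') return 'registry';
  const repo = fields.repo || '';
  // scp-like "user@host:path" and ssh:// both need an SSH key on the build host.
  if (repo.startsWith('ssh://') || /^[^\/@]+@[^\/:]+:/.test(repo)) return 'git-ssh';
  return repo.startsWith('https://') ? 'git-https' : 'git-other';
}

// Compares by package name; a package locked at several versions keeps its last entry.
function transportChanges(beforeText, afterText) {
  const index = (t) => new Map(parseResolutions(t).map((e) => [e.name, e.fields]));
  const before = index(beforeText);
  const changes = [];
  for (const [name, fields] of index(afterText)) {
    const from = before.has(name) ? transportOf(before.get(name)) : 'absent';
    const to = transportOf(fields);
    if (from !== to) changes.push({ name, from, to, commit: fields.commit || null });
  }
  return changes;
}

// Constructed fragments modelled on the two needle entries shown in this PR.
const SHA = '84d28b5f2c3916db1e7eb84aeaa9d976cc40054b';
const BEFORE = `needle@https://codeload.github.com/clearbit/needle/tar.gz/${SHA}:\n  resolution: {tarball: https://codeload.github.com/clearbit/needle/tar.gz/${SHA}}\n`;
const AFTER = `needle@git+https://git@github.com:clearbit/needle.git#${SHA}:\n  resolution: {commit: ${SHA}, repo: git@github.com:clearbit/needle.git, type: git}\n`;
console.log(transportChanges(BEFORE, AFTER));
```

Run against the lockfile from the base branch and from the PR branch, a non-empty result for a git-ssh target is a reason to fail the check until someone confirms the change was intended.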
8c9ec20 to c739b57
Bumps [uuid](https://github.com/uuidjs/uuid) from 9.0.1 to 14.0.0.
- [Release notes](https://github.com/uuidjs/uuid/releases)
- [Changelog](https://github.com/uuidjs/uuid/blob/main/CHANGELOG.md)
- [Commits](uuidjs/uuid@v9.0.1...v14.0.0)

---
updated-dependencies:
- dependency-name: uuid
  dependency-version: 14.0.0
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
c739b57 to 8a14c31
Cursor Bugbot has reviewed your changes and found 1 potential issue.
There are 3 total unresolved issues (including 2 from previous reviews).
Reviewed by Cursor Bugbot for commit 8a14c31. Configure here.
| "tsconfig-paths": "^4.2.0", | ||
| "utf-8-validate": "^5.0.10", | ||
| "uuid": "^9.0.0", | ||
| "uuid": "^14.0.0", |
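Review bot: Nothing alongside the "uuid": "^14.0.0" line constrains the Node runtime, while the upstream commits listed for this release include "feat!: drop node@18 support" and "fix!: expect crypto to be global everywhere (requires node@20+)". Declare the minimum Node version in the engines field of each package.json that takes this bump, and check the runtime of every service that consumes the shared libraries, so a mismatch is caught before deployment rather than at the first uuid call.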
Stale @types/uuid v9 remains after uuid v14 upgrade
Low Severity
The uuid package is bumped to v14 which bundles its own TypeScript types, but @types/uuid@^9.0.2 remains in devDependencies (line 150). With "moduleResolution": "node", if TypeScript cannot resolve types from the ESM-only uuid package directly (due to missing top-level types field), it falls back to @types/uuid@9 which describes uuid v9's API — potentially masking type errors for any API differences between v9 and v14.
Reviewed by Cursor Bugbot for commit 8a14c31. Configure here.


Bumps uuid from 9.0.1 to 14.0.0.
Release notes
Sourced from uuid's releases.
... (truncated)
Changelog
Sourced from uuid's changelog.
... (truncated)
Commits
- 7c1ea08 chore(main): release 14.0.0 (#926)
- 3d2c5b0 Merge commit from fork
- f2c235f fix!: expect crypto to be global everywhere (requires node@20+) (#935)
- 529ef08 chore: upgrade TypeScript and fixup types (#927)
- 086fd79 chore: update dependencies (#933)
- dc4ddb8 feat!: drop node@18 support (#934)
- 0f1f9c9 chore: switch to Biome for parsing and linting (#932)
- e2879e6 chore: use maintained version of npm-run-all (#930)
- ffa3138 fix: Use GITHUB_TOKEN for release-please and enable npm provenance (#925)
- 0423d49 docs: remove obsolete v1 option notes (#915)

Maintainer changes
This version was pushed to npm by GitHub Actions, a new releaser for uuid since your current version.

Install script changes
This version adds prepare script that runs during installation. Review the package contents before updating.

Note
Medium Risk
Upgrading uuid to v14 is potentially breaking because it drops Node 18 support and expects global crypto, which could cause runtime failures if services still run on older Node versions.

Overview
Updates the uuid dependency to ^14.0.0 across the backend and shared libraries (@crowd/common, @crowd/data-access-layer) and refreshes pnpm-lock.yaml accordingly.

The lockfile update also changes the resolved source for clearbit’s needle dependency (tarball URL to git+ssh) and records new deprecation metadata for some packages.

Reviewed by Cursor Bugbot for commit 8a14c31. Bugbot is set up for automated code reviews on this repo. Configure here.