Jens Geyer created THRIFT-6022:
----------------------------------
Summary: Fix npm audit vulnerability CVE-2026-41907 in uuid transitive dependency
Key: THRIFT-6022
URL: https://issues.apache.org/jira/browse/THRIFT-6022
Project: Thrift
Issue Type: Bug
Components: JavaScript - Library, Node.js - Library
Reporter: Jens Geyer
Dependabot alert #236 flags CVE-2026-41907 (GHSA-w5hq-g745-h8pq, CVSS 7.5) in
the root package-lock.json.
The vulnerability is a missing buffer bounds check in the uuid npm package
(v3/v5/v6 UUID generation methods when an explicit output buffer is provided) —
fixed in uuid 11.1.1.
The vulnerable package enters as a transitive dev dependency via:
nyc@15 → istanbul-lib-processinfo@2 → [email protected] (< 11.1.1)
Fix:
- Bump nyc from ^15.0.0 to ^18.0.0 in devDependencies (nyc@18 uses
istanbul-lib-processinfo@^3.0.0 which has the new uuid named-export API,
compatible with v11+)
- Add npm override "istanbul-lib-processinfo": {"uuid": "^11.1.1"} to force
the transitive uuid to a patched version
The direct uuid dependency (^14.0.0) is unaffected. After the fix npm audit
reports 0 vulnerabilities.
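To confirm that the override actually removed the nested copy, an added example (not code from the Thrift issue or project) that scans a package-lock.json v2/v3 "packages" map for installs of uuid below 11.1.1 and reports the node_modules nesting path of each; the sample lockfile and its version numbers are constructed for illustration.

```javascript
// Added example: find copies of a package below a patched version in a
// package-lock.json (lockfileVersion 2/3 layout, "packages" keyed by
// "node_modules/..." paths). Versions are assumed to be plain x.y.z.

function parseVersion(v) {
  return v.split('.').map(Number);
}

// True when semver-style version a is strictly older than b.
function olderThan(a, b) {
  const x = parseVersion(a), y = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if ((x[i] || 0) !== (y[i] || 0)) return (x[i] || 0) < (y[i] || 0);
  }
  return false;
}

// Return [{ path, version, dev, via }] for every install of `name` older
// than `fixed`; `via` lists the packages it is nested under, so a result like
// via: ['istanbul-lib-processinfo'] shows an override has not taken effect.
function findVulnerable(lock, name, fixed) {
  const out = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const chain = path.split('node_modules/').filter(Boolean)
      .map((p) => p.replace(/\/$/, ''));
    if (chain.length === 0 || chain[chain.length - 1] !== name) continue;
    if (!olderThan(meta.version, fixed)) continue;
    out.push({ path, version: meta.version, dev: !!meta.dev, via: chain.slice(0, -1) });
  }
  return out;
}

// Constructed sample lock mirroring the shape described in the issue:
// a patched direct uuid at the root and an old nested copy under
// istanbul-lib-processinfo pulled in by nyc (all versions invented).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example', devDependencies: { nyc: '^15.0.0' } },
    'node_modules/uuid': { version: '14.0.0' },
    'node_modules/nyc': { version: '15.1.0', dev: true },
    'node_modules/istanbul-lib-processinfo': { version: '2.0.3', dev: true },
    'node_modules/istanbul-lib-processinfo/node_modules/uuid': { version: '8.3.2', dev: true },
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log(findVulnerable(SAMPLE_LOCK, 'uuid', '11.1.1'));
}
```

Run it against a real lockfile by replacing SAMPLE_LOCK with JSON.parse of package-lock.json; an empty result after the override means no pre-11.1.1 uuid remains.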
--
This message was sent by Atlassian Jira (v8.20.10#820010)