Jens-G opened a new pull request, #3516:
URL: https://github.com/apache/thrift/pull/3516

   ## Summary
   
   - Dependabot alert #236: `uuid` < 11.1.1 (CVE-2026-41907, GHSA-w5hq-g745-h8pq, CVSS 7.5) flagged in root `package-lock.json`
   - Vulnerability enters as a dev-only transitive dep: `nyc@15` → `istanbul-lib-processinfo@2` → `[email protected]`
   - Fix: bump `nyc` to `^18.0.0` (which uses `istanbul-lib-processinfo@^3` with the new uuid named-export API) and add a nested npm override to force `uuid >= 11.1.1` for `istanbul-lib-processinfo`
   
   ## Test plan
   
   - [ ] `npm audit` reports 0 vulnerabilities in root `package-lock.json`
   - [ ] CI: `lib-nodejs` and cross-language JS/Node tests pass
   
   🤖 Generated with [Claude Code](https://claude.ai/claude-code)


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
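
A lockfile check to complement the `npm audit` item in the test plan, as an added example that is not part of the pull request or the Thrift repository: it walks the `packages` map of a `package-lock.json` (lockfileVersion 2 or 3) and reports every installed copy of a package below a minimum version, together with the package it is nested under. The sample lockfile and its version numbers are constructed, and `parseVersion`, `isBelow` and `findOutdated` are hypothetical helper names.

```javascript
// Added example: find installed copies of a package below a minimum version
// in a package-lock.json (lockfileVersion 2/3) and show what nests them.

// Parse "major.minor.patch" into numbers. Pre-release and build suffixes are
// ignored, so "11.1.1-rc.1" compares equal to "11.1.1" (a simplification).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1).map(Number);
}

// True when `version` is strictly lower than `minimum`.
function isBelow(version, minimum) {
  const a = parseVersion(version);
  const b = parseVersion(minimum);
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i];
  }
  return false;
}

// Returns [{ path, version, parent, dev }] for each copy of `name` below `minimum`.
function findOutdated(lock, name, minimum) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const parts = path.split("node_modules/");
    if (parts.length < 2 || parts[parts.length - 1] !== name) continue;
    if (!entry.version || !isBelow(entry.version, minimum)) continue;
    // "node_modules/a/node_modules/uuid" is a copy nested under "a";
    // "node_modules/uuid" is the hoisted top-level copy.
    const parent = parts.length > 2 ? parts[parts.length - 2].replace(/\/$/, "") : "(hoisted)";
    findings.push({ path, version: entry.version, parent, dev: entry.dev === true });
  }
  return findings;
}

// Constructed sample lockfile; versions are illustrative, not taken from the Thrift repo.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-root", devDependencies: { nyc: "^15.0.0" } },
    "node_modules/nyc": { version: "15.0.0", dev: true },
    "node_modules/istanbul-lib-processinfo": { version: "2.0.0", dev: true },
    "node_modules/istanbul-lib-processinfo/node_modules/uuid": { version: "8.0.0", dev: true },
    "node_modules/uuid": { version: "11.1.1" },
  },
};

console.log(findOutdated(SAMPLE_LOCK, "uuid", "11.1.1"));
```

To run it against a real lockfile, pass the result of `JSON.parse` on the file contents in place of `SAMPLE_LOCK`; an empty result means no copy of the package is below the minimum.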
