[
https://issues.apache.org/jira/browse/THRIFT-6022?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Jens Geyer resolved THRIFT-6022.
--------------------------------
Fix Version/s: 0.24.0
Assignee: Jens Geyer
Resolution: Fixed
Solved via https://github.com/apache/thrift/pull/3517
> Fix npm audit vulnerability CVE-2026-41907 in uuid transitive dependency
> ------------------------------------------------------------------------
>
> Key: THRIFT-6022
> URL: https://issues.apache.org/jira/browse/THRIFT-6022
> Project: Thrift
> Issue Type: Bug
> Components: JavaScript - Library, Node.js - Library
> Reporter: Jens Geyer
> Assignee: Jens Geyer
> Priority: Major
> Fix For: 0.24.0
>
> Time Spent: 20m
> Remaining Estimate: 0h
>
> Dependabot alert #236 flags CVE-2026-41907 (GHSA-w5hq-g745-h8pq, CVSS 7.5) in
> the root package-lock.json.
> The vulnerability is a missing buffer bounds check in the uuid npm package
> (v3/v5/v6 UUID generation methods when an explicit output buffer is provided)
> — fixed in uuid 11.1.1.
> The vulnerable package enters as a transitive dev dependency via:
> nyc@15 → istanbul-lib-processinfo@2 → [email protected] (< 11.1.1)
> Fix:
> - Bump nyc from ^15.0.0 to ^18.0.0 in devDependencies (nyc@18 uses
> istanbul-lib-processinfo@^3.0.0 which has the new uuid named-export API,
> compatible with v11+)
> - Add npm override {"istanbul-lib-processinfo": {"uuid": "^11.1.1"}} to
> force the transitive uuid to a patched version
> The direct uuid dependency (^14.0.0) is unaffected. After the fix npm audit
> reports 0 vulnerabilities.
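As an added example (not code from the Thrift project or from the issue above), a Node.js check that walks the "packages" map of a package-lock.json the way npm resolves nested copies and reports every requirer of uuid that still resolves to a version below 11.1.1, which is the independent confirmation one would want beside the `npm audit` result; the lockfile embedded below is constructed to mirror the nyc chain described above, with illustrative version numbers.

```javascript
const PATCHED_UUID = '11.1.1'; // patched release named in the issue

// Compare dotted numeric versions: negative if a < b, 0 if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// npm resolution: try <base>/node_modules/<name>, then walk up the nesting chain to the root.
function resolveDep(packages, fromPath, name) {
  for (let base = fromPath; ; ) {
    const candidate = base ? `${base}/node_modules/${name}` : `node_modules/${name}`;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    const i = base.lastIndexOf('/node_modules/');
    base = i === -1 ? '' : base.slice(0, i);
  }
}

// One record per package that declares `name`; `vulnerable` marks copies older than `patched`.
function auditDependency(lock, name, patched) {
  const packages = lock.packages || {};
  const findings = [];
  for (const [path, entry] of Object.entries(packages)) {
    // devDependencies are only installed for the root entry ('').
    const declared = { ...(entry.dependencies || {}), ...(path === '' ? entry.devDependencies || {} : {}) };
    if (!(name in declared)) continue;
    const resolved = resolveDep(packages, path, name);
    const version = resolved ? packages[resolved].version : null;
    const requirer = path === '' ? '(root)' : path.slice(path.lastIndexOf('node_modules/') + 13);
    findings.push({ requirer, resolved, version,
      vulnerable: version !== null && compareVersions(version, patched) < 0 });
  }
  return findings;
}

// Constructed lockfile fragment mirroring the chain in the issue; versions are illustrative.
const LOCK_BEFORE = { lockfileVersion: 3, packages: {
  '': { dependencies: { uuid: '^14.0.0' }, devDependencies: { nyc: '^15.0.0' } },
  'node_modules/uuid': { version: '14.0.0' },
  'node_modules/nyc': { version: '15.1.0', dev: true, dependencies: { 'istanbul-lib-processinfo': '^2.0.2' } },
  'node_modules/istanbul-lib-processinfo': { version: '2.0.3', dev: true, dependencies: { uuid: '^8.3.2' } },
  'node_modules/istanbul-lib-processinfo/node_modules/uuid': { version: '8.3.2', dev: true },
} };
const vulnerable = auditDependency(LOCK_BEFORE, 'uuid', PATCHED_UUID).filter(f => f.vulnerable);
console.log(vulnerable); // one finding: istanbul-lib-processinfo resolves uuid 8.3.2
```

Against a real tree, load the lockfile with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` and expect an empty filtered list once the override is in place.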
--
This message was sent by Atlassian Jira
(v8.20.10#820010)