escoberik opened a new pull request, #153: URL: https://github.com/apache/cordova-node-xcode/pull/153
## Problem

`uuid ^7.0.3` is flagged by [GHSA-w5hq-g745-h8pq](https://github.com/advisories/GHSA-w5hq-g745-h8pq) — a missing buffer bounds check in `uuid.v3/v5/v6()` when an explicit `buf` argument is provided. The advisory marks all versions below `[email protected]` as vulnerable, so downstream consumers (notably the Expo SDK and any project using `@expo/config-plugins`) see security audit failures they cannot resolve.

The "fix" suggested by `npm audit` — upgrading to `uuid@14` — isn't viable here because uuid v14 dropped CommonJS support, and this package uses `require('uuid')`.

## Solution

This PR replaces the single `uuid.v4()` call in `generateUuid()` with Node's built-in [`crypto.randomUUID()`](https://nodejs.org/api/crypto.html#cryptorandomuuidoptions), which:

- Produces the same RFC 4122 v4 UUID format
- Has been available since Node.js 14.17.0 (LTS)
- Requires no external dependency

The `uuid` package is removed from `dependencies` entirely. The `engines` field is updated from `>=10.0.0` to `>=14.17.0` to reflect the new minimum.

## Testing

All 426 existing tests pass with no changes to the test suite.

```
ℹ pass 426
ℹ fail 0
```

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at: [email protected]
