
Upgrade uuid to resolve CVE-2026-41907 #357

Merged
cigamit merged 1 commit into main from CVE-2026-41907 on May 23, 2026

Conversation

@cigamit cigamit commented May 22, 2026

It is brought in via webpack-dev-server > sockjs, but we don't use the portion of the app that uses the code, so it's safe to override the package until the next major version of webpack-dev-server, which drops sockjs completely.

@cigamit cigamit requested a review from TheWitness May 22, 2026 17:16
@cigamit cigamit self-assigned this May 22, 2026
Copilot AI review requested due to automatic review settings May 22, 2026 17:16
@cigamit cigamit added the dependencies, SECURITY and javascript labels May 22, 2026
Copilot AI left a comment

Pull request overview

This PR mitigates CVE-2026-41907 in the AWX UI toolchain by forcing an updated uuid version for the transitive dependency chain webpack-dev-server -> sockjs -> uuid, without upgrading webpack-dev-server itself.

Changes:

  • Add an npm overrides rule to force sockjs to use uuid@11.1.1.
  • Update package-lock.json so installs resolve uuid to 11.1.1.

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated 2 comments.

  • awx/ui/package.json: Adds an overrides rule to pin sockjs’s transitive uuid dependency to 11.1.1.
  • awx/ui/package-lock.json: Updates the resolved uuid package entry to 11.1.1 to reflect the override during installation.
Files not reviewed (1)
  • awx/ui/package-lock.json: Language not supported

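The review above describes the mitigation mechanism: an npm `overrides` rule in awx/ui/package.json that pins the uuid resolved under sockjs, with awx/ui/package-lock.json updated to match. The check a reviewer wants on such a PR is that the lockfile actually honours the pin, since a stale nested copy (node_modules/sockjs/node_modules/uuid) would silently win Node's resolution. The script below is an added example, not code from the AWX project or from this PR: it models the override as a constructed package.json fragment and a constructed lockfileVersion-3 package-lock.json fragment, walks the lockfile the way Node resolves a dependency (nearest node_modules/<name> upward from the parent's install path), and reports whether each nested override is satisfied. It goes slightly beyond the page in also listing every installed copy of the overridden package, because a parent-scoped override only affects the copy that parent resolves to, and other copies remain for the reviewer to judge. All file contents, package versions other than uuid@11.1.1, and the `legacy-tool` package are constructed samples.

```javascript
// Added example (not the AWX project's code). Verifies that a nested npm
// "overrides" rule in package.json is honoured by package-lock.json.

// Constructed package.json fragment modelled on the override this PR describes:
// only the uuid that sockjs depends on is forced to 11.1.1.
const samplePackageJson = {
  name: 'sample-ui',
  devDependencies: { 'webpack-dev-server': '^4.15.0' },
  overrides: { sockjs: { uuid: '11.1.1' } },
};

// Constructed lockfileVersion-3 fragment. "packages" is keyed by install path,
// which is what lets us reproduce Node's resolution order below.
const samplePackageLock = {
  lockfileVersion: 3,
  packages: {
    'node_modules/webpack-dev-server': { version: '4.15.2', dependencies: { sockjs: '^0.3.24' } },
    'node_modules/sockjs': { version: '0.3.24', dependencies: { uuid: '^8.3.2' } },
    'node_modules/uuid': { version: '11.1.1' },
    // An unrelated copy (hypothetical package) that the sockjs-scoped override does not touch.
    'node_modules/legacy-tool/node_modules/uuid': { version: '8.3.2' },
  },
};

function parseVersion(v) {
  return v.replace(/^[\^~]/, '').split('.').map(Number);
}

// Exact pins must match exactly; "^x.y.z" accepts the same major at or above x.y.z.
function satisfiesPin(version, spec) {
  if (!spec.startsWith('^')) return version === spec;
  const want = parseVersion(spec);
  const have = parseVersion(version);
  if (have[0] !== want[0]) return false;
  for (let i = 0; i < 3; i++) {
    if (have[i] > want[i]) return true;
    if (have[i] < want[i]) return false;
  }
  return true;
}

// Mimics Node's lookup: the nearest node_modules/<name> walking up from fromPath,
// ending at the top-level node_modules/<name>. Returns null if nothing is installed.
function resolveDep(lock, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = `${base}/node_modules/${name}`;
    if (lock.packages[candidate]) return { path: candidate, ...lock.packages[candidate] };
    const idx = base.lastIndexOf('/node_modules/');
    if (idx === -1) {
      const top = `node_modules/${name}`;
      return lock.packages[top] ? { path: top, ...lock.packages[top] } : null;
    }
    base = base.slice(0, idx);
  }
}

function installPathsOf(lock, name) {
  return Object.keys(lock.packages)
    .filter((p) => p === `node_modules/${name}` || p.endsWith(`/node_modules/${name}`));
}

// For every nested override (parent -> child: pin), check what each installed
// copy of the parent would actually resolve for the child.
function checkOverrides(pkg, lock) {
  const results = [];
  for (const [parent, spec] of Object.entries(pkg.overrides || {})) {
    if (typeof spec !== 'object') continue; // top-level string pins need no parent walk
    for (const parentPath of installPathsOf(lock, parent)) {
      for (const [child, pin] of Object.entries(spec)) {
        const resolved = resolveDep(lock, parentPath, child);
        results.push({
          parent: parentPath,
          child,
          pin,
          resolved: resolved ? resolved.version : null,
          ok: resolved !== null && satisfiesPin(resolved.version, pin),
        });
      }
    }
  }
  return results;
}

// Every installed copy of a package, so copies outside the override's scope are
// visible to the reviewer rather than silently left behind.
function copiesOf(lock, name) {
  return installPathsOf(lock, name).map((p) => ({ path: p, version: lock.packages[p].version }));
}

function allHonoured(pkg, lock) {
  return checkOverrides(pkg, lock).every((r) => r.ok);
}

console.log(checkOverrides(samplePackageJson, samplePackageLock));
console.log('other copies:', copiesOf(samplePackageLock, 'uuid'));
console.log('override honoured:', allHonoured(samplePackageJson, samplePackageLock));
```

To run it against a real checkout, replace the two constructed objects with `JSON.parse(fs.readFileSync(...))` of awx/ui/package.json and awx/ui/package-lock.json; the resolution walk and the pin check need no change. The second copy of uuid in the sample is there deliberately: the override in this PR is scoped to sockjs, so a reviewer should expect the check to pass while still seeing any other uuid copies listed.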

Comment thread awx/ui/package.json
@TheWitness TheWitness left a comment

Some Copilot comments.

@cigamit cigamit merged commit 32fc18e into main May 23, 2026
1 check passed
@cigamit cigamit deleted the CVE-2026-41907 branch May 23, 2026 02:28

Labels

  • dependencies: Pull requests that update a dependency file
  • javascript: Pull requests that update javascript code
  • SECURITY: A security related issue like a CVE specifically
