Skip to content

Bump uuid and npm#101

Closed
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/npm_and_yarn/multi-62d31e1f9e
Closed

Bump uuid and npm#101
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/npm_and_yarn/multi-62d31e1f9e

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot Bot commented on behalf of github May 4, 2026

Removes uuid. It's no longer used after updating ancestor dependency npm. These dependencies need to be updated together.

Removes uuid

Updates npm from 6.14.9 to 11.13.0

Release notes

Sourced from npm's releases.

v11.13.0

11.13.0 (2026-04-22)

Features

Bug Fixes

Dependencies

Chores

v11.12.1

11.12.1 (2026-03-24)

Bug Fixes

Documentation

Dependencies

v11.12.0

11.12.0 (2026-03-18)

Features

Bug Fixes

Dependencies

... (truncated)

Changelog

Sourced from npm's changelog.

11.13.0 (2026-04-22)

Features

Bug Fixes

Dependencies

Chores

11.12.1 (2026-03-24)

Bug Fixes

Documentation

Dependencies

11.12.0 (2026-03-18)

Features

Bug Fixes

Dependencies

... (truncated)

Commits
  • 524590f chore: release 11.13.0
  • e0724ac chore: dev dependency updates
  • 8d2fdcd deps: lru-cache@11.3.5
  • e603d36 deps: node-gyp@12.3.0
  • d48b7da deps: is-cidr@6.0.4
  • ecd161b fix: ignore intended error code
  • e200696 fix(libnpmexec): skip redundant reify for cached directory specs (#9256)
  • 7cd45c6 fix(arborist): handle npm link with install-strategy=linked
  • 8e8dadb feat: add u as alias for update command (#9246)
  • 032a5ca deps: @​sigstore/protobuf-specs@​0.5.1
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by owlstronaut, a new releaser for npm since your current version.


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

@dependabot
Bump uuid and npm
e16c768 
Removes [uuid](https://github.com/uuidjs/uuid). It's no longer used after updating ancestor dependency [npm](https://github.com/npm/cli). These dependencies need to be updated together.


Removes `uuid`

Updates `npm` from 6.14.9 to 11.13.0
- [Release notes](https://github.com/npm/cli/releases)
- [Changelog](https://github.com/npm/cli/blob/v11.13.0/CHANGELOG.md)
- [Commits](npm/cli@v6.14.9...v11.13.0)

---
updated-dependencies:
- dependency-name: uuid
  dependency-version: 
  dependency-type: indirect
- dependency-name: npm
  dependency-version: 11.13.0
  dependency-type: direct:development
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels May 4, 2026
@dg-appsec-cxone
Copy link
Copy Markdown

dg-appsec-cxone commented May 4, 2026

Logo
Checkmarx One – Scan Summary & Details8a0c135e-f970-4089-9685-060e97511275

New Issues (20) Checkmarx found the following issues in this Pull Request
# Severity Issue Source File / Package Checkmarx Insight
1 CRITICAL CVE-2026-4800 Npm-lodash-4.17.19
detailsRecommended version: 4.18.0
Description: The fix for CVE-2021-23337 added validation for the variable option in _.template but did not apply the same validation to "options.imports" key na...
Attack Vector: NETWORK
Attack Complexity: LOW
Vulnerable Package
2 HIGH CVE-2025-66418 Python-urllib3-1.26.20
detailsRecommended version: 2.6.3
Description: urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.24 and prior to 2.6.0, the number of links in the decompression ch...
Attack Vector: NETWORK
Attack Complexity: LOW
Vulnerable Package
3 HIGH CVE-2025-66471 Python-urllib3-1.26.20
detailsRecommended version: 2.6.3
Description: urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.0 and prior to 2.6.0, the Streaming API improperly handles highly ...
Attack Vector: NETWORK
Attack Complexity: LOW
Vulnerable Package
4 HIGH CVE-2026-21441 Python-urllib3-1.26.20
detailsRecommended version: 2.6.3
Description: urllib3 is an HTTP client library for Python. urllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the...
Attack Vector: NETWORK
Attack Complexity: LOW
Vulnerable Package
5 HIGH CVE-2026-26996 Npm-minimatch-3.0.4
detailsRecommended version: 3.1.4
Description: minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Versions prior to 3.1.3, 4.0.0 prior to 4.2...
Attack Vector: NETWORK
Attack Complexity: LOW
Vulnerable Package
6 HIGH CVE-2026-27903 Npm-minimatch-3.0.4
detailsRecommended version: 3.1.4
Description: minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. All versions starting from 3.0.0 and prior ...
Attack Vector: NETWORK
Attack Complexity: LOW
Vulnerable Package
7 HIGH CVE-2026-27904 Npm-minimatch-3.0.4
detailsRecommended version: 3.1.4
Description: minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. All versions starting from 3.0.0 and prior ...
Attack Vector: NETWORK
Attack Complexity: LOW
Vulnerable Package
8 HIGH CVE-2026-27959 Npm-koa-2.13.0
detailsRecommended version: 2.16.4
Description: Koa is middleware for Node.js using ES2017 async functions. Prior to versions 2.16.4 and 3.x prior to 3.1.2, Koa's `ctx.hostname` API performs naiv...
Attack Vector: NETWORK
Attack Complexity: LOW
Vulnerable Package
9 HIGH CVE-2026-32141 Npm-flatted-2.0.2
detailsRecommended version: 3.4.2
Description: flatted is a circular JSON parser. Prior to 3.4.0, flatted's "parse()" function uses a recursive "revive()" phase to resolve circular references in...
Attack Vector: NETWORK
Attack Complexity: LOW
Vulnerable Package
10 HIGH CVE-2026-33228 Npm-flatted-2.0.2
detailsRecommended version: 3.4.2
Description: The "parse()" function in flatted can use attacker-controlled string values from the parsed JSON as direct array index keys, without validating t...
Attack Vector: NETWORK
Attack Complexity: LOW
Vulnerable Package
11 HIGH CVE-2026-33671 Npm-picomatch-2.2.2
detailsRecommended version: 2.3.2
Description: `picomatch` is vulnerable prior to 2.3.2, 3.x prior to 3.0.2 and 4.x prior to 4.0.4, to Regular Expression Denial of Service (ReDoS) when processi...
Attack Vector: NETWORK
Attack Complexity: LOW
Vulnerable Package
12 HIGH CVE-2026-34043 Npm-serialize-javascript-3.1.0
detailsRecommended version: 7.0.5
Description: Serialize JavaScript to a superset of JSON that includes regular expressions and functions. Prior to version 7.0.5, there is a Denial-of-Service (D...
Attack Vector: NETWORK
Attack Complexity: LOW
Vulnerable Package
13 HIGH Cxf5fb15b0-6576 Npm-serialize-javascript-3.1.0
detailsRecommended version: 7.0.5
Description: serialize-javascript through 7.0.2 contains a code injection vulnerability due to improper escaping of "RegExp.flags" during serialization. Althoug...
Attack Vector: NETWORK
Attack Complexity: HIGH
Vulnerable Package
14 MEDIUM CVE-2025-13465 Npm-lodash-4.17.19
detailsRecommended version: 4.18.0
Description: Lodash versions from 4.0.0 through 4.17.22 are vulnerable to Prototype Pollution in the "_.unset" and "_.omit" functions. An attacker can pass craf...
Attack Vector: NETWORK
Attack Complexity: LOW
Vulnerable Package
15 MEDIUM CVE-2025-14505 Npm-elliptic-6.5.4
detailsDescription: The ECDSA implementation of the Elliptic package generates incorrect signatures if an interim value of 'k' (as computed based on step 3.2 of RFC 6...
Attack Vector: NETWORK
Attack Complexity: HIGH
Vulnerable Package
16 MEDIUM CVE-2025-64718 Npm-js-yaml-3.14.0
detailsRecommended version: 3.14.2
Description: js-yaml is a JavaScript YAML parser and dumper. In js-yaml versions through 3.14.1 and 4.x through 4.1.0, it's possible for an attacker to modify t...
Attack Vector: NETWORK
Attack Complexity: LOW
Vulnerable Package
17 MEDIUM CVE-2026-2739 Npm-bn.js-5.1.2
detailsRecommended version: 5.2.3
Description: This affects versions of the package bn.js prior to 4.12.3 and 5.x prior to 5.2.3. Calling "maskn(0)" on any BN instance corrupts the internal stat...
Attack Vector: NETWORK
Attack Complexity: LOW
Vulnerable Package
18 MEDIUM CVE-2026-2739 Npm-bn.js-4.11.9
detailsRecommended version: 4.12.3
Description: This affects versions of the package bn.js prior to 4.12.3 and 5.x prior to 5.2.3. Calling "maskn(0)" on any BN instance corrupts the internal stat...
Attack Vector: NETWORK
Attack Complexity: LOW
Vulnerable Package
19 MEDIUM CVE-2026-2739 Npm-bn.js-4.12.0
detailsRecommended version: 4.12.3
Description: This affects versions of the package bn.js prior to 4.12.3 and 5.x prior to 5.2.3. Calling "maskn(0)" on any BN instance corrupts the internal stat...
Attack Vector: NETWORK
Attack Complexity: LOW
Vulnerable Package
20 LOW CVE-2025-69873 Npm-ajv-6.12.2
detailsRecommended version: 6.14.0
Description: ajv (Another JSON Schema Validator) through version 8.17.1 is vulnerable to Regular Expression Denial of Service (ReDoS) when the "$data" option is...
Attack Vector: LOCAL
Attack Complexity: HIGH
Vulnerable Package
Fixed Issues (18) Great job! The following issues were fixed in this Pull Request
Severity Issue Source File / Package
CRITICAL CVE-2020-7788 Npm-ini-1.3.5
CRITICAL CVE-2021-3918 Npm-json-schema-0.2.3
CRITICAL CVE-2023-26136 Npm-tough-cookie-2.4.3
CRITICAL CVE-2023-42282 Npm-ip-1.1.5
CRITICAL CVE-2025-7783 Npm-form-data-2.3.2
HIGH CVE-2021-32803 Npm-tar-4.4.13
HIGH CVE-2021-32804 Npm-tar-4.4.13
HIGH CVE-2021-37701 Npm-tar-4.4.13
HIGH CVE-2021-37712 Npm-tar-4.4.13
HIGH CVE-2021-37713 Npm-tar-4.4.13
HIGH CVE-2022-24999 Npm-qs-6.5.2
HIGH CVE-2022-25881 Npm-http-cache-semantics-3.8.1
HIGH CVE-2024-29415 Npm-ip-1.1.5
MEDIUM CVE-2022-33987 Npm-got-6.7.1
MEDIUM CVE-2023-28155 Npm-request-2.88.0
MEDIUM CVE-2024-28863 Npm-tar-4.4.13
LOW CVE-2025-59436 Npm-ip-1.1.5
LOW CVE-2025-59437 Npm-ip-1.1.5

Use @Checkmarx to interact with Checkmarx PR Assistant.
Examples:
@Checkmarx how are you able to help me?
@Checkmarx rescan this PR

@dependabot @github
Copy link
Copy Markdown
Contributor Author

dependabot Bot commented on behalf of github May 25, 2026

Superseded by #103.

@dependabot dependabot Bot closed this May 25, 2026
@dependabot dependabot Bot deleted the dependabot/npm_and_yarn/multi-62d31e1f9e branch May 25, 2026 05:37
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@dg-appsec-cxone