Bump uuid and npm

[dependabot]

Removes uuid. It's no longer used after updating ancestor dependency npm. These dependencies need to be updated together.

Removes uuid

Updates npm from 6.14.9 to 11.15.0

Release notes

Sourced from npm's releases.

v11.15.0

11.15.0 (2026-05-20)

Features

• 0d5d899 #9379 npm stage (@​reggi, @​Copilot)
• 1433740 #9376 add permissions support to trust commands (#9376) (@​github-actions[bot], @​reggi, @​Copilot)
• 8df10f5 #9339 add allow-git/allow-file/allow-directory/allow-remote configs (@​owlstronaut)

Bug Fixes

• 39b625e #9381 key stage download --json output by package name (#9381) (@​reggi, @​Copilot)
• 6aa332d #9339 allow min-release-age in npmrc to coexist with --before (@​raazkhnl)
• 468550f #9339 refactor #failureNode, adjust tests and safety (@​owlstronaut)
• cabe249 #9339 allow-remote=none does not block registry tarballs (@​owlstronaut)

Dependencies

• 8416a60 #9383 socks@2.8.9
• 5e5a25b #9383 lru-cache@11.5.0
• a6f9ad2 #9383 ip-address@10.2.0
• 63f8114 #9383 brace-expansion@5.0.6
• 6918b4c #9383 bin-links@6.0.2
• bf84079 #9383 tar@7.5.15
• bdef82c #9383 semver@7.8.0
• 3f38a67 #9383 hosted-git-info@9.0.3

Chores

• 816f3bf #9383 dev dependency updates (@​owlstronaut)
• workspace: @npmcli/arborist@9.6.0
• workspace: @npmcli/config@10.9.1
• workspace: libnpmdiff@8.1.8
• workspace: libnpmexec@10.2.8
• workspace: libnpmfund@7.0.22
• workspace: libnpmpack@9.1.8
• workspace: libnpmpublish@11.2.0

v11.14.1

11.14.1 (2026-05-08)

Bug Fixes

• dca12cb #9328 remove settings (#9328) (@​github-actions[bot], @​owlstronaut)

v11.14.0

11.14.0 (2026-05-06)

Features

• 45fc5e0 #9288 add allow-directory, allow-file, and allow-remote (#9288) (@​github-actions[bot], @​wraithgar)

Bug Fixes

• 6c17544 #9318 sbom: dedupe per-node dependsOn / relationships (#9318) (@​github-actions[bot], @​mikaelkristiansson)

Dependencies

• 840fe18 #9322 socks@10.1.1
• b771289 #9322 ip-address@10.1.1
• addffcb #9322 cidr-regex@5.0.5

Chores

• 041fd58 #9322 dev dependency updates (@​owlstronaut)
• 89c505a #9320 add cli-triage team as codeowner (#9320) (@​github-actions[bot], @​owlstronaut)
• workspace: @npmcli/arborist@9.5.0
• workspace: @npmcli/config@10.9.0

... (truncated)

Changelog

Sourced from npm's changelog.

11.15.0 (2026-05-20)

Features

• 0d5d899 #9379 npm stage (@​reggi, @​Copilot)
• 1433740 #9376 add permissions support to trust commands (#9376) (@​github-actions[bot], @​reggi, @​Copilot)
• 8df10f5 #9339 add allow-git/allow-file/allow-directory/allow-remote configs (@​owlstronaut)

Bug Fixes

• 39b625e #9381 key stage download --json output by package name (#9381) (@​reggi, @​Copilot)
• 6aa332d #9339 allow min-release-age in npmrc to coexist with --before (@​raazkhnl)
• 468550f #9339 refactor #failureNode, adjust tests and safety (@​owlstronaut)
• cabe249 #9339 allow-remote=none does not block registry tarballs (@​owlstronaut)

Dependencies

• 8416a60 #9383 socks@2.8.9
• 5e5a25b #9383 lru-cache@11.5.0
• a6f9ad2 #9383 ip-address@10.2.0
• 63f8114 #9383 brace-expansion@5.0.6
• 6918b4c #9383 bin-links@6.0.2
• bf84079 #9383 tar@7.5.15
• bdef82c #9383 semver@7.8.0
• 3f38a67 #9383 hosted-git-info@9.0.3

Chores

• 816f3bf #9383 dev dependency updates (@​owlstronaut)
• workspace: @npmcli/arborist@9.6.0
• workspace: @npmcli/config@10.9.1
• workspace: libnpmdiff@8.1.8
• workspace: libnpmexec@10.2.8
• workspace: libnpmfund@7.0.22
• workspace: libnpmpack@9.1.8
• workspace: libnpmpublish@11.2.0

11.14.1 (2026-05-08)

Bug Fixes

• dca12cb #9328 remove settings (#9328) (@​github-actions[bot], @​owlstronaut)

11.14.0 (2026-05-06)

Features

• 45fc5e0 #9288 add allow-directory, allow-file, and allow-remote (#9288) (@​github-actions[bot], @​wraithgar)

Bug Fixes

• 6c17544 #9318 sbom: dedupe per-node dependsOn / relationships (#9318) (@​github-actions[bot], @​mikaelkristiansson)

Dependencies

• 840fe18 #9322 socks@10.1.1
• b771289 #9322 ip-address@10.1.1
• addffcb #9322 cidr-regex@5.0.5

Chores

• 041fd58 #9322 dev dependency updates (@​owlstronaut)
• 89c505a #9320 add cli-triage team as codeowner (#9320) (@​github-actions[bot], @​owlstronaut)
• workspace: @npmcli/arborist@9.5.0
• workspace: @npmcli/config@10.9.0
• workspace: libnpmdiff@8.1.7
• workspace: libnpmexec@10.2.7
• workspace: libnpmfund@7.0.21

... (truncated)

Commits

• dba4863 chore: release 11.15.0
• 816f3bf chore: dev dependency updates
• 8416a60 deps: socks@2.8.9
• 5e5a25b deps: lru-cache@11.5.0
• a6f9ad2 deps: ip-address@10.2.0
• 63f8114 deps: brace-expansion@5.0.6
• 6918b4c deps: bin-links@6.0.2
• bf84079 deps: tar@7.5.15
• bdef82c deps: semver@7.8.0
• 3f38a67 deps: hosted-git-info@9.0.3
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by owlstronaut, a new releaser for npm since your current version.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[dg-appsec-cxone]

Checkmarx One – Scan Summary & Details – bc62a842-bd25-4449-afd7-1fb5ab7931e2

---

New Issues (24)

Checkmarx found the following issues in this Pull Request

#	Severity	Issue	Source File / Package	Checkmarx Insight
1		CVE-2026-4800	Npm-lodash-4.17.19	details Recommended version: 4.18.0 Description: The fix for CVE-2021-23337 added validation for the variable option in _.template but did not apply the same validation to "options.imports" key na... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
2		CVE-2025-66418	Python-urllib3-1.26.20	details Recommended version: 2.7.0 Description: urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.24 and prior to 2.6.0, the number of links in the decompression ch... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
3		CVE-2025-66471	Python-urllib3-1.26.20	details Recommended version: 2.7.0 Description: urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.0 and prior to 2.6.0, the Streaming API improperly handles highly ... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
4		CVE-2026-21441	Python-urllib3-1.26.20	details Recommended version: 2.7.0 Description: urllib3 is an HTTP client library for Python. urllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
5		CVE-2026-26996	Npm-minimatch-3.0.4	details Recommended version: 3.1.4 Description: minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Versions prior to 3.1.3, 4.0.0 prior to 4.2... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
6		CVE-2026-27903	Npm-minimatch-3.0.4	details Recommended version: 3.1.4 Description: minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. All versions starting from 3.0.0 and prior ... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
7		CVE-2026-27904	Npm-minimatch-3.0.4	details Recommended version: 3.1.4 Description: minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. All versions starting from 3.0.0 and prior ... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
8		CVE-2026-27959	Npm-koa-2.13.0	details Recommended version: 2.16.4 Description: Koa is middleware for Node.js using ES2017 async functions. Prior to versions 2.16.4 and 3.x prior to 3.1.2, Koa's `ctx.hostname` API performs naiv... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
9		CVE-2026-32141	Npm-flatted-2.0.2	details Recommended version: 3.4.2 Description: flatted is a circular JSON parser. Prior to 3.4.0, flatted's "parse()" function uses a recursive "revive()" phase to resolve circular references in... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
10		CVE-2026-33228	Npm-flatted-2.0.2	details Recommended version: 3.4.2 Description: The "parse()" function in flatted can use attacker-controlled string values from the parsed JSON as direct array index keys, without validating t... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
11		CVE-2026-33671	Npm-picomatch-2.2.2	details Recommended version: 2.3.2 Description: `picomatch` is vulnerable prior to 2.3.2, 3.x prior to 3.0.2 and 4.x prior to 4.0.4, to Regular Expression Denial of Service (ReDoS) when processi... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
12		CVE-2026-33750	Npm-brace-expansion-1.1.11	details Recommended version: 1.1.13 Description: The brace-expansion library generates arbitrary strings containing a common prefix and suffix. In versions prior to 1.1.13, 2.0.0 prior to 2.0.3, 3... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
13		CVE-2026-34043	Npm-serialize-javascript-3.1.0	details Recommended version: 7.0.5 Description: Serialize JavaScript to a superset of JSON that includes regular expressions and functions. Prior to version 7.0.5, there is a Denial-of-Service (D... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
14		CVE-2026-44431	Python-urllib3-1.26.20	details Recommended version: 2.7.0 Description: When following cross-origin redirects for requests made using urllib3's high-level APIs, such as `urllib3.request()`, `PoolManager.request()`, and ... Attack Vector: NETWORK Attack Complexity: HIGH Vulnerable Package
15		Cxf5fb15b0-6576	Npm-serialize-javascript-3.1.0	details Recommended version: 7.0.5 Description: serialize-javascript through 7.0.2 contains a code injection vulnerability due to improper escaping of "RegExp.flags" during serialization. Althoug... Attack Vector: NETWORK Attack Complexity: HIGH Vulnerable Package
16		CVE-2025-13465	Npm-lodash-4.17.19	details Recommended version: 4.18.0 Description: Lodash versions from 4.0.0 through 4.17.22 are vulnerable to Prototype Pollution in the "_.unset" and "_.omit" functions. An attacker can pass craf... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
17		CVE-2025-14505	Npm-elliptic-6.5.4	details Description: The ECDSA implementation of the Elliptic package generates incorrect signatures if an interim value of 'k' (as computed based on step 3.2 of RFC 6... Attack Vector: NETWORK Attack Complexity: HIGH Vulnerable Package
18		CVE-2025-64718	Npm-js-yaml-3.14.0	details Recommended version: 3.14.2 Description: js-yaml is a JavaScript YAML parser and dumper. In js-yaml versions through 3.14.1 and 4.x through 4.1.0, it's possible for an attacker to modify t... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
19		CVE-2026-2739	Npm-bn.js-4.11.9	details Recommended version: 4.12.3 Description: This affects versions of the package bn.js prior to 4.12.3 and 5.x prior to 5.2.3. Calling "maskn(0)" on any BN instance corrupts the internal stat... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
20		CVE-2026-2739	Npm-bn.js-5.1.2	details Recommended version: 5.2.3 Description: This affects versions of the package bn.js prior to 4.12.3 and 5.x prior to 5.2.3. Calling "maskn(0)" on any BN instance corrupts the internal stat... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
21		CVE-2026-2739	Npm-bn.js-4.12.0	details Recommended version: 4.12.3 Description: This affects versions of the package bn.js prior to 4.12.3 and 5.x prior to 5.2.3. Calling "maskn(0)" on any BN instance corrupts the internal stat... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
22		CVE-2026-33672	Npm-picomatch-2.2.2	details Recommended version: 2.3.2 Description: Picomatch is a glob matcher written JavaScript. Versions prior to 2.3.2, 3.0.0 prior to 3.0.2 and 4.0.0 prior to 4.0.4, are vulnerable to a method ... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
23		CVE-2026-40895	Npm-follow-redirects-1.12.1	details Recommended version: 1.16.0 Description: follow-redirects is an open source, drop-in replacement for Node's `http` and `https` modules that automatically follows redirects. Prior to versio... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
24		CVE-2025-69873	Npm-ajv-6.12.2	details Recommended version: 6.14.0 Description: ajv (Another JSON Schema Validator) through version 8.17.1 is vulnerable to Regular Expression Denial of Service (ReDoS) when the "$data" option is... Attack Vector: LOCAL Attack Complexity: HIGH Vulnerable Package

---

Fixed Issues (18)

Great job! The following issues were fixed in this Pull Request

Severity	Issue	Source File / Package
	CVE-2020-7788	Npm-ini-1.3.5
	CVE-2021-3918	Npm-json-schema-0.2.3
	CVE-2023-26136	Npm-tough-cookie-2.4.3
	CVE-2023-42282	Npm-ip-1.1.5
	CVE-2025-7783	Npm-form-data-2.3.2
	CVE-2021-32803	Npm-tar-4.4.13
	CVE-2021-32804	Npm-tar-4.4.13
	CVE-2021-37701	Npm-tar-4.4.13
	CVE-2021-37712	Npm-tar-4.4.13
	CVE-2021-37713	Npm-tar-4.4.13
	CVE-2022-24999	Npm-qs-6.5.2
	CVE-2022-25881	Npm-http-cache-semantics-3.8.1
	CVE-2024-29415	Npm-ip-1.1.5
	CVE-2022-33987	Npm-got-6.7.1
	CVE-2023-28155	Npm-request-2.88.0
	CVE-2024-28863	Npm-tar-4.4.13
	CVE-2025-59436	Npm-ip-1.1.5
	CVE-2025-59437	Npm-ip-1.1.5

---

Use @Checkmarx to interact with Checkmarx PR Assistant.
Examples:
@Checkmarx how are you able to help me?
@Checkmarx rescan this PR