🚨 [security] Update uuid 10.0.0 → 14.0.0 (major)

[depfu]

---

Welcome to Depfu 👋

This is one of the first three pull requests with dependency updates we've sent your way. We tried to start with a few easy patch-level updates. Hopefully your tests will pass and you can merge this pull request without too much risk. This should give you an idea how Depfu works in general.

After you merge your first pull request, we'll send you a few more. We'll never open more than seven PRs at the same time so you're not getting overwhelmed with updates.

Let us know if you have any questions. Thanks so much for giving Depfu a try!

---

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this upgrade. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ uuid (10.0.0 → 14.0.0) · Repo · Changelog

Security Advisories 🚨

🚨 uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided

Summary

v3, v5, and v6 accept external output buffers but do not reject out-of-range writes (small buf or large offset).
By contrast, v4, v1, and v7 explicitly throw RangeError on invalid bounds.

This inconsistency allows silent partial writes into caller-provided buffers.

Affected code

• src/v35.ts (v3/v5 path) writes buf[offset + i] without bounds validation.
• src/v6.ts writes buf[offset + i] without bounds validation.

Reproducible PoC

cd /home/StrawHat/uuid
npm ci
npm run build
node --input-type=module -e "

import {v4,v5,v6} from './dist-node/index.js';

const ns='6ba7b810-9dad-11d1-80b4-00c04fd430c8';

for (const [name,fn] of [

  ['v4',()=>v4({},new Uint8Array(8),4)],

  ['v5',()=>v5('x',ns,new Uint8Array(8),4)],

  ['v6',()=>v6({},new Uint8Array(8),4)],

]) {

  try { fn(); console.log(name,'NO_THROW'); }

  catch(e){ console.log(name,'THREW',e.name); }

}"

Observed:

• v4 THREW RangeError
• v5 NO_THROW
• v6 NO_THROW

Example partial overwrite evidence captured during audit:

same true buf [
  170, 170, 170, 170,
   75, 224, 100,  63
]
v6 [
  187, 187, 187, 187,
   31,  19, 185,  64
]

Security impact

• Primary: integrity/robustness issue (silent partial output).
• If an application assumes full UUID writes into preallocated buffers, this can produce malformed/truncated/partially stale identifiers without error.
• In systems where caller-controlled offsets/buffer sizes are exposed indirectly, this may become a security-relevant logic flaw.

Suggested fix

Add the same guard used by v4/v1/v7:

if (offset < 0 || offset + 16 > buf.length) {
  throw new RangeError(`UUID byte range ${offset}:${offset + 15} is out of buffer bounds`);
}

Apply to:

• src/v35.ts (covers v3 and v5)
• src/v6.ts

Release Notes

14.0.0

14.0.0 (2026-04-19)

⚠ BREAKING CHANGES

• expect crypto to be global everywhere (requires node@20+) (#935)
• drop node@18 support (#934)

Features

• drop node@18 support (#934) (dc4ddb8)

Bug Fixes

• expect crypto to be global everywhere (requires node@20+) (#935) (f2c235f)
• Use GITHUB_TOKEN for release-please and enable npm provenance (#925) (ffa3138)

13.0.0

13.0.0 (2025-09-08)

⚠ BREAKING CHANGES

• make browser exports the default (#901)

Bug Fixes

• make browser exports the default (#901) (bce9d72)

12.0.0

12.0.0 (2025-09-05)

⚠ BREAKING CHANGES

• update to typescript@5.2 (#887)
• remove CommonJS support (#886)
• drop node@16 support (#883)

Features

• add node@24 to ci matrix (#879) (42b6178)
• drop node@16 support (#883) (0f38cf1)
• remove CommonJS support (#886) (ae786e2)
• update to typescript@5.2 (#887) (c7ee405)

Bug Fixes

• improve v4() performance (#894) (5fd974c)
• restore node: prefix (#889) (e1f42a3)

11.1.0

11.1.0 (2025-02-19)

Features

• update TS types to allowUint8Array subtypes for buffer option (#865) (a5231e7)

11.0.5

11.0.5 (2025-01-09)

Bug Fixes

• add TS unit test, pin to typescript@5.0.4 (#860) (24ac2fd)

11.0.4

11.0.4 (2025-01-05)

Bug Fixes

• docs: insure -> ensure (#843) (d2a61e1)
• exclude tests from published package (#840) (f992ff4)
• Test for invalid byte array sizes and ranges in v1(), v4(), and v7() (#845) (e0ee900)

11.0.3

11.0.3 (2024-11-04)

Bug Fixes

• apply stricter typing to the v* signatures (#831) (c2d3fed)
• export internal uuid types (#833) (341edf4)
• remove sourcemaps (#827) (b93ea10)
• revert "simplify type for v3 and v5" (#835) (e2dee69)

11.0.2

11.0.2 (2024-10-28)

Bug Fixes

• remove wrapper.mjs (2a18871)
• remove wrapper.mjs (#822) (6683ad3)

11.0.1

11.0.1 (2024-10-27)

Bug Fixes

• restore package.json#browser field (#817) (ae8f386)

11.0.0

11.0.0 (2024-10-27)

⚠ BREAKING CHANGES

• refactor v1 internal state and options logic (#780)
• refactor v7 internal state and options logic, fixes #764 (#779)
• Port to TypeScript, closes #762 (#763)
• update node support matrix (only support node 16-20) (#750)
• This library always aims at supporting one EOLed LTS release which by this time now is 12.x which has reached EOL 30 Apr 2022.
• Remove the minified UMD build from the package.
• Drop support for browsers that don't correctly implement const/let and default arguments, and no longer transpile the browser build to ES2015.
• Although in practice this is currently a noop since the resulting build does not change, the build will no longer transpiles future changes for Node.js 8.x targets, so semantically this is still a breaking change.
• Deep requiring specific algorithms of this library like require('uuid/v4'), which has been deprecated in uuid@7, is no longer supported.
• The default export, which used to be the v4() method but which was already discouraged in v3.x of this library, has been removed.
• Explicitly note that deep imports of the different uuid version functions are deprecated and no longer encouraged and that ECMAScript module named imports should be used instead. Emit a deprecation warning for people who deep-require the different algorithm variants.
• Remove builtin support for insecure random number generators in the browser. Users who want that will have to supply their own random number generator function.
• Remove support for generating v3 and v5 UUIDs in Node.js<4.x
• Convert code base to ECMAScript Modules (ESM) and release CommonJS build for node and ESM build for browser bundlers.

Features

• add parse/stringify/validate/version/NIL APIs (#479) (0e6c10b)
• add support for MAX uuid (new in RFC9562) (#714) (0385cd3)
• add UMD build to npm package (#357) (4e75adf)
• add various es module and CommonJS examples (b238510)
• enforce Conventional Commit style commit messages (#282) (0705cd5)
• ensure that docs are up-to-date in CI (ee5e77d)
• hybrid CommonJS & ECMAScript modules build (a3f078f)
• improve performance of v1 string representation (#453) (0ee0b67)
• improve v4 performance by reusing random number array (#435) (bf4af0d)
• optimize uuid.v1 by 1.3x uuid.v4 by 4.3x (430%) (#597) (3a033f6)
• optimize V8 performance of bytesToUuid (#434) (e156415)
• Port to TypeScript, closes #762 (#763) (1e0f987)
• remove deep requires (#426) (daf72b8)
• remove deprecated v4 string parameter (#454) (88ce3ca)
• remove insecure fallback random number generator (3a5842b)
• remove support for pre Node.js v4 Buffer API (#356) (b59b5c5)
• remove UMD build (#645) (e948a0f), closes #620
• rename repository to github:uuidjs/uuid (#351) (c37a518), closes #338
• rename repository to github:uuidjs/uuid (#351) (e2d7314), closes #338
• support v6 uuids (#754) (c4ed13e)
• update node support matrix (only support node 16-20) (#750) (883b163)
• use native crypto.randomUUID when available (#600) (c9e076c)
• v8 support (#759) (35a5342)

Bug Fixes

• 248 (#251) (67d697c)
• 30, _rb not defined for lesser node.js versions (8a6c03f)
• add CommonJS syntax example to README quickstart section (#417) (e0ec840)
• add deep-require proxies for local testing and adjust tests (#365) (7fedc79)
• add Jest/jsdom compatibility (#642) (16f9c46)
• add missing exports and tests for new APIs (#495) (681e1da)
• assignment to readonly property to allow running in strict mode (#270) (d062fdc)
• change default export to named function (#545) (c57bc5a)
• clean up esm builds for node and browser (#383) (59e6a49)
• export package.json required by react-native and bundlers (#449) (be1c8fe), closes #444
• fix #229 (d9033cf)
• fix #284 by setting function name in try-catch (f2a60f2)
• Get correct version of IE11 crypto (#274) (205e0ed)
• handle error when parameter is not set in v3 and v5 (#622) (fcd7388)
• lazy load getRandomValues (#537) (16c8f6d), closes #536
• make access to msCrypto consistent (#393) (8bf2a20)
• make deep require deprecation warning work in browsers (#409) (4b71107)
• mem issue when generating uuid (#267) (c47702c)
• missing v7 expectations in browser spec (#751) (f54a866)
• prepare package exports for webpack 5 (#468) (8d6e6a5)
• provide browser versions independent from module system (#380) (4344a22)
• refactor v1 internal state and options logic (#780) (031b3d3)
• refactor v7 internal state and options logic, fixes #764 (#779) (9dbd1cd)
• remove v4 options default assignment preventing native.randomUUID from being used (#786) (afe6232)
• revert "perf: remove superfluous call to toLowerCase (#677)" (#738) (e267b90)
• run npm audit fix (#644) (04686f5)
• seq_hi shift for byte 6 (#775) (1d532ca)
• simplify link in deprecation warning (#391) (bb2c8e4)
• support expo>=39.0.0 (#515) (c65a0f3), closes #375
• tsconfig module type (#778) (7eff835)
• typo (305d877)
• update links to match content in readme (#386) (44f2f86)
• upgrading from uuid3 broken link (#568) (1c849da)
• use msCrypto if available. Fixes #241 (#247) (1fef18b)

Performance Improvements

• nodejs: introduce pool into default rng (#513) (7f1af04)
• remove superfluous call to toLowerCase (#677) (e53793f)

Documentation

• add note about removal of default export (#372) (12749b7), closes #370
• deprecated deep requiring of the different algorithm versions (#361) (c0bdf15)

Miscellaneous Chores

• drop node 10.x to upgrade dev dependencies (#653) (28a5712)
• release 11.0.0 (#805) (b003cde)

Build System

• drop Node.js 8.x from babel transpile target (#603) (aa11485)
• drop support for legacy browsers (IE11, Safari 10) (#604) (0f433e5)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu cancel merge

Cancels automatic merging of this PR

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)

[depfu]

Closed in favor of #1364.