diff --git a/.changeset/override-uuid-transitive.md b/.changeset/override-uuid-transitive.md
new file mode 100644
index 0000000..2e0d25b
--- /dev/null
+++ b/.changeset/override-uuid-transitive.md
@@ -0,0 +1,8 @@
+---
+'@utaba/deep-memory-storage-cosmosdb': patch
+---
+
+Override transitive `uuid` dependency to `>=11.1.1` to resolve GHSA-w5hq-g745-h8pq (moderate, missing buffer bounds check in `uuid.v3/v5/v6` when a `buf` argument is supplied).
+
+- The vulnerable `uuid@9.0.1` was pulled in via `gremlin@3.8.1` in `@utaba/deep-memory-storage-cosmosdb`. `gremlin@3.8.1` is the latest stable and pins `uuid@^9.0.1` directly, so a workspace-level `pnpm.overrides` entry is the only way to lift the transitive without forking gremlin.
+- No runtime API change. `gremlin` only calls `uuid.v4()`, which is unchanged across v9 → v11; uuid@11 still publishes a CJS build so `require('uuid')` keeps working.
diff --git a/.gitignore b/.gitignore
index 35009f2..e294c7c 100644
--- a/.gitignore
+++ b/.gitignore
@@ -13,7 +13,8 @@ models
 .mcp.json
 plans
 local-tests
-
+local-*
+.claude/
 # Diagnostic reports (https://nodejs.org/api/report.html)
 report.[0-9]*.[0-9]*.[0-9]*.[0-9]*.json
 .scratch
diff --git a/docs/publishing-guide.md b/docs/publishing-guide.md
index 9a19a74..ed07b85 100644
--- a/docs/publishing-guide.md
+++ b/docs/publishing-guide.md
@@ -97,20 +97,31 @@ List any one of the five fixed-group packages in the frontmatter — the others
 ### 2. Merge to `main`
-After merge, the `release.yml` GitHub Actions workflow runs and either:
+Land the PR into `main` normally. **There is no release automation** — versioning and publishing both happen locally from `main`.
-- **Opens (or updates) a "Version PR"** titled `chore: version packages`, which applies all pending changesets — bumping `package.json` versions and writing entries to each affected package's `CHANGELOG.md`.
-- **Does nothing**, if there are no pending changesets.
+> **No GitHub Action runs the version step.** A `release.yml` workflow existed previously but was removed: the Changesets action repeatedly forced the fixed group from `0.x` to `1.0.0`, because pre-1.0 the action treats accumulated `minor`s as a major-cut signal. Until the project is genuinely ready for `1.0`, the version step is run by hand. Do not reintroduce the action without a documented fix for that behaviour.
-This Version PR is the staging point for the next release. Review the diff to confirm the version bumps and changelog text look right.
+### 3. Apply pending changesets locally
-### 3. Merge the Version PR
+On a clean checkout of `main`:
-Once you're happy, merge the Version PR into `main`. The changesets are consumed (deleted) and the new versions are committed.
+```bash
+pnpm changeset version
+```
+
+This applies every `.changeset/*.md` file: bumps `package.json` versions across the fixed group, writes entries into each affected package's `CHANGELOG.md`, and deletes the consumed `.md` files. Run `pnpm install` afterwards if `pnpm-lock.yaml` did not auto-update.
+
+Review the diff to confirm the version bumps and changelog text look right, then commit:
+
+```bash
+git add -A
+git commit -m "chore: version packages "
+git push origin master
+```
-### 4. Publish locally
+### 4. Publish
-From the repo root, on a clean checkout of `main` at the merged Version PR:
+From the repo root, still on `main` at the version-bump commit:
 ```bash
 pnpm release --dry-run # preview what would be published
@@ -175,6 +186,6 @@ For an urgent fix to an already-released version:
 1. Branch from the tag of the affected release (not `development`).
 2. Apply the fix.
 3. Run `pnpm changeset` and pick `patch`.
-4. PR back into `main`. Merge the resulting Version PR. Publish locally.
+4. PR back into `main`. After merge, run `pnpm changeset version` locally, commit the bump, then `pnpm release`.
 The fixed-group config means all six packages bump to the same patch version even if only one was touched. This is intentional and preserves the "install any combination at the same version" guarantee.
diff --git a/package.json b/package.json
index 524c570..854c96f 100644
--- a/package.json
+++ b/package.json
@@ -18,5 +18,10 @@
 "@changesets/cli": "^2.31.0",
 "turbo": "^2.9.6"
 },
- "packageManager": "pnpm@9.15.4"
+ "packageManager": "pnpm@9.15.4",
+ "pnpm": {
+ "overrides": {
+ "uuid@<11.1.1": "^11.1.1"
+ }
+ }
 }
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index 85e9943..3d65b21 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -4,6 +4,9 @@ settings:
 autoInstallPeers: true
 excludeLinksFromLockfile: false
+overrides:
+ uuid@<11.1.1: ^11.1.1
+
 importers:
 .:
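Review bot: The `pnpm.overrides` entry added in the `package.json` hunk fixes this workspace's lockfile but, as far as I know, does not travel with the published package: pnpm and npm honour `overrides` only in the root project of an installation, so a consumer of `@utaba/deep-memory-storage-cosmosdb` will still resolve `gremlin@3.8.1` → `uuid@^9.0.1` and receive the version named in GHSA-w5hq-g745-h8pq. Since the changeset presents this patch release as resolving the advisory, the release note should say that consumers need their own override until gremlin lifts its pin, and the claim is worth confirming by installing the released version into a scratch project and running `pnpm why uuid` there. Separately, the selector `uuid@<11.1.1` rewrites every pre-11.1.1 `uuid` in the workspace, including older majors whose API may differ from v9; the lockfile hunks show gremlin is currently the only consumer, so the parent-scoped form `"gremlin>uuid": "^11.1.1"` states the intent without silently affecting future dependencies.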
@@ -1841,9 +1844,8 @@ packages:
 resolution: {integrity: sha512-pjy2bYhSsufwWlKwPc+l3cN7+wuJlK6uz0YdJEOlQDbl6jo/YlPi4mb8agUkVC8BF7V8NuzeyPNqRksA3hztKQ==}
 engines: {node: '>= 0.8'}
- uuid@9.0.1:
- resolution: {integrity: sha512-b+1eJOlsR9K8HJpow9Ok3fiWOWSIcIzXodvv0rQjVoOVNpWMpxf1wZNpt4y9h10odCNrqnYp1OBzRktckBe3sA==}
- deprecated: uuid@10 and below is no longer supported. For ESM codebases, update to uuid@latest. For CommonJS codebases, use uuid@11 (but be aware this version will likely be deprecated in 2028).
+ uuid@11.1.1:
+ resolution: {integrity: sha512-vIYxrBCC/N/K+Js3qSN88go7kIfNPssr/hHCesKCQNAjmgvYS2oqr69kIufEG+O4+PfezOH4EbIeHCfFov8ZgQ==}
 hasBin: true
 vary@1.1.2:
@@ -3001,7 +3003,7 @@ snapshots:
 buffer: 6.0.3
 eventemitter3: 5.0.4
 readable-stream: 4.7.0
- uuid: 9.0.1
+ uuid: 11.1.1
 ws: 8.20.1(bufferutil@4.1.0)
 transitivePeerDependencies:
 - bufferutil
@@ -3645,7 +3647,7 @@ snapshots:
 unpipe@1.0.0: {}
- uuid@9.0.1: {}
+ uuid@11.1.1: {}
 vary@1.1.2: {}