From 3b77ed05eab713de889aeb9e58665708232c7515 Mon Sep 17 00:00:00 2001 From: TimWheeler Date: Fri, 5 Jun 2026 13:25:02 +0800 Subject: [PATCH 1/3] Override transitive uuid to >=11.1.1 to clear GHSA-w5hq-g745-h8pq Workspace-level pnpm.overrides lifts uuid past the moderate buffer-bounds advisory. gremlin@3.8.1 (latest stable) pins uuid@^9.0.1 directly and only uses uuid.v4(), which is unchanged in v11; uuid@11 still ships CJS so gremlin's require() keeps working. Verified: pnpm audit clean, typecheck clean, all 18 turbo test tasks green across the monorepo. Co-Authored-By: Claude Opus 4.7 (1M context) --- .changeset/override-uuid-transitive.md | 8 ++++++++ package.json | 7 ++++++- pnpm-lock.yaml | 12 +++++++----- 3 files changed, 21 insertions(+), 6 deletions(-) create mode 100644 .changeset/override-uuid-transitive.md diff --git a/.changeset/override-uuid-transitive.md b/.changeset/override-uuid-transitive.md new file mode 100644 index 0000000..2e0d25b --- /dev/null +++ b/.changeset/override-uuid-transitive.md @@ -0,0 +1,8 @@ +--- +'@utaba/deep-memory-storage-cosmosdb': patch +--- + +Override transitive `uuid` dependency to `>=11.1.1` to resolve GHSA-w5hq-g745-h8pq (moderate, missing buffer bounds check in `uuid.v3/v5/v6` when a `buf` argument is supplied). + +- The vulnerable `uuid@9.0.1` was pulled in via `gremlin@3.8.1` in `@utaba/deep-memory-storage-cosmosdb`. `gremlin@3.8.1` is the latest stable and pins `uuid@^9.0.1` directly, so a workspace-level `pnpm.overrides` entry is the only way to lift the transitive without forking gremlin. +- No runtime API change. `gremlin` only calls `uuid.v4()`, which is unchanged across v9 → v11; uuid@11 still publishes a CJS build so `require('uuid')` keeps working. diff --git a/package.json b/package.json index 524c570..854c96f 100644 --- a/package.json +++ b/package.json 
@@ -18,5 +18,10 @@ "@changesets/cli": "^2.31.0", "turbo": "^2.9.6" }, - "packageManager": "pnpm@9.15.4" + "packageManager": "pnpm@9.15.4", + "pnpm": { + "overrides": { + "uuid@<11.1.1": "^11.1.1" + } + } } diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml index 85e9943..3d65b21 100644 --- a/pnpm-lock.yaml +++ b/pnpm-lock.yaml @@ -4,6 +4,9 @@ settings: autoInstallPeers: true excludeLinksFromLockfile: false +overrides: + uuid@<11.1.1: ^11.1.1 + importers: .: @@ -1841,9 +1844,8 @@ packages: resolution: {integrity: sha512-pjy2bYhSsufwWlKwPc+l3cN7+wuJlK6uz0YdJEOlQDbl6jo/YlPi4mb8agUkVC8BF7V8NuzeyPNqRksA3hztKQ==} engines: {node: '>= 0.8'} - uuid@9.0.1: - resolution: {integrity: sha512-b+1eJOlsR9K8HJpow9Ok3fiWOWSIcIzXodvv0rQjVoOVNpWMpxf1wZNpt4y9h10odCNrqnYp1OBzRktckBe3sA==} - deprecated: uuid@10 and below is no longer supported. For ESM codebases, update to uuid@latest. For CommonJS codebases, use uuid@11 (but be aware this version will likely be deprecated in 2028). + uuid@11.1.1: + resolution: {integrity: sha512-vIYxrBCC/N/K+Js3qSN88go7kIfNPssr/hHCesKCQNAjmgvYS2oqr69kIufEG+O4+PfezOH4EbIeHCfFov8ZgQ==} hasBin: true vary@1.1.2: @@ -3001,7 +3003,7 @@ snapshots: buffer: 6.0.3 eventemitter3: 5.0.4 readable-stream: 4.7.0 - uuid: 9.0.1 + uuid: 11.1.1 ws: 8.20.1(bufferutil@4.1.0) transitivePeerDependencies: - bufferutil @@ -3645,7 +3647,7 @@ snapshots: unpipe@1.0.0: {} - uuid@9.0.1: {} + uuid@11.1.1: {} vary@1.1.2: {} From 270b22862600e1c49ac886fe2392fc615ed240e6 Mon Sep 17 00:00:00 2001 From: TimWheeler Date: Fri, 5 Jun 2026 13:27:43 +0800 Subject: [PATCH 2/3] git config --- .gitignore | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.gitignore b/.gitignore index 35009f2..e294c7c 100644 --- a/.gitignore +++ b/.gitignore @@ -13,7 +13,8 @@ models .mcp.json plans local-tests - +local-* +.claude/ # Diagnostic reports (https://nodejs.org/api/report.html) report.[0-9]*.[0-9]*.[0-9]*.[0-9]*.json .scratch 
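Review bot: The `"pnpm": { "overrides": { "uuid@<11.1.1": "^11.1.1" } }` block added to the root package.json is honoured only when this workspace is the install root; package managers read `overrides` from the root manifest and not from a published dependency, so projects that install `@utaba/deep-memory-storage-cosmosdb` will still resolve `uuid@^9.0.1` through `gremlin@3.8.1` and GHSA-w5hq-g745-h8pq stays in their dependency tree. The lockfile hunks in the same patch do support the single-consumer claim for this repo (one `uuid` entry in `packages`, one `uuid: 9.0.1` → `11.1.1` snapshot edge), so the v4-only argument holds here, but "pnpm audit clean" is a statement about this workspace rather than about consumers. The changeset line `Override transitive uuid dependency to >=11.1.1 to resolve GHSA-w5hq-g745-h8pq` should say it resolves the advisory for this monorepo's own install and that downstream consumers need an equivalent override in their own root manifest until gremlin lifts its pin. It would also help to record the removal condition somewhere discoverable, for example a changeset or publishing-guide line such as `Remove the uuid override once gremlin depends on uuid >= 11.1.1.`, since package.json itself cannot carry that comment.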
From 6992019282dd7625fee68ed48555510a24dd5065 Mon Sep 17 00:00:00 2001 From: TimWheeler Date: Fri, 5 Jun 2026 13:35:28 +0800 Subject: [PATCH 3/3] Update publishing guide: document the removal of release.yml The Changesets GitHub Action was removed because pre-1.0 it repeatedly forced the fixed group from 0.x to 1.0.0. The release flow is now fully manual from main: pnpm changeset version locally, commit, then pnpm release. Note added so the action is not reintroduced without a documented fix for the 0.x to 1.0 jump. Co-Authored-By: Claude Opus 4.7 (1M context) --- docs/publishing-guide.md | 29 ++++++++++++++++++++--------- 1 file changed, 20 insertions(+), 9 deletions(-) diff --git a/docs/publishing-guide.md b/docs/publishing-guide.md index 9a19a74..ed07b85 100644 --- a/docs/publishing-guide.md +++ b/docs/publishing-guide.md 
@@ -97,20 +97,31 @@ List any one of the five fixed-group packages in the frontmatter — the others ### 2. Merge to `main` -After merge, the `release.yml` GitHub Actions workflow runs and either: +Land the PR into `main` normally. **There is no release automation** — versioning and publishing both happen locally from `main`. -- **Opens (or updates) a "Version PR"** titled `chore: version packages`, which applies all pending changesets — bumping `package.json` versions and writing entries to each affected package's `CHANGELOG.md`. -- **Does nothing**, if there are no pending changesets. +> **No GitHub Action runs the version step.** A `release.yml` workflow existed previously but was removed: the Changesets action repeatedly forced the fixed group from `0.x` to `1.0.0`, because pre-1.0 the action treats accumulated `minor`s as a major-cut signal. Until the project is genuinely ready for `1.0`, the version step is run by hand. Do not reintroduce the action without a documented fix for that behaviour. -This Version PR is the staging point for the next release. Review the diff to confirm the version bumps and changelog text look right. +### 3. Apply pending changesets locally -### 3. Merge the Version PR +On a clean checkout of `main`: -Once you're happy, merge the Version PR into `main`. The changesets are consumed (deleted) and the new versions are committed. +```bash +pnpm changeset version +``` + +This applies every `.changeset/*.md` file: bumps `package.json` versions across the fixed group, writes entries into each affected package's `CHANGELOG.md`, and deletes the consumed `.md` files. Run `pnpm install` afterwards if `pnpm-lock.yaml` did not auto-update. + +Review the diff to confirm the version bumps and changelog text look right, then commit: + +```bash +git add -A +git commit -m "chore: version packages " +git push origin master +``` -### 4. Publish locally +### 4. 
Publish -From the repo root, on a clean checkout of `main` at the merged Version PR: +From the repo root, still on `main` at the version-bump commit: ```bash pnpm release --dry-run # preview what would be published @@ -175,6 +186,6 @@ For an urgent fix to an already-released version: 1. Branch from the tag of the affected release (not `development`). 2. Apply the fix. 3. Run `pnpm changeset` and pick `patch`. -4. PR back into `main`. Merge the resulting Version PR. Publish locally. +4. PR back into `main`. After merge, run `pnpm changeset version` locally, commit the bump, then `pnpm release`. The fixed-group config means all six packages bump to the same patch version even if only one was touched. This is intentional and preserves the "install any combination at the same version" guarantee.