fix(javascript): upgrade uuid to ^14.0.0 and TypeScript to ^5.0 #2285

Closed
th3nolo wants to merge 1 commit into svix:main from th3nolo:fix/uuid-14-typescript-5

@th3nolo commented Apr 23, 2026

Motivation

uuid@14 fixes GHSA-w5hq-g745-h8pq (CWE-122, buffer bounds check in uuid v3/v5/v6). The existing Dependabot PR #2284 bumped uuid but CI failed with:

node_modules/uuid/dist/index.d.ts(5,1): error TS1383: Only named exports may use 'export type'.

uuid@14's type declarations use export type * syntax which requires TypeScript 5.0+.

Solution

Bump uuid from ^10.0.0 to ^14.0.0 and typescript from ^4.0 to ^5.0 together. svix only uses uuid.v4() (idempotency keys in request.ts), no v3/v5/v6 usage, so no API risk.

  • npm install completes without errors
  • npm run build passes
  • npm test passes (44 pass, 1 skipped, 0 fail)
  • npm audit shows 0 critical vulnerabilities for uuid

uuid <14.0.0 has a buffer bounds check vulnerability (GHSA-w5hq-g745-h8pq,
CWE-122). uuid@14 type declarations use 'export type *' syntax (TS1383)
which requires TypeScript 5.0+, so both are upgraded together.

Changes:
- uuid: ^10.0.0 -> ^14.0.0 (security fix)
- typescript: ^4.0 -> ^5.0 (required for uuid@14 type compatibility)

Verified: tsc build passes, all 44 tests pass (1 skipped, 0 fail).
@th3nolo th3nolo requested a review from a team April 23, 2026 02:40
@th3nolo th3nolo requested a review from a team as a code owner April 23, 2026 02:40
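
The PR description rests on the code base reaching only uuid.v4(), which can be checked mechanically rather than by reading. As an added example (not part of this PR or of svix's code), the sketch below scans source text for the uuid exports each file imports and flags v3/v5/v6, the generators the description names. Function names, sample file names and sample sources are hypothetical and constructed for illustration.

```javascript
// Added example (not from the PR). AFFECTED follows the PR text: v3/v5/v6.
const AFFECTED = new Set(['v3', 'v5', 'v6']);

// Return the set of uuid exports a source file references, covering ESM
// named/namespace imports and CommonJS destructuring/namespace require.
function uuidExportsUsed(source) {
  const used = new Set();
  // import { v4 as id, v5 } from 'uuid'  |  const { v4: id } = require('uuid')
  const named = /(?:import\s*(?:type\s+)?\{([^}]*)\}\s*from\s*|(?:const|let|var)\s*\{([^}]*)\}\s*=\s*require\(\s*)['"]uuid['"]/g;
  for (const m of source.matchAll(named)) {
    for (const part of (m[1] ?? m[2]).split(',')) {
      const name = part.trim().split(/\s+as\s+|\s*:\s*/)[0];
      if (name) used.add(name);
    }
  }
  // import * as u from 'uuid'  |  const u = require('uuid'), then u.v5(...)
  const ns = /(?:import\s*\*\s*as\s+(\w+)\s*from\s*|(?:const|let|var)\s+(\w+)\s*=\s*require\(\s*)['"]uuid['"]/g;
  for (const m of source.matchAll(ns)) {
    const member = new RegExp(`\\b${m[1] ?? m[2]}\\.(\\w+)`, 'g');
    for (const call of source.matchAll(member)) used.add(call[1]);
  }
  return used;
}

// Map file name -> affected generators it reaches; files that only use v4
// (or do not import uuid) are omitted.
function affectedUsage(files) {
  const hits = {};
  for (const [name, src] of Object.entries(files)) {
    const bad = [...uuidExportsUsed(src)].filter((f) => AFFECTED.has(f)).sort();
    if (bad.length) hits[name] = bad;
  }
  return hits;
}

// Constructed sample sources (hypothetical file names, not svix code).
const SAMPLE_FILES = {
  'sample-request.ts': "import { v4 as uuidv4 } from 'uuid';\nconst key = uuidv4();\n",
  'sample-names.js': "const { v5: uuidv5, validate } = require('uuid');\nuuidv5('a', NS);\n",
  'sample-legacy.js': "import * as uuid from \"uuid\";\nuuid.v3('a', uuid.v3.URL); uuid.v4();\n",
};

console.log(affectedUsage(SAMPLE_FILES));
```

A regex scan misses dynamic imports and re-exports through other modules, so an empty result narrows the review rather than proving the affected functions are unreachable.
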
@svix-jplatte

Member

Thanks for the PR! I think we'll end up merging #2286 instead though.
Either way, I'll make sure we publish a new release right after.

@svix-jplatte

Member

Decided to merge #2286 instead. Thanks again though :)
