Upgrade uuid version in @forge/bridge


    • Severity 2 - Major
    • Progressive rollout, Unit testing

      Issue Summary:

      The @forge/bridge npm package ships with a dependency on uuid@^9.0.1, which is covered by a recent Snyk security advisory (SNYK-JS-UUID-16133035 / CVE-2026-41907).

      Vulnerability Details

      • CVE: CVE-2026-41907
      • Vulnerability type: Improper Validation of Specified Index, Position, or Offset in Input — the package accepts external output buffers but does not reject out-of-range writes (small buffer or large offset). This inconsistency allows silent partial writes into caller-provided buffers.
      • Affected versions: uuid < 11.1.1 (per the advisory); the latest non-vulnerable version is uuid@14.0.0.
      • Affected Forge packages: @forge/bridge (depends on uuid@^9.0.1)
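      To make the failure mode in the advisory concrete, the following is an added example (not the uuid package's code and not part of this issue): a hypothetical helper that copies the 16 bytes of a UUID into a caller-provided Uint8Array, first without an offset/length check and then with one. The sample bytes are constructed. The point it shows is that an out-of-range element assignment on a typed array is silently ignored, so an unchecked writer drops bytes without raising an error, while the checked variant rejects the call before writing.

```javascript
// Added example (hypothetical helpers, not the uuid package's own code):
// writing a 16-byte UUID into a caller-provided buffer, unchecked vs. checked.
const UUID_BYTES = 16;

// Constructed sample: the 16 bytes of a fixed UUID value (no zero bytes, so
// bytes that landed can be told apart from a zero-initialised buffer).
const SAMPLE_BYTES = Uint8Array.from([
  0x12, 0x34, 0x56, 0x78, 0x9a, 0xbc, 0x4d, 0xef,
  0x8f, 0xed, 0xcb, 0xa9, 0x87, 0x65, 0x43, 0x21,
]);

// Unchecked variant: element-by-element write. Assigning past the end of a
// Uint8Array is a silent no-op in JavaScript, so a short buffer or a large
// offset yields a partial write and no error (the behaviour the advisory describes).
function writeUncheckedUuid(bytes, buf, offset = 0) {
  for (let i = 0; i < UUID_BYTES; i++) {
    buf[offset + i] = bytes[i];
  }
  return buf;
}

// Checked variant: validate the target and the offset before touching the buffer.
function writeCheckedUuid(bytes, buf, offset = 0) {
  if (!(buf instanceof Uint8Array)) {
    throw new TypeError('buf must be a Uint8Array (Node Buffer is one)');
  }
  if (!Number.isInteger(offset) || offset < 0) {
    throw new RangeError('offset must be a non-negative integer');
  }
  if (offset + UUID_BYTES > buf.length) {
    throw new RangeError(`buffer too small: need ${offset + UUID_BYTES} bytes, have ${buf.length}`);
  }
  buf.set(bytes.subarray(0, UUID_BYTES), offset);
  return buf;
}

// Count how many of the 16 UUID bytes are actually present at buf[offset..].
// Reads beyond the buffer return undefined, so they never count as a match.
function bytesLanded(bytes, buf, offset) {
  let n = 0;
  for (let i = 0; i < UUID_BYTES; i++) {
    if (buf[offset + i] === bytes[i]) n++;
  }
  return n;
}

// Demonstration: an 8-byte buffer with offset 4 has room for only 4 of 16 bytes.
function demo() {
  const small = new Uint8Array(8);
  writeUncheckedUuid(SAMPLE_BYTES, small, 4);
  const landed = bytesLanded(SAMPLE_BYTES, small, 4); // 4, and no error was raised

  let rejected = false;
  try {
    writeCheckedUuid(SAMPLE_BYTES, new Uint8Array(8), 4);
  } catch (e) {
    rejected = e instanceof RangeError; // the checked variant refuses the write
  }
  return { landed, rejected };
}
```

      Running demo() returns { landed: 4, rejected: true }: the unchecked write leaves the caller with a truncated UUID and no signal, which is why the upgrade to a release that performs the range check matters even when the surrounding code never passes a deliberately bad buffer.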

      Steps to Reproduce

      1. Run npm install @forge/bridge@latest
      2. Check the package.json
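      Checking package.json only shows the declared range; the installed copies (including nested ones under other dependencies) are recorded in package-lock.json. The following added example (a hypothetical audit script, not Forge tooling) walks the "packages" map of a lockfile v2/v3 document and reports every uuid entry below the first fixed version named in the advisory. The lockfile content is constructed for the example, and the @forge/bridge version in it is a placeholder.

```javascript
// Added example (hypothetical audit script, not part of Forge or this issue):
// list every installed copy of `uuid` below the first fixed version.
const FIXED_UUID_VERSION = '11.1.1'; // first non-vulnerable version per the advisory

// Parse "major.minor.patch" into numbers; pre-release/build suffixes are ignored.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Comparator: negative if a < b, zero if equal, positive if a > b.
function compareSemver(a, b) {
  const pa = parseSemver(a);
  const pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Lockfile v2/v3 stores installed packages under "packages", keyed by install
// path. Matching on the path suffix catches hoisted and nested copies alike.
function findVulnerableUuid(lockfile, fixed = FIXED_UUID_VERSION) {
  const hits = [];
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    if (!path.endsWith('node_modules/uuid')) continue;
    if (typeof entry.version !== 'string') continue; // link/workspace entries
    if (compareSemver(entry.version, fixed) < 0) {
      hits.push({ path, version: entry.version });
    }
  }
  return hits;
}

// Constructed sample lockfile: a hoisted uuid@9.0.1 resolved for @forge/bridge,
// plus a nested, already-fixed copy under another dependency.
const SAMPLE_LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'my-forge-app', dependencies: { '@forge/bridge': '*' } },
    'node_modules/@forge/bridge': {
      version: '0.0.0-placeholder', // placeholder, not a real @forge/bridge version
      dependencies: { uuid: '^9.0.1' },
    },
    'node_modules/uuid': { version: '9.0.1' },
    'node_modules/other-lib': { version: '1.0.0', dependencies: { uuid: '^11.1.1' } },
    'node_modules/other-lib/node_modules/uuid': { version: '11.1.1' },
  },
};

// Example run against the constructed lockfile.
function demoAudit() {
  return findVulnerableUuid(SAMPLE_LOCKFILE);
}
```

      Against the constructed lockfile, demoAudit() reports only node_modules/uuid at 9.0.1; the nested 11.1.1 copy is not flagged. On a real project, pass the parsed file instead: findVulnerableUuid(JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8'))). The comparator deliberately ignores pre-release tags, so a pre-release of the fixed version would compare as fixed; tighten parseSemver if that matters for your policy.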

      Expected Results

      Upgrade uuid to the latest non-vulnerable version, i.e., uuid@14.0.0

      Actual Results

      The @forge/bridge npm package ships with a dependency on uuid@^9.0.1, which is covered by a recent Snyk security advisory.

      Workaround

      Currently there is no known workaround for this behavior. A workaround will be added here when available.

              Assignee:
              Unassigned
              Reporter:
              Deepak Pandey
