
Dependency on vulnerable uuid package version #1420

@ecrvich

Description

  • [x] I have checked that the SDK documentation doesn't solve my issue.
  • [x] I have checked that the API documentation doesn't solve my issue.
  • [x] I have searched the Box Developer Forums and my issue isn't already reported (or if it has been reported, I have attached a link to it, for reference).
  • [x] I have searched Issues in this repo and my issue isn't already reported.

Description of the Issue

package.json is still using this dependency:
"uuid": "^9.0.0"
That version is about 3 years old now and has a new security issue that is apparently only fixed in uuid 14.0.
GHSA-w5hq-g745-h8pq
Since uuid generally only does major version updates now, it's potentially code-breaking to force an indirect dependency update on my end. Probably time to update box-node-sdk package.json to require 14.0 minimally?

Steps to Reproduce

Simply run "npm audit" on any project that uses box-node-sdk.

Expected Behavior

Expecting no known vulnerabilities.

Error Message, Including Stack Trace

npm audit report

uuid <14.0.0
Severity: moderate
uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided - GHSA-w5hq-g745-h8pq
fix available via npm audit fix --force
Will install box-node-sdk@1.1.0, which is a breaking change
node_modules/uuid
box-node-sdk >=1.2.0
Depends on vulnerable versions of uuid
node_modules/box-node-sdk

Screenshots

Versions Used

Typescript SDK: 6.0.2
Platform: Node.js
Node.js (if applicable): v24.14.0
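Added example, not code from the issue or from the box-node-sdk project: a lockfile scan that reports every installed copy of uuid below 14.0.0 (the fixed version named in the audit output above) and the packages that actually resolve to each copy, so the finding can be checked in CI without relying on `npm audit fix --force` and its breaking downgrade. The function names `findVulnerableUuid`, `resolveDependency` and `overridesFor` are chosen here, and `SAMPLE_LOCK`, including its `0.0.0-example` version placeholders, is a constructed lockfile fragment rather than a real one.

```javascript
// Added example (not code from the issue or the box-node-sdk project).
// Scans a package-lock.json object (lockfileVersion 2 or 3, which carry the
// flat "packages" map) for installed copies of uuid below the version the
// advisory names as fixed, and reports which packages resolve to each copy.

const FIXED_UUID = "14.0.0"; // per GHSA-w5hq-g745-h8pq as quoted in the audit output

// Parse "MAJOR.MINOR.PATCH[-prerelease]"; returns null for anything else.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(String(v));
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], prerelease: m[4] || null };
}

// Numeric compare on major/minor/patch; a prerelease sorts below its release
// (14.0.0-beta.1 < 14.0.0), so a beta of the fixed version is still reported.
function compareVersions(a, b) {
  for (const k of ["major", "minor", "patch"]) {
    if (a[k] !== b[k]) return a[k] - b[k];
  }
  if (a.prerelease && !b.prerelease) return -1;
  if (!a.prerelease && b.prerelease) return 1;
  return 0;
}

// Node-style resolution as npm records it in the lockfile: look for
// <from>/node_modules/<name>, then walk up one node_modules level at a time
// until the root ("" is the root project entry in lockfile v2/v3).
function resolveDependency(fromPath, name, packages) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    const idx = base.lastIndexOf("node_modules/");
    base = idx > 0 ? base.slice(0, idx - 1) : ""; // drop trailing "/node_modules/<pkg>"
  }
}

function findVulnerableUuid(lock) {
  const packages = lock.packages || {};
  const fixed = parseVersion(FIXED_UUID);
  const hits = [];
  for (const [path, meta] of Object.entries(packages)) {
    if (path !== "node_modules/uuid" && !path.endsWith("/node_modules/uuid")) continue;
    const ver = parseVersion(meta.version);
    if (!ver || compareVersions(ver, fixed) >= 0) continue;
    // Every package whose declared dependency on uuid resolves to this copy
    // is a dependent; "" (the root) means your own package.json pulls it in.
    const dependents = Object.entries(packages)
      .filter(([, m]) => (m.dependencies && m.dependencies.uuid) ||
                         (m.optionalDependencies && m.optionalDependencies.uuid))
      .map(([p]) => p)
      .filter((p) => resolveDependency(p, "uuid", packages) === path)
      .map((p) => p || "(root project)");
    hits.push({ path, version: meta.version, dependents });
  }
  return hits;
}

// Builds the npm "overrides" block that would pin uuid for each offending
// dependent. Applying it is a major-version jump for that dependency, which is
// exactly the breakage risk the issue raises, so treat it as a test, not a fix.
function overridesFor(hits) {
  const overrides = {};
  for (const hit of hits) {
    for (const dep of hit.dependents) {
      if (dep === "(root project)") { overrides.uuid = "^" + FIXED_UUID; continue; }
      const name = dep.slice(dep.lastIndexOf("node_modules/") + "node_modules/".length);
      overrides[name] = { uuid: "^" + FIXED_UUID };
    }
  }
  return overrides;
}

// Constructed lockfile fragment for demonstration: versions are placeholders.
const SAMPLE_LOCK = {
  name: "my-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "my-app", dependencies: { "box-node-sdk": "*" } },
    "node_modules/box-node-sdk": { version: "0.0.0-example", dependencies: { uuid: "^9.0.0" } },
    "node_modules/uuid": { version: "9.0.1" },
    "node_modules/other-lib": { version: "0.0.0-example", dependencies: { uuid: "^14.0.0" } },
    "node_modules/other-lib/node_modules/uuid": { version: "14.0.0" },
  },
};

for (const hit of findVulnerableUuid(SAMPLE_LOCK)) {
  console.log(`${hit.path}@${hit.version} < ${FIXED_UUID}, needed by: ${hit.dependents.join(", ")}`);
}
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(require("fs").readFileSync("package-lock.json", "utf8"))`. A lockfileVersion 1 file has no `packages` map and yields no hits, so regenerate the lockfile with a current npm first. In the sample, the hoisted copy at `node_modules/uuid` is flagged with `box-node-sdk` as its only dependent, while `other-lib` is ignored because it resolves to its own nested 14.0.0.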
