mirror of
https://github.com/toeverything/AFFiNE.git
synced 2026-07-03 10:40:44 +08:00
df482c9cf2
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [uuid](https://redirect.github.com/uuidjs/uuid) | [`^13.0.0` → `^14.0.0`](https://renovatebot.com/diffs/npm/uuid/13.0.0/14.0.0) |  |  | --- ### uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided [GHSA-w5hq-g745-h8pq](https://redirect.github.com/advisories/GHSA-w5hq-g745-h8pq) <details> <summary>More information</summary> #### Details ##### Summary `v3`, `v5`, and `v6` accept external output buffers but do not reject out-of-range writes (small `buf` or large `offset`). By contrast, `v4`, `v1`, and `v7` explicitly throw `RangeError` on invalid bounds. This inconsistency allows **silent partial writes** into caller-provided buffers. ##### Affected code - `src/v35.ts` (`v3`/`v5` path) writes `buf[offset + i]` without bounds validation. - `src/v6.ts` writes `buf[offset + i]` without bounds validation. ##### Reproducible PoC ```bash cd /home/StrawHat/uuid npm ci npm run build node --input-type=module -e " import {v4,v5,v6} from './dist-node/index.js'; const ns='6ba7b810-9dad-11d1-80b4-00c04fd430c8'; for (const [name,fn] of [ ['v4',()=>v4({},new Uint8Array(8),4)], ['v5',()=>v5('x',ns,new Uint8Array(8),4)], ['v6',()=>v6({},new Uint8Array(8),4)], ]) { try { fn(); console.log(name,'NO_THROW'); } catch(e){ console.log(name,'THREW',e.name); } }" ``` Observed: - `v4 THREW RangeError` - `v5 NO_THROW` - `v6 NO_THROW` Example partial overwrite evidence captured during audit: ```text same true buf [ 170, 170, 170, 170, 75, 224, 100, 63 ] v6 [ 187, 187, 187, 187, 31, 19, 185, 64 ] ``` ##### Security impact - **Primary**: integrity/robustness issue (silent partial output). - If an application assumes full UUID writes into preallocated buffers, this can produce malformed/truncated/partially stale identifiers without error. - In systems where caller-controlled offsets/buffer sizes are exposed indirectly, this may become a security-relevant logic flaw. ##### Suggested fix Add the same guard used by `v4`/`v1`/`v7`: ```ts if (offset < 0 || offset + 16 > buf.length) { throw new RangeError(`UUID byte range ${offset}:${offset + 15} is out of buffer bounds`); } ``` Apply to: - `src/v35.ts` (covers `v3` and `v5`) - `src/v6.ts` #### Severity - CVSS Score: 6.3 / 10 (Medium) - Vector String: `CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N` #### References - [https://github.com/uuidjs/uuid/security/advisories/GHSA-w5hq-g745-h8pq](https://redirect.github.com/uuidjs/uuid/security/advisories/GHSA-w5hq-g745-h8pq) - [https://github.com/uuidjs/uuid/commit/3d2c5b0342f0fcb52a5ac681c3d47c13e7444b34](https://redirect.github.com/uuidjs/uuid/commit/3d2c5b0342f0fcb52a5ac681c3d47c13e7444b34) - [https://github.com/uuidjs/uuid/releases/tag/v14.0.0](https://redirect.github.com/uuidjs/uuid/releases/tag/v14.0.0) - [https://github.com/advisories/GHSA-w5hq-g745-h8pq](https://redirect.github.com/advisories/GHSA-w5hq-g745-h8pq) This data is provided by the [GitHub Advisory Database](https://redirect.github.com/advisories/GHSA-w5hq-g745-h8pq) ([CC-BY 4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### Release Notes <details> <summary>uuidjs/uuid (uuid)</summary> ### [`v14.0.0`](https://redirect.github.com/uuidjs/uuid/blob/HEAD/CHANGELOG.md#1400-2026-04-19) [Compare Source](https://redirect.github.com/uuidjs/uuid/compare/v13.0.0...v14.0.0) ##### Security - Fixes [GHSA-w5hq-g745-h8pq](https://redirect.github.com/uuidjs/uuid/security/advisories/GHSA-w5hq-g745-h8pq): `v3()`, `v5()`, and `v6()` did not validate that writes would remain within the bounds of a caller-supplied buffer, allowing out-of-bounds writes when an invalid `offset` was provided. A `RangeError` is now thrown if `offset < 0` or `offset + 16 > buf.length`. ##### ⚠ BREAKING CHANGES - `crypto` is now expected to be globally defined (requires node\@​20+) ([#​935](https://redirect.github.com/uuidjs/uuid/issues/935)) - drop node\@​18 support ([#​934](https://redirect.github.com/uuidjs/uuid/issues/934)) - upgrade minimum supported TypeScript version to 5.4.3, in keeping with the project's policy of supporting TypeScript versions released within the last two years </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - "" - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about these updates again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/toeverything/AFFiNE). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xMzkuNCIsInVwZGF0ZWRJblZlciI6IjQzLjEzOS40IiwidGFyZ2V0QnJhbmNoIjoiY2FuYXJ5IiwibGFiZWxzIjpbImRlcGVuZGVuY2llcyJdfQ==--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
35 lines
928 B
JSON
35 lines
928 B
JSON
{
|
|
"name": "@affine/electron-renderer",
|
|
"private": true,
|
|
"version": "0.26.3",
|
|
"type": "module",
|
|
"scripts": {
|
|
"build": "affine bundle",
|
|
"dev": "affine bundle --dev"
|
|
},
|
|
"dependencies": {
|
|
"@affine/component": "workspace:*",
|
|
"@affine/core": "workspace:*",
|
|
"@affine/debug": "workspace:*",
|
|
"@affine/electron-api": "workspace:*",
|
|
"@affine/i18n": "workspace:*",
|
|
"@affine/nbstore": "workspace:*",
|
|
"@affine/track": "workspace:*",
|
|
"@blocksuite/affine": "workspace:*",
|
|
"@emotion/react": "^11.14.0",
|
|
"@toeverything/infra": "workspace:*",
|
|
"@toeverything/theme": "^1.1.23",
|
|
"@vanilla-extract/css": "^1.17.0",
|
|
"next-themes": "^0.4.4",
|
|
"react": "^19.2.1",
|
|
"react-dom": "^19.2.1",
|
|
"react-router-dom": "^6.30.3",
|
|
"uuid": "^14.0.0"
|
|
},
|
|
"devDependencies": {
|
|
"@types/react": "^19.0.1",
|
|
"@types/react-dom": "^19.0.2",
|
|
"typescript": "^5.9.3"
|
|
}
|
|
}
|