Files
AFFiNE-Mirror/packages/frontend/apps/electron/package.json
T
renovate[bot] df482c9cf2 chore: bump up uuid version to v14 [SECURITY] (#14870)
This PR contains the following updates:

| Package | Change |
[Age](https://docs.renovatebot.com/merge-confidence/) |
[Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [uuid](https://redirect.github.com/uuidjs/uuid) | [`^13.0.0` →
`^14.0.0`](https://renovatebot.com/diffs/npm/uuid/13.0.0/14.0.0) |
![age](https://developer.mend.io/api/mc/badges/age/npm/uuid/14.0.0?slim=true)
|
![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/uuid/13.0.0/14.0.0?slim=true)
|

---

### uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided

[GHSA-w5hq-g745-h8pq](https://redirect.github.com/advisories/GHSA-w5hq-g745-h8pq)

<details>
<summary>More information</summary>

#### Details
##### Summary

`v3`, `v5`, and `v6` accept external output buffers but do not reject
out-of-range writes (small `buf` or large `offset`).
By contrast, `v4`, `v1`, and `v7` explicitly throw `RangeError` on
invalid bounds.

This inconsistency allows **silent partial writes** into caller-provided
buffers.

##### Affected code

- `src/v35.ts` (`v3`/`v5` path) writes `buf[offset + i]` without bounds
validation.
- `src/v6.ts` writes `buf[offset + i]` without bounds validation.

##### Reproducible PoC

```bash
cd /home/StrawHat/uuid
npm ci
npm run build

node --input-type=module -e "
import {v4,v5,v6} from './dist-node/index.js';
const ns='6ba7b810-9dad-11d1-80b4-00c04fd430c8';
for (const [name,fn] of [
  ['v4',()=>v4({},new Uint8Array(8),4)],
  ['v5',()=>v5('x',ns,new Uint8Array(8),4)],
  ['v6',()=>v6({},new Uint8Array(8),4)],
]) {
  try { fn(); console.log(name,'NO_THROW'); }
  catch(e){ console.log(name,'THREW',e.name); }
}"
```

Observed:

- `v4 THREW RangeError`
- `v5 NO_THROW`
- `v6 NO_THROW`

Example partial overwrite evidence captured during audit:

```text
same true buf [
  170, 170, 170, 170,
   75, 224, 100,  63
]
v6 [
  187, 187, 187, 187,
   31,  19, 185,  64
]
```

##### Security impact

- **Primary**: integrity/robustness issue (silent partial output).
- If an application assumes full UUID writes into preallocated buffers,
this can produce malformed/truncated/partially stale identifiers without
error.
- In systems where caller-controlled offsets/buffer sizes are exposed
indirectly, this may become a security-relevant logic flaw.

##### Suggested fix

Add the same guard used by `v4`/`v1`/`v7`:

```ts
if (offset < 0 || offset + 16 > buf.length) {
  throw new RangeError(`UUID byte range ${offset}:${offset + 15} is out of buffer bounds`);
}
```

Apply to:

- `src/v35.ts` (covers `v3` and `v5`)
- `src/v6.ts`

#### Severity
- CVSS Score: 6.3 / 10 (Medium)
- Vector String:
`CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N`

#### References
-
[https://github.com/uuidjs/uuid/security/advisories/GHSA-w5hq-g745-h8pq](https://redirect.github.com/uuidjs/uuid/security/advisories/GHSA-w5hq-g745-h8pq)
-
[https://github.com/uuidjs/uuid/commit/3d2c5b0342f0fcb52a5ac681c3d47c13e7444b34](https://redirect.github.com/uuidjs/uuid/commit/3d2c5b0342f0fcb52a5ac681c3d47c13e7444b34)
-
[https://github.com/uuidjs/uuid/releases/tag/v14.0.0](https://redirect.github.com/uuidjs/uuid/releases/tag/v14.0.0)
-
[https://github.com/advisories/GHSA-w5hq-g745-h8pq](https://redirect.github.com/advisories/GHSA-w5hq-g745-h8pq)

This data is provided by the [GitHub Advisory
Database](https://redirect.github.com/advisories/GHSA-w5hq-g745-h8pq)
([CC-BY
4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)).
</details>

---

### Release Notes

<details>
<summary>uuidjs/uuid (uuid)</summary>

###
[`v14.0.0`](https://redirect.github.com/uuidjs/uuid/blob/HEAD/CHANGELOG.md#1400-2026-04-19)

[Compare
Source](https://redirect.github.com/uuidjs/uuid/compare/v13.0.0...v14.0.0)

##### Security

- Fixes
[GHSA-w5hq-g745-h8pq](https://redirect.github.com/uuidjs/uuid/security/advisories/GHSA-w5hq-g745-h8pq):
`v3()`, `v5()`, and `v6()` did not validate that writes would remain
within the bounds of a caller-supplied buffer, allowing out-of-bounds
writes when an invalid `offset` was provided. A `RangeError` is now
thrown if `offset < 0` or `offset + 16 > buf.length`.

##### ⚠ BREAKING CHANGES

- `crypto` is now expected to be globally defined (requires
node\@&#8203;20+)
([#&#8203;935](https://redirect.github.com/uuidjs/uuid/issues/935))
- drop node\@&#8203;18 support
([#&#8203;934](https://redirect.github.com/uuidjs/uuid/issues/934))
- upgrade minimum supported TypeScript version to 5.4.3, in keeping with
the project's policy of supporting TypeScript versions released within
the last two years

</details>

---

### Configuration

📅 **Schedule**: (UTC)

- Branch creation
  - ""
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about these
updates again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/toeverything/AFFiNE).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xMzkuNCIsInVwZGF0ZWRJblZlciI6IjQzLjEzOS40IiwidGFyZ2V0QnJhbmNoIjoiY2FuYXJ5IiwibGFiZWxzIjpbImRlcGVuZGVuY2llcyJdfQ==-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2026-04-26 00:48:53 +08:00

95 lines
3.0 KiB
JSON

{
"name": "@affine/electron",
"private": true,
"version": "0.26.3",
"main": "./dist/main.js",
"author": "toeverything",
"repository": {
"url": "https://github.com/toeverything/AFFiNE",
"type": "git"
},
"description": "AFFiNE Desktop App",
"homepage": "https://github.com/toeverything/AFFiNE",
"exports": {
"./helper/exposed": "./src/helper/exposed.ts",
"./main/exposed": "./src/main/exposed.ts",
"./preload/electron-api": "./src/preload/electron-api.ts",
"./preload/shared-storage": "./src/preload/shared-storage.ts",
"./main/shared-state-schema": "./src/main/shared-state-schema.ts",
"./main/updater/event": "./src/main/updater/event.ts",
"./main/windows-manager": "./src/main/windows-manager/index.ts"
},
"scripts": {
"start": "electron .",
"dev": "cross-env DEV_SERVER_URL=http://localhost:8080 node ./scripts/dev.ts",
"dev:prod": "node ./scripts/dev.ts",
"build": "cross-env NODE_ENV=production node ./scripts/build-layers.ts",
"build:dev": "node ./scripts/build-layers.ts",
"generate-assets": "node ./scripts/generate-assets.ts",
"package": "electron-forge package",
"make": "electron-forge make",
"make-squirrel": "node ./scripts/make-squirrel.ts",
"make-nsis": "node ./scripts/make-nsis.ts"
},
"devDependencies": {
"@affine-tools/utils": "workspace:*",
"@affine/i18n": "workspace:*",
"@affine/native": "workspace:*",
"@affine/nbstore": "workspace:*",
"@electron-forge/cli": "^7.11.1",
"@electron-forge/core": "^7.11.1",
"@electron-forge/maker-deb": "^7.11.1",
"@electron-forge/maker-dmg": "^7.11.1",
"@electron-forge/maker-flatpak": "^7.11.1",
"@electron-forge/maker-squirrel": "^7.11.1",
"@electron-forge/maker-zip": "^7.11.1",
"@electron-forge/plugin-auto-unpack-natives": "^7.11.1",
"@electron-forge/plugin-fuses": "^7.11.1",
"@electron-forge/shared-types": "^7.11.1",
"@reforged/maker-appimage": "^5.2.0",
"@sentry/electron": "^7.10.0",
"@sentry/esbuild-plugin": "^5.1.1",
"@toeverything/infra": "workspace:*",
"@types/set-cookie-parser": "^2.4.10",
"@vitejs/plugin-react": "^5.2.0",
"app-builder-lib": "^26.8.1",
"builder-util-runtime": "^9.5.1",
"cross-env": "^10.1.0",
"debug": "^4.4.0",
"electron": "^39.0.0",
"electron-log": "^5.4.3",
"electron-squirrel-startup": "1.0.1",
"electron-window-state": "^5.0.3",
"esbuild": "^0.25.0",
"fs-extra": "^11.2.0",
"glob": "^11.0.0",
"lodash-es": "^4.17.23",
"msw": "^2.13.2",
"nanoid": "^5.1.6",
"rxjs": "^7.8.2",
"semver": "^7.7.3",
"tree-kill": "^1.2.2",
"typescript": "^5.9.3",
"uuid": "^14.0.0",
"vitest": "^4.0.18",
"zod": "^3.25.76"
},
"dependencies": {
"async-call-rpc": "^6.4.2",
"electron-updater": "^6.8.3",
"link-preview-js": "^4.0.0",
"set-cookie-parser": "^2.7.1",
"yjs": "^13.6.27"
},
"build": {
"protocols": [
{
"name": "affine",
"schemes": [
"affine"
]
}
]
}
}