[Snyk] Security upgrade uuid from 3.3.3 to 14.0.0

[madisonmay]

Snyk has created this PR to fix 1 vulnerabilities in the npm dependencies of this project.

Snyk changed the following file(s):

• package.json
• package-lock.json

Vulnerabilities that will be fixed with an upgrade:

	Issue	Score
	Improper Validation of Specified Index, Position, or Offset in Input SNYK-JS-UUID-16133035	708

---

Important

• Check the changes in this PR to ensure they won't cause issues with your project.
• Max score is 1000. Note that the real score may have changed since the PR was raised.
• This PR was automatically created by Snyk using the credentials of a real user.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Learn about vulnerability in an interactive lesson of Snyk Learn.

---

Note

Medium Risk
Medium risk because uuid is a major-version bump (3.x → 14.x) and the codebase appears to call it as a default function import, which may break at runtime/build depending on module/export compatibility.

Overview
Updates the project’s direct uuid dependency from ^3.3.x to ^14.0.0 to address a reported security vulnerability.

Regenerates package-lock.json accordingly, including updated uuid metadata/binary path and adding locked uuid@3.4.0 entries for transitive dependencies that still require the older major.

^{Reviewed by Cursor Bugbot for commit 21f51ce. Bugbot is set up for automated code reviews on this repo. Configure here.}

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 21f51ceb6c

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Migrate uuid call sites before bumping to v14

Upgrading uuid from 3.x to 14.x is a breaking API change, but the codebase still uses legacy entry points and call patterns (for example src/queue/handlers/MessagesHandler.ts:1 imports "uuid/v4", and src/common/Telemetry.ts:11,31 imports "uuid" then calls uuid() directly). With uuid@14, those legacy forms are no longer compatible, so requests that hit these paths will fail at runtime (module not found for uuid/v4 or TypeError when invoking the default import).

Useful? React with 👍 / 👎.

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit 21f51ce. Configure here.}

[cursor]

uuid v14 removes default export causing runtime crashes

High Severity

Upgrading uuid from v3 to v14 without updating source code will crash the application at runtime. In v3, require("uuid") returned a callable function (v4 generator), but since v7+ the default export was removed. The codebase calls uuid() directly in multiple production files (LeaseAvailableState.ts, LeaseBrokenState.ts, LeaseExpiredState.ts, Telemetry.ts, FSExtentStore.ts, MemoryExtentStore.ts), all of which will throw TypeError: uuid is not a function. These call sites need to be updated to use named imports like import { v4 as uuid } from 'uuid'.

Additional Locations (1)

• package-lock.json#L10183-L10194

 

^{Triggered by team rule: Ask Clarifying Questions}

^{Reviewed by Cursor Bugbot for commit 21f51ce. Configure here.}