Library Name: @google-cloud/logging
Summary
@google-cloud/logging depends on eventid@^2.0.0, which depends on uuid@^8.0.0. The uuid package has a security advisory (GHSA-w5hq-g745-h8pq) affecting versions <= 10.1.0 — the fix requires uuid >= 11.1.1, which is outside eventid's ^8.0.0 range.
The upstream repo google/eventid-js is archived, so there will be no update to widen the uuid range.
Impact
Any project using @google-cloud/logging gets a Dependabot security alert for uuid that cannot be resolved without either:
- Removing the eventid dependency from @google-cloud/logging
- Inlining the eventid functionality (it's a small module)
- Forking eventid with an updated uuid range
Current state
- @google-cloud/logging@11.2.3 (latest) still depends on eventid@^2.0.0
- eventid@2.0.1 (last published 2022) depends on uuid@^8.0.0
- google/eventid-js is archived — no further releases expected
Suggestion
Consider dropping the eventid dependency and replacing it with an inline implementation or an alternative that doesn't depend on a vulnerable uuid version.
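The reason the alert cannot be cleared by a lockfile update is the range conflict in the Summary: eventid pins uuid to ^8.0.0, and the fixed version 11.1.1 lies outside that caret range, so npm can never pick it up until eventid itself changes. The script below makes that check mechanical. It is an added example, not code from this issue, from @google-cloud/logging or from eventid; it assumes an npm lockfile v1-style nested tree (constructed inline here), supports only caret and exact ranges, and uses uuid 8.3.2 as a constructed stand-in for whatever version ^8.0.0 resolved to. Given a lockfile object and the advisory data quoted in the issue, it finds every path that resolves the package, flags whether the resolved version is in the affected range, and reports whether the immediate parent's declared range could ever admit the fixed version.

```javascript
// Added example (not from the issue, @google-cloud/logging or eventid):
// walk a lockfile-style dependency tree, find every resolution of a package,
// and report (a) whether the resolved version is inside an advisory's affected
// range and (b) whether the declaring parent's semver range could ever admit
// the fixed version. When (b) is false, bumping the leaf package alone cannot
// clear the alert: the parent must change its range.

// Constructed sample in the shape of an npm lockfile v1 tree (assumption:
// nested "dependencies" with "version" and "requires" per entry). Versions
// mirror the chain described in the issue; uuid 8.3.2 is a constructed stand-in.
const sampleLock = {
  dependencies: {
    "@google-cloud/logging": {
      version: "11.2.3",
      requires: { eventid: "^2.0.0" },
      dependencies: {
        eventid: {
          version: "2.0.1",
          requires: { uuid: "^8.0.0" },
          dependencies: { uuid: { version: "8.3.2" } },
        },
      },
    },
  },
};

// Advisory values as stated in the issue (GHSA-w5hq-g745-h8pq).
const uuidAdvisory = { name: "uuid", affectedMax: "10.1.0", fixed: "11.1.1" };

// Parse "MAJOR.MINOR.PATCH" into a numeric tuple (pre-release tags not handled).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function cmpTuple(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

function compareVersions(a, b) {
  return cmpTuple(parseVersion(a), parseVersion(b));
}

// Caret semantics: ^X.Y.Z allows >=X.Y.Z and <(X+1).0.0; a zero major only
// floats the next non-zero component (^0.Y.Z -> <0.(Y+1).0, ^0.0.Z -> <0.0.(Z+1)).
// Only "^" and exact ranges are supported in this example.
function satisfies(version, range) {
  if (!range.startsWith("^")) return compareVersions(version, range) === 0;
  const lo = parseVersion(range.slice(1));
  let hi;
  if (lo[0] > 0) hi = [lo[0] + 1, 0, 0];
  else if (lo[1] > 0) hi = [0, lo[1] + 1, 0];
  else hi = [0, 0, lo[2] + 1];
  const v = parseVersion(version);
  return cmpTuple(v, lo) >= 0 && cmpTuple(v, hi) < 0;
}

// Depth-first walk collecting every resolution of `target`, the chain of
// package names leading to it, and the range its immediate parent declared.
function findResolutions(node, target, path = [], out = []) {
  for (const [name, dep] of Object.entries(node.dependencies || {})) {
    const chain = [...path, name];
    if (name === target) {
      const parentRange = (node.requires || {})[name] || null;
      out.push({ path: chain, resolved: dep.version, parentRange });
    }
    findResolutions(dep, target, chain, out);
  }
  return out;
}

// advisory: { name, affectedMax (inclusive upper bound), fixed }
function assess(lock, advisory) {
  return findResolutions(lock, advisory.name).map((r) => ({
    ...r,
    affected: compareVersions(r.resolved, advisory.affectedMax) <= 0,
    // Could the parent's declared range ever pick up the fixed version?
    fixAdmissible: r.parentRange !== null && satisfies(advisory.fixed, r.parentRange),
  }));
}

function report(lock, advisory) {
  for (const r of assess(lock, advisory)) {
    const verdict = !r.affected
      ? "not affected"
      : r.fixAdmissible
        ? "affected; a lockfile update can reach the fix"
        : `affected; parent range ${r.parentRange} cannot reach ${advisory.fixed}`;
    console.log(`${r.path.join(" > ")}@${r.resolved}: ${verdict}`);
  }
}

if (typeof require !== "undefined" && require.main === module) {
  report(sampleLock, uuidAdvisory);
}
```

Run against a real project by replacing `sampleLock` with `JSON.parse(fs.readFileSync("package-lock.json"))` (v1 format only; v2/v3 lockfiles keep a flat `packages` map instead and would need a different walker). A "cannot reach" verdict is the signature of the situation in this issue: the only remediations are the ones listed under Impact, since no `npm update` or `npm audit fix` can move uuid past the parent's caret range.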