From f0ec1ca2957926fbaf7a72a64adbfa994dae6362 Mon Sep 17 00:00:00 2001
From: Hideyuki MORITA
Date: Thu, 30 Apr 2026 17:30:29 +0900
Subject: [PATCH] bump uuid to v14 to fix GHSA-9p95-fxvg-qgq2
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
uuid <14.0.0 is affected by GHSA-9p95-fxvg-qgq2 (Missing buffer bounds check in v3/v5/v6 when buf is provided). Bumping uuid to ^14.0.0 closes this transitive vulnerability for downstream consumers. uuid v14 ships its own type definitions, so @types/uuid is no longer required. uuid v14 also exposes types only via the package "exports" field, which the legacy "classic" moduleResolution does not honor — adding explicit moduleResolution to each tsconfig: - tsconfig.esm.json: moduleResolution = "bundler" (bundler-style resolution, fits module: "esnext") - tsconfig.cjs.json: moduleResolution = "node10" (legacy node, picks up uuid's top-level "types" field) Verified with tsc --noEmit on both configs and biome check.
---
 package.json | 3 +--
 tsconfig.cjs.json | 1 +
 tsconfig.esm.json | 1 +
 3 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/package.json b/package.json
index 3d495bf..a781e3c 100644
--- a/package.json
+++ b/package.json
@@ -38,12 +38,11 @@
 "typecheck:esm": "tsc --pretty --noEmit -p tsconfig.esm.json"
 },
 "dependencies": {
- "uuid": "^9.0.1"
+ "uuid": "^14.0.0"
 },
 "devDependencies": {
 "@biomejs/biome": "^1.6.4",
 "@types/bun": "^1.0.12",
- "@types/uuid": "^9.0.8",
 "lefthook": "^1.6.8",
 "np": "^10.0.2",
 "sort-package-json": "^2.10.0",
diff --git a/tsconfig.cjs.json b/tsconfig.cjs.json
index 44b9028..7e5236a 100644
--- a/tsconfig.cjs.json
+++ b/tsconfig.cjs.json
@@ -2,6 +2,7 @@
 "extends": "./tsconfig.json",
 "compilerOptions": {
 "module": "commonjs",
+ "moduleResolution": "node10",
 "outDir": "./dist/cjs"
 }
 }
diff --git a/tsconfig.esm.json b/tsconfig.esm.json
index 0ebcdc1..05de454 100644
--- a/tsconfig.esm.json
+++ b/tsconfig.esm.json
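Review bot: In the `tsconfig.cjs.json` hunk, `"moduleResolution": "node10"` makes tsc ignore the package `exports` map, so the type check resolves `uuid` through a path Node will not use when the emitted `dist/cjs` code calls `require("uuid")`. The commit message lists only `tsc --noEmit` and `biome check` as verification, and both would still pass if uuid 14 offers no `require` entry point (recent uuid majors appear to be ESM-only; confirm against its `exports`). Before publishing, load the built CJS output under the oldest supported Node version, or type-check this config once with `"module": "node16"` and `"moduleResolution": "node16"` so tsc applies the `require` condition. A CJS build that fails at load time would push consumers to pin the older `uuid` range that this patch is meant to move them off.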
@@ -2,6 +2,7 @@
 "extends": "./tsconfig.json",
 "compilerOptions": {
 "module": "esnext",
+ "moduleResolution": "bundler",
 "outDir": "./dist/esm"
 }
 }