Skip to content

bump ado dependencies#90

Open
dterrybd wants to merge 6 commits into
masterfrom
dev/dterry/IDETECT-5083-bump-ado-dependencies
Open

bump ado dependencies#90
dterrybd wants to merge 6 commits into
masterfrom
dev/dterry/IDETECT-5083-bump-ado-dependencies

Conversation

@dterrybd

@dterrybd dterrybd commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

This PR raises the versions on several vulnerable libraries (package.json changes). This all builds cleanly (sourcing the lock files but those can be ignored for review purposes).

The interesting piece is that the vulnerabilities in the transitive uuid library cannot be patched. There's no patched uuid 3.x, and upgrading to uuid 7+ breaks the import that azure-pipelines-task-lib/vault.js uses. The uuid usage was replaced with a local shim (shims/uuid-3.4.1.tgz) which is a 3-line wrapper around Node's built-in crypto.randomUUID() that exposes the same API.

@dterrybd dterrybd self-assigned this Jul 9, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant