
chore(deps): override transitive exceljs uuid to clear npm-audit advisory#513

Open
gkriegspeedbay wants to merge 1 commit into
wonderwhy-er:mainfrom
gkriegspeedbay:chore/override-exceljs-uuid

Conversation


@gkriegspeedbay gkriegspeedbay commented Jun 15, 2026


Summary

exceljs@4.4.0 (the latest release) pins uuid: ^8.3.0, resolving uuid@8.3.2, which npm audit flags as moderate advisory GHSA-w5hq-g745-h8pq. This adds a scoped npm `overrides` entry forcing exceljs onto uuid ^14.0.0, clearing the advisory.

The change is two files only — the overrides block in package.json and the corresponding uuid entry in package-lock.json (8.3.2 → 14.0.0, single hoisted node). No other dependency and no application code is touched.

Why an override (not an exceljs bump)

exceljs is unmaintained — last release v4.4.0 (Oct 2023), and the upstream remediation PR exceljs/exceljs#3042 was closed unmerged. A consumer-side `overrides` entry is the pragmatic fix the exceljs maintainers now point users to.

Safety

exceljs imports uuid via the named CommonJS form const {v4: uuidv4} = require('uuid') and only ever calls v4() with no buffer argument (lib/xlsx/xform/sheet/cf-ext/cf-rule-ext-xform.js). That form works unchanged on uuid 14 in a Node/CommonJS consumer like this one, and uuid is dependency-free, so the override introduces no new packages.

Test plan

With this change applied in a clone:

  • npm install --package-lock-only resolves exceljs's transitive uuid to 14.0.0 (single hoisted node).
  • npm audit no longer reports GHSA-w5hq-g745-h8pq. (The other audit findings present in the tree are pre-existing and unrelated to this change.)
  • In an isolated repro, exceljs still writes a workbook with a dataBar conditional-format rule — which exercises the uuidv4() code path — producing a valid .xlsx.

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Chores
    • Updated dependency resolution configuration to ensure compatibility and prevent version conflicts with external libraries.

…sory

exceljs@4.4.0 pins uuid ^8.3.0 -> uuid@8.3.2, which npm audit flags as
GHSA-w5hq-g745-h8pq. exceljs is unmaintained (last release Oct 2023; the
upstream remediation PR exceljs/exceljs#3042 was closed unmerged), so this
adds a scoped npm `overrides` forcing exceljs onto uuid ^14.0.0.

exceljs imports uuid as `const {v4} = require('uuid')` and only calls v4()
with no buffer, so it works unchanged on uuid 14 in a Node/CommonJS consumer.
uuid is dependency-free, so the override pulls in no new packages. Verified:
with the override applied, npm audit no longer reports the advisory and
exceljs still writes workbooks (including the conditional-formatting uuidv4
code path).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

coderabbitai Bot commented Jun 15, 2026


Review Change Stack

No actionable comments were generated in the recent review. 🎉


📥 Commits

Reviewing files that changed from the base of the PR and between 7a9b2ff and 81e77ab.

⛔ Files ignored due to path filters (1)
  • package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (1)
  • package.json

📝 Walkthrough

Walkthrough

Adds a top-level overrides block to package.json that forces the exceljs dependency to resolve its uuid sub-dependency to version ^14.0.0, overriding whatever version exceljs would otherwise pull in.

Changes

npm overrides for exceljs uuid

Layer / File(s) Summary
Force exceljs uuid to ^14.0.0
package.json
Adds an overrides block that pins exceljs's transitive uuid dependency to ^14.0.0.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Poem

A rabbit hopped in, twitching its nose,
"That uuid version? Nobody knows!"
With one little override, neat and precise,
exceljs now gets uuid that's nice.
🐇 Pinned at fourteen, problem's gone — twice! ✨

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately describes the primary change: adding an npm overrides configuration to force exceljs's transitive uuid dependency to version 14.0.0 to resolve a security advisory.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

