fix(deps): update dependency uuid to v14 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
uuid	^3.3.2 → ^14.0.0
uuid	^9.0.0 → ^14.0.0
uuid	^3.2.1 → ^14.0.0

---

uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided

GHSA-w5hq-g745-h8pq

More information

Details

Summary

v3, v5, and v6 accept external output buffers but do not reject out-of-range writes (small buf or large offset).
By contrast, v4, v1, and v7 explicitly throw RangeError on invalid bounds.

This inconsistency allows silent partial writes into caller-provided buffers.

Affected code

• src/v35.ts (v3/v5 path) writes buf[offset + i] without bounds validation.
• src/v6.ts writes buf[offset + i] without bounds validation.

Reproducible PoC

cd /home/StrawHat/uuid
npm ci
npm run build

node --input-type=module -e "
import {v4,v5,v6} from './dist-node/index.js';
const ns='6ba7b810-9dad-11d1-80b4-00c04fd430c8';
for (const [name,fn] of [
  ['v4',()=>v4({},new Uint8Array(8),4)],
  ['v5',()=>v5('x',ns,new Uint8Array(8),4)],
  ['v6',()=>v6({},new Uint8Array(8),4)],
]) {
  try { fn(); console.log(name,'NO_THROW'); }
  catch(e){ console.log(name,'THREW',e.name); }
}"

Observed:

• v4 THREW RangeError
• v5 NO_THROW
• v6 NO_THROW

Example partial overwrite evidence captured during audit:

same true buf [
  170, 170, 170, 170,
   75, 224, 100,  63
]
v6 [
  187, 187, 187, 187,
   31,  19, 185,  64
]

Security impact

• Primary: integrity/robustness issue (silent partial output).
• If an application assumes full UUID writes into preallocated buffers, this can produce malformed/truncated/partially stale identifiers without error.
• In systems where caller-controlled offsets/buffer sizes are exposed indirectly, this may become a security-relevant logic flaw.

Suggested fix

Add the same guard used by v4/v1/v7:

if (offset < 0 || offset + 16 > buf.length) {
  throw new RangeError(`UUID byte range ${offset}:${offset + 15} is out of buffer bounds`);
}

Apply to:

• src/v35.ts (covers v3 and v5)
• src/v6.ts

Severity

• CVSS Score: 6.3 / 10 (Medium)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

References

• https://github.com/uuidjs/uuid/security/advisories/GHSA-w5hq-g745-h8pq
• https://github.com/uuidjs/uuid/commit/3d2c5b0342f0fcb52a5ac681c3d47c13e7444b34
• https://github.com/uuidjs/uuid
• https://github.com/uuidjs/uuid/releases/tag/v14.0.0

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

uuidjs/uuid (uuid)

v14.0.0

Compare Source

Security

• Fixes GHSA-w5hq-g745-h8pq: v3(), v5(), and v6() did not validate that writes would remain within the bounds of a caller-supplied buffer, allowing out-of-bounds writes when an invalid offset was provided. A RangeError is now thrown if offset < 0 or offset + 16 > buf.length.

⚠ BREAKING CHANGES

• crypto is now expected to be globally defined (requires node@​20+) (#​935)
• drop node@​18 support (#​934)
• upgrade minimum supported TypeScript version to 5.4.3, in keeping with the project's policy of supporting TypeScript versions released within the last two years

v13.0.0

Compare Source

⚠ BREAKING CHANGES

• make browser exports the default (#​901)

Bug Fixes

• make browser exports the default (#​901) (bce9d72)

v12.0.0

Compare Source

⚠ BREAKING CHANGES

• update to typescript@​5.2 (#​887)
• remove CommonJS support (#​886)
• drop node@​16 support (#​883)

Features

• add node@​24 to ci matrix (#​879) (42b6178)
• drop node@​16 support (#​883) (0f38cf1)
• remove CommonJS support (#​886) (ae786e2)
• update to typescript@​5.2 (#​887) (c7ee405)

Bug Fixes

• improve v4() performance (#​894) (5fd974c)
• restore node: prefix (#​889) (e1f42a3)

v11.1.0

Compare Source

Features

• update TS types to allowUint8Array subtypes for buffer option (#​865) (a5231e7)

v11.0.5

Compare Source

Bug Fixes

• add TS unit test, pin to typescript@​5.0.4 (#​860) (24ac2fd)

v11.0.4

Compare Source

Bug Fixes

• docs: insure -> ensure (#​843) (d2a61e1)
• exclude tests from published package (#​840) (f992ff4)
• Test for invalid byte array sizes and ranges in v1(), v4(), and v7() (#​845) (e0ee900)

v11.0.3

Compare Source

Bug Fixes

• apply stricter typing to the v* signatures (#​831) (c2d3fed)
• export internal uuid types (#​833) (341edf4)
• remove sourcemaps (#​827) (b93ea10)
• revert "simplify type for v3 and v5" (#​835) (e2dee69)

v11.0.2

Compare Source

Bug Fixes

• remove wrapper.mjs (#​822) (6683ad3)

v11.0.1

Compare Source

Bug Fixes

• restore package.json#browser field (#​817) (ae8f386)

v11.0.0

Compare Source

⚠ BREAKING CHANGES

• refactor v1 internal state and options logic (#​780)
• refactor v7 internal state and options logic, fixes #​764 (#​779)
• Port to TypeScript, closes #​762 (#​763)
• update node support matrix (only support node 16-20) (#​750)

Features

• Port to TypeScript, closes #​762 (#​763) (1e0f987)
• update node support matrix (only support node 16-20) (#​750) (883b163)

Bug Fixes

• missing v7 expectations in browser spec (#​751) (f54a866)
• refactor v1 internal state and options logic (#​780) (031b3d3)
• refactor v7 internal state and options logic, fixes #​764 (#​779) (9dbd1cd)
• remove v4 options default assignment preventing native.randomUUID from being used (#​786) (afe6232), closes #​763
• seq_hi shift for byte 6 (#​775) (1d532ca)
• tsconfig module type (#​778) (7eff835)

v10.0.0

Compare Source

⚠ BREAKING CHANGES

• update node support (drop node@​12, node@​14, add node@​20) (#​750)

Features

• support support rfc9562 MAX uuid (new in RFC9562) (#​714) (0385cd3)
• support rfc9562 v6 uuids (#​754) (c4ed13e)
• support rfc9562 v7 uuids (#​681) (db76a12)
• update node support matrix (only support node 16-20) (#​750) (883b163)
• support rfc9562 v8 uuids (#​759) (35a5342)

Bug Fixes

• revert "perf: remove superfluous call to toLowerCase (#​677)" (#​738) (e267b90)

v9.0.1

Compare Source

build

• Fix CI to work with Node.js 20.x

v9.0.0

Compare Source

⚠ BREAKING CHANGES

• Drop Node.js 10.x support. This library always aims at supporting one EOLed LTS release which by this time now is 12.x which has reached EOL 30 Apr 2022.

• Remove the minified UMD build from the package.

  Minified code is hard to audit and since this is a widely used library it seems more appropriate nowadays to optimize for auditability than to ship a legacy module format that, at best, serves educational purposes nowadays.

  For production browser use cases, users should be using a bundler. For educational purposes, today's online sandboxes like replit.com offer convenient ways to load npm modules, so the use case for UMD through repos like UNPKG or jsDelivr has largely vanished.

• Drop IE 11 and Safari 10 support. Drop support for browsers that don't correctly implement const/let and default arguments, and no longer transpile the browser build to ES2015.

  This also removes the fallback on msCrypto instead of the crypto API.

  Browser tests are run in the first supported version of each supported browser and in the latest (as of this commit) version available on Browserstack.

Features

• optimize uuid.v1 by 1.3x uuid.v4 by 4.3x (430%) (#​597) (3a033f6)
• remove UMD build (#​645) (e948a0f), closes #​620
• use native crypto.randomUUID when available (#​600) (c9e076c)

Bug Fixes

• add Jest/jsdom compatibility (#​642) (16f9c46)
• change default export to named function (#​545) (c57bc5a)
• handle error when parameter is not set in v3 and v5 (#​622) (fcd7388)
• run npm audit fix (#​644) (04686f5)
• upgrading from uuid3 broken link (#​568) (1c849da)

build

• drop Node.js 8.x from babel transpile target (#​603) (aa11485)

• drop support for legacy browsers (IE11, Safari 10) (#​604) (0f433e5)

• drop node 10.x to upgrade dev dependencies (#​653) (28a5712), closes #​643

8.3.2 (2020-12-08)

Bug Fixes

• lazy load getRandomValues (#​537) (16c8f6d), closes #​536

8.3.1 (2020-10-04)

Bug Fixes

• support expo>=39.0.0 (#​515) (c65a0f3), closes #​375

v8.3.2

Compare Source

⚠ BREAKING CHANGES

• Drop Node.js 10.x support. This library always aims at supporting one EOLed LTS release which by this time now is 12.x which has reached EOL 30 Apr 2022.

• Remove the minified UMD build from the package.

  Minified code is hard to audit and since this is a widely used library it seems more appropriate nowadays to optimize for auditability than to ship a legacy module format that, at best, serves educational purposes nowadays.

  For production browser use cases, users should be using a bundler. For educational purposes, today's online sandboxes like replit.com offer convenient ways to load npm modules, so the use case for UMD through repos like UNPKG or jsDelivr has largely vanished.

• Drop IE 11 and Safari 10 support. Drop support for browsers that don't correctly implement const/let and default arguments, and no longer transpile the browser build to ES2015.

  This also removes the fallback on msCrypto instead of the crypto API.

  Browser tests are run in the first supported version of each supported browser and in the latest (as of this commit) version available on Browserstack.

Features

• optimize uuid.v1 by 1.3x uuid.v4 by 4.3x (430%) (#​597) (3a033f6)
• remove UMD build (#​645) (e948a0f), closes #​620
• use native crypto.randomUUID when available (#​600) (c9e076c)

Bug Fixes

• add Jest/jsdom compatibility (#​642) (16f9c46)
• change default export to named function (#​545) (c57bc5a)
• handle error when parameter is not set in v3 and v5 (#​622) (fcd7388)
• run npm audit fix (#​644) (04686f5)
• upgrading from uuid3 broken link (#​568) (1c849da)

build

• drop Node.js 8.x from babel transpile target (#​603) (aa11485)

• drop support for legacy browsers (IE11, Safari 10) (#​604) (0f433e5)

• drop node 10.x to upgrade dev dependencies (#​653) (28a5712), closes #​643

8.3.2 (2020-12-08)

Bug Fixes

• lazy load getRandomValues (#​537) (16c8f6d), closes #​536

8.3.1 (2020-10-04)

Bug Fixes

• support expo>=39.0.0 (#​515) (c65a0f3), closes #​375

v8.3.1

Compare Source

⚠ BREAKING CHANGES

• Drop Node.js 10.x support. This library always aims at supporting one EOLed LTS release which by this time now is 12.x which has reached EOL 30 Apr 2022.

• Remove the minified UMD build from the package.

  Minified code is hard to audit and since this is a widely used library it seems more appropriate nowadays to optimize for auditability than to ship a legacy module format that, at best, serves educational purposes nowadays.

  For production browser use cases, users should be using a bundler. For educational purposes, today's online sandboxes like replit.com offer convenient ways to load npm modules, so the use case for UMD through repos like UNPKG or jsDelivr has largely vanished.

• Drop IE 11 and Safari 10 support. Drop support for browsers that don't correctly implement const/let and default arguments, and no longer transpile the browser build to ES2015.

  This also removes the fallback on msCrypto instead of the crypto API.

  Browser tests are run in the first supported version of each supported browser and in the latest (as of this commit) version available on Browserstack.

Features

• optimize uuid.v1 by 1.3x uuid.v4 by 4.3x (430%) (#​597) (3a033f6)
• remove UMD build (#​645) (e948a0f), closes #​620
• use native crypto.randomUUID when available (#​600) (c9e076c)

Bug Fixes

• add Jest/jsdom compatibility (#​642) (16f9c46)
• change default export to named function (#​545) (c57bc5a)
• handle error when parameter is not set in v3 and v5 (#​622) (fcd7388)
• run npm audit fix (#​644) (04686f5)
• upgrading from uuid3 broken link (#​568) (1c849da)

build

• drop Node.js 8.x from babel transpile target (#​603) (aa11485)

• drop support for legacy browsers (IE11, Safari 10) (#​604) (0f433e5)

• drop node 10.x to upgrade dev dependencies (#​653) (28a5712), closes #​643

8.3.2 (2020-12-08)

Bug Fixes

• lazy load getRandomValues (#​537) (16c8f6d), closes #​536

8.3.1 (2020-10-04)

Bug Fixes

• support expo>=39.0.0 (#​515) (c65a0f3), closes #​375

v8.3.0

Compare Source

⚠ BREAKING CHANGES

• Drop Node.js 10.x support. This library always aims at supporting one EOLed LTS release which by this time now is 12.x which has reached EOL 30 Apr 2022.

• Remove the minified UMD build from the package.

  Minified code is hard to audit and since this is a widely used library it seems more appropriate nowadays to optimize for auditability than to ship a legacy module format that, at best, serves educational purposes nowadays.

  For production browser use cases, users should be using a bundler. For educational purposes, today's online sandboxes like replit.com offer convenient ways to load npm modules, so the use case for UMD through repos like UNPKG or jsDelivr has largely vanished.

• Drop IE 11 and Safari 10 support. Drop support for browsers that don't correctly implement const/let and default arguments, and no longer transpile the browser build to ES2015.

  This also removes the fallback on msCrypto instead of the crypto API.

  Browser tests are run in the first supported version of each supported browser and in the latest (as of this commit) version available on Browserstack.

Features

• optimize uuid.v1 by 1.3x uuid.v4 by 4.3x (430%) (#​597) (3a033f6)
• remove UMD build (#​645) (e948a0f), closes #​620
• use native crypto.randomUUID when available (#​600) (c9e076c)

Bug Fixes

• add Jest/jsdom compatibility (#​642) (16f9c46)
• change default export to named function (#​545) (c57bc5a)
• handle error when parameter is not set in v3 and v5 (#​622) (fcd7388)
• run npm audit fix (#​644) (04686f5)
• upgrading from uuid3 broken link (#​568) (1c849da)

build

• drop Node.js 8.x from babel transpile target (#​603) (aa11485)

• drop support for legacy browsers (IE11, Safari 10) (#​604) (0f433e5)

• drop node 10.x to upgrade dev dependencies (#​653) (28a5712), closes #​643

8.3.2 (2020-12-08)

Bug Fixes

• lazy load getRandomValues (#​537) (16c8f6d), closes #​536

8.3.1 (2020-10-04)

Bug Fixes

• support expo>=39.0.0 (#​515) (c65a0f3), closes #​375

v8.2.0

Compare Source

Features

• improve performance of v1 string representation (#​453) (0ee0b67)
• remove deprecated v4 string parameter (#​454) (88ce3ca), closes #​437
• support jspm (#​473) (e9f2587)

Bug Fixes

• prepare package exports for webpack 5 (#​468) (8d6e6a5)

v8.1.0

Compare Source

Features

• improve v4 performance by reusing random number array (#​435) (bf4af0d)
• optimize V8 performance of bytesToUuid (#​434) (e156415)

Bug Fixes

• export package.json required by react-native and bundlers (#​449) (be1c8fe), closes ai/nanoevents#44 #​444

v8.0.0

Compare Source

⚠ BREAKING CHANGES

• For native ECMAScript Module (ESM) usage in Node.js only named exports are exposed, there is no more default export.

  -import uuid from 'uuid';
  -console.log(uuid.v4()); // -> 'cd6c3b08-0adc-4f4b-a6ef-36087a1c9869'
  +import { v4 as uuidv4 } from 'uuid';
  +uuidv4(); // ⇨ '9b1deb4d-3b7d-4bad-9bdd-2b0d7b3dcb6d'

• Deep requiring specific algorithms of this library like require('uuid/v4'), which has been deprecated in uuid@7, is no longer supported.

  Instead use the named exports that this module exports.

  For ECMAScript Modules (ESM):

  -import uuidv4 from 'uuid/v4';
  +import { v4 as uuidv4 } from 'uuid';
  uuidv4();

  For CommonJS:

  -const uuidv4 = require('uuid/v4');
  +const { v4: uuidv4 } = require('uuid');
  uuidv4();

Features

• native Node.js ES Modules (wrapper approach) (#​423) (2d9f590), closes #​245 #​419 #​342
• remove deep requires (#​426) (daf72b8)

Bug Fixes

• add CommonJS syntax example to README quickstart section (#​417) (e0ec840)

7.0.3 (2020-03-31)

Bug Fixes

• make deep require deprecation warning work in browsers (#​409) (4b71107), closes #​408

7.0.2 (2020-03-04)

Bug Fixes

• make access to msCrypto consistent (#​393) (8bf2a20)
• simplify link in deprecation warning (#​391) (bb2c8e4)
• update links to match content in readme (#​386) (44f2f86)

7.0.1 (2020-02-25)

Bug Fixes

• clean up esm builds for node and browser (#​383) (59e6a49)
• provide browser versions independent from module system (#​380) (4344a22), closes #​378

v7.0.3

Compare Source

⚠ BREAKING CHANGES

• For native ECMAScript Module (ESM) usage in Node.js only named exports are exposed, there is no more default export.

  -import uuid from 'uuid';
  -console.log(uuid.v4()); // -> 'cd6c3b08-0adc-4f4b-a6ef-36087a1c9869'
  +import { v4 as uuidv4 } from 'uuid';
  +uuidv4(); // ⇨ '9b1deb4d-3b7d-4bad-9bdd-2b0d7b3dcb6d'

• Deep requiring specific algorithms of this library like require('uuid/v4'), which has been deprecated in uuid@7, is no longer supported.

  Instead use the named exports that this module exports.

  For ECMAScript Modules (ESM):

  -import uuidv4 from 'uuid/v4';
  +import { v4 as uuidv4 } from 'uuid';
  uuidv4();

  For CommonJS:

  -const uuidv4 = require('uuid/v4');
  +const { v4: uuidv4 } = require('uuid');
  uuidv4();

Features

• native Node.js ES Modules (wrapper approach) (#​423) (2d9f590), closes #​245 #​419 #​342
• remove deep requires (#​426) (daf72b8)

Bug Fixes

• add CommonJS syntax example to README quickstart section (#​417) (e0ec840)

7.0.3 (2020-03-31)

Bug Fixes

• make deep require deprecation warning work in browsers (#​409) (4b71107), closes #​408

7.0.2 (2020-03-04)

Bug Fixes

• make access to msCrypto consistent (#​393) (8bf2a20)
• simplify link in deprecation warning (#​391) (bb2c8e4)
• update links to match content in readme (#​386) (44f2f86)

7.0.1 (2020-02-25)

Bug Fixes

• clean up esm builds for node and browser (#​383) (59e6a49)
• provide browser versions independent from module system (#​380) (4344a22), closes #​378

v7.0.2

Compare Source

⚠ BREAKING CHANGES

• For native ECMAScript Module (ESM) usage in Node.js only named exports are exposed, there is no more default export.

  -import uuid from 'uuid';
  -console.log(uuid.v4()); // -> 'cd6c3b08-0adc-4f4b-a6ef-36087a1c9869'
  +import { v4 as uuidv4 } from 'uuid';
  +uuidv4(); // ⇨ '9b1deb4d-3b7d-4bad-9bdd-2b0d7b3dcb6d'

• Deep requiring specific algorithms of this library like require('uuid/v4'), which has been deprecated in uuid@7, is no longer supported.

  Instead use the named exports that this module exports.

  For ECMAScript Modules (ESM):

  -import uuidv4 from 'uuid/v4';
  +import { v4 as uuidv4 } from 'uuid';
  uuidv4();

  For CommonJS:

  -const uuidv4 = require('uuid/v4');
  +const { v4: uuidv4 } = require('uuid');
  uuidv4();

Features

• native Node.js ES Modules (wrapper approach) (#​423) (2d9f590), closes #​245 #​419 #​342
• remove deep requires (#​426) (daf72b8)

Bug Fixes

• add CommonJS syntax example to README quickstart section (#​417) (e0ec840)

7.0.3 (2020-03-31)

Bug Fixes

• make deep require deprecation warning work in browsers (#​409) (4b71107), closes #​408

7.0.2 (2020-03-04)

Bug Fixes

• make access to msCrypto consistent (#​393) (8bf2a20)
• simplify link in deprecation warning (#​391) (bb2c8e4)
• update links to match content in readme (#​386) (44f2f86)

7.0.1 (2020-02-25)

Bug Fixes

• clean up esm builds for node and browser (#​383) (59e6a49)
• provide browser versions independent from module system (#​380) (4344a22), closes #​378

v7.0.1

Compare Source

⚠ BREAKING CHANGES

• For native ECMAScript Module (ESM) usage in Node.js only named exports are exposed, there is no more default export.

  -import uuid from 'uuid';
  -console.log(uuid.v4()); // -> 'cd6c3b08-0adc-4f4b-a6ef-36087a1c9869'
  +import { v4 as uuidv4 } from 'uuid';
  +uuidv4(); // ⇨ '9b1deb4d-3b7d-4bad-9bdd-2b0d7b3dcb6d'

• Deep requiring specific algorithms of this library like require('uuid/v4'), which has been deprecated in uuid@7, is no longer supported.

  Instead use the named exports that this module exports.

  For ECMAScript Modules (ESM):

  -import uuidv4 from 'uuid/v4';
  +import { v4 as uuidv4 } from 'uuid';
  uuidv4();

  For CommonJS:

  -const uuidv4 = require('uuid/v4');
  +const { v4: uuidv4 } = require('uuid');
  uuidv4();

Features

• native Node.js ES Modules (wrapper approach) (#​423) (2d9f590), closes #​245 #​419 #​342
• remove deep requires (#​426) (daf72b8)

Bug Fixes

• add CommonJS syntax example to README quickstart section (#​417) (e0ec840)

7.0.3 (2020-03-31)

Bug Fixes

• make deep require deprecation warning work in browsers (#​409) (4b71107), closes #​408

7.0.2 (2020-03-04)

Bug Fixes

• make access to msCrypto consistent (#​393) (8bf2a20)
• simplify link in deprecation warning (#​391) (bb2c8e4)
• update links to match content in readme (#​386) (44f2f86)

7.0.1 (2020-02-25)

Bug Fixes

• clean up esm builds for node and browser (#​383) (59e6a49)
• provide browser versions independent from module system (#​380) (4344a22), closes #​378

v7.0.0

Compare Source

⚠ BREAKING CHANGES

• For native ECMAScript Module (ESM) usage in Node.js only named exports are exposed, there is no more default export.

  -import uuid from 'uuid';
  -console.log(uuid.v4()); // -> 'cd6c3b08-0adc-4f4b-a6ef-36087a1c9869'
  +import { v4 as uuidv4 } from 'uuid';
  +uuidv4(); // ⇨ '9b1deb4d-3b7d-4bad-9bdd-2b0d7b3dcb6d'

• Deep requiring specific algorithms of this library like require('uuid/v4'), which has been deprecated in uuid@7, is no longer supported.

  Instead use the named exports that this module exports.

  For ECMAScript Modules (ESM):

  -import uuidv4 from 'uuid/v4';
  +import { v4 as uuidv4 } from 'uuid';
  uuidv4();

  For CommonJS:

  -const uuidv4 = require('uuid/v4');
  +const { v4: uuidv4 } = require('uuid');
  uuidv4();

Features

• native Node.js ES Modules (wrapper approach) (#​423) (2d9f590), closes #​245 #​419 #​342
• remove deep requires (#​426) (daf72b8)

Bug Fixes

• add CommonJS syntax example to README quickstart section (#​417) (e0ec840)

7.0.3 (2020-03-31)

Bug Fixes

• make deep require deprecation warning work in browsers (#​409) (4b71107), closes #​408

7.0.2 (2020-03-04)

Bug Fixes

• make access to msCrypto consistent (#​393) (8bf2a20)
• simplify link in deprecation warning (#​391) (bb2c8e4)
• update links to match content in readme (#​386) (44f2f86)

7.0.1 (2020-02-25)

Bug Fixes

• clean up esm builds for node and browser (#​383) (59e6a49)
• provide browser versions independent from module system (#​380) (4344a22), closes #​378

---

Configuration

📅 Schedule: (in timezone Europe/London)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Never, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

Oops! Looks like you forgot to update the changelog. When updating CHANGELOG.md, please consider the following:

• Changelog is read by country implementors who might not always be familiar with all technical details of OpenCRVS. Keep language high-level, user friendly and avoid technical references to internals.
• Answer "What's new?", "Why was the change made?" and "Why should I care?" for each change.
• If it's a breaking change, include a migration guide answering "What do I need to do to upgrade?".

[github-actions]

ℹ️ Coverage metrics explained:
• Statements — Executed code statements (basic logic lines)
• Branches — Tested decision paths (if/else, switch, ternaries)
• Functions — Functions invoked during tests
• Lines — Source lines executed

[github-actions]

📊 events test coverage

Statements: 85.5%
Branches:   83.93%
Functions:  90.78%
Lines:      85.5%
Updated at: Mon, 27 Apr 2026 07:02:05 GMT

[renovate]

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.