V17.4.11 — override uuid to ^14.0.0
Fourth in the series of transitive-dep security overrides (V17.3.1 tough-cookie, V17.4.9 qs, V17.4.10 serialize-javascript). No runtime code changes — but verifying this one was safe took more care than the others.
What was wrong
GitHub Dependabot couldn't reconcile uuid versions for the latest security advisory (run 26342003808):
The latest possible version that can be installed is 8.3.2
The earliest fixed version is 14.0.0.
@cypress/request@3.0.1 requires uuid@^8.3.2
request@2.88.2 requires uuid@^3.3.2
Two transitive paths, two different majors, neither can reach 14.x without a forced override.
Why the override needed more thought than the others
The request@2.88.2 legacy package uses the deep-path import style:
// node_modules/request/lib/auth.js — and oauth.js, multipart.js
var uuid = require('uuid/v4')

That import path was removed in uuid 9.0.0. Only named exports work in uuid ≥ 9. So forcing uuid: ^14 would make request@2.88.2's require('uuid/v4') throw MODULE_NOT_FOUND if those modules ever load.
Looking at the actual runtime path:
node-telegram-bot-api/src/telegram.js:10 → require('@cypress/request-promise')
@cypress/request-promise/lib/rp.js:11 → return require('@cypress/request');
The Cypress promise wrapper deliberately redirects every call into @cypress/request (their modern fork), bypassing the legacy request@2.88.2 entirely. request@2.88.2 is only installed because npm's peer-dep resolver insists on satisfying request-promise-core@1.1.3's request@^2.34 peer dependency. It's installed and never loaded.
@cypress/request's own uuid usage is the modern named-export form, which works across uuid 7-14+:
// node_modules/@cypress/request/lib/auth.js
var { v4: uuid } = require('uuid')

So the override:
"overrides": {
"tough-cookie": "^4.1.3",
"qs": "^6.15.2",
"serialize-javascript": "^7.0.5",
+ "uuid": "^14.0.0"
}

With that in place, the broken legacy require('uuid/v4') calls in request@2.88.2 are dead code in our process, so the override is safe. Verified by running the full test suite, including the integration tests that stand up a mock Telegram API and exercise the live polling/sending/webhook transports: 232 passing.
Verification, more explicitly
$ npm ls uuid
node-red-contrib-telegrambot@17.4.11
└── node-telegram-bot-api@0.66.0
    ├── @cypress/request-promise@5.0.0
    │   └── request-promise-core@1.1.3
    │       └── request@2.88.2
    │           └── uuid@14.0.0 deduped   ← installed, never loaded
    └── @cypress/request@3.0.1
        └── uuid@14.0.0   ← actually used
What this does NOT do
- No runtime code changes. V17.4.8's polling-teardown fix remains the most important upgrade for users hitting 409 Conflict / wedged-polling shapes.
- Doesn't remove the legacy request@2.88.2 from the tree (we can't — it's a peer dep node-telegram-bot-api would need to drop upstream to remove).