[Aikido] Fix 15 security issues in @turbo/darwin-64, @turbo/windows-64, ws and 5 more #490

Closed

aikido-autofix[bot] wants to merge 1 commit into main from aikido/update-packages-41168398-eerp

Conversation

aikido-autofix (Bot, Contributor) commented May 28, 2026

Upgrade dependencies to fix memory disclosure, buffer overflow, and DoS vulnerabilities in WebSocket, UUID, and brace-expansion libraries.

⚠️ Incomplete breaking changes analysis (7/8 analyzed)

⚠️ Breaking changes analysis not available for: nuxt

✅ No breaking changes from the uuid (7.0.3 => 11.1.1) or undici (6.25.0 => 7.24.1) upgrades affect this codebase.

uuid: Neither uuid nor any of its methods are directly imported or used in the codebase. The package appears only as a transitive dependency through xcode@3.0.1 (used by @expo/config-plugins), which is itself a transitive dependency. No code in this project directly calls uuid functions or uses deep imports like require('uuid/v4').

undici: The package is not directly imported or used in the codebase. While undici is a transitive dependency through @expo/cli and Node.js v24.14.0 uses undici internally for the global fetch API, the breaking changes (dropped interceptors, throwOnError, Node.js version requirements, and deduplicate behavior) only affect direct usage of undici's API. The codebase uses the standard fetch() API in several files (scripts/issue-token.mjs, packages/react-native/src/components/QuilttConnector.tsx, packages/capacitor/src/components/QuilttConnector.tsx), which remains unchanged and unaffected by undici's breaking changes.

All breaking changes by upgrading uuid from version 7.0.3 to 11.1.1 (CHANGELOG)

| Version | Description |
| --- | --- |
| 8.0.0 | For native ECMAScript Module (ESM) usage in Node.js, only named exports are exposed; there is no longer a default export. |
| 8.0.0 | Deep requiring specific algorithms like require('uuid/v4') is no longer supported. |
| 8.2.0 | Removed deprecated v4 string parameter. |
| 9.0.0 | Drop Node.js 10.x support. |
| 9.0.0 | Remove the minified UMD build from the package. |
| 9.0.0 | Drop IE 11 and Safari 10 support, no longer transpile browser build to ES2015, and remove msCrypto fallback. |
| 10.0.0 | Drop Node.js 12 and 14 support, only support Node.js 16-20. |
| 11.0.0 | Refactor v1 internal state and options logic. |
| 11.0.0 | Refactor v7 internal state and options logic. |

All breaking changes by upgrading undici from version 6.25.0 to 7.24.1 (CHANGELOG)

| Version | Description |
| --- | --- |
| 7.0.0 | Upgraded llhttp to 9.2.0 |
| 7.0.0 | Dropped interceptors |
| 7.0.0 | Dropped throwOnError |
| 7.0.0 | Bumped concurrently from 8.2.2 to 9.0.0 in /benchmarks (node < 18 unsupported) |
| 7.0.0 | Dropped Node.js v18 support |
| 7.22.0 | fix(deduplicate): do not deduplicate non-safe methods by default. This changes the default behavior of the deduplicate interceptor to no longer deduplicate non-safe HTTP methods, which could cause previously deduplicated requests to now be sent multiple times. |

✅ 15 CVEs resolved by this upgrade

This PR will resolve the following CVEs:

| Issue | Severity | Description |
| --- | --- | --- |
| CVE-2026-45736 | HIGH | [ws] is an open source WebSocket client and server for Node.js. Prior to 8.20.1, the websocket.close() implementation is vulnerable to uninitialized memory disclosure when a TypedArray is passed as the reason argument. This vulnerability is fixed in 8.20.1. |
| CVE-2026-41907 | HIGH | [uuid] A buffer overflow vulnerability allows v3, v5, and v6 UUID functions to write beyond caller-provided buffer boundaries when given small buffers or large offsets, causing silent data corruption. This can lead to memory corruption and potential code execution or information disclosure. |
| AIKIDO-2026-10892 | MEDIUM | [uuid] UUID functions v3(), v5(), and v6() can write past the end of a caller-provided buffer due to missing offset validation, enabling buffer overflow attacks. The fix adds bounds checks to prevent out-of-range writes. |
| CVE-2026-45149 | HIGH | [brace-expansion] A Denial of Service vulnerability where the max option is applied after generating large numeric ranges, causing excessive memory allocation (~505 MB) and CPU usage (~800ms) even when output is limited to 10 items. |
| CVE-2026-33750 | MEDIUM | [brace-expansion] A brace pattern with zero step value causes an infinite loop, leading to denial of service through process hangs and excessive memory allocation. The vulnerability affects string expansion operations when malicious or malformed patterns are processed. |
| AIKIDO-2026-10477 | LOW | [brace-expansion] A denial-of-service vulnerability allows attackers to craft malicious brace patterns with repeated numeric ranges that cause exponential expansion, consuming excessive CPU and memory until process failure. The fix introduces an optional maximum limit parameter to bound expansion work. |
| CVE-2025-5889 | LOW | [brace-expansion] A regular expression complexity vulnerability in the expand function allows remote attackers to cause denial of service through inefficient regex processing, though exploitation is difficult and requires high attack complexity. |
| AIKIDO-2026-10956 | MEDIUM | [@turbo/darwin-64] Symlink following vulnerability in cache archive/restore logic allows local attackers to redirect file reads/writes outside intended directories via time-of-check/time-of-use races. OpenTelemetry export also accepted unsafe HTTPS endpoints targeting private networks. |
| AIKIDO-2026-10957 | MEDIUM | [@turbo/windows-64] Symlink following vulnerability in cache archive/restore logic allows local attackers to redirect file reads/writes outside intended directories via time-of-check/time-of-use races. Additionally, OpenTelemetry export accepted unsafe HTTPS endpoints targeting private networks. |
| AIKIDO-2026-10948 | MEDIUM | [nuxt] Component islands feature allows direct access to protected .server.vue pages via /__nuxt_island/page_* URLs, bypassing route middleware-based authentication and enabling unauthorized access to server-rendered protected content. |
| CVE-2026-45669 | MEDIUM | [nuxt] navigateTo() with external: true insufficiently sanitizes URLs in server-side HTML redirect responses, allowing attackers to inject arbitrary HTML/JavaScript via unencoded characters like < and >. This enables reflected XSS attacks when user-controlled URLs are passed to the function, typically through redirect parameters. |
| CVE-2026-46342 | LOW | [nuxt] Island components render without validating server-side that the URL hash matches the provided props, allowing attackers to prime caches with malicious props. This enables stored XSS if island props flow into unsafe HTML sinks and a CDN caches by path only. |
| AIKIDO-2026-10385 | LOW | [undici] A prototype pollution vulnerability allows attackers to inject special keys like __proto__, constructor, or prototype into internal objects, potentially modifying the prototype chain and influencing application behavior or enabling further attacks. |
| AIKIDO-2026-10369 | LOW | [undici] Prototype pollution vulnerability allows attackers to modify object prototypes through specially crafted input with keys like __proto__ or constructor, potentially influencing application behavior or enabling further attacks. |
| AIKIDO-2026-10944 | LOW | [@expo/spawn-async] Unbounded buffering of child process stdout/stderr can exhaust memory or crash the parent Node application when a subprocess produces large continuous output. The vulnerability allows denial of service through memory exhaustion or V8 string length limits. |

changeset-bot (Bot) commented May 28, 2026

⚠️ No Changeset found

Latest commit: 23608a5

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

aikido-autofix (Bot, Contributor, Author) commented:

Closed by Aikido: a new AutoFix has been created → #491

aikido-autofix (Bot) closed this May 29, 2026

aikido-autofix (Bot) deleted the aikido/update-packages-41168398-eerp branch May 29, 2026 23:46