From e2aa8e5ed620d74890304d96ea89fb38a5d2dfad Mon Sep 17 00:00:00 2001
From: Matt Raible
Date: Mon, 26 Jan 2026 09:35:13 -0700
Subject: [PATCH 1/3] Downgrade peter-evans/create-pull-request to approved v7.0.11

---
.github/workflows/rebuild.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/rebuild.yml b/.github/workflows/rebuild.yml
index 00850f3..840dafc 100644
--- a/.github/workflows/rebuild.yml
+++ b/.github/workflows/rebuild.yml
@@ -32,7 +32,7 @@ jobs:
git add . git commit -a -m "Rebuild UI with latest dependencies" || true - name: Create Pull Request - uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 # v8.0.0 + uses: peter-evans/create-pull-request@22a9089034f40e5a961c8808d113e2c98fb63676 # v7.0.11 with: token: ${{ secrets.GITHUB_TOKEN }} commit-message: 'Rebuild with latest dependencies'

From e9d359ccd0f2f53baef711cb8f4e7b29d36ba203 Mon Sep 17 00:00:00 2001
From: Matt Raible
Date: Mon, 26 Jan 2026 09:43:32 -0700
Subject: [PATCH 2/3] Ignore unapproved GitHub Actions versions in dependabot

---
.github/dependabot.yml | 4 ++++
1 file changed, 4 insertions(+)

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 87fd80e..32e4bfb 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -21,7 +21,11 @@ updates:
time: "14:00" timezone: "UTC" ignore: + - dependency-name: "actions/checkout" + versions: [">=6.0.2"] - dependency-name: "actions/setup-node" versions: [">=6.2.0"] - dependency-name: "actions/setup-python" versions: [">=6.1.0"] + - dependency-name: "peter-evans/create-pull-request" + versions: [">=8.0.0"]

From d9de27b4560a73abe49149493a8205df1a326101 Mon Sep 17 00:00:00 2001
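Review bot: The two new `ignore` entries in the dependabot.yml hunk use open-ended upper ranges (`>=6.0.2` for actions/checkout, `>=8.0.0` for peter-evans/create-pull-request), and as far as I know Dependabot applies `ignore` conditions to security updates as well as version updates, so a future advisory fix that ships only in an ignored major would not be surfaced by Dependabot. That is a defensible trade-off given the approval requirement named in the commit title, but the file should say so, e.g. a comment above the block such as `# Majors not yet approved for this repo; revisit these ranges when a newer major is approved or an advisory is published` so the ignores do not quietly become permanent. The `>=8.0.0` floor is consistent with the v7.0.11 SHA pin in rebuild.yml from the first patch, so 7.x patch releases will still be proposed; whether `>=6.0.2` for actions/checkout matches the version the workflows currently pin is not visible in this diff.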
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Mon, 26 Jan 2026 10:03:07 -0700 Subject: [PATCH 3/3] Rebuild with latest dependencies (#96) Co-authored-by: mraible <17892+mraible@users.noreply.github.com> --- ui/extensions/hello/src/dist/app.js | 36 +++++++++++++++++++++++------ 1 file changed, 29 insertions(+), 7 deletions(-) diff --git a/ui/extensions/hello/src/dist/app.js b/ui/extensions/hello/src/dist/app.js index a2586fd..42bd0d1 100644 --- a/ui/extensions/hello/src/dist/app.js +++ b/ui/extensions/hello/src/dist/app.js @@ -590,6 +590,12 @@ var React$1 = /*#__PURE__*/_mergeNamespaces({ default: React }, [reactExports]); +var REGEX = /^(?:[0-9a-f]{8}-[0-9a-f]{4}-[1-8][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}|00000000-0000-0000-0000-000000000000|ffffffff-ffff-ffff-ffff-ffffffffffff)$/i; + +function validate(uuid) { + return typeof uuid === 'string' && REGEX.test(uuid); +} + const byteToHex = []; for (let i = 0; i < 256; ++i) { byteToHex.push((i + 0x100).toString(16).slice(1)); @@ -632,10 +638,7 @@ function rng() { const randomUUID = typeof crypto !== 'undefined' && crypto.randomUUID && crypto.randomUUID.bind(crypto); var native = { randomUUID }; -function v4(options, buf, offset) { - if (native.randomUUID && true && !options) { - return native.randomUUID(); - } +function _v4(options, buf, offset) { options = options || {}; const rnds = options.random ?? options.rng?.() ?? rng(); if (rnds.length < 16) { @@ -645,6 +648,12 @@ function v4(options, buf, offset) { rnds[8] = (rnds[8] & 0x3f) | 0x80; return unsafeStringify(rnds); } +function v4(options, buf, offset) { + if (native.randomUUID && true && !options) { + return native.randomUUID(); + } + return _v4(options); +} const VERSION = 'current'; 
@@ -662,6 +671,13 @@ event) { const CONNECTION_TIMEOUT = 5_000; const API_TIMEOUT = 30_000; const NAVIGATION_TIMEOUT = 5_000; +function sanitizeMessageId(messageId) { + // Only allow valid UUID strings + if (typeof messageId !== 'string' || !validate(messageId)) { + return null; + } + return messageId; +} function timeoutForMessage(message) { const timeout = message.type === 'connect' ? CONNECTION_TIMEOUT @@ -753,12 +769,18 @@ class Bridge { return; } const { messageId } = event.data.meta; - const callback = this.pendingMessages.get(messageId); - if (!callback) { + // Sanitize messageId to prevent unvalidated dynamic method calls + const sanitizedMessageId = sanitizeMessageId(messageId); + if (!sanitizedMessageId) { + this.throwError(`Received message with invalid messageId format`); + return; + } + const callback = this.pendingMessages.get(sanitizedMessageId); + if (!callback || typeof callback !== 'function') { this.throwError(`Received unexpected message`); return; } - this.pendingMessages.delete(messageId); + this.pendingMessages.delete(sanitizedMessageId); callback(message.payload); }; throwError(message) {