CrowdStrike · mraible · Jan 26, 2026 · Jan 26, 2026 · Jan 26, 2026 · Jan 26, 2026
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -21,7 +21,11 @@ updates:
       time: "14:00"
       timezone: "UTC"
     ignore:
+      - dependency-name: "actions/checkout"
+        versions: [">=6.0.2"]
       - dependency-name: "actions/setup-node"
         versions: [">=6.2.0"]
       - dependency-name: "actions/setup-python"
         versions: [">=6.1.0"]
+      - dependency-name: "peter-evans/create-pull-request"
+        versions: [">=8.0.0"]
diff --git a/.github/workflows/rebuild.yml b/.github/workflows/rebuild.yml
@@ -32,7 +32,7 @@ jobs:
           git add .
           git commit -a -m "Rebuild UI with latest dependencies" || true
       - name: Create Pull Request
-        uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725  # v8.0.0
+        uses: peter-evans/create-pull-request@22a9089034f40e5a961c8808d113e2c98fb63676  # v7.0.11
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
           commit-message: 'Rebuild with latest dependencies'

diff --git a/ui/extensions/hello/src/dist/app.js b/ui/extensions/hello/src/dist/app.js
@@ -590,6 +590,12 @@ var React$1 = /*#__PURE__*/_mergeNamespaces({
 	default: React
 }, [reactExports]);
 
+var REGEX = /^(?:[0-9a-f]{8}-[0-9a-f]{4}-[1-8][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}|00000000-0000-0000-0000-000000000000|ffffffff-ffff-ffff-ffff-ffffffffffff)$/i;
+
+function validate(uuid) {
+    return typeof uuid === 'string' && REGEX.test(uuid);
+}
+
 const byteToHex = [];
 for (let i = 0; i < 256; ++i) {
     byteToHex.push((i + 0x100).toString(16).slice(1));
@@ -632,10 +638,7 @@ function rng() {
 const randomUUID = typeof crypto !== 'undefined' && crypto.randomUUID && crypto.randomUUID.bind(crypto);
 var native = { randomUUID };
 
-function v4(options, buf, offset) {
-    if (native.randomUUID && true && !options) {
-        return native.randomUUID();
-    }
+function _v4(options, buf, offset) {
     options = options || {};
     const rnds = options.random ?? options.rng?.() ?? rng();
     if (rnds.length < 16) {
@@ -645,6 +648,12 @@ function v4(options, buf, offset) {
     rnds[8] = (rnds[8] & 0x3f) | 0x80;
     return unsafeStringify(rnds);
 }
+function v4(options, buf, offset) {
+    if (native.randomUUID && true && !options) {
+        return native.randomUUID();
+    }
+    return _v4(options);
+}
 
 const VERSION = 'current';
 
@@ -662,6 +671,13 @@ event) {
 const CONNECTION_TIMEOUT = 5_000;
 const API_TIMEOUT = 30_000;
 const NAVIGATION_TIMEOUT = 5_000;
+function sanitizeMessageId(messageId) {
+    // Only allow valid UUID strings
+    if (typeof messageId !== 'string' || !validate(messageId)) {
+        return null;
+    }
+    return messageId;
+}
 function timeoutForMessage(message) {
     const timeout = message.type === 'connect'
         ? CONNECTION_TIMEOUT
@@ -753,12 +769,18 @@ class Bridge {
             return;
         }
         const { messageId } = event.data.meta;
-        const callback = this.pendingMessages.get(messageId);
-        if (!callback) {
+        // Sanitize messageId to prevent unvalidated dynamic method calls
+        const sanitizedMessageId = sanitizeMessageId(messageId);
+        if (!sanitizedMessageId) {
+            this.throwError(`Received message with invalid messageId format`);
+            return;
+        }
+        const callback = this.pendingMessages.get(sanitizedMessageId);
+        if (!callback || typeof callback !== 'function') {
             this.throwError(`Received unexpected message`);
             return;
         }
-        this.pendingMessages.delete(messageId);
+        this.pendingMessages.delete(sanitizedMessageId);
         callback(message.payload);
     };
     throwError(message) {