@azure/functions-old referring to deprecated version of uuid causing CG alerts

[v-sharmachir]

We create a npm package that consume applicationinsights, and the users consuming our package are getting CG alerts as @azure/functions-old is referring to deprecated version of uuid package through the @azure/functions@3.5.1 version.
Overriding or adding this package as a direct dependency does not resolve the issue as it still install a nested vulnerable uuid package under node_modules/@azure/functions-old/node_modules/uuid to satisfy its declaration.
Is there any plan to remove the reference of this deprecated version?

[dougmorato]

Transitive uuid vulnerability via applicationinsights — cannot override without breaking CJS consumers

Environment:

• applicationinsights@3.15.0 (latest)
• Runtime: Bun 1.3.14 (same issue applies to Node.js)
• OS: Windows 11 / Linux (Container Apps)

Advisory: GHSA-w5hq-g745-h8pq — uuid <11.1.1: Missing buffer bounds check in v3/v5/v6 when buf is provided.

Dependency chain through applicationinsights:

applicationinsights@3.15.0
→ @azure/monitor-opentelemetry@1.18.0
→ @azure/monitor-opentelemetry-exporter@1.0.0-preview.6
→ @azure/core-http@1.2.6
→ uuid@^8.3.0 ← resolves to 8.3.2 (vulnerable)

Why this can't be fixed with an npm/bun override:

The patched versions (>=11.1.1, >=12.0.1, >=14.0.0) are all ESM-only. Multiple packages in the Azure SDK ecosystem still use CJS require('uuid'):

Overriding uuid to >=11.1.1 causes runtime crashes:

TypeError: require() async module ".../uuid/dist-node/index.js" is unsupported

This affects any CJS consumer that does var uuid = require('uuid') — which includes @azure/msal-node (bundled inside @azure/identity, the standard Azureauth library).

Root cause in applicationinsights:

The chain applicationinsights → @azure/monitor-opentelemetry → @azure/monitor-opentelemetry-exporter → @azure/core-http pulls in the deprecated@azure/core-http@1.2.6 which depends on uuid@^8.3.0. The modern replacement @azure/core-rest-pipeline does not depend on uuid.

Suggested fix:

Update @azure/monitor-opentelemetry-exporter to drop the @azure/core-http dependency in favor of @azure/core-rest-pipeline, which would eliminate the uuid transitive dependency from the applicationinsights tree entirely. Note that @azure/msal-node@5.2.2 has already dropped its uuid dependency — the AzureSDK team is clearly moving in this direction.

[JacksonWeber]

Both of these issues will be resolved by the next release of this package after the fix provided: #1498