
fix: map uv to correct semver definition #6719

Open
thomasschafer wants to merge 2 commits into main from fix/map-uv-semver

Conversation

Contributor

@thomasschafer thomasschafer commented Apr 10, 2026

Pull Request Submission Checklist

  • Follows CONTRIBUTING guidelines
  • Commit messages
    are release-note ready, emphasizing
    what was changed, not how.
  • Includes detailed description of changes
  • Contains risk assessment (Low | Medium | High) - Low
  • Highlights breaking API changes (if applicable) - n/a
  • Links to automated tests covering new functionality
  • Includes manual testing instructions (if necessary)
  • Updates relevant GitBook documentation (PR link: ___) - n/a
  • Includes product update to be announced in the next stable release notes - n/a

What does this PR do?

This PR makes use of the fix here to map to the correct semver definition for uv. This resolves an issue with testing SBOMs generated directly by uv (it does not affect SBOMs of uv projects generated by snyk sbom).

I also had to update fake-server.ts. Extensions using a localhost API URL (e.g. os-flows/sbom) have it canonicalised by go-application-framework, stripping the /api prefix, so they call /hidden/orgs/.... Extensions using a non-localhost IP (e.g. aibom) skip canonicalisation and call /api/hidden/orgs/.... The fix registers the upload_revisions handlers for both prefixes, and updates response bodies to use dynamic path params rather than hardcoded UUIDs.

Finally, I also added an override for axios to address https://security.snyk.io/vuln/SNYK-JS-AXIOS-15965856.

How should this be manually tested?

Generate an SBOM for a uv project using

uv export --format=cyclonedx1.5 --preview --frozen --no-dev > sbom.json

then test it using

snyk sbom test --file=sbom.json

On main you should see an error like the following:

 ERROR   Unspecified Error (SNYK-CLI-0000)
         The encountered error only provides basic information, please take a look at
         the given details. If they do not help to resolve the issue, consider
         debugging or consulting support.

           failed to compute remediation summary: failed to resolve semver library: no
           semver library defined for ecosystem: uv

but on this branch you should see a successful run.

What's the product update that needs to be communicated to CLI users?

None
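The dual-prefix handler registration the PR description above talks about, as an added example in plain Node.js that is not the PR's fake-server.ts: the same upload_revisions handlers are registered under both /hidden and /api/hidden, and the response links are built from the matched path params rather than hardcoded UUIDs. The NEW_REVISION_ID placeholder, the response body shape and the canonicalisePath stand-in for the framework's base-URL canonicalisation are assumptions made for this example.

```javascript
// Added example (not the PR's fake-server.ts): a tiny route table that registers
// the upload_revisions handlers under both URL prefixes and builds response links
// from the matched path params instead of hardcoded UUIDs.
const PREFIXES = ["/hidden", "/api/hidden"];
// Constructed placeholder id returned by the POST handler (not a real value).
const NEW_REVISION_ID = "00000000-0000-4000-8000-000000000001";

// Turn an express-style pattern (":orgId") into a regex with named groups.
function compile(pattern) {
  const re = pattern.replace(/:([A-Za-z]+)/g, "(?<$1>[^/]+)");
  return new RegExp(`^${re}$`);
}

// Register each handler under every prefix so callers whose base URL was
// canonicalised ("/api" stripped) and callers that were not hit the same handler.
function buildRoutes() {
  const routes = [];
  for (const prefix of PREFIXES) {
    routes.push({
      method: "POST",
      re: compile(`${prefix}/orgs/:orgId/upload_revisions`),
      handle: (p) => ({
        links: { self: `/orgs/${p.orgId}/upload_revisions/${NEW_REVISION_ID}` },
      }),
    });
    routes.push({
      method: "PATCH",
      re: compile(`${prefix}/orgs/:orgId/upload_revisions/:uploadRevisionId`),
      handle: (p) => ({
        links: { self: `/orgs/${p.orgId}/upload_revisions/${p.uploadRevisionId}` },
      }),
    });
  }
  return routes;
}

// Dispatch a request; returns the handler's body, or null when nothing matches.
function dispatch(routes, method, path) {
  for (const r of routes) {
    const m = method === r.method && r.re.exec(path);
    if (m) return r.handle(m.groups);
  }
  return null;
}

// Assumed stand-in for the framework's base-URL canonicalisation described in the
// PR: a localhost API URL loses its "/api" prefix, any other host keeps it.
function canonicalisePath(baseUrl, path) {
  const host = new URL(baseUrl).hostname;
  return host === "localhost" || host === "127.0.0.1" ? path.replace(/^\/api/, "") : path;
}
```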


snyk-io bot commented Apr 10, 2026

Snyk checks have passed. No issues have been found so far.

| Status | Scan Engine | Critical | High | Medium | Low | Total (0) |
|---|---|---|---|---|---|---|
| | Open Source Security | 0 | 0 | 0 | 0 | 0 issues |
| | Licenses | 0 | 0 | 0 | 0 | 0 issues |
| | Code Security | 0 | 0 | 0 | 0 | 0 issues |


@thomasschafer thomasschafer force-pushed the fix/map-uv-semver branch 4 times, most recently from 58bfe80 to d270b12 on April 10, 2026 12:48
@thomasschafer thomasschafer marked this pull request as ready for review April 10, 2026 13:47
@thomasschafer thomasschafer requested review from a team as code owners April 10, 2026 13:47
Contributor

github-actions bot commented Apr 10, 2026

Warnings
⚠️ There are multiple commits on your branch, please squash them locally before merging!

Generated by 🚫 dangerJS against 4e0f9f5

@snyk-pr-review-bot

PR Reviewer Guide 🔍

🧪 PR contains tests
🔒 No security concerns identified
⚡ Recommended focus areas for review

Test Logic Change 🟡 [minor]

The POST /upload_revisions handler and the PATCH handler now use req.params.orgId and req.params.uploadRevisionId to construct response links instead of the previous hardcoded UUIDs. If any existing acceptance tests (not shown in this diff) perform exact string matching against the old hardcoded UUID 'bb262a15-d798-458b-81fa-30a92cb3475c', those tests will now fail when they receive the dynamic IDs (like '55555555...' used in the new test).

href: `/orgs/${req.params.orgId}/upload_revisions/bc0729a7-109f-4fe9-a048-aac410e28c9a`,
📚 Repository Context Analyzed

This review considered 13 relevant code sections from 3 files (average relevance: 0.78)
