fix!: replace uuid dependency with crypto.randomUUID()#153
escoberik wants to merge 1 commit into apache:master from
Conversation
breautek left a comment:
Thanks for the PR. I'm always in favour of replacing third-party dependencies with core nodejs libraries whenever possible and this does just that.
Just a few notes, in addition to review lines.
- I think a separate PR should be made for the engine bump. This PR can then reference the other PR as a dependency. This is purely to facilitate reverts, if we for some reason require to, though I doubt it will happen.
- I think this PR should be marked as a breaking change. The commit message should be `fix!: ...`, the `!` indicating a breaking change. The PR message should provide a small blurb how the PR is a breaking change, which I think you already have.
| "bugs": "https://github.com/apache/cordova-node-xcode/issues", | ||
| "engines": { | ||
| "node": ">=10.0.0" | ||
| "node": ">=14.17.0" |
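Review bot: the `"node": ">=14.17.0"` bump in this hunk contradicts the commit message, which states that the engines field remains >=10.0.0 and that a separate PR will bump it; drop the engines change from this PR (or amend the commit message) so the two agree, otherwise the engine bump cannot be reverted independently of the uuid replacement.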
Can you revert this change back to >=10.0.0?
I know this change requires 14.17.0 but that change should be in its own PR so that the engine bump can be independent of the UUID change -- should we find a reason to revert the UUID change.
| pbxProject.prototype.generateUuid = function() { | ||
| var id = uuid.v4() | ||
| var id = require('crypto').randomUUID() |
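Review bot: the inline `require('crypto')` on the added line should be hoisted to the module's top-level requires (for example `const { randomUUID } = require('crypto');`), since generateUuid() is called frequently and the inline form pays a module-cache lookup on every call. Note also that crypto.randomUUID is undefined on Node < 14.17.0, so while engines still says >=10.0.0 an unsupported runtime fails only with a TypeError at the first generateUuid() call rather than at install time.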
Can you hoist the crypto require up with the other requires?
generateUuid is something that I believe is triggered often, and while modules are cached and executed once for the first require, hoisting an access variable just allows it to skip the cache lookup each time this function is invoked.
Codecov Report: All modified and coverable lines are covered by tests.
Coverage Diff (master vs. #153, +/-):
  Coverage   96.91%   96.91%   -0.01%
  Files      51       51
  Lines      11125    11124    -1
  Hits       10782    10781    -1
  Misses     343      343
uuid <14.0.0 is flagged by GHSA-w5hq-g745-h8pq (missing buffer bounds check in v3/v5/v6 when buf is provided). The only upstream fix is uuid v14, but v14 dropped CommonJS support, which would break this package. Since only uuid.v4() is used here (in generateUuid()), replace it with Node's built-in crypto.randomUUID() — available since Node 14.17.0, produces the same RFC 4122 v4 UUID format, and requires no external dependency. The uuid package is removed from dependencies entirely. BREAKING CHANGE: Node >=14.17.0 is now required at runtime (crypto.randomUUID was introduced in that release). The engines field remains >=10.0.0; a separate PR will bump it to reflect the new minimum. All 426 existing tests pass.
Force-pushed from b9f82b7 to a6d9e3b.
Problem
uuid ^7.0.3 is flagged by GHSA-w5hq-g745-h8pq — a missing buffer bounds check in uuid.v3/v5/v6() when an explicit buf argument is provided. The advisory marks all versions below uuid@14.0.0 as vulnerable, so downstream consumers (notably the Expo SDK and any project using @expo/config-plugins) see security audit failures they cannot resolve.
The "fix" suggested by npm audit — upgrading to uuid@14 — isn't viable here because uuid v14 dropped CommonJS support, and this package uses require('uuid').
Solution
This PR replaces the single uuid.v4() call in generateUuid() with Node's built-in crypto.randomUUID(), which:
The uuid package is removed from dependencies entirely. The engines field is updated from >=10.0.0 to >=14.17.0 to reflect the new minimum.
Testing
All 426 existing tests pass with no changes to the test suite.