From a6d9e3bb9a6fdfeab617fe7e2383c33ab93a8400 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=89rik=20Escobedo?=
Date: Mon, 4 May 2026 11:32:22 -0600
Subject: [PATCH 1/2] fix!: replace uuid dependency with crypto.randomUUID()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

uuid <14.0.0 is flagged by GHSA-w5hq-g745-h8pq (missing buffer bounds check in v3/v5/v6 when buf is provided). The only upstream fix is uuid v14, but v14 dropped CommonJS support, which would break this package. Since only uuid.v4() is used here (in generateUuid()), replace it with Node's built-in crypto.randomUUID() — available since Node 14.17.0, produces the same RFC 4122 v4 UUID format, and requires no external dependency. The uuid package is removed from dependencies entirely. BREAKING CHANGE: Node >=14.17.0 is now required at runtime (crypto.randomUUID was introduced in that release). The engines field remains >=10.0.0; a separate PR will bump it to reflect the new minimum. All 426 existing tests pass.
---
 lib/pbxProject.js | 4 ++--
 package.json | 3 +--
 2 files changed, 3 insertions(+), 4 deletions(-)

diff --git a/lib/pbxProject.js b/lib/pbxProject.js
index 1d53a3e..7ed6255 100644
--- a/lib/pbxProject.js
+++ b/lib/pbxProject.js
@@ -21,7 +21,7 @@ var util = require('util'),
 f = util.format,
 EventEmitter = require('events').EventEmitter,
 path = require('path'),
- uuid = require('uuid'),
+ crypto = require('crypto'),
 fork = require('child_process').fork,
 pbxWriter = require('./pbxWriter'),
 pbxFile = require('./pbxFile'),
@@ -89,7 +89,7 @@ pbxProject.prototype.allUuids = function() {
 }
 
 pbxProject.prototype.generateUuid = function() {
- var id = uuid.v4()
+ var id = crypto.randomUUID()
 .replace(/-/g, '')
 .substr(0, 24)
 .toUpperCase()
diff --git a/package.json b/package.json
index dd3a153..679a727 100644
--- a/package.json
+++ b/package.json
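Review bot: The truncation in generateUuid still uses `.substr(0, 24)`, a legacy Annex B method that is deprecated; since this statement is being rewritten anyway, the equivalent `.slice(0, 24)` would avoid it. It is also worth a comment that the 24 kept hex digits include the RFC 4122 version nibble (always `4`, at index 12 of the de-hyphenated string) and the variant nibble (index 16), so the generated identifier carries roughly 90 random bits rather than 96 — the same as before with uuid.v4(), but not obvious from the code, e.g. `// first 24 hex digits of a v4 UUID; includes the fixed version/variant nibbles`. On a Node runtime older than 14.17.0, which the engines field in this patch still admits, `crypto.randomUUID` is undefined and the call fails with a TypeError at first use; the commit message acknowledges that the follow-up bump covers this. generateUuid's body continues past the end of the hunk.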
@@ -10,8 +10,7 @@
 "node": ">=10.0.0"
 },
 "dependencies": {
- "simple-plist": "^1.1.0",
- "uuid": "^7.0.3"
+ "simple-plist": "^1.1.0"
 },
 "devDependencies": {
 "pegjs": "^0.10.0"

From a31978c390d657f5c0a8f67b4105a13605040272 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=89rik=20Escobedo?=
Date: Mon, 4 May 2026 16:48:54 -0600
Subject: [PATCH 2/2] chore!: bump minimum Node.js engine to >=14.17.0

Reflects the runtime requirement introduced by apache/cordova-node-xcode#153 (crypto.randomUUID, available since Node 14.17.0). Node 10 and 12 have been EOL since 2021 and 2022 respectively. BREAKING CHANGE: Node <14.17.0 is no longer supported.
---
 package.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/package.json b/package.json
index 679a727..92c89af 100644
--- a/package.json
+++ b/package.json
@@ -7,7 +7,7 @@
 "repository": "github:apache/cordova-node-xcode",
 "bugs": "https://github.com/apache/cordova-node-xcode/issues",
 "engines": {
- "node": ">=10.0.0"
+ "node": ">=14.17.0"
 },
 "dependencies": {
 "simple-plist": "^1.1.0"