fix!: replace uuid dependency with crypto.randomUUID() (#153)

* fix!: replace uuid dependency with crypto.randomUUID()

uuid <14.0.0 is flagged by GHSA-w5hq-g745-h8pq (missing buffer bounds
check in v3/v5/v6 when buf is provided). The only upstream fix is uuid
v14, but v14 dropped CommonJS support, which would break this package.

Since only uuid.v4() is used here (in generateUuid()), replace it with
Node's built-in crypto.randomUUID() — available since Node 14.17.0,
produces the same RFC 4122 v4 UUID format, and requires no external
dependency. The uuid package is removed from dependencies entirely.

BREAKING CHANGE: Node >=14.17.0 is now required at runtime (crypto.randomUUID
was introduced in that release). The engines field remains >=10.0.0; a
separate PR will bump it to reflect the new minimum.

All 426 existing tests pass.

* chore(npm): update package-lock.json

---------

Co-authored-by: Manuel Beck <manuelbeck87@outlook.de>

Author: escoberik

lib/pbxProject.js

@@ -21,7 +21,7 @@ const util = require('util');
 const f = util.format;
 const EventEmitter = require('events').EventEmitter;
 const path = require('path');
-const uuid = require('uuid');
+const crypto = require('crypto');
 const fork = require('child_process').fork;
 const PBXWriter = require('./pbxWriter');
 const PBXFile = require('./pbxFile');
@@ -88,7 +88,7 @@ PBXProject.prototype.allUuids = function () {
 };
 
 PBXProject.prototype.generateUuid = function () {
-    const id = uuid.v4()
+    const id = crypto.randomUUID()
         .replace(/-/g, '')
         .substr(0, 24)
         .toUpperCase();

package-lock.json

@@ -10,8 +10,7 @@
     "node": ">=14.17.0"
   },
   "dependencies": {
-    "simple-plist": "^1.1.0",
-    "uuid": "^7.0.3"
+    "simple-plist": "^1.1.0"
   },
   "devDependencies": {
     "@cordova/eslint-config": "^6.0.1",