refactor: replace external uuid with crypto.randomUUID()

AviVahl · AviVahl · commit 34877abd9b4f · 2026-05-04T09:11:14.000+01:00
older versions of uuid have a security vulnerability. newer version are esm-only.

replaced with node's built-in crypto.randomUUID()
diff --git a/package-lock.json b/package-lock.json
diff --git a/packages/build/package.json b/packages/build/package.json
@@ -114,7 +114,6 @@
     "terminal-link": "^4.0.0",
     "ts-node": "^10.9.1",
     "typescript": "^5.0.0",
-    "uuid": "^11.0.0",
     "yaml": "^2.8.0",
     "yargs": "^17.6.0",
     "zod": "^3.25.76"
diff --git a/packages/build/src/plugins/ipc.js b/packages/build/src/plugins/ipc.js
@@ -1,8 +1,8 @@
+import crypto from 'crypto'
 import process from 'process'
 import { promisify } from 'util'
 
 import { pEvent } from 'p-event'
-import { v4 as uuidv4 } from 'uuid'
 
 import { jsonToError, errorToJson } from '../error/build.js'
 import { addErrorInfo } from '../error/info.js'
@@ -17,7 +17,7 @@ import {
 // We need to fire them in parallel because `process.send()` can be slow
 // to await, i.e. child might send response before parent start listening for it
 export const callChild = async function ({ childProcess, eventName, payload, logs, verbose }) {
-  const callId = uuidv4()
+  const callId = crypto.randomUUID()
   const [response] = await Promise.all([
     getEventFromChild(childProcess, callId),
     sendEventToChild({ childProcess, callId, eventName, payload, logs, verbose }),
diff --git a/packages/edge-bundler/node/bundler.ts b/packages/edge-bundler/node/bundler.ts
@@ -1,8 +1,8 @@
+import crypto from 'crypto'
 import { promises as fs } from 'fs'
 import { join } from 'path'
 
 import commonPathPrefix from 'common-path-prefix'
-import { v4 as uuidv4 } from 'uuid'
 
 import { importMapSpecifier } from '../shared/consts.js'
 
@@ -92,7 +92,7 @@ export const bundle = async (
   // The name of the bundle will be the hash of its contents, which we can't
   // compute until we run the bundle process. For now, we'll use a random ID
   // to create the bundle artifacts and rename them later.
-  const buildID = uuidv4()
+  const buildID = crypto.randomUUID()
 
   // Loading any configuration options from the deploy configuration API, if it
   // exists.
diff --git a/packages/edge-bundler/node/server/server.test.ts b/packages/edge-bundler/node/server/server.test.ts
@@ -1,3 +1,4 @@
+import crypto from 'crypto'
 import { createWriteStream } from 'fs'
 import { readFile } from 'fs/promises'
 import { join } from 'path'
@@ -10,7 +11,6 @@ import process from 'process'
 import { getURL as getBootstrapURL } from '@netlify/edge-functions-bootstrap/version'
 import getPort from 'get-port'
 import tmp from 'tmp-promise'
-import { v4 as uuidv4 } from 'uuid'
 import { test, expect } from 'vitest'
 
 import { fixturesDir } from '../../test/util.js'
@@ -73,7 +73,7 @@ test('Starts a server and serves requests for edge functions', async () => {
     headers: {
       'x-nf-edge-functions': 'echo_env',
       'x-ef-passthrough': 'passthrough',
-      'X-NF-Request-ID': uuidv4(),
+      'X-NF-Request-ID': crypto.randomUUID(),
     },
   })
   expect(response1.status).toBe(200)
@@ -83,7 +83,7 @@ test('Starts a server and serves requests for edge functions', async () => {
     headers: {
       'x-nf-edge-functions': 'greet',
       'x-ef-passthrough': 'passthrough',
-      'X-NF-Request-ID': uuidv4(),
+      'X-NF-Request-ID': crypto.randomUUID(),
     },
   })
   expect(response2.status).toBe(200)
@@ -93,7 +93,7 @@ test('Starts a server and serves requests for edge functions', async () => {
     headers: {
       'x-nf-edge-functions': 'global_netlify',
       'x-ef-passthrough': 'passthrough',
-      'X-NF-Request-ID': uuidv4(),
+      'X-NF-Request-ID': crypto.randomUUID(),
     },
   })
   expect(await response3.json()).toEqual({
@@ -166,7 +166,7 @@ test('Serves edge functions in a monorepo setup', async () => {
     headers: {
       'x-nf-edge-functions': 'func1',
       'x-ef-passthrough': 'passthrough',
-      'X-NF-Request-ID': uuidv4(),
+      'X-NF-Request-ID': crypto.randomUUID(),
     },
   })
 
diff --git a/packages/edge-bundler/package.json b/packages/edge-bundler/package.json
@@ -78,7 +78,6 @@
     "semver": "^7.3.8",
     "tar": "^7.5.12",
     "tmp-promise": "^3.0.3",
-    "urlpattern-polyfill": "8.0.2",
-    "uuid": "^11.0.0"
+    "urlpattern-polyfill": "8.0.2"
   }
 }
diff --git a/packages/js-client/package.json b/packages/js-client/package.json
@@ -52,7 +52,6 @@
     "nock": "^13.0.0",
     "ts-node": "^10.9.1",
     "typescript": "^5.0.0",
-    "uuid": "^11.0.0",
     "vitest": "^3.2.3"
   },
   "engines": {
diff --git a/packages/js-client/src/index.test.ts b/packages/js-client/src/index.test.ts

Original file line number	Diff line number	Diff line change
`@@ -78,7 +78,6 @@`
`78`	`78`	`"semver": "^7.3.8",`
`79`	`79`	`"tar": "^7.5.12",`
`80`	`80`	`"tmp-promise": "^3.0.3",`
`81`		`- "urlpattern-polyfill": "8.0.2",`
`82`		`- "uuid": "^11.0.0"`
	`81`	`+ "urlpattern-polyfill": "8.0.2"`
`83`	`82`	`}`
`84`	`83`	`}`