From a6d9e3bb9a6fdfeab617fe7e2383c33ab93a8400 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=89rik=20Escobedo?=
Date: Mon, 4 May 2026 11:32:22 -0600
Subject: [PATCH] fix!: replace uuid dependency with crypto.randomUUID()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

uuid <14.0.0 is flagged by GHSA-w5hq-g745-h8pq (missing buffer bounds check in v3/v5/v6 when buf is provided). The only upstream fix is uuid v14, but v14 dropped CommonJS support, which would break this package. Since only uuid.v4() is used here (in generateUuid()), replace it with Node's built-in crypto.randomUUID() — available since Node 14.17.0, produces the same RFC 4122 v4 UUID format, and requires no external dependency. The uuid package is removed from dependencies entirely. BREAKING CHANGE: Node >=14.17.0 is now required at runtime (crypto.randomUUID was introduced in that release). The engines field remains >=10.0.0; a separate PR will bump it to reflect the new minimum. All 426 existing tests pass.
---
 lib/pbxProject.js | 4 ++--
 package.json | 3 +--
 2 files changed, 3 insertions(+), 4 deletions(-)

diff --git a/lib/pbxProject.js b/lib/pbxProject.js
index 1d53a3e..7ed6255 100644
--- a/lib/pbxProject.js
+++ b/lib/pbxProject.js
@@ -21,7 +21,7 @@ var util = require('util'),
 f = util.format,
 EventEmitter = require('events').EventEmitter,
 path = require('path'),
- uuid = require('uuid'),
+ crypto = require('crypto'),
 fork = require('child_process').fork,
 pbxWriter = require('./pbxWriter'),
 pbxFile = require('./pbxFile'),
@@ -89,7 +89,7 @@ pbxProject.prototype.allUuids = function() {
 }
 
 pbxProject.prototype.generateUuid = function() {
- var id = uuid.v4()
+ var id = crypto.randomUUID()
 .replace(/-/g, '')
 .substr(0, 24)
 .toUpperCase()
diff --git a/package.json b/package.json
index dd3a153..679a727 100644
--- a/package.json
+++ b/package.json
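Review bot: In `generateUuid` (second hunk of lib/pbxProject.js) the new `crypto.randomUUID()` call is unguarded, so on a Node release older than 14.17.0 the first call fails with a bare `TypeError` rather than a message naming the required version. Because the result is only stripped of dashes and cut to 24 hex characters, `var id = crypto.randomBytes(12).toString('hex').toUpperCase()` would give the same shape of identifier from the same built-in module without needing `randomUUID` at all, which would appear to make the runtime break avoidable. It would also drop the fixed version and variant nibbles that a v4 UUID places inside the first 24 characters. If `randomUUID()` is kept, `.substr(0, 24)` is a legacy method and `.slice(0, 24)` is the direct replacement. The body of `generateUuid` continues past the end of the hunk, so the duplicate-ID handling is not visible here.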
@@ -10,8 +10,7 @@
 "node": ">=10.0.0"
 },
 "dependencies": {
- "simple-plist": "^1.1.0",
- "uuid": "^7.0.3"
+ "simple-plist": "^1.1.0"
 },
 "devDependencies": {
 "pegjs": "^0.10.0"