Avoid using deprecated version of UUID #925

Closed
aeisenberg opened this issue Oct 22, 2021 · 14 comments
Labels
bug Something isn't working cache tool-cache

Comments

@aeisenberg

aeisenberg commented Oct 22, 2021

All versions of the UUID npm package < 7 have been deprecated due to a weakness in Math.random(). There are two packages in this repository that use the deprecated version.

Any downstream package that depends on these packages will include the following line in their package-lock.json:

      "deprecated": "Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.",

Can you upgrade node UUID to the latest released version? Happy to submit a PR to help you out.

@aeisenberg aeisenberg added the bug Something isn't working label Oct 22, 2021
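The "deprecated" line quoted above is written into package-lock.json by npm for every installed copy of a deprecated package, so a lockfile scan is the quickest way to find which nested copy of uuid a project is actually carrying and which dependency still declares the old range. The following is an added example, not code from this thread or from actions/toolkit; it reads the lockfileVersion 2/3 "packages" map, and the sample lockfile, its paths and its deprecation string are constructed here to mirror the shape npm writes.

```javascript
// Added example (not from actions/toolkit): scan a package-lock.json
// (lockfileVersion 2 or 3, "packages" map) for installed copies of a package
// below a minimum major version and for dependents that still declare an
// old range. SAMPLE_LOCK is constructed sample data, not a real lockfile.

const SAMPLE_LOCK = {
  name: "cache-test",
  lockfileVersion: 3,
  packages: {
    "": { name: "cache-test", version: "1.0.0", dependencies: { "@actions/cache": "^3.2.1" } },
    "node_modules/@actions/cache": { version: "3.2.1", dependencies: { uuid: "^3.3.3" } },
    // Nested copy: npm could not hoist uuid@3 because uuid@8 already sits at the top.
    "node_modules/@actions/cache/node_modules/uuid": {
      version: "3.4.0",
      deprecated: "Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.",
    },
    "node_modules/@actions/core": { version: "1.10.0", dependencies: { uuid: "^8.3.2" } },
    "node_modules/uuid": { version: "8.3.2" },
  },
};

// Parse "MAJOR.MINOR.PATCH[...]" into numbers; null for anything else.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  return m ? { major: +m[1], minor: +m[2], patch: +m[3] } : null;
}

// Every installed copy of `pkg` whose major version is below `minMajor`.
// Matching on the trailing "node_modules/<pkg>" path segment catches nested
// copies, which is where a deprecated duplicate usually hides.
function findOutdated(lock, pkg, minMajor) {
  const suffix = `node_modules/${pkg}`;
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!path.endsWith(suffix)) continue;
    const ver = parseVersion(entry.version || "");
    if (!ver || ver.major >= minMajor) continue;
    // The package that owns this node_modules directory, derived from the path.
    const prefix = path.slice(0, path.length - suffix.length).replace(/\/$/, "");
    findings.push({
      path,
      version: entry.version,
      deprecated: entry.deprecated || null,
      parent: prefix.replace(/^node_modules\//, "") || "(root)",
    });
  }
  return findings;
}

// Packages that still *declare* a range for `pkg` whose lower bound is below
// `minMajor`; these are the entries that need a package.json bump upstream.
function findDeclaredRanges(lock, pkg, minMajor) {
  const out = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const range = entry.dependencies && entry.dependencies[pkg];
    if (!range) continue;
    const m = /^[\^~]?(\d+)\./.exec(range);
    if (m && +m[1] < minMajor) out.push({ declaredBy: path || "(root)", range });
  }
  return out;
}

console.log("outdated copies:", JSON.stringify(findOutdated(SAMPLE_LOCK, "uuid", 7), null, 2));
console.log("old ranges:", JSON.stringify(findDeclaredRanges(SAMPLE_LOCK, "uuid", 7), null, 2));
```

On the sample this reports the single nested uuid@3.4.0 under @actions/cache together with its deprecation notice, and the "^3.3.3" range that @actions/cache declares; the top-level uuid@8.3.2 pulled in by @actions/core is not flagged. To run it against a real project, replace SAMPLE_LOCK with the parsed contents of that project's package-lock.json.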
@stevenwdv

stevenwdv commented Jun 3, 2022

@ maintainers?

@MikeMcC399

Is there some reason this has not been addressed?

"uuid": "^3.3.3"

In other places uuid@8.3.2 is being used rather than uuid@3.4.0.

Could this also be updated in https://github.com/actions/toolkit/blob/main/packages/cache/package.json to avoid the deprecation warning?

$ npm install @actions/cache@latest
npm WARN deprecated uuid@3.4.0: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.

added 55 packages, and audited 56 packages in 12s

found 0 vulnerabilities
$ npm ls uuid
cache-test@1.0.0
└─┬ @actions/cache@3.2.1
  ├─┬ @actions/core@1.10.0
  │ └── uuid@8.3.2
  ├─┬ @azure/ms-rest-js@2.6.6
  │ └── uuid@8.3.2
  ├─┬ @azure/storage-blob@12.13.0
  │ └─┬ @azure/core-http@3.0.1
  │   └── uuid@8.3.2
  └── uuid@3.4.0

@MikeMcC399

@actions/cache@3.2.2 (latest) is still using a deprecated version uuid@3.4.0

$ npm ls uuid
cache-test@1.0.0 D:\github2\cache-test
└─┬ @actions/cache@3.2.2
  ├─┬ @actions/core@1.10.1
  │ └── uuid@8.3.2
  ├─┬ @azure/ms-rest-js@2.7.0
  │ └── uuid@8.3.2
  ├─┬ @azure/storage-blob@12.17.0
  │ └─┬ @azure/core-http@3.0.4
  │   └── uuid@8.3.2
  └── uuid@3.4.0

@MikeMcC399

@actions/cache@3.2.3 also uses the deprecated version uuid@3.4.0

Could this issue please be addressed?

@MikeMcC399

@actions/cache@3.2.4 has been released, however this issue still remains unresolved.

@hemarina

I also ran into this message when using the tool-cache package, and it would be great to get uuid updated to version 7 or higher.
@bethanyj28 It looks like you are an active maintainer for this repo. Would you mind helping us on this issue or direct us to the right person?

@jakebailey

FWIW the dep isn't even needed; all uses of the library in the repo are just generating UUIDv4s, and Node has had crypto.randomUUID() as a global since Node 16.7 (and even earlier on the crypto module): https://nodejs.org/docs/latest/api/webcrypto.html#cryptorandomuuid

@MikeMcC399

Do the packages tool-cache and cache in this repo have a designated maintainer and is there any hope that this issue can be resolved?

@joshmgross joshmgross self-assigned this Sep 2, 2024
@joshmgross
Member

👋 Sorry for the delay, this issue got lost on our backlog and we can definitely do better here.

I'll follow up tomorrow on updating the UUID we use, whether that's updating the uuid package or utilizing a built-in Node function. I need to do some research there first 😄.

@joshmgross
Member

#1824 will remove this direct dependency, we'll need another update for any packages that have an indirect dependency on uuid through @actions/core after that new version is released. @actions/core isn't using a deprecated version of uuid, but I still think it's worth removing an unnecessary external dependency if we can.

@MikeMcC399

@joshmgross

@actions/cache@3.2.4 (latest) still depends on the deprecated uuid@3.4.0

Are you expecting to release an update anytime soon for @actions/cache with this issue fixed?

@joshmgross
Member

There will be a new update soon; the changes broke users on Node 18 - #1841

@joshmgross
Member

@actions/cache 3.3.0 does not depend on uuid - https://www.npmjs.com/package/@actions/cache?activeTab=dependencies

@actions/tool-cache still needs to be updated.

@joshmgross
Member

#1872

https://www.npmjs.com/package/@actions/tool-cache?activeTab=dependencies

That should be everything, if I missed anything please let me know.
