Skip to content

chore(deps): upgrade uuid #4516

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
jpan-box wants to merge 1 commit into
base: master
Choose a base branch
from
Open

chore(deps): upgrade uuid #4516

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
7 changes: 4 additions & 3 deletions package.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -281,7 +281,7 @@
"tabbable": "^1.1.3",
"ts-loader": "^6.2.1",
"typescript": "5.2.2",
"uuid": "^8.3.2",
"uuid": "^14.0.0",
"wait-on": "^9.0.5",
"webpack": "^5.105.4",
"webpack-bundle-analyzer": "^4.10.2",
Expand Down Expand Up @@ -349,14 +349,15 @@
"sass": "1.77.6",
"scroll-into-view-if-needed": "^2.2.31",
"tabbable": "^1.1.3",
"uuid": "^8.3.2"
"uuid": "^14.0.0"
},
"resolutions": {
"draft-js/immutable": "^3.8.3",
"eslint-plugin-formatjs/**/minimatch": "^9.0.9",
"qs": "^6.14.1",
"serialize-javascript": "^7.0.5",
"tar": "^7.5.11"
"tar": "^7.5.11",
"uuid": "^14.0.0"
},
Comment on lines 354 to 361
Copy link
Copy Markdown
Contributor

@coderabbitai coderabbitai Bot Apr 23, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Find any other direct/indirect consumers of `uuid` in the tree and confirm only v14 resolves.
fd -HI -t f '^yarn\.lock$' --max-depth 2
rg -nP '^\s*uuid@' yarn.lock | head -50
# Confirm only one uuid version will be resolved after the bump
rg -nP '^uuid@[^:]+:\s*$' -A 2 yarn.lock | head -40
# Find first-party call sites for uuid to confirm none rely on removed APIs (e.g. default export, uuid/v4 deep import)
rg -nP --type=js --type=ts --type=tsx -C2 "from ['\"]uuid(/|['\"])|require\(['\"]uuid(/|['\"])"

Repository: box/box-ui-elements

Length of output: 350

🌐 Web query:

Does uuid v14 still ship a CommonJS build usable via require('uuid').v4(), and what is the minimum supported Node.js version?

💡 Result:

No, uuid v14 does not ship a CommonJS build usable via require('uuid').v4. Starting with uuid@12, CommonJS support was removed, making it ESM-only. Users must use ESM syntax: import { v4 } from 'uuid';. The minimum supported Node.js version for v14 is 20.

Citations:

🏁 Script executed:

#!/bin/bash
# Search for uuid imports/requires more carefully without tsx type
rg -n "uuid" --type js --type ts -C 2 | grep -E "(require|import).*uuid|uuid.*from|uuid.*require" | head -30
# Also try a broader search
rg "uuid" --type js -l

Repository: box/box-ui-elements

Length of output: 743

🏁 Script executed:

#!/bin/bash
# Check the actual usage patterns in the codebase
rg -n "from ['\"]uuid|require\(['\"]uuid" --type js --type ts -C 2

Repository: box/box-ui-elements

Length of output: 484

🏁 Script executed:

#!/bin/bash
cat -n scripts/jest/jest.config.js | head -30

Repository: box/box-ui-elements

Length of output: 1808

🏁 Script executed:

#!/bin/bash
# Search for require('uuid') patterns in source code (not node_modules)
rg "require\(['\"]uuid" src/ scripts/ --type js --type ts -n

Repository: box/box-ui-elements

Length of output: 45

🏁 Script executed:

#!/bin/bash
# Check if there's any documentation or comments about uuid usage
rg "uuid" -A 2 -B 2 --type js --type ts src/ | grep -E "(v3|v4|v5|CJS|ESM|CommonJS|ES Module)" | head -20

Repository: box/box-ui-elements

Length of output: 202

Forcing uuid@14.0.0 will likely break transitive consumers; do not merge without testing.

uuid@14 is ESM-only (CommonJS support was removed starting with uuid@12). The transitive dependencies — cypress@cypress/requestuuid and webpack-dev-serversockjsuuid — were authored against uuid@3.x/uuid@8.x and almost certainly use require('uuid'). Requiring an ESM-only module with CommonJS will fail at runtime.

The repo's direct usage is correct (import { v4 as uuidv4 } from 'uuid' in Logger.js), but the transitive breakage is real. Test end-to-end before merging:

  • yarn start / yarn build:dev:dist (webpack-dev-server + sockjs path)
  • yarn cy:run (or yarn test:e2e) (cypress + @cypress/request path)

uuid@14 requires Node ≥ 20; the repo's engines.node: ">=20.x" is compatible, but verify CI runners are not still on Node 18.x.

🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In `@package.json` around lines 354 - 361, The "resolutions" entry forcing "uuid":
"^14.0.0" is unsafe because uuid@14 is ESM-only and will break CommonJS
transitive consumers; update the package.json "resolutions" block to pin uuid to
a CommonJS-compatible release (e.g., replace the uuid line with "uuid": "^8.3.2"
or another v8/v3-compatible semver), remove the ^14.0.0 entry if you need
ESM-only usage, then run the end-to-end checks (yarn start / yarn build:dev:dist
and yarn cy:run or yarn test:e2e) and confirm CI Node version matches
engines.node (>=20) before merging.

"msw": {
"workerDirectory": [".storybook/public"]
Expand Down
2 changes: 1 addition & 1 deletion scripts/jest/jest.config.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -28,6 +28,6 @@ module.exports = {
testMatch: ['**/__tests__/**/*.test.+(js|jsx|ts|tsx)'],
testPathIgnorePatterns: ['stories.test.js$', 'stories.test.tsx$', 'stories.test.d.ts'],
transformIgnorePatterns: [
'node_modules/(?!(@box/react-virtualized/dist/es|@box/cldr-data|@box/blueprint-web|@box/blueprint-web-assets|@box/metadata-editor|@box/box-ai-content-answers|@box/box-ai-agent-selector|@box/item-icon|@box/combobox-with-api|@box/tree|@box/metadata-filter|@box/metadata-view|@box/content-field|@box/types|@box/box-item-type-selector|@box/unified-share-modal|@box/user-selector|@box/copy-input)/)',
'node_modules/(?!(@box/react-virtualized/dist/es|@box/cldr-data|@box/blueprint-web|@box/blueprint-web-assets|@box/metadata-editor|@box/box-ai-content-answers|@box/box-ai-agent-selector|@box/item-icon|@box/combobox-with-api|@box/tree|@box/metadata-filter|@box/metadata-view|@box/content-field|@box/types|@box/box-item-type-selector|@box/unified-share-modal|@box/user-selector|@box/copy-input|uuid)/)',
],
};
8 changes: 4 additions & 4 deletions yarn.lock
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19134,10 +19134,10 @@ utils-merge@1.0.1:
resolved "https://registry.yarnpkg.com/utils-merge/-/utils-merge-1.0.1.tgz#9f95710f50a267947b2ccc124741c1028427e713"
integrity sha512-pMZTvIkT1d+TFGvDOqodOclx0QWkkgi6Tdoa8gC8ffGAAqz9pzPTZWAybbsHHoED/ztMtkv/VoYTYyShUn81hA==

uuid@^8.3.2:
version "8.3.2"
resolved "https://registry.yarnpkg.com/uuid/-/uuid-8.3.2.tgz#80d5b5ced271bb9af6c445f21a1a04c606cefbe2"
integrity sha512-+NYs2QeMWy+GWFOEm9xnn6HCDp0l7QBD7ml8zLUmJ+93Q5NF0NocErnwkTkXVFNiX3/fpC6afS8Dhb/gz7R7eg==
uuid@>=14.0.0, uuid@^14.0.0, uuid@^8.3.2:
version "14.0.0"
resolved "https://registry.yarnpkg.com/uuid/-/uuid-14.0.0.tgz#0af883220163d264ffe0c084f6b8a89b9666966d"
integrity sha512-Qo+uWgilfSmAhXCMav1uYFynlQO7fMFiMVZsQqZRMIXp0O7rR7qjkj+cPvBHLgBqi960QCoo/PH2/6ZtVqKvrg==

v8-to-istanbul@^9.0.1:
version "9.3.0"
Expand Down
Loading