Avoid using deprecated version of UUID
All versions of the UUID npm package < 7 have been deprecated due to a weakness in Math.random(). There are two packages in this repository that use the deprecated version.
- https://github.com/actions/toolkit/blob/main/packages/tool-cache/package.json#L44
- https://github.com/actions/toolkit/blob/main/packages/cache/package.json#L48
Any downstream package that depends on these packages will include the following line in their package-lock.json:
"deprecated": "Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. See https://v8.dev/blog/math-random for details.",
Can you upgrade node UUID to the latest released version? Happy to submit a PR to help you out.
@ maintainers?
Is there some reason this has not been addressed?
https://github.com/actions/toolkit/blob/457303960f03375db6f033e214b9f90d79c3fe5c/packages/cache/package.json#L49
In other places [email protected] is being used rather than [email protected].
Could this also be updated in https://github.com/actions/toolkit/blob/main/packages/cache/package.json to avoid the deprecation warning?
```
$ npm install @actions/cache@latest
npm WARN deprecated [email protected]: Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. See https://v8.dev/blog/math-random for details.

added 55 packages, and audited 56 packages in 12s

found 0 vulnerabilities
```

```
$ npm ls uuid
[email protected]
└─┬ @actions/[email protected]
  ├─┬ @actions/[email protected]
  │ └── [email protected]
  ├─┬ @azure/[email protected]
  │ └── [email protected]
  ├─┬ @azure/[email protected]
  │ └─┬ @azure/[email protected]
  │   └── [email protected]
  └── [email protected]
```
@actions/[email protected] (latest) is still using a deprecated version [email protected]
```
$ npm ls uuid
[email protected] D:\github2\cache-test
└─┬ @actions/[email protected]
  ├─┬ @actions/[email protected]
  │ └── [email protected]
  ├─┬ @azure/[email protected]
  │ └── [email protected]
  ├─┬ @azure/[email protected]
  │ └─┬ @azure/[email protected]
  │   └── [email protected]
  └── [email protected]
```
- PR #1571 was submitted and is waiting for review and merge
@actions/[email protected] also uses the deprecated version [email protected]
Could this issue please be addressed?
@actions/[email protected] has been released, however this issue still remains unresolved.
I also ran into this message when using the tool-cache package, and it would be great to get uuid updated to version 7 or higher.
@bethanyj28 It looks like you are an active maintainer for this repo. Would you mind helping us on this issue or direct us to the right person?
FWIW the dep isn't even needed; all uses of the library in the repo are just generating UUIDv4s, and Node has had crypto.randomUUID() as a global since Node 16.7 (and even earlier on the crypto module): https://nodejs.org/docs/latest/api/webcrypto.html#cryptorandomuuid
Do the packages tool-cache and cache in this repo have a designated maintainer and is there any hope that this issue can be resolved?
👋 Sorry for the delay, this issue got lost on our backlog and we can definitely do better here.
I'll follow up tomorrow on updating the UUID we use, whether that's updating the uuid package or utilizing a built-in Node function. I need to do some research there first 😄.
https://github.com/actions/toolkit/pull/1824 will remove this direct dependency, we'll need another update for any packages that have an indirect dependency on uuid through @actions/core after that new version is released. @actions/core isn't using a deprecated version of uuid, but I still think it's worth removing an unnecessary external dependency if we can.