Avoid using deprecated version of UUID

[aeisenberg]

All versions of the UUID npm package < 7 have been deprecated due to a weakness in Math.random(). There are two packages in this repository that use the deprecated version.

• https://github.com/actions/toolkit/blob/main/packages/tool-cache/package.json#L44
• https://github.com/actions/toolkit/blob/main/packages/cache/package.json#L48

Any downstream package that depends on these packages will include the following line in their package-lock.json:

      "deprecated": "Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.",

Can you upgrade node UUID to the latest released version? Happy to submit a PR to help you out.

[stevenwdv]

@ maintainers?

[MikeMcC399]

Is there some reason this has not been addressed?

toolkit/packages/cache/package.json

Line 49 in 4573039

"uuid": "^3.3.3"

In other places uuid@8.3.2 is being used rather than uuid@3.4.0.

Could this also be updated in https://github.com/actions/toolkit/blob/main/packages/cache/package.json to avoid the deprecation warning?

$ npm install @actions/cache@latest
npm WARN deprecated uuid@3.4.0: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.

added 55 packages, and audited 56 packages in 12s

found 0 vulnerabilities

$ npm ls uuid
cache-test@1.0.0
└─┬ @actions/cache@3.2.1
  ├─┬ @actions/core@1.10.0
  │ └── uuid@8.3.2
  ├─┬ @azure/ms-rest-js@2.6.6
  │ └── uuid@8.3.2
  ├─┬ @azure/storage-blob@12.13.0
  │ └─┬ @azure/core-http@3.0.1
  │   └── uuid@8.3.2
  └── uuid@3.4.0

[MikeMcC399]

@actions/cache@3.2.2 (latest) is still using a deprecated version uuid@3.4.0

$ npm ls uuid
cache-test@1.0.0 D:\github2\cache-test
└─┬ @actions/cache@3.2.2
  ├─┬ @actions/core@1.10.1
  │ └── uuid@8.3.2
  ├─┬ @azure/ms-rest-js@2.7.0
  │ └── uuid@8.3.2
  ├─┬ @azure/storage-blob@12.17.0
  │ └─┬ @azure/core-http@3.0.4
  │   └── uuid@8.3.2
  └── uuid@3.4.0

• PR Upgrade uuid #1571 was submitted and is waiting for review and merge

[MikeMcC399]

@actions/cache@3.2.3 also uses the deprecated version uuid@3.4.0

Could this issue please be addressed?

[MikeMcC399]

@actions/cache@3.2.4 has been released, however this issue still remains unresolved.

[hemarina]

I also ran into this message when using tool-cache package and it will be great to get uuid update to 7 or higher version.
@bethanyj28 It looks like you are an active maintainer for this repo. Would you mind helping us on this issue or direct us to the right person?

[jakebailey]

FWIW the dep isn't even needed; all uses of the library in the repo are just generating UUIDv4s, and Node has had crypto.randomUUID() as a global since Node 16.7 (and even earlier on the crypto module): https://nodejs.org/docs/latest/api/webcrypto.html#cryptorandomuuid

[MikeMcC399]

Do the packages tool-cache and cache in this repo have a designated maintainer and is there any hope that this issue can be resolved?

[joshmgross]

👋 Sorry for the delay, this issue got lost on our backlog and we can definitely do better here.

I'll follow up tomorrow on updating the UUID we use, whether that's updating the uuid package or utilizing a built-in Node function. I need to do some research there first 😄.