refactor: replace uuid with native Crypto API

[mag123c]

Description of change

This change by removing unnecessary external cryptographic dependencies (sha.js and uuid) and replacing them with native Crypto API functionality available in modern Node.js and browser environments.

Pull-Request Checklist

• Code is up-to-date with the master branch
• This pull request links relevant issues as Fixes Drop dependencies in favour of native crypto functionality #11693
• There are new or updated unit tests validating the change
• Documentation has been updated to reflect this change

Summary by CodeRabbit

• Chores

  • Removed the external UUID dependency from the project.

• Refactor

  • Centralized UUID generation into an internal utility and replaced dispersed direct UUID usage with the new provider.
  • Implemented a cross-platform UUID v4 generator that uses native crypto where available and falls back to a deterministic method for broader reliability.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

Important

Review skipped

Review was skipped due to path filters

⛔ Files ignored due to path filters (1)

• package-lock.json is excluded by !**/package-lock.json

CodeRabbit blocks several paths by default. You can override this behavior by explicitly including those paths in the path filters. For example, including **/dist/** will override the default block on the dist directory, by removing the pattern from both the lists.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Walkthrough

The PR removes the uuid dependency and centralizes UUID generation by adding RandomGenerator.uuidv4() (native crypto with fallback) and a PlatformTools.generateUuid() wrapper, then updates call sites and templates to use the new wrapper.

Changes

Cohort / File(s)	Summary
Dependency Removal package.json	Removed uuid from dependencies.
Random generator src/util/RandomGenerator.ts	Added RandomGenerator.uuidv4() implementing RFC 4122 v4 UUID: uses crypto.randomUUID() (Node/globalThis) when available, otherwise falls back to crypto.getRandomValues() with correct version/variant bit masking and formatting.
Platform abstraction src/platform/PlatformTools.ts, src/platform/BrowserPlatformTools.template	Added PlatformTools.generateUuid() delegating to RandomGenerator.uuidv4() (template updated for browser).
Call site updates src/cache/DbQueryResultCache.ts, src/query-builder/InsertQueryBuilder.ts, test/github-issues/10569/issue-10569.ts	Replaced direct uuid imports and v4() calls with PlatformTools.generateUuid().
Tests / examples test/...	Updated tests to use PlatformTools.generateUuid() instead of uuid v4.

Sequence Diagram(s)

sequenceDiagram
    participant CallSite as Call Site
    participant PT as PlatformTools
    participant RG as RandomGenerator
    participant Crypto as Native Crypto APIs

    CallSite->>PT: generateUuid()
    PT->>RG: uuidv4()
    alt Node.js crypto.randomUUID available
        RG->>Crypto: crypto.randomUUID()
        Crypto-->>RG: uuid
    else globalThis.crypto.randomUUID available
        RG->>Crypto: globalThis.crypto.randomUUID()
        Crypto-->>RG: uuid
    else Fallback: getRandomValues
        RG->>Crypto: crypto.getRandomValues(16)
        Crypto-->>RG: bytes
        RG->>RG: apply RFC4122 version/variant mask & format
    end
    RG-->>PT: uuid string
    PT-->>CallSite: uuid string

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

• Pay attention to RandomGenerator.uuidv4(): bit masking, endianness, and formatting for RFC 4122 compliance.
• Verify PlatformTools implementations (Node and Browser template) call correct module paths and avoid dynamic-require pitfalls.
• Confirm all call sites no longer import uuid and package.json removal is consistent with code.
• Run tests that exercise UUID generation paths (Node vs. browser/fallback).

Suggested reviewers

• sgarner

Poem

🐰 I hopped through bytes and cleared a thread,
crypto whispers where uuid once led.
A tidy seed from platform's tune,
IDs born beneath the moon. ✨

Pre-merge checks and finishing touches

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately reflects the main change: replacing the uuid dependency with native Crypto API for UUID generation.
Linked Issues check	✅ Passed	The PR partially addresses #11693: uuid dependency removed and replaced with native Crypto API, but SHA-1 changes were reverted per reviewer feedback to avoid breaking changes.
Out of Scope Changes check	✅ Passed	All changes focus on uuid removal and native Crypto API replacement. The RandomGenerator implementation and PlatformTools updates are directly related to the stated objective.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (2)

src/util/StringUtils.ts (1)

1-1: Consider using native crypto for SHA-1 instead of RandomGenerator.

The PR objectives specify replacing sha.js with the native crypto API, but RandomGenerator.sha1() is a pure JavaScript implementation (ported from PHP's locutus library), not a native crypto call. The comment in RandomGenerator.ts itself recommends "using Node's native crypto modules directly in a streaming fashion for faster and more efficient hashing."

Consider using the native crypto API for SHA-1:

import crypto from "crypto"

Then update the hash function:

 export function hash(input: string, options: IHashOptions = {}): string {
-    const hashedInput = RandomGenerator.sha1(input)
+    const hashedInput = crypto.createHash('sha1').update(input).digest('hex')
     if (options.length && options.length > 0) {
         return hashedInput.slice(0, options.length)
     }
     return hashedInput
 }

For browser environments, this would need platform-specific handling similar to PlatformTools.generateUuid(). Do you want me to propose a complete cross-platform solution?

Also applies to: 120-120

src/platform/PlatformTools.ts (1)

281-289: Verify type safety; error handling is optional depending on supported browser versions.

Node.js version 16.13.0 (minimum in package.json) satisfies the 14.17.0+ requirement for crypto.randomUUID(). The code is compatible with the project's minimum Node.js version.

For the browser path, the type safety concern is valid: (globalThis as any).crypto.randomUUID() bypasses TypeScript checking. Consider improving type safety by replacing the cast with proper optional chaining:

-    return (globalThis as any).crypto.randomUUID()
+    return globalThis.crypto.randomUUID()

Error handling for older browsers (lacking crypto.randomUUID support) is optional and depends on your minimum supported browser versions. If you need to support browsers older than Chrome 92, Firefox 95, or Safari 15.4, add defensive checks before the call.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 2681051 and 74bddfd.

⛔ Files ignored due to path filters (1)

• package-lock.json is excluded by !**/package-lock.json

📒 Files selected for processing (6)

• package.json (0 hunks)
• src/cache/DbQueryResultCache.ts (2 hunks)
• src/platform/PlatformTools.ts (2 hunks)
• src/query-builder/InsertQueryBuilder.ts (2 hunks)
• src/util/StringUtils.ts (2 hunks)
• test/github-issues/10569/issue-10569.ts (2 hunks)

💤 Files with no reviewable changes (1)

• package.json

🧰 Additional context used

🧠 Learnings (1)

📚 Learning: 2025-07-27T20:50:10.364Z

Learnt from: alumni
Repo: typeorm/typeorm PR: 11581
File: docs/docs/drivers/postgres.md:23-23
Timestamp: 2025-07-27T20:50:10.364Z
Learning: The correct data source type for Aurora PostgreSQL in TypeORM is `aurora-postgres`, not `aurora-data-api-pg`. The `aurora-data-api-pg` driver was renamed to `aurora-postgres` according to the CHANGELOG.md. This is defined in the DatabaseType union type and AuroraPostgresConnectionOptions interface.

Applied to files:

• src/query-builder/InsertQueryBuilder.ts

🧬 Code graph analysis (4)

src/query-builder/InsertQueryBuilder.ts (1)

src/platform/PlatformTools.ts (1)

• PlatformTools (18-290)

src/util/StringUtils.ts (1)

src/util/RandomGenerator.ts (1)

• RandomGenerator (1-165)

src/cache/DbQueryResultCache.ts (1)

src/platform/PlatformTools.ts (1)

• PlatformTools (18-290)

test/github-issues/10569/issue-10569.ts (1)

src/platform/PlatformTools.ts (1)

• PlatformTools (18-290)

🔇 Additional comments (4)

src/cache/DbQueryResultCache.ts (1)

8-8: LGTM! Clean migration to native UUID generation.

The replacement of uuidv4() with PlatformTools.generateUuid() is correctly implemented for the Spanner-specific case where auto-generated columns are not supported.

Also applies to: 271-271

src/query-builder/InsertQueryBuilder.ts (1)

14-14: LGTM! Proper UUID generation fallback.

The replacement correctly uses PlatformTools.generateUuid() for databases that don't natively support UUID generation. The integration with locallyGenerated tracking is maintained.

Also applies to: 1410-1410

test/github-issues/10569/issue-10569.ts (1)

6-6: LGTM! Test updated to match new UUID generation approach.

The test correctly uses PlatformTools.generateUuid() consistent with the rest of the codebase.

Also applies to: 36-36

src/platform/PlatformTools.ts (1)

2-2: LGTM! Proper crypto import.

The crypto import is correctly added to support native UUID generation.

[alumni]

Can break platforms that don't support crypto. Read the discussion in #11693

Also: the internal sha1 implementation has a flaw (when whitespace chars are in the input) - so this is a breaking change that cannot be merged into master (we use master for the 0.3 version).

[mag123c]

@alumni
Oops, I'll try to change it that no breaking changes occur. Thanks for comment.

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

src/platform/BrowserPlatformTools.template (1)

143-203: Consider eliminating code duplication.

The sha1() and generateUuid() implementations are duplicated between PlatformTools.ts and BrowserPlatformTools.template. While some duplication is expected given the platform-specific nature of this file, the UUID generation fallback logic (lines 171-202) is identical.

If feasible within your build/bundling constraints, consider extracting the common fallback logic to a shared utility that both platform implementations can reference. This would reduce maintenance burden and ensure consistency. However, if the template replacement mechanism makes this impractical, the current duplication is acceptable.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 74bddfd and 1f469bc.

⛔ Files ignored due to path filters (1)

• package-lock.json is excluded by !**/package-lock.json

📒 Files selected for processing (9)

• package.json (0 hunks)
• src/cache/DbQueryResultCache.ts (2 hunks)
• src/naming-strategy/DefaultNamingStrategy.ts (9 hunks)
• src/naming-strategy/LegacyOracleNamingStrategy.ts (2 hunks)
• src/platform/BrowserPlatformTools.template (1 hunks)
• src/platform/PlatformTools.ts (3 hunks)
• src/query-builder/InsertQueryBuilder.ts (2 hunks)
• src/util/StringUtils.ts (2 hunks)
• test/github-issues/10569/issue-10569.ts (2 hunks)

💤 Files with no reviewable changes (1)

• package.json

🚧 Files skipped from review as they are similar to previous changes (2)

• src/query-builder/InsertQueryBuilder.ts
• src/util/StringUtils.ts

🧰 Additional context used

🧠 Learnings (1)

📚 Learning: 2025-07-26T12:22:52.215Z

Learnt from: alumni
Repo: typeorm/typeorm PR: 11580
File: src/util/ImportUtils.ts:58-62
Timestamp: 2025-07-26T12:22:52.215Z
Learning: In TypeORM's codebase, `importOrRequireFile` is always called with resolved file paths. For example, `DirectoryExportedClassesLoader.ts` calls `PlatformTools.pathResolve(file)` before passing the path to `importOrRequireFile`, and `PlatformTools.pathResolve()` is a wrapper around Node.js `path.resolve()`. This means the cache keys in `getNearestPackageJson` will always be absolute paths, eliminating concerns about cache consistency between relative and absolute path formats.

Applied to files:

• src/platform/PlatformTools.ts

🧬 Code graph analysis (5)

src/naming-strategy/LegacyOracleNamingStrategy.ts (1)

src/platform/PlatformTools.ts (1)

• PlatformTools (18-348)

src/cache/DbQueryResultCache.ts (1)

src/platform/PlatformTools.ts (1)

• PlatformTools (18-348)

src/platform/PlatformTools.ts (1)

src/util/RandomGenerator.ts (1)

• RandomGenerator (1-165)

src/naming-strategy/DefaultNamingStrategy.ts (1)

src/platform/PlatformTools.ts (1)

• PlatformTools (18-348)

test/github-issues/10569/issue-10569.ts (1)

src/platform/PlatformTools.ts (1)

• PlatformTools (18-348)

🔇 Additional comments (8)

src/cache/DbQueryResultCache.ts (1)

8-8: LGTM!

The migration from the uuid package to PlatformTools.generateUuid() is clean and maintains the same functionality for Spanner cache ID generation.

Also applies to: 271-271

src/naming-strategy/LegacyOracleNamingStrategy.ts (1)

2-2: LGTM!

The migration to PlatformTools.sha1() maintains backward compatibility since it delegates to the same RandomGenerator.sha1() implementation, ensuring database constraint names remain unchanged.

Also applies to: 57-57

src/naming-strategy/DefaultNamingStrategy.ts (1)

2-2: LGTM!

All constraint name generation methods have been consistently updated to use PlatformTools.sha1(). Since this delegates to the same underlying RandomGenerator.sha1() implementation, existing database constraint names will remain unchanged.

Also applies to: 63-63, 76-76, 92-92, 102-102, 117-117, 133-133, 144-144, 155-155

test/github-issues/10569/issue-10569.ts (1)

6-6: LGTM!

The test has been updated to use PlatformTools.generateUuid() instead of the external uuid package, maintaining the same test behavior.

Also applies to: 36-36

src/platform/PlatformTools.ts (3)

2-2: LGTM!

The crypto import addition and formatting cleanup are appropriate for the new functionality.

Also applies to: 134-136

---

281-290: LGTM!

The sha1() method correctly delegates to RandomGenerator.sha1(), maintaining backward compatibility for constraint names. The lazy import avoids circular dependencies.

---

292-347: Security concern acknowledged but implementation is already defensive; fallback only reached in unsupported environments.

The review correctly identifies that Math.random() is not cryptographically secure (line 324-327). However, verification shows the implementation has three secure fallbacks before reaching it:

1. TypeORM requires Node.js >=16.13.0, which includes crypto.randomUUID() (available since Node 15.7.0)
2. Browser/modern environments try globalThis.crypto.randomUUID()
3. Fallback to crypto.getRandomValues() with RFC 4122 manual implementation
4. Only then Math.random() as last resort

The code already acknowledges this in the comment at line 324: "Last resort: Math.random (not cryptographically secure)."

For the cache key usage, UUIDs are used in DbQueryResultCache for cache IDs, where unpredictability is less critical than for security tokens. The Math.random() fallback would only execute in truly unsupported/legacy environments—modern React Native includes crypto polyfills, modern browsers support the crypto API.

Rather than throwing an error (which could break legitimate edge cases), consider adding a warning log when the Math.random() fallback is used, with clear documentation about supported environments.

src/platform/BrowserPlatformTools.template (1)

143-150: LGTM!

The sha1() method correctly delegates to RandomGenerator.sha1() for consistent hashing across platforms.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Same security concern: Math.random() fallback is not cryptographically secure.

This implementation has the same security issue as PlatformTools.ts: the Math.random() fallback (lines 181-183) produces weak, predictable UUIDs when crypto APIs are unavailable.

Apply the same fix recommended for PlatformTools.ts:

         } else {
-            // Last resort: Math.random (not cryptographically secure)
-            for (let i = 0; i < 16; i++) {
-                randomBytes[i] = Math.floor(Math.random() * 256)
-            }
+            throw new Error(
+                "Cryptographically secure random number generation is not available. " +
+                "Please ensure your browser supports crypto.getRandomValues()."
+            )
         }

Modern browsers have supported crypto.getRandomValues() since 2013-2014, so this fallback should rarely (if ever) be needed in practice.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	/**
	* Generates UUID v4 with fallback for environments without crypto support.
	*/
	static generateUuid(): string {
	try {
	// Try modern browser crypto API
	if (
	typeof globalThis !== "undefined" &&
	globalThis.crypto &&
	typeof globalThis.crypto.randomUUID === "function"
	) {
	return globalThis.crypto.randomUUID()
	}
	} catch (e) {
	// Fall through to polyfill
	}
	// Fallback implementation for older browsers and React Native
	// Based on RFC 4122 version 4 UUID
	const randomBytes = new Uint8Array(16)
	if (
	typeof globalThis !== "undefined" &&
	globalThis.crypto &&
	typeof globalThis.crypto.getRandomValues === "function"
	) {
	globalThis.crypto.getRandomValues(randomBytes)
	} else {
	// Last resort: Math.random (not cryptographically secure)
	for (let i = 0; i < 16; i++) {
	randomBytes[i] = Math.floor(Math.random() * 256)
	}
	}
	// Set version (4) and variant bits according to RFC 4122
	randomBytes[6] = (randomBytes[6] & 0x0f) | 0x40
	randomBytes[8] = (randomBytes[8] & 0x3f) | 0x80
	// Convert to UUID string format
	const hexValues: string[] = []
	randomBytes.forEach((byte) => {
	hexValues.push(byte.toString(16).padStart(2, "0"))
	})
	return [
	hexValues.slice(0, 4).join(""),
	hexValues.slice(4, 6).join(""),
	hexValues.slice(6, 8).join(""),
	hexValues.slice(8, 10).join(""),
	hexValues.slice(10, 16).join(""),
	].join("-")
	}
	/**
	* Generates UUID v4 with fallback for environments without crypto support.
	*/
	static generateUuid(): string {
	try {
	// Try modern browser crypto API
	if (
	typeof globalThis !== "undefined" &&
	globalThis.crypto &&
	typeof globalThis.crypto.randomUUID === "function"
	) {
	return globalThis.crypto.randomUUID()
	}
	} catch (e) {
	// Fall through to polyfill
	}
	// Fallback implementation for older browsers and React Native
	// Based on RFC 4122 version 4 UUID
	const randomBytes = new Uint8Array(16)
	if (
	typeof globalThis !== "undefined" &&
	globalThis.crypto &&
	typeof globalThis.crypto.getRandomValues === "function"
	) {
	globalThis.crypto.getRandomValues(randomBytes)
	} else {
	throw new Error(
	"Cryptographically secure random number generation is not available. " +
	"Please ensure your browser supports crypto.getRandomValues()."
	)
	}
	// Set version (4) and variant bits according to RFC 4122
	randomBytes[6] = (randomBytes[6] & 0x0f) | 0x40
	randomBytes[8] = (randomBytes[8] & 0x3f) | 0x80
	// Convert to UUID string format
	const hexValues: string[] = []
	randomBytes.forEach((byte) => {
	hexValues.push(byte.toString(16).padStart(2, "0"))
	})
	return [
	hexValues.slice(0, 4).join(""),
	hexValues.slice(4, 6).join(""),
	hexValues.slice(6, 8).join(""),
	hexValues.slice(8, 10).join(""),
	hexValues.slice(10, 16).join(""),
	].join("-")
	}

[mag123c]

@alumni
Thanks for the feedback! I'd appreciate your review to confirm this approach is correct.

Changes Made

Platform Compatibility

• Added multi-level fallback for UUID generation:
• Primary: crypto.randomUUID() (Node.js, modern browsers)
• Fallback 1: crypto.getRandomValues() (older browsers, React Native)
• Fallback 2: Math.random() (last resort)

Updated both Node and Browser PlatformTools implementations

SHA-1 Breaking Change

• Approach taken: Use RandomGenerator.sha1() on ALL platforms instead of native crypto
• Reason: Avoids breaking existing database constraint names
• Trade-off: Keeps the whitespace handling behavior (encodeURIComponent) for consistency

Please let me know if this direction is acceptable or if you'd prefer a different approach.

[alumni]

So first of all, if there's any breaking change, we would like to do this in the next major version of TypeORM, which is developed in the next branch (instead of master).

The Crypto WebAPI (crypto.randomUUID()) should work in nodejs/browsers (at least in recent versions of NodeJS). However, it may not work on every platform, so it would be great if we implemented our own UUIDv4 function. Not sure why crypto.getRandomValues() and Math.random() would be needed. Later edit: Ah, I see Math.random is used for the UUID generation. But that will no longer be a UUIDv4. I'd rather copy the implementation from the uuid library to maintain compatibility.

We could add a uuidv4 function to RandomGenerator that calls the native implementation if it exists and falls back to the custom implementation otherwise.

For SHA1, we can't use native crypto since it's async, so we can use our own implementation. Our implementation has a bug with certain characters (missing unescape in src/util/RandomGenerator.ts:44 IIRC). So sha.js/native crypto and our implementation have different output when some special characters are in the input. If we fix our implementation we might generate a lot of migrations for e.g. check constraints. If we don't, we might generate migrations everywhere else.

I think the UUIDv4 change is not breaking, but the SHA1 will be.

[mag123c]

@alumni
Thank you for the detailed feedback! I've updated the implementation based on your review

Changes Made

UUID Implementation

• Moved UUID generation to RandomGenerator.uuidv4() as suggested
• Native crypto.randomUUID() is used when available
• Fallback to crypto.getRandomValues() with proper RFC 4122 implementation
• Removed Math.random() fallback - now throws error instead (as you noted, Math.random would not be RFC 4122 compliant)
• Successfully removed uuid dependency

SHA1 Scope Reduction

• Reverted all SHA1-related changes from this PR

---

Should I update the PR title to reflect the reduced scope (e.g., "refactor: replace uuid with native Crypto API")? Or keep the current title and clarify in comments?

And, May I proceed with creating a PR targeting the next branch for SHA1 removal?
If I could be, Are there any specific guidelines or considerations I should be aware of when contributing to the next major version?

Looking forward to your feedback!

[alumni]

@mag123c a few more things: the lockfile needs updating after sha.js was added back. Also the PR title should be updated.

Looking at the source code of uuid, I also wonder how it worked on React Native - crypto is not available in Hermes, not even getRandomValues, so probably a good fallback would be to create the array and set each element to a random value, like react-native-uuid does in rng (and similar to what was here before). The UUIDv4 format is achieved via the bitwise & on bytes 6 and 8, I think.

[mag123c]

@alumni Thank you for the detailed feedback on React Native/Hermes support!

Updates Made

• package-lock.json updated after restoring sha.js dependency
• Math.random() fallback added to RandomGenerator.ts for Hermes compatibility

---

Before implementing, I conducted research to ensure this is the optimal approach

1. Hermes crypto support

• Confirmed via Hermes issue #915 that crypto APIs are officially out of scope
• Hermes team: "This falls outside of the JavaScript specification... should be addressed at the React Native level"

2. RFC 4122 compliance

• Section 4.4 explicitly permits "randomly (or pseudo-randomly) chosen values"
• Math.random() is compliant for UUID v4 generation

3. Others

• expo-crypto uses identical Math.random() fallback

[mag123c]

Fixed missing socks@2.8.7 dependency in package-lock.json.

The entry was accidentally removed during a previous lock update when npm pruned the optional package. Manually restored from master's lock file.

[pkuczynski]

@mag123c this should be done against next branch as it's planned for 1.0. I just changed the base branch for PR. Can you solve conflicts?

[alumni]

@pkuczynski I think here it's a problem of how we created the tasks, we should probably create 3 of them (shajs, uuid, and buffer), not just one :P

However, if globalThis.crypto is a headache in TS with the old versions of node, we could as well do it for the next major 🤷🏻‍♂️ I think this is what I was afraid of when I added it to the next major TODO :)

[mag123c]

I've resolved the conflicts after the base branch was changed to next

[pujux]

seems the lockfile needs an update so the checks run correctly :) @mag123c

[qodo-free-for-open-source-projects]

PR Code Suggestions ✨

Latest suggestions up to dd2cb3c

Category	Suggestion	Impact
Security	Avoid weak Math.random() for UUIDs Replace the Math.random() fallback for UUID generation with an error. This avoids using a cryptographically weak method for generating IDs and forces developers to provide a proper crypto polyfill when one is not available. src/util/RandomGenerator.ts [23-30] -// Fallback for React Native/Hermes and environments without crypto support -// Hermes (React Native's JavaScript engine) does not provide crypto APIs -// Math.random() is permitted by RFC 4122 for UUID v4 ("pseudo-randomly") -// This approach is also used by expo-crypto and other RN libraries -// Note: For TypeORM's use case (DB IDs, cache IDs), uniqueness is sufficient -for (let i = 0; i < 16; i++) { - randomBytes[i] = Math.floor(Math.random() * 256) -} +// Fallback for environments without crypto support +// Throw error to ensure developers provide proper crypto polyfills +throw new Error( + "crypto.getRandomValues() is not available. " + + "Please provide a crypto polyfill for your environment." +) Apply / Chat Suggestion importance[1-10]: 8 __ Why: The suggestion correctly identifies that using Math.random() for UUID generation is a security risk due to its predictability and potential for collisions. Proposing to throw an error instead of silently falling back to a weak generator is a much safer default for a library, forcing developers to address the lack of a proper crypto implementation in their environment.	Medium
More

---

Previous suggestions

Suggestions up to commit f823ff8

Category	Suggestion	Impact
Security	Replace insecure Math.random() fallback Replace the insecure Math.random() fallback for UUID generation. Instead of using a non-cryptographically secure method, throw an error if a secure random number generator is not available. src/util/RandomGenerator.ts [28-30] -for (let i = 0; i < 16; i++) { - randomBytes[i] = Math.floor(Math.random() * 256) -} +throw new Error( + "Cryptographically secure random number generation is not available. " + + "Please ensure your environment supports crypto.getRandomValues() or crypto.randomUUID()." +) Suggestion importance[1-10]: 9 __ Why: The suggestion correctly identifies a significant security risk in using Math.random() for UUID generation, as it's not cryptographically secure. Proposing to throw an error instead of silently falling back to an insecure method is a much safer design for a library.	High

Suggestions up to commit 26feed2

Category	Suggestion	Impact
Security	Avoid insecure Math.random() fallback Replace the insecure Math.random() fallback for UUID generation. Instead of silently using a non-cryptographically secure method, throw an error if a secure random number generator is unavailable. src/util/RandomGenerator.ts [28-30] -for (let i = 0; i < 16; i++) { - randomBytes[i] = Math.floor(Math.random() * 256) -} +throw new Error( + "Cryptographically secure random number generation is not available. " + + "Please ensure your environment supports crypto.getRandomValues() or crypto.randomUUID()." +) Suggestion importance[1-10]: 7 __ Why: The suggestion correctly identifies that Math.random() is not cryptographically secure, which is a valid security concern. However, the PR author has explicitly added this as a fallback for environments like React Native and documented this trade-off, so the proposed change to throw an error would be a breaking change against the PR's intent.	Medium

Suggestions up to commit ce231ba

Category	Suggestion	Impact
Security	Insecure UUID generation fallback Replace the insecure Math.random() fallback for UUID generation with an error to prevent creating predictable and potentially vulnerable database IDs when cryptographic APIs are unavailable. src/util/RandomGenerator.ts [28-30] -for (let i = 0; i < 16; i++) { - randomBytes[i] = Math.floor(Math.random() * 256) -} +throw new Error( + "Cryptographically secure random number generation is not available. " + + "UUID generation requires crypto.getRandomValues() or crypto.randomUUID()." +) Suggestion importance[1-10]: 9 __ Why: The suggestion correctly identifies a significant security vulnerability by using Math.random() for UUID generation, as it is not cryptographically secure and can lead to predictable IDs, which is a critical issue.	High

Suggestions up to commit bb5b5b5

Category	Suggestion	Impact
Security	Insecure UUID generation fallback Replace the insecure Math.random() fallback for UUID generation with an error, or add a production warning, to avoid creating predictable and potentially vulnerable IDs. src/util/RandomGenerator.ts [28-30] -for (let i = 0; i < 16; i++) { - randomBytes[i] = Math.floor(Math.random() * 256) -} +throw new Error( + "Cryptographically secure random number generation is not available. " + + "UUID generation requires crypto.getRandomValues() or crypto.randomUUID(). " + + "This environment does not support secure random generation." +) Suggestion importance[1-10]: 8 __ Why: The suggestion correctly identifies a significant security vulnerability introduced in the PR by using Math.random() for UUID generation, which is not cryptographically secure and could lead to predictable IDs.	Medium

Suggestions up to commit af425f4

Category	Suggestion	Impact
Security	Avoid weak Math.random() for UUIDs To mitigate a security risk, replace the Math.random() fallback for UUID generation with an error that prompts developers to provide a proper crypto polyfill for their environment. src/util/RandomGenerator.ts [23-30] -// Fallback for React Native/Hermes and environments without crypto support -// Hermes (React Native's JavaScript engine) does not provide crypto APIs -// Math.random() is permitted by RFC 4122 for UUID v4 ("pseudo-randomly") -// This approach is also used by expo-crypto and other RN libraries -// Note: For TypeORM's use case (DB IDs, cache IDs), uniqueness is sufficient -for (let i = 0; i < 16; i++) { - randomBytes[i] = Math.floor(Math.random() * 256) -} +// Fallback for environments without crypto support +// Throw error to ensure developers provide proper crypto polyfills +throw new Error( + "crypto.getRandomValues() is not available. " + + "Please provide a crypto polyfill for your environment." +) Suggestion importance[1-10]: 9 __ Why: The suggestion correctly identifies a critical security risk in using the non-cryptographically secure Math.random() for UUID generation, which could lead to predictable IDs. Forcing an error is a much safer default for a library.	High

[coveralls]

coverage: 80.87% (-0.02%) from 80.886%
when pulling dd2cb3c on mag123c:refactor/remove-sha-uuid-deps
into e5a8afb on typeorm:master.

[alumni]

Should be removed. globalThis.crypto should exist in all node versions that we support: Crypto: randomUUID() method - Web APIs | MDN

[alumni]

Let's use more modern JS, if TS allows it. This applies in other places in this PR, but I'll only write it here.

Suggested change

	if (
	typeof globalThis !== "undefined" &&
	globalThis.crypto &&
	typeof globalThis.crypto.randomUUID === "function"
	) {
	try {
	return globalThis.crypto.randomUUID()
	} catch (e) {
	// Fall through to custom implementation
	}
	}
	const uuid = globalThis.crypto?.randomUUID?.()
	if (uuid) {
	return uuid
	}

[alumni]

This would make more sense for SHA-1 which we already merged CC: @G0maa

But for UUIDv4, since the implementation is generic, we probably don't need to do it, we can use the implementation directly, without having to go through PlatformTools.

[alumni]

Let's keep the TSDoc for now

[G0maa]

Thanks for your contribution @mag123c.

Few nitpicks, PR is ok.

[G0maa]

I think these JSDoc params raise eslint warnings when not-existent. So if we're not going to fix them (understandable, unrelated to the PR) we shouldn't delete them. wdyt?

[alumni]

Yeah, this is what I mentioned in an earlier comment. I would revert the changes to this file.

[G0maa]

nitpick(needn't to fix): it seems that this type of logic is going to repeat a lot, should we abstract it somewhere (e.g. PlatformTools?) @alumni

[G0maa]

I see your comment references this above, so just to clarify: It seems in different places we have to do the same logic: If node do x, if browser do y, if RN do z. so I was suggesting a "standarized" way of doing this somewhere. i.e. such that every PR uses the same method.

[alumni]

I'd keep it as it is - we don't need to do things based on which platform we're running, but based on what features the platform provides. So if the platform provides the randomUUID function, we should use it.

Over time we should get rid of PlatformTools if possible.

[G0maa]

which environment is going to use this branch? (Browser, Node, RN, ...?)

[alumni]

Anything that does not support the Crypto WebAPI (or doesn't support it properly).

There are problems in Hermes (RN/Expo) as I understand.

[smith-xyz]

is this enough entropy for uniqueness? I imagine its generally okay but thought I'd ask out of interest 😄

[mag123c]

Yes, for uniqueness it's sufficient. This fallback is only for RN/Hermes environments, and was already discussed with @alumni above

[G0maa]

I think this PR is ready @alumni

[alumni]

I think this PR is ready @alumni

Our comments in PlatformTools were not solved entirely :P The PR is still removing the TSDoc that you recently added :P

[gioboa]

Thanks @mag123c 👏