Why this issue exists
Pinned uuid at 11.1.0 (current resolved) in PR fix/macos-tui-hardening. uuid is 3 majors behind (latest 14.0.0). Tracking the migration as a focused PR — small surface but breaking changes warrant explicit verification.
How we use it
Only 2 files import uuid. Trivial usage:
// src/lib/mailbox.ts
import { v4 as uuidv4 } from 'uuid';
return `msg-${uuidv4()}`;
// src/lib/team-chat.ts
import { v4 as uuidv4 } from 'uuid';
const id = `chat-${uuidv4()}`;
That's it. Two call sites, both v4(), both used as ID prefixes for mailbox messages and team chat sessions.
What's changed (11.1.0 → 14.0.0)
v12.0.0 — breaking
- CommonJS support removed — ESM only. We're already ESM — no impact.
- Node 16 dropped (now ≥ 18). We're on Node 24 — no impact.
- TypeScript 5.2 minimum for type definitions. We're on TS 5.8 — no impact.
- v4() perf improvement (bug-fix categorized as "fix").
v13.0.0 — breaking
- Browser exports made the default — Node imports unchanged when using bare from 'uuid'. Our import { v4 as uuidv4 } from 'uuid' still resolves to the Node entry under bun/node — no impact in practice, but worth verifying with a test.
v14.0.0 — breaking
- Requires Node.js 20+ (we're on 24 — no impact).
- Expects crypto to be globalThis everywhere — Node 20+ exposes globalThis.crypto, so this is automatic. Bun also exposes it. No impact.
Verification needed
Even though the breaking changes don't apply to our environment, verify after bump:
bun install uuid@14.0.0
bun test src/lib/mailbox.test.ts src/lib/team-chat.test.ts # whichever exists
node -e "import('uuid').then(m => console.log(m.v4()))" # smoke test
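The smoke test above only prints an ID. As an added example (not code from this repo), the sketch below checks the things this issue cares about: the package.json spec is an exact pin, and IDs shaped like the two call sites' output are valid v4 UUIDs. The helper names (isExactPin, isV4Id, hasGlobalCrypto, verifyBump) and the sample data are assumptions made for illustration.

```javascript
// Added example: post-bump checks. All helper names here are hypothetical.

// v4 layout: version nibble is 4, variant nibble is 8, 9, a or b.
// uuid's v4() emits lowercase hex, so the pattern is lowercase only.
const V4_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/;

// An exact pin is a bare x.y.z version: no ^, ~, ranges, tags or URLs.
function isExactPin(spec) {
  return /^\d+\.\d+\.\d+$/.test(spec);
}

// True when id is `${prefix}-` followed by a v4 UUID (msg-..., chat-...).
function isV4Id(id, prefix) {
  const head = `${prefix}-`;
  return typeof id === 'string' && id.startsWith(head) && V4_RE.test(id.slice(head.length));
}

// uuid 14 expects WebCrypto on globalThis; report whether it is present.
function hasGlobalCrypto() {
  return typeof globalThis.crypto?.getRandomValues === 'function';
}

// Returns a list of problems; an empty list means the bump looks sane.
function verifyBump(pkg, expected, samples) {
  const problems = [];
  const spec = pkg.dependencies?.uuid;
  if (!isExactPin(spec ?? '')) problems.push(`uuid spec "${spec}" is not an exact pin`);
  else if (spec !== expected) problems.push(`uuid pinned at ${spec}, expected ${expected}`);
  for (const [prefix, ids] of Object.entries(samples)) {
    for (const id of ids) {
      if (!isV4Id(id, prefix)) problems.push(`invalid ${prefix} id: ${id}`);
    }
    if (new Set(ids).size !== ids.length) problems.push(`duplicate ${prefix} ids`);
  }
  return problems;
}

// Constructed sample input (not real package.json contents or real IDs).
const samplePkg = { dependencies: { uuid: '14.0.0' } };
const sampleIds = {
  msg: ['msg-9b2f6c1e-3d4a-4f7b-8c2d-1a2b3c4d5e6f'],
  chat: ['chat-0f8e7d6c-5b4a-4321-a987-6543210fedcb'],
};
console.log({ crypto: hasGlobalCrypto(), problems: verifyBump(samplePkg, '14.0.0', sampleIds) });
```

In a real run, feed verifyBump the parsed package.json and IDs collected from the two call sites instead of the constructed samples.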
What we gain
- Supply-chain hygiene. Exact pin per the post-CanisterWorm policy.
- v4() perf improvement from v12.0.0 — micro-optimization but free.
- Smaller install footprint — CJS shim removed in v12, ~30% smaller package.
- Modernized typings — TS 5.2+ baseline matches the rest of our toolchain.
Migration cost estimate
- 15 minutes total. Two import lines, no API change for v4(). Just bump and smoke test.
- Risk: very low. The smallest of the four pending bumps.
Acceptance criteria
- uuid to 14.0.0 in package.json (exact pin)
- (src/lib/mailbox.ts, src/lib/team-chat.ts) still resolve and produce valid v4 UUIDs
- bun test clean
Context
- Followup from PR fix/macos-tui-hardening (pinned packages for supply-chain hygiene post-CanisterWorm)
- Companion follow-ups: commander v14, inquirer v8, zod v4