Remove dependency on `uuid` package #1824
Are you going to be able to progress this PR soon? It looks like you are just waiting for your team to review.
##### [`v1.11.0`](https://github.com/actions/toolkit/blob/HEAD/packages/core/RELEASES.md#1110) - Remove dependency on `uuid` package [#1824](actions/toolkit#1824)
As the crypto global package is being used without an import/require statement, if the client is using a node version < 19 (when crypto became a global package in node.js https://nodejs.org/api/globals.html#crypto_1) the action that uses the toolkit will fail with a
This seems to have caused #1841
Just to be sure, are you (or somebody else) going to release a new version of Edit: removed misleading screenshot of @actions/[email protected]
@MikeMcC399 yes I'm planning to upgrade the packages that depend on It's worth noting that
Thanks for the confirmation! Looking forward to new releases which no longer depend on a deprecated version of
When do you intend to release a version of
A common pattern in the toolkit is to create a temporary file or directory within the existing temp directory using a random UUID.

Versions of the `uuid` package below `v7` are deprecated, so we shouldn't depend on them. Additionally, Node has a built-in `crypto.randomUUID()` method that can be used to generate UUIDs without the need for an external package. This function was introduced in versions of Node 14 and 15, so we should be safe to use it for actions that depend on both Node 16 and 20 (which are our only supported versions at this time).

I also went ahead and updated `@actions/core`, even though it was using a non-deprecated version of the `uuid` package.

Since these use cases are purely for temporary files, I don't think we strictly need a cryptographically secure UUID, but that's an added bonus of using the built-in Node function.

Packages shouldn't be depending on the exact format of this temp file/directory, but even if they were, this should be compatible as we're still generating a version 4 UUID.

There are a couple of other packages within the toolkit that have an indirect dependency on `uuid` through `@actions/core`; those can be updated as well once we release this new version of `@actions/core`.