build(deps): bump uuid from 3.4.0 to 14.0.0#258
dependabot[bot] wants to merge 1 commit into master from
Conversation
Bumps [uuid](https://github.com/uuidjs/uuid) from 3.4.0 to 14.0.0.
- [Release notes](https://github.com/uuidjs/uuid/releases)
- [Changelog](https://github.com/uuidjs/uuid/blob/main/CHANGELOG.md)
- [Commits](uuidjs/uuid@v3.4.0...v14.0.0)

---
updated-dependencies:
- dependency-name: uuid
  dependency-version: 14.0.0
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
| "stream-csv-as-json": "^1.0.1", | ||
| "stream-json": "^1.2.1", | ||
| "uuid": "^3.3.2", | ||
| "uuid": "^14.0.0", |
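Review bot: the range change from "^3.3.2" to "^14.0.0" is not self-contained: the commit list on this page for 14.0.0 includes "fix!: expect crypto to be global everywhere (requires node@20+)" and "feat!: drop node@18 support", yet this hunk touches only the uuid line and shows no accompanying `engines.node` change, so either raise `engines.node` to `>=20` in the same PR or state explicitly that every runtime and CI job already meets it. The thread also flags that the code still does `const uuid = require('uuid'); uuid()` (uuid v3's default export); that call shape has no equivalent in the v14 manifest and the migration of those call sites should land before or with this bump, not after. Dependabot's notice that 14.0.0 now ships a `prepare` script is worth acting on too: inspect the published tarball (for example `npm pack uuid@14.0.0` and read the extracted package.json) rather than relying on the PR body, and confirm the yarn.lock hunk, not shown here, resolves uuid to 14.0.0 with an integrity hash.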
Blocking: uuid@14 is published as "type": "module" with ESM dist-node entry points only—require('uuid') from CommonJS will not load this package the way uuid v3 did (module.exports = v4). The tree still uses const uuid = require('uuid'); uuid() (e.g. in test/unit/commands/insights-test.js). Update those call sites to ESM imports (or another supported interop strategy) and ensure the test runner loads them, or pin to a CJS-compatible uuid release line that matches project constraints.
This review was generated by review-bot.
Blocking: package.json — uuid@14 requires Node 20+ and ships as ESM-only; the repo still declares Node ≥12 and the codebase uses CommonJS require('uuid') callable as v4 (uuid v3 pattern), which will not work against uuid@14 without an import/ESM migration (or choosing a CJS-compatible release line).
Scope
Dependabot raises uuid from 3.4.0 to 14.0.0; canonical change set is package.json and yarn.lock only.
CI
Checks were still pending in the review context. CI failures should gate merge via branch protection; they are not duplicated here as substitute review blockers.
Regression risk
[suggestion] Major semver jump (3→14) includes removal of CommonJS support in the uuid release line and runtime expectations around global crypto; runtime and test behavior need to match what yarn installs.
Bugbot: no blocking threads — no action.
Upstream: uuidjs/uuid (release notes and changelog linked in the PR body; compare v3.4.0→v14.0.0).
This review was generated by review-bot.
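Both review comments above hinge on one question: will a CommonJS `require('uuid')` still resolve to a CommonJS entry point after the bump? The block below is an added example, not code from this repository or from uuidjs/uuid. It implements a pre-flight check that takes a parsed package.json object, walks its `exports` map with the conditions Node applies to a `require()` call (`node`, `require`, `default`, in key order), and classifies the resolved file's module format from its extension and the package-level `type` field. The sample manifests are constructed and only approximate what uuid v3 and v14 publish; run the check against the real `node_modules/uuid/package.json` after `yarn install`. The resolver is deliberately simplified (no subpath patterns, no custom conditions, no `null` targets), and a `requireable: false` result means "fails on Node releases without require(esm) support"; on newer Node the load may succeed but the v3 calling convention `uuid()` still would not exist, as the thread notes.

```javascript
// Added example (not from the repository or from uuidjs/uuid): decide whether
// `require('<pkg>')` from CommonJS resolves to a CommonJS entry point.
// Conditions Node matches, in manifest key order, for a CommonJS require().
const REQUIRE_CONDITIONS = new Set(['node', 'require', 'default']);

// Resolve one exports target (string, array, or conditions object) to a path,
// or null when no require-compatible condition matches. Simplified: arrays
// take the first resolvable entry, unknown conditions are skipped.
function resolveTarget(target) {
  if (typeof target === 'string') return target;
  if (Array.isArray(target)) {
    for (const t of target) {
      const r = resolveTarget(t);
      if (r) return r;
    }
    return null;
  }
  if (target && typeof target === 'object') {
    for (const [cond, sub] of Object.entries(target)) {
      if (REQUIRE_CONDITIONS.has(cond)) {
        const r = resolveTarget(sub);
        if (r) return r;
      }
    }
  }
  return null;
}

// Entry point a CommonJS require() of the package root would load, or null
// when the exports map offers nothing for a require() caller.
function cjsRootEntry(pkg) {
  const exp = pkg.exports;
  if (exp === undefined) return pkg.main || './index.js';
  // A subpath map has keys starting with "."; otherwise exports is the
  // sugar form (string, array, or a conditions-only object) for the root.
  const isSubpathMap = exp && typeof exp === 'object' && !Array.isArray(exp)
    && Object.keys(exp).some((k) => k.startsWith('.'));
  return resolveTarget(isSubpathMap ? exp['.'] : exp);
}

// Module format Node assigns to a file inside this package: ".cjs"/".mjs"
// are explicit; ".js" follows the package-level "type" (default "commonjs").
function formatOf(file, pkg) {
  if (file.endsWith('.cjs')) return 'commonjs';
  if (file.endsWith('.mjs')) return 'module';
  return pkg.type === 'module' ? 'module' : 'commonjs';
}

// The check itself: { entry, format, requireable }.
function checkRequireInterop(pkg) {
  const entry = cjsRootEntry(pkg);
  if (entry === null) return { entry: null, format: null, requireable: false };
  const format = formatOf(entry, pkg);
  return { entry, format, requireable: format === 'commonjs' };
}

// Constructed sample manifests (assumption: they approximate, and do not
// reproduce, the real uuid v3 and v14 package.json files).
const sampleV3Like = {
  name: 'uuid', version: '3.4.0', main: './index.js',
};
const sampleV14Like = {
  name: 'uuid', version: '14.0.0', type: 'module',
  exports: { '.': { types: './dist/index.d.ts', default: './dist/index.js' } },
};
// A hypothetical dual-published package, for contrast.
const sampleDualLike = {
  name: 'example-dual', version: '1.0.0', type: 'module',
  exports: { '.': { import: './dist/esm/index.js', require: './dist/cjs/index.cjs' } },
};

for (const pkg of [sampleV3Like, sampleV14Like, sampleDualLike]) {
  console.log(`${pkg.name}@${pkg.version}`, checkRequireInterop(pkg));
}
```

Point the check at the installed manifest (`JSON.parse(fs.readFileSync('node_modules/uuid/package.json', 'utf8'))`) in a CI step that fails the build when `requireable` is false while `require('uuid')` call sites still exist; that turns the review thread's concern into a gate rather than a comment.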
Bumps uuid from 3.4.0 to 14.0.0.
Release notes
Sourced from uuid's releases.
... (truncated)
Changelog
Sourced from uuid's changelog.
... (truncated)
Commits
- 7c1ea08 chore(main): release 14.0.0 (#926)
- 3d2c5b0 Merge commit from fork
- f2c235f fix!: expect crypto to be global everywhere (requires node@20+) (#935)
- 529ef08 chore: upgrade TypeScript and fixup types (#927)
- 086fd79 chore: update dependencies (#933)
- dc4ddb8 feat!: drop node@18 support (#934)
- 0f1f9c9 chore: switch to Biome for parsing and linting (#932)
- e2879e6 chore: use maintained version of npm-run-all (#930)
- ffa3138 fix: Use GITHUB_TOKEN for release-please and enable npm provenance (#925)
- 0423d49 docs: remove obsolete v1 option notes (#915)

Maintainer changes
This version was pushed to npm by GitHub Actions, a new releaser for uuid since your current version.
Install script changes
This version adds a prepare script that runs during installation. Review the package contents before updating.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- @dependabot rebase will rebase this PR
- @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
- @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
- @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

You can disable automated security fix PRs for this repo from the Security Alerts page.