chore(deps): bump uuid from 3.4.0 to 14.0.0 #394
dependabot[bot] wants to merge 1 commit into master from
Bumps [uuid](https://github.com/uuidjs/uuid) from 3.4.0 to 14.0.0.
- [Release notes](https://github.com/uuidjs/uuid/releases)
- [Changelog](https://github.com/uuidjs/uuid/blob/main/CHANGELOG.md)
- [Commits](uuidjs/uuid@v3.4.0...v14.0.0)

---
updated-dependencies:
- dependency-name: uuid
  dependency-version: 14.0.0
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
| "tmp-promise": "^2.0.1", | ||
| "unzipper": "^0.10.0", | ||
| "uuid": "^3.3.2", | ||
| "uuid": "^14.0.0", |
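Review bot: the "uuid": "^14.0.0" line moves the range from ^3.3.2 across eleven major versions in a single step, and nothing else in this hunk changes with it. The commit list for the release includes two breaking changes ("feat!: drop node@18 support" and "fix!: expect crypto to be global everywhere (requires node@20+)"), and Dependabot's notes flag a new releaser and a prepare script. Suggest not taking this as a bare range change: land it together with the Node matrix update or step to a major the current matrix supports, and check the yarn.lock entry's resolved URL and integrity value against the registry before merging.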
Blocking: uuid 14.x is ESM-only and targets Node 20+ (global crypto). This repo’s GitHub Actions matrix still runs Node 14.x and 16.x; on Node 16, require('uuid') throws ERR_REQUIRE_ESM. Merge needs a coordinated Node matrix / runtime bump or a different dependency strategy—uuid 14 alone will not pass existing CI as configured.
This review was generated by review-bot.
[blocking] Blocking: package.json — uuid 14.x requires Node 20+ and ships as ESM (type: module); the repository still runs PR checks on Node 14.x and 16.x, where require('uuid') in tests fails with ERR_REQUIRE_ESM. The dependency bump needs an accompanying CI/runtime upgrade (or a different uuid major that matches the supported Node line).
Scope
Dependabot raises direct uuid from 3.x to ^14.0.0 in package.json with matching yarn.lock refresh only; no workflow or source import changes are included.
Bugbot: no blocking threads — no action.
CI
Checks are still pending in context; regardless, the configured matrix in .github/workflows/pr-build.yaml targets Node 14 and 16, which is incompatible with uuid 14’s stated platform support and observed runtime behavior.
Regression risk
High: installs/tests that use CommonJS require('uuid') will break on Node versions below those uuid 14 supports, matching the current CI matrix.
Upstream: uuidjs/uuid#926 (v14.0.0 release thread in Dependabot notes; compare view covers 3.4.0→14.0.0).
Follow-up for merge
Raise the Actions Node matrix (and any documented consumer minimum) to Node 20+ before or with this bump, migrate CJS tests off require('uuid') if any target remains on older Node, and [suggestion] drop or realign @types/uuid now that uuid ships its own types.
This review was generated by review-bot.
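The mismatch the reviews above describe (Node floor above the CI matrix, no CommonJS entry point) plus the install-script notice can be checked mechanically before a bump is merged. The following is an added example, not code from this repository or from uuid; the two manifests are constructed for illustration, and only the matrix values 14 and 16 come from the reviews.

```javascript
// Added example. Manifests are constructed; only the matrix (14, 16) is from the page.
// Lowest Node major accepted by a simple lower-bound range (">=20", "^18.12 || >=20").
function minNodeMajor(range) {
  if (!range) return 0; // no engines.node declared
  const majors = range.split("||").map((part) => {
    const m = part.match(/\d+/);
    return m ? Number(m[0]) : 0;
  });
  return Math.min(...majors);
}

// Heuristic: require() has an entry point if exports carries a "require"
// condition or the package is not "type": "module". Ignores .cjs/.mjs files.
function hasRequireEntry(manifest) {
  const hasCond = (node) =>
    node !== null && typeof node === "object" &&
    Object.entries(node).some(([key, val]) => key === "require" || hasCond(val));
  return hasCond(manifest.exports) || manifest.type !== "module";
}

const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Returns findings a reviewer should resolve before merging the bump.
function checkBump(manifest, matrixMajors) {
  const findings = [];
  const min = minNodeMajor(manifest.engines && manifest.engines.node);
  const tooOld = matrixMajors.filter((major) => major < min);
  if (tooOld.length > 0) {
    findings.push({ kind: "engines", detail: `needs Node ${min}+, CI runs ${tooOld.join(", ")}` });
  }
  if (!hasRequireEntry(manifest)) {
    findings.push({ kind: "esm-only", detail: "no require() entry point; check CommonJS callers" });
  }
  for (const hook of INSTALL_HOOKS) {
    if (manifest.scripts && manifest.scripts[hook]) {
      findings.push({ kind: "install-script", detail: `${hook}: ${manifest.scripts[hook]}` });
    }
  }
  return findings;
}

// Constructed manifests shaped like the old and new majors the reviews describe.
const prev = { name: "example-dep", version: "3.4.0", main: "index.js" };
const next = {
  name: "example-dep", version: "14.0.0", type: "module",
  engines: { node: ">=20" }, scripts: { prepare: "example-build" },
  exports: { ".": { types: "./dist/index.d.ts", default: "./dist/index.js" } },
};
for (const f of checkBump(next, [14, 16])) console.log(`${f.kind}: ${f.detail}`);
```

Run against the manifest read from the candidate version's tarball, a non-empty result is a reason to hold the merge until the matrix, the import style, or the install script has been reviewed.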
Automatically requested review from @jagoda because they were a top contributor. Feel free to reassign this to someone else who may be better able to review this PR. Please merge this PR after approving.
Bumps uuid from 3.4.0 to 14.0.0.
Release notes
Sourced from uuid's releases.
... (truncated)
Changelog
Sourced from uuid's changelog.
... (truncated)
Commits
- 7c1ea08 chore(main): release 14.0.0 (#926)
- 3d2c5b0 Merge commit from fork
- f2c235f fix!: expect crypto to be global everywhere (requires node@20+) (#935)
- 529ef08 chore: upgrade TypeScript and fixup types (#927)
- 086fd79 chore: update dependencies (#933)
- dc4ddb8 feat!: drop node@18 support (#934)
- 0f1f9c9 chore: switch to Biome for parsing and linting (#932)
- e2879e6 chore: use maintained version of npm-run-all (#930)
- ffa3138 fix: Use GITHUB_TOKEN for release-please and enable npm provenance (#925)
- 0423d49 docs: remove obsolete v1 option notes (#915)

Maintainer changes
This version was pushed to npm by GitHub Actions, a new releaser for uuid since your current version.
Install script changes
This version adds prepare script that runs during installation. Review the package contents before updating.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- @dependabot rebase will rebase this PR
- @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
- @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
- @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

You can disable automated security fix PRs for this repo from the Security Alerts page.