
chore(deps): bump uuid from 11.1.1 to 14.0.0 #562

Open: dependabot[bot] wants to merge 1 commit into main from dependabot/npm_and_yarn/uuid-14.0.0

dependabot[bot] commented on behalf of github on May 6, 2026

Bumps uuid from 11.1.1 to 14.0.0.

Release notes

Sourced from uuid's releases.

v14.0.0

14.0.0 (2026-04-19)

⚠ BREAKING CHANGES

  • expect crypto to be global everywhere (requires node@20+) (#935)
  • drop node@18 support (#934)

Features

Bug Fixes

  • expect crypto to be global everywhere (requires node@20+) (#935) (f2c235f)
  • Use GITHUB_TOKEN for release-please and enable npm provenance (#925) (ffa3138)

v13.0.2

13.0.2 (2026-05-04)

Bug Fixes

  • rerelease to fix provenance. (49ccb35)

v13.0.1

13.0.1 (2026-04-27)

Bug Fixes

v13.0.0

13.0.0 (2025-09-08)

⚠ BREAKING CHANGES

  • make browser exports the default (#901)

Bug Fixes

v12.0.1

12.0.1 (2026-04-29)

... (truncated)

Changelog

Sourced from uuid's changelog.

14.0.0 (2026-04-19)

Security

  • Fixes GHSA-w5hq-g745-h8pq: v3(), v5(), and v6() did not validate that writes would remain within the bounds of a caller-supplied buffer, allowing out-of-bounds writes when an invalid offset was provided. A RangeError is now thrown if offset < 0 or offset + 16 > buf.length.

⚠ BREAKING CHANGES

  • crypto is now expected to be globally defined (requires node@20+) (#935)
  • drop node@18 support (#934)
  • upgrade minimum supported TypeScript version to 5.4.3, in keeping with the project's policy of supporting TypeScript versions released within the last two years

13.0.0 (2025-09-08)

⚠ BREAKING CHANGES

  • make browser exports the default (#901)

Bug Fixes

12.0.0 (2025-09-05)

⚠ BREAKING CHANGES

  • update to typescript@5.2 (#887)
  • remove CommonJS support (#886)
  • drop node@16 support (#883)

Features

Bug Fixes

11.1.0 (2025-02-19)

... (truncated)

Commits
  • 7c1ea08 chore(main): release 14.0.0 (#926)
  • 3d2c5b0 Merge commit from fork
  • f2c235f fix!: expect crypto to be global everywhere (requires node@20+) (#935)
  • 529ef08 chore: upgrade TypeScript and fixup types (#927)
  • 086fd79 chore: update dependencies (#933)
  • dc4ddb8 feat!: drop node@18 support (#934)
  • 0f1f9c9 chore: switch to Biome for parsing and linting (#932)
  • e2879e6 chore: use maintained version of npm-run-all (#930)
  • ffa3138 fix: Use GITHUB_TOKEN for release-please and enable npm provenance (#925)
  • 0423d49 docs: remove obsolete v1 option notes (#915)
  • Additional commits viewable in compare view


Note

Medium Risk
Dependency-only change but uuid@14 has breaking runtime assumptions (expects global crypto / Node 20+), so UUID generation paths could fail in unsupported environments or test runners.

Overview
Updates the uuid dependency from 11.1.1 to 14.0.0 in package.json and refreshes pnpm-lock.yaml accordingly.

No application code changes are included, so any impact will come from uuid behavior/runtime requirement changes affecting existing uuidv4() call sites.

Reviewed by Cursor Bugbot for commit 45c4576. Bugbot is set up for automated code reviews on this repo.
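
The bounds rule from the 14.0.0 changelog entry above (reject when offset < 0 or offset + 16 > buf.length), written as a caller-side guard. This is an added JavaScript example, not code from uuid or from this pull request. The function names and sample bytes are hypothetical, and the integer check on offset is an extra assumption; the unchecked writer shows how JavaScript containers behave when the guard is missing.

```javascript
// Added illustration; not code from the uuid package or this repository.
const UUID_LEN = 16;

// Guard for the rule quoted in the changelog:
// throw when offset < 0 or offset + 16 > buf.length.
// Rejecting non-integer offsets is an assumption of this example.
function assertUuidFits(buf, offset = 0) {
  if (!Number.isInteger(offset) || offset < 0 || offset + UUID_LEN > buf.length) {
    throw new RangeError(
      `UUID byte range ${offset}:${offset + UUID_LEN} is outside buffer of length ${buf.length}`
    );
  }
}

// Hypothetical unchecked writer: the shape of code the guard protects.
function writeUnchecked(bytes, buf, offset = 0) {
  for (let i = 0; i < UUID_LEN; i++) buf[offset + i] = bytes[i];
  return buf;
}

// Checked writer: validate first, so a rejected call leaves buf untouched.
function writeChecked(bytes, buf, offset = 0) {
  assertUuidFits(buf, offset);
  return writeUnchecked(bytes, buf, offset);
}

// Constructed sample: 16 non-zero bytes standing in for a UUID.
const sample = Uint8Array.from({ length: UUID_LEN }, (_, i) => i + 1);

// What the missing check costs, per container type (20-slot buffer, offset 8).
function demo() {
  // Typed array: writes past the end are ignored, so 4 bytes vanish silently.
  const typed = writeUnchecked(sample, new Uint8Array(20), 8);
  // Plain array: writes past the end grow the caller's array to 24 entries.
  const plain = writeUnchecked(sample, new Array(20).fill(0), 8);
  let rejected = false;
  try {
    writeChecked(sample, new Uint8Array(20), 8);
  } catch (e) {
    rejected = e instanceof RangeError;
  }
  return { typedLength: typed.length, typedLast: typed[19], plainLength: plain.length, rejected };
}

console.log(demo());
```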

dependabot[bot] added the dependencies and javascript labels on May 6, 2026
dependabot[bot] requested a review from a team as a code owner on May 6, 2026 18:04
dependabot[bot] changed the title from "chore(deps): bump uuid from 11.1.0 to 14.0.0" to "chore(deps): bump uuid from 11.1.1 to 14.0.0" on May 8, 2026
dependabot[bot] force-pushed the dependabot/npm_and_yarn/uuid-14.0.0 branch from e87460c to 7149428 on May 8, 2026 16:25

cursor[bot] left a comment

Cursor Bugbot has reviewed your changes and found 1 potential issue.

Bugbot Autofix prepared a fix for the issue found in the latest run.

  • ✅ Fixed: ESM-only uuid breaks declared Node 20.0-20.18 compatibility
    • Replaced direct uuid usage with Node's native randomUUID and removed the uuid dependency so CommonJS output no longer loads an ESM-only package under Node 20.

Preview (567072a443)
diff --git a/package.json b/package.json
--- a/package.json
+++ b/package.json
@@ -80,7 +80,6 @@
     "recast": "0.23.9",
     "semver": "7.7.1",
     "terminal-link": "2.1.1",
-    "uuid": "14.0.0",
     "xcode": "3.0.1",
     "yargs": "16.2.0",
     "zod": "4.3.6",
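
Review bot: removing the "uuid": "14.0.0" line is only safe if nothing left in the tree still imports 'uuid'. This preview rewrites the imports in correlation.ts, analytics.ts and install-id.ts and drops the mock in analytics.test.ts, but a file outside those four would no longer resolve the package. Run a repository-wide search for from 'uuid' and require('uuid') before merging, and consider a lint rule that bans the import so it cannot return unnoticed.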

diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -113,9 +113,6 @@
       terminal-link:
         specifier: 2.1.1
         version: 2.1.1
-      uuid:
-        specifier: 14.0.0
-        version: 14.0.0
       xcode:
         specifier: 3.0.1
         version: 3.0.1
@@ -3622,10 +3619,6 @@
   util-arity@1.1.0:
     resolution: {integrity: sha512-kkyIsXKwemfSy8ZEoaIz06ApApnWsk5hQO0vLjZS6UkBiGiW++Jsyb8vSBoc0WKlffGoGs5yYy/j5pp8zckrFA==}
 
-  uuid@14.0.0:
-    resolution: {integrity: sha512-Qo+uWgilfSmAhXCMav1uYFynlQO7fMFiMVZsQqZRMIXp0O7rR7qjkj+cPvBHLgBqi960QCoo/PH2/6ZtVqKvrg==}
-    hasBin: true
-
   uuid@7.0.3:
     resolution: {integrity: sha512-DPSke0pXhTZgoF/d+WSt2QaKMCFSfx7QegxEWT+JOuHF5aWrKEn0G+ztjuJg/gG8/ItK+rbPCD/yNv8yyih6Cg==}
     deprecated: uuid@10 and below is no longer supported.  For ESM codebases, update to uuid@latest.  For CommonJS codebases, use uuid@11 (but be aware this version will likely be deprecated in 2028).
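
Review bot: the context lines under the removed uuid@14.0.0 entry show uuid@7.0.3 still resolved and marked deprecated ("uuid@10 and below is no longer supported"). Dropping the direct dependency leaves that older transitive copy in the tree, and the bounds check listed under GHSA-w5hq-g745-h8pq in the 14.0.0 changelog is not part of it; whether the advisory affects that version is not stated here. Identify the package that pulls it in (pnpm why uuid), check whether it passes a caller-supplied buffer and offset to v3() or v5(), and track an upgrade of that parent separately.
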
@@ -7205,8 +7198,6 @@
 
   util-arity@1.1.0: {}
 
-  uuid@14.0.0: {}
-
   uuid@7.0.3: {}
 
   v8-compile-cache-lib@3.0.1: {}

diff --git a/src/lib/observability/correlation.ts b/src/lib/observability/correlation.ts
--- a/src/lib/observability/correlation.ts
+++ b/src/lib/observability/correlation.ts
@@ -5,7 +5,7 @@
  * - runId: new UUID per agent attempt (reset on stall-retry)
  */
 
-import { v4 as uuidv4 } from 'uuid';
+import { randomUUID } from 'node:crypto';
 
 let _sessionId: string | null = null;
 let _runId: string | null = null;
@@ -14,7 +14,7 @@
 /** Initialize with the analytics session ID. Call once at startup. */
 export function initCorrelation(sessionId: string): void {
   _sessionId = sessionId;
-  _runId = uuidv4().slice(0, 8); // Short for log readability
+  _runId = randomUUID().slice(0, 8); // Short for log readability
   _sessionStartMs = Date.now();
 }
 
@@ -40,6 +40,6 @@
 
 /** Create a new run ID (call on agent retry / stall recovery). */
 export function rotateRunId(): string {
-  _runId = uuidv4().slice(0, 8);
+  _runId = randomUUID().slice(0, 8);
   return _runId;
 }
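
Review bot: rotateRunId() repeats the randomUUID().slice(0, 8) expression from initCorrelation(), so the run ID length is defined in two places. Pull it into one small helper (for example newRunId()) so the two call sites cannot drift apart. The first eight hex characters of a v4 UUID carry 32 random bits, which suits a log correlation label as the comment says, but the value should not be reused where uniqueness or unpredictability matters.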

diff --git a/src/utils/__tests__/analytics.test.ts b/src/utils/__tests__/analytics.test.ts
--- a/src/utils/__tests__/analytics.test.ts
+++ b/src/utils/__tests__/analytics.test.ts
@@ -1,5 +1,3 @@
-import { type MockedFunction } from 'vitest';
-
 const { mockCreateInstance, MockIdentify } = vi.hoisted(() => {
   const mockCreateInstance = vi.fn(() => ({
     init: vi.fn(() => ({ promise: Promise.resolve() })),
@@ -22,10 +20,6 @@
   Identify: MockIdentify,
 }));
 
-vi.mock('uuid', () => ({
-  v4: vi.fn(() => 'test-uuid'),
-}));
-
 vi.mock('../../lib/observability', () => ({
   getSessionId: vi.fn().mockReturnValue('test-session-id'),
   getRunId: vi.fn().mockReturnValue('test-run-id'),
@@ -54,18 +48,13 @@
   getOrCreateInstallId: vi.fn(() => 'test-uuid'),
 }));
 
-import { v4 as uuidv4 } from 'uuid';
-
 import { Analytics, resolveTelemetryApiKey } from '../analytics.js';
 
-const mockUuidv4 = uuidv4 as MockedFunction<typeof uuidv4>;
-
 describe('Analytics', () => {
   let analytics: Analytics;
 
   beforeEach(() => {
     vi.clearAllMocks();
-    mockUuidv4.mockReturnValue('test-uuid' as any);
     analytics = new Analytics();
   });
 

diff --git a/src/utils/analytics.ts b/src/utils/analytics.ts
--- a/src/utils/analytics.ts
+++ b/src/utils/analytics.ts
@@ -1,6 +1,6 @@
+import { randomUUID } from 'node:crypto';
 import { createInstance, Identify } from '@amplitude/analytics-node';
 import type { WizardSession } from '../lib/wizard-session';
-import { v4 as uuidv4 } from 'uuid';
 import { debug } from './debug';
 import { IS_DEV } from '../lib/constants';
 import { getSessionId, getRunId, setSentryUser } from '../lib/observability';
@@ -96,7 +96,7 @@
     this.sessionProperties = { $app_name: this.appName };
     // Persistent install ID stitches pre-auth runs across invocations;
     // fall back to a per-process UUID if disk access fails.
-    this.anonymousId = getOrCreateInstallId() ?? uuidv4();
+    this.anonymousId = getOrCreateInstallId() ?? randomUUID();
     this.distinctId = undefined;
     this.client = createInstance();
   }
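
Review bot: the ?? randomUUID() fallback on the changed line is no longer pinned by any mock, since the same patch removes vi.mock('uuid') and mockUuidv4.mockReturnValue('test-uuid') from analytics.test.ts. The test lines shown still get 'test-uuid' only because getOrCreateInstallId is mocked to return it, so the fallback branch is not exercised there. Add a case where getOrCreateInstallId returns undefined and assert that anonymousId matches the UUID format, or mock node:crypto if a fixed value is needed.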

diff --git a/src/utils/install-id.ts b/src/utils/install-id.ts
--- a/src/utils/install-id.ts
+++ b/src/utils/install-id.ts
@@ -12,7 +12,7 @@
 import * as fs from 'node:fs';
 import * as os from 'node:os';
 import * as path from 'node:path';
-import { v4 as uuidv4 } from 'uuid';
+import { randomUUID } from 'node:crypto';
 import { z } from 'zod';
 import { atomicWriteJSON } from './atomic-write.js';
 import { debug } from './debug.js';
@@ -56,7 +56,7 @@
   }
 
   const record: InstallRecord = {
-    installId: uuidv4(),
+    installId: randomUUID(),
     createdAt: new Date().toISOString(),
   };

Reviewed by Cursor Bugbot for commit 7149428.

Comment thread package.json
"semver": "7.7.1",
"terminal-link": "2.1.1",
"uuid": "11.1.1",
"uuid": "14.0.0",

ESM-only uuid breaks declared Node 20.0-20.18 compatibility

Low Severity

Bumping uuid from 11.1.1 to 14.0.0 crosses v12's removal of CommonJS support. This project emits CJS (no "type": "module", module: "node16" in tsconfig), so TypeScript compiles import { v4 } from 'uuid' to require('uuid'). This works on Node 20.19+ (which backported require(esm)) but fails with ERR_REQUIRE_ESM on Node 20.0–20.18, which the engines field ">=20" still advertises as supported.


kelsonpw removed the request for review from a team on May 18, 2026 18:05

Bumps [uuid](https://github.com/uuidjs/uuid) from 11.1.1 to 14.0.0.
- [Release notes](https://github.com/uuidjs/uuid/releases)
- [Changelog](https://github.com/uuidjs/uuid/blob/main/CHANGELOG.md)
- [Commits](uuidjs/uuid@v11.1.1...v14.0.0)

---
updated-dependencies:
- dependency-name: uuid
  dependency-version: 14.0.0
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot[bot] force-pushed the dependabot/npm_and_yarn/uuid-14.0.0 branch from 7149428 to 45c4576 on May 22, 2026 18:02