Skip to content

fix: replace uuid dependency with node:crypto.randomUUID (critical crash fix)#24

Merged
terchris merged 1 commit into
mainfrom
fix/uuid-esm-crash
Jul 14, 2026
Merged

fix: replace uuid dependency with node:crypto.randomUUID (critical crash fix)#24
terchris merged 1 commit into
mainfrom
fix/uuid-esm-crash

Conversation

@terchris

Copy link
Copy Markdown
Contributor

Summary

  • Critical: uuid@12.0.0+ dropped CommonJS support entirely. The earlier OTel dependency sweep bumped uuid 9.0.1→14.0.1, and the compiled dist/logger.js's static require('uuid') now throws ERR_REQUIRE_ESM immediately on load — crashing every consumer of the published package, not an edge case.
  • Replaced with node:crypto's built-in randomUUID() — a drop-in replacement for the plain v4 UUIDs used here (event_id, temp_trace_id, session_id). This is literally what @opentelemetry/resources' own ServiceInstanceIdDetector uses internally for the same purpose.
  • Removed the uuid/@types/uuid dependency entirely (not just pinned back) — no security tradeoff, npm audit shows zero advisories for uuid at any version, so the original bump wasn't fixing a vulnerability.
  • Added a postbuild smoke test (node -e "require('./dist/index.js')") so a require()-breaking regression like this fails the build immediately instead of only surfacing when a real consumer hits the crash.
  • Version bump: 1.0.11.0.2 (patch — internal dependency fix, no public API change).

Test plan

  • npm run build — clean, postbuild smoke test passes
  • node -e "require('./dist/logger.js')" — confirmed crash before fix, confirmed clean after
  • Full end-to-end verification against real Grafana Cloud data via sovdev-selftest: write-log, write-metric, read-log, read-metric all pass, using a real external consumer's (ollacrm) own credentials
  • npm audit — 0 vulnerabilities after removing uuid

🤖 Generated with Claude Code

uuid@12.0.0 dropped CommonJS support entirely (ESM-only since then).
sovdev-logger's OTel dependency sweep bumped uuid 9.0.1 -> 14.0.1 without
catching this -- the compiled dist/logger.js's static require('uuid')
now throws ERR_REQUIRE_ESM immediately on load, crashing every consumer,
not just an edge case. No security tradeoff either: npm audit shows zero
advisories for uuid at any version, so the original bump wasn't fixing
a vulnerability.

crypto.randomUUID() (Node builtin since v14.17, this project already
requires >=22.0.0) is a drop-in replacement for the plain v4 UUIDs used
here (event_id, temp_trace_id, session_id) -- it's literally what
@opentelemetry/resources' own ServiceInstanceIdDetector uses internally
for the same purpose. Removes the uuid/@types/uuid dependency entirely
rather than just pinning back to a CJS-compatible major, so this can't
regress again from a future uuid bump.

Added a postbuild smoke test (node -e "require('./dist/index.js')") so
a require()-breaking regression like this fails the build immediately
instead of only surfacing when a real consumer hits the crash.

Verified end-to-end against real Grafana Cloud data (write + read-back
via sovdev-selftest), not just a local build check.

Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
@terchris
terchris merged commit fe0315a into main Jul 14, 2026
3 checks passed
@terchris
terchris deleted the fix/uuid-esm-crash branch July 14, 2026 07:48
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant