
Publish patch version to v0.3 upgrade uuid version #288

Closed
bung87 opened this issue Sep 2, 2021 · 19 comments

Comments

@bung87

bung87 commented Sep 2, 2021

current depends on "uuid": "^3.4.0"
uuid latest version is 8.3.2

@jaqua

jaqua commented Sep 26, 2021

@bung87 uuid has been updated in June 2020 (da1f106#diff-7ae45ad102eab3b6d7e7896acd08c427a9b25b346470d7bc6507b6481575d519), but this version marked as 0.4-rc has never been published.

@brycekahle I think this package isn't maintained anymore...

@brycekahle
Contributor

It is definitely maintained, but is in a stable state where things are not upgraded without compelling reasons.

@bung87
Author

bung87 commented Oct 8, 2021

I have some front-end projects using webpack 4, which depends on webpack-dev-server (-> sockjs-node -> uuid). They all warn that uuid 3 is deprecated during installation, but I can't upgrade uuid by upgrading webpack or webpack-dev-server.

@reporter123

This seems to be an issue only for cryptographically secure functions, as Math.random cannot provide this guarantee. https://v8.dev/blog/math-random
npm produces the following warning as a result:

uuid@3.4.0: Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. See https://v8.dev/blog/math-random for details.

For webpack-dev-server that would be harmless, as the package is not meant for production anyway. yarn gave me the trace for where this warning was originating. At least I know it's not urgent for my use case.

@cleverativity

I would love seeing this package being updated to the latest version of uuid, since it's breaking a project I need to take to production by the end of the year. Does anyone know any workaround?

@yellowweak

I had the same issue when adding webpack-dev-server via yarn.
As a workaround, I added a resolution rule into package.json as below to force using the latest package.

{
  "devDependencies": {
    "webpack-dev-server": "^x.x.x"
  },
  "resolutions": {
    "uuid": "^8.3.2"
  }
}

Hope this helps.

yarn official ref
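Two practical questions come out of the thread so far: which transitive copies of uuid are still below the major version the npm deprecation notice asks for (reporter123's warning), and whether a `resolutions` override like the one above actually took effect after reinstalling (yellowweak's workaround). The following Node.js script is an added example, not code from sockjs-node or any of the commenters. It walks a parsed `package-lock.json` (both the nested `dependencies` shape of lockfileVersion 1 and the flat `packages` map of lockfileVersion 2/3) and reports every `uuid` entry with its dependency path and whether its major version is below 7. The two embedded lock objects are constructed sample data; the `webpack-dev-server` version in them is a placeholder, while the sockjs and uuid versions are the ones mentioned in this issue.

```javascript
// Added example (not part of the sockjs-node project): audit a package-lock.json
// for copies of `uuid` older than the major version the npm deprecation notice
// asks for, and show the dependency path that pulled each copy in.
// Runs offline on the constructed sample locks below; for a real tree, pass
// JSON.parse(fs.readFileSync('package-lock.json', 'utf8')) to auditUuidVersions().

const MIN_MAJOR = 7; // threshold quoted in the npm warning in this thread

function majorOf(version) {
  // "3.4.0" or "v3.4.0" -> 3; ranges such as "^3.4.0" are not versions -> NaN
  const m = /^v?(\d+)\./.exec(String(version));
  return m ? Number(m[1]) : NaN;
}

// lockfileVersion 1: each entry may carry a nested "dependencies" object
function walkV1(deps, path, out) {
  for (const [name, info] of Object.entries(deps || {})) {
    const here = [...path, `${name}@${info.version}`];
    if (name === 'uuid') out.push({ version: info.version, path: here.join(' > ') });
    walkV1(info.dependencies, here, out);
  }
}

// lockfileVersion 2/3: flat "packages" map keyed by install path such as
// "node_modules/webpack-dev-server/node_modules/sockjs/node_modules/uuid"
function walkV2(packages, out) {
  for (const [key, info] of Object.entries(packages || {})) {
    if (key === '') continue; // the root project entry
    const segs = key.split('node_modules/').slice(1).map((s) => s.replace(/\/$/, ''));
    if (segs[segs.length - 1] !== 'uuid') continue;
    out.push({ version: info.version, path: segs.join(' > ') });
  }
}

// Returns [{ version, path, outdated }] for every uuid copy in the lock.
// An unparseable version counts as outdated so it is never silently passed.
function auditUuidVersions(lock, minMajor = MIN_MAJOR) {
  const found = [];
  if (lock.packages) walkV2(lock.packages, found);
  else walkV1(lock.dependencies, [], found);
  return found.map((f) => ({ ...f, outdated: !(majorOf(f.version) >= minMajor) }));
}

function formatReport(results) {
  return results.map((r) => `${r.outdated ? 'OUTDATED' : 'ok      '} uuid@${r.version}  via ${r.path}`);
}

// Constructed sample: lockfileVersion 1 shape. webpack-dev-server version is a placeholder.
const SAMPLE_LOCK_V1 = {
  lockfileVersion: 1,
  dependencies: {
    'webpack-dev-server': {
      version: '3.11.2',
      dependencies: {
        sockjs: { version: '0.3.21', dependencies: { uuid: { version: '3.4.0' } } },
      },
    },
    uuid: { version: '8.3.2' }, // top-level copy, e.g. forced by a resolutions rule
  },
};

// Constructed sample: the same tree in lockfileVersion 2 shape.
const SAMPLE_LOCK_V2 = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'my-app' },
    'node_modules/uuid': { version: '8.3.2' },
    'node_modules/webpack-dev-server': { version: '3.11.2' },
    'node_modules/webpack-dev-server/node_modules/sockjs': { version: '0.3.21' },
    'node_modules/webpack-dev-server/node_modules/sockjs/node_modules/uuid': { version: '3.4.0' },
  },
};

for (const lock of [SAMPLE_LOCK_V1, SAMPLE_LOCK_V2]) {
  console.log(`lockfileVersion ${lock.lockfileVersion}:`);
  for (const line of formatReport(auditUuidVersions(lock))) console.log('  ' + line);
}
```

After adding a `resolutions` rule and reinstalling, the nested `webpack-dev-server > sockjs > uuid` entry should disappear from the report and only a single `uuid@8.x` copy should remain; if the old path is still listed, the override did not apply to that branch of the tree.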

@melroy89

melroy89 commented Oct 27, 2021

I don't know if we are talking about the uuid stable version or you were saying that sockjs is now 'stable'.

Sockjs v0.3.21 doesn't sound like stable. I would expect v1.0.0 according to semantic versioning. Also, seeing no new versions of sockjs is actually the main reason I will not go for this package, but use socket.io instead. I think it's important to at least keep the dependencies up to date.

Personally, it looks like a dead project from my perspective. I do NOT want to be rude, but this is how new end-users may see it.

@dartess

dartess commented Nov 1, 2021

Any updates when 0.4 is ready?

@hailwood

@brycekahle While it doesn't appear to break anything, having this output on your npm installs is not nice

It's going to affect everyone using webpack-dev-server so maybe easier to do the release than hold off for what feels like "it's not a big enough update to justify 1.0?". Especially if as you say the package is in a stable state I'd imagine there won't be any big updates so what is considered a 'compelling reason' if causing a warning for millions of users is not?

@zdm

zdm commented Dec 1, 2021

It's time to release 1.0.0.

@zdm

zdm commented Dec 1, 2021

Is it hard to release npm package?
I see, that uuid v8 is already used in the latest code.

@jankanty

jankanty commented Dec 2, 2021

If your changes keep from releasing v1.0.0 maybe we can release v0.3.22 with only uuid bumped up?

@jaqua

jaqua commented Dec 2, 2021

@jankanty brycekahle said in his answer he won't do this bump, as he thinks this package is in a stable state.
But @brycekahle, following semver, a stable release should not be 0.3.21. So in my opinion the explanation doesn't fit the needs of the user. Versioning shouldn't be done emotionally, but rationally.
You also said the package is maintained, but in fact it is not - as many users explained in this thread.
Just my cents... Please don't mind.

@zdm

zdm commented Dec 2, 2021

uuid v8 will make this package more "stable", because it will remove potential issues found in recent years (as described in the warnings on install).
Really unable to understand why it is impossible to publish it to the npm registry.
By the way, sockjs will be removed from the webpack dev server on the next major release.

@brycekahle
Contributor

said in his answer he won't do this bump up, as he think this package is in stable state.

@jaqua That isn't exactly what I said. I said I don't upgrade things without compelling reasons. As @reporter123 observed, the issue with Math.random, and thus some uuid versions, is that it isn't cryptographically secure. That isn't a concern for the usage of UUIDs in this project, where they are only used for session ids. If someone had opened an issue outlining how they thought the old uuid was affecting this project specifically, that would've been a productive conversation towards an upgrade.

following semver stable release should not be 0.3.21

The thinking on 0.x releases has shifted over time. Node.js itself was 0.x releases for a long time and used in production. React.js was the same.

@zdm Some folks are willing to demand work done by others, but not do the work themselves. I don't see any PRs with this change.

The main branch is not ready, as the conversion from coffeescript to javascript is a decent amount of work to verify. If I were to do this, it would be in the form @jankanty suggested.

@brycekahle
Contributor

Fixed in b55d47856efb9b6274578c37feec71e662e9a03e

@jankanty

jankanty commented Dec 3, 2021

@brycekahle Can I then create new branch from v0.3.21 tag and fix it and you will publish it? Everybody will be happy :)

@brycekahle
Contributor

@jankanty I went ahead and did it.

@jankanty

jankanty commented Dec 3, 2021

@brycekahle you are a diamond <3
