launchdarkly-js-sdk-common 5.8.0 → 5.8.1

package/.github/workflows/dependency-scan.yml

@@ -0,0 +1,30 @@
+name: Dependency Scan
+
+on:
+  pull_request:
+  push:
+    branches:
+      - main
+
+jobs:
+  generate-nodejs-sbom:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4
+
+      - name: Generate SBOM
+        uses: launchdarkly/gh-actions/actions/dependency-scan/generate-sbom@main
+        with:
+          types: 'nodejs'
+
+  evaluate-policy:
+    runs-on: ubuntu-latest
+    needs:
+      - generate-nodejs-sbom
+    steps:
+      - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4
+
+      - name: Evaluate SBOM Policy
+        uses: launchdarkly/gh-actions/actions/dependency-scan/evaluate-policy@main
+        with:
+          artifacts-pattern: bom-*

package/.github/workflows/lint-pr-title.yml

@@ -7,6 +7,9 @@ on:
       - edited
       - synchronize
 
+permissions:
+  pull-requests: read
+
 jobs:
   lint-pr-title:
     uses: launchdarkly/gh-actions/.github/workflows/lint-pr-title.yml@main

package/.github/workflows/release-please.yml

@@ -4,14 +4,28 @@ on:
   push:
     branches:
       - main
+  workflow_dispatch:
+    inputs:
+      dry-run:
+        description: 'Is this a dry run. If so no package will be published.'
+        type: boolean
+        required: true
+      prerelease:
+          description: 'Is this a prerelease. If so, then the latest tag will not be updated in npm.'
+          type: boolean
+          required: true
 
 jobs:
   release-please:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
+    if: github.event_name == 'push'
     outputs:
       release_created: ${{ steps.release.outputs.release_created }}
     steps:
-      - uses: googleapis/release-please-action@v4
+      - uses: googleapis/release-please-action@45996ed1f6d02564a971a2fa1b5860e934307cf7 # v5.0.0
         id: release
         with:
           token: ${{secrets.GITHUB_TOKEN}}
@@ -28,14 +42,13 @@ jobs:
 
       - uses: actions/setup-node@v4
         with:
-          node-version: 20.x
+          node-version: 24.x
           registry-url: 'https://registry.npmjs.org'
 
-      - uses: launchdarkly/gh-actions/actions/release-secrets@release-secrets-v1.2.0
-        name: 'Get NPM token'
-        with:
-          aws_assume_role: ${{ vars.AWS_ROLE_ARN }}
-          ssm_parameter_pairs: '/production/common/releasing/npm/token = NODE_AUTH_TOKEN'
+      - name: Update NPM
+        shell: bash
+        # Must be greater than 11.5.1 for OIDC.
+        run: npm install -g npm@11.6.2
 
       - name: Install Dependencies
         run: npm install
@@ -55,3 +68,32 @@ jobs:
         uses: ./.github/actions/publish-docs
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}
+
+  manual-publish-package:
+    runs-on: ubuntu-latest
+    if: github.event_name == 'workflow_dispatch'
+    permissions:
+      id-token: write
+      contents: write
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 24.x
+          registry-url: 'https://registry.npmjs.org'
+
+      - name: Update NPM
+        shell: bash
+        # Must be greater than 11.5.1 for OIDC.
+        run: npm install -g npm@11.6.2
+
+      - name: Install Dependencies
+        run: npm install
+
+      - id: publish-npm
+        name: Publish NPM Package
+        uses: ./.github/actions/publish-npm
+        with:
+          dry-run: ${{ inputs.dry-run }}
+          prerelease: ${{ inputs.prerelease }}

package/.github/workflows/stale.yml

@@ -0,0 +1,14 @@
+name: "Close stale issues and PRs"
+on:
+  workflow_dispatch:
+  schedule:
+    # Happen once per day at 1:30 AM
+    - cron: "30 1 * * *"
+
+permissions:
+  issues: write
+  pull-requests: write
+
+jobs:
+  sdk-close-stale:
+    uses: launchdarkly/gh-actions/.github/workflows/sdk-stale.yml@main

package/.release-please-manifest.json

@@ -1,3 +1,3 @@
 {
-  ".": "5.8.0"
+  ".": "5.8.1"
 }

package/CHANGELOG.md

@@ -2,6 +2,13 @@
 
 All notable changes to the `launchdarkly-js-sdk-common` package will be documented in this file. Changes that affect the dependent SDKs such as `launchdarkly-js-client-sdk` should also be logged in those projects, in the next release that uses the updated version of this package. This project adheres to [Semantic Versioning](http://semver.org).
 
+## [5.8.1](https://github.com/launchdarkly/js-sdk-common/compare/5.8.0...5.8.1) (2026-05-21)
+
+
+### Bug Fixes
+
+* remove uuid dependency, replace with inline implementation ([#146](https://github.com/launchdarkly/js-sdk-common/issues/146)) ([98c87d0](https://github.com/launchdarkly/js-sdk-common/commit/98c87d02a6c58b336bbb40b7a80f9bb3489bbed9))
+
 ## [5.8.0](https://github.com/launchdarkly/js-sdk-common/compare/5.7.1...5.8.0) (2025-09-05)
 
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "launchdarkly-js-sdk-common",
-  "version": "5.8.0",
+  "version": "5.8.1",
   "description": "LaunchDarkly SDK for JavaScript - common code",
   "author": "LaunchDarkly <team@launchdarkly.com>",
   "license": "Apache-2.0",
@@ -49,8 +49,7 @@
   },
   "dependencies": {
     "base64-js": "^1.3.0",
-    "fast-deep-equal": "^2.0.1",
-    "uuid": "^8.0.0"
+    "fast-deep-equal": "^2.0.1"
   },
   "repository": {
     "type": "git",

package/src/AnonymousContextProcessor.js

@@ -1,4 +1,4 @@
-const { v1: uuidv1 } = require('uuid');
+const { randomUuidV4 } = require('./uuid');
 const { getContextKinds } = require('./context');
 
 const errors = require('./errors');
@@ -57,7 +57,7 @@ function AnonymousContextProcessor(persistentStorage) {
           context.key = cachedId;
           return context;
         } else {
-          const id = uuidv1();
+          const id = randomUuidV4();
           context.key = id;
           return setCachedContextKey(id, kind).then(() => context);
         }

package/src/EventSender.js

@@ -1,6 +1,6 @@
 const errors = require('./errors');
 const utils = require('./utils');
-const { v1: uuidv1 } = require('uuid');
+const { randomUuidV4 } = require('./uuid');
 const { getLDHeaders, transformHeaders } = require('./headers');
 
 function EventSender(platform, environmentId, options) {
@@ -25,7 +25,7 @@ function EventSender(platform, environmentId, options) {
     }
 
     const jsonBody = JSON.stringify(events);
-    const payloadId = isDiagnostic ? null : uuidv1();
+    const payloadId = isDiagnostic ? null : randomUuidV4();
 
     function doPostRequest(canRetry) {
       const headers = isDiagnostic

package/src/__tests__/diagnosticEvents-test.js

@@ -16,6 +16,12 @@ describe('DiagnosticId', () => {
     expect(id1.diagnosticId).not.toEqual(id2.diagnosticId);
   });
 
+  it('generates valid UUID v4 format', () => {
+    const id = DiagnosticId('key');
+    const uuidV4Regex = /^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/i;
+    expect(id.diagnosticId).toMatch(uuidV4Regex);
+  });
+
   it('uses only last 6 characters of key', () => {
     const id = DiagnosticId('0123456789abcdef');
     expect(id.sdkKeySuffix).toEqual('abcdef');

package/src/diagnosticEvents.js

@@ -1,7 +1,4 @@
-const { v1: uuidv1 } = require('uuid');
-// Note that in the diagnostic events spec, these IDs are to be generated with UUID v4. However,
-// in JS we were already using v1 for unique context keys, so to avoid bringing in two packages we
-// will use v1 here as well.
+const { randomUuidV4 } = require('./uuid');
 
 const { baseOptionDefs } = require('./configuration');
 const messages = require('./messages');
@@ -9,7 +6,7 @@ const { appendUrlPath } = require('./utils');
 
 function DiagnosticId(sdkKey) {
   const ret = {
-    diagnosticId: uuidv1(),
+    diagnosticId: randomUuidV4(),
   };
   if (sdkKey) {
     ret.sdkKeySuffix = sdkKey.length > 6 ? sdkKey.substring(sdkKey.length - 6) : sdkKey;

package/src/uuid.js

@@ -0,0 +1,70 @@
+/* global crypto */
+// The implementation in this file generates UUIDs in v4 format and is suitable
+// for use as a UUID in LaunchDarkly events. It is not a rigorous implementation.
+//
+// Adapted from:
+// https://github.com/launchdarkly/js-core/blob/main/packages/sdk/browser/src/platform/randomUuidV4.ts
+
+// It uses crypto.randomUUID when available.
+// If crypto.randomUUID is not available, then it uses random values and forms
+// the UUID itself.
+// When possible it uses crypto.getRandomValues, but it can use Math.random
+// if crypto.getRandomValues is not available.
+
+// UUIDv4 Struct definition.
+// https://www.rfc-archive.org/getrfc.php?rfc=4122
+// Appendix A.  Appendix A - Sample Implementation
+const timeLow = { start: 0, end: 3 };
+const timeMid = { start: 4, end: 5 };
+const timeHiAndVersion = { start: 6, end: 7 };
+const clockSeqHiAndReserved = { start: 8, end: 8 };
+const clockSeqLow = { start: 9, end: 9 };
+const nodes = { start: 10, end: 15 };
+
+function getRandom128bit() {
+  if (typeof crypto !== 'undefined' && crypto.getRandomValues) {
+    const typedArray = new Uint8Array(16);
+    crypto.getRandomValues(typedArray);
+    return [...typedArray.values()];
+  }
+  const values = [];
+  for (let index = 0; index < 16; index += 1) {
+    values.push(Math.floor(Math.random() * 256));
+  }
+  return values;
+}
+
+function hex(bytes, range) {
+  let strVal = '';
+  for (let index = range.start; index <= range.end; index += 1) {
+    strVal += bytes[index].toString(16).padStart(2, '0');
+  }
+  return strVal;
+}
+
+function formatDataAsUuidV4(bytes) {
+  // eslint-disable-next-line no-bitwise, no-param-reassign
+  bytes[clockSeqHiAndReserved.start] = (bytes[clockSeqHiAndReserved.start] | 0x80) & 0xbf;
+  // eslint-disable-next-line no-bitwise, no-param-reassign
+  bytes[timeHiAndVersion.start] = (bytes[timeHiAndVersion.start] & 0x0f) | 0x40;
+
+  return (
+    `${hex(bytes, timeLow)}-${hex(bytes, timeMid)}-${hex(bytes, timeHiAndVersion)}-` +
+    `${hex(bytes, clockSeqHiAndReserved)}${hex(bytes, clockSeqLow)}-${hex(bytes, nodes)}`
+  );
+}
+
+function fallbackUuidV4() {
+  const bytes = getRandom128bit();
+  return formatDataAsUuidV4(bytes);
+}
+
+function randomUuidV4() {
+  if (typeof crypto !== 'undefined' && typeof crypto.randomUUID === 'function') {
+    return crypto.randomUUID();
+  }
+
+  return fallbackUuidV4();
+}
+
+module.exports = { randomUuidV4, fallbackUuidV4, formatDataAsUuidV4 };

package/.github/workflows/manual-publish.yml

@@ -1,42 +0,0 @@
-name: Manual Publish Package
-on:
-  workflow_dispatch:
-    inputs:
-      dry-run:
-        description: 'Is this a dry run. If so no package will be published.'
-        type: boolean
-        required: true
-      prerelease:
-          description: 'Is this a prerelease. If so, then the latest tag will not be updated in npm.'
-          type: boolean
-          required: true
-
-jobs:
-  publish-package:
-    runs-on: ubuntu-latest
-    permissions:
-      id-token: write
-      contents: write
-    steps:
-      - uses: actions/checkout@v4
-
-      - uses: actions/setup-node@v4
-        with:
-          node-version: 20.x
-          registry-url: 'https://registry.npmjs.org'
-
-      - uses: launchdarkly/gh-actions/actions/release-secrets@release-secrets-v1.2.0
-        name: 'Get NPM token'
-        with:
-          aws_assume_role: ${{ vars.AWS_ROLE_ARN }}
-          ssm_parameter_pairs: '/production/common/releasing/npm/token = NODE_AUTH_TOKEN'
-
-      - name: Install Dependencies
-        run: npm install
-
-      - id: publish-npm
-        name: Publish NPM Package
-        uses: ./.github/actions/publish-npm
-        with:
-          dry-run: ${{ inputs.dry-run }}
-          prerelease: ${{ inputs.prerelease }}