-
Notifications
You must be signed in to change notification settings - Fork 30k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
crypto: add a crypto.uuid() method #23441
Conversation
6d02aa7
to
9836a94
Compare
It’s going to break if Node.js is compiled without openssl support… That’s one of the reasons all of these functions tend to end up in
I’m not against this PR in any way, but this might be a good sign that this works really well as an npm package :) A lot of us feel that things that can be implemented easily in userland should be. On the other hand, this does not add much complexity, so I’d personally be fine with it. |
@addaleax is it possible to detect if openssl support is present? If so, I could still use I can just move it to |
@tlhunter Checking using I don’t know whether this generator needs any specific cryptographic properties, but if there’s a |
@addaleax in this commit ec68ac2b346e71a8566f1fff78d96975213d64fd I've added a |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It doesn't feel like the 'why' answer above really answers the question... I mean, yes, uuid is a common thing and yes, those packages are popular but that in itself isn't a good reason. This works just as well as a user land package. I don't see a particularly strong case for why things can't stay as they already are.
@tlhunter |
@addaleax oh yeah good point, I do think that running an OpenSSL-less CI would make sense for Node.js in general since there are some conditionals in the codebase around openssl support. |
@apapirovski I think this UUID PR is in a similar vein as the recently merged mkdirp PR: #21875. In that PR @bcoe mentions the following when referring to the mkdirp module (which gets a little over 8mm weekly downloads):
|
This would require corresponding doc changes as well. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
-1 I think this is best left to userland as there are many different expectations about UUIDs in general and in behavior (e.g. should it fall back to Math.random()
? should it allow returning a different type/format of value? should it include shelling out to an openssl child process as a fallback?) and providing and promoting this one particular implementation/interpretation in core is not a good idea.
Falling back to Math.random() is not likely a good idea, UUIDs are often used for security purposes, they need cryptographic PRNG. I'm -1, the |
@sam-github I agree that falling back to |
I'm not a fan of having this in core since
|
I'm not 100% 👍 or 👎 (comes to mind that this would sometimes be useful in Node.js itself, for instance when generating random file names for coverage output). a few thoughts:
|
I'm kind of -1 to add this. What are the benefits of adding this directly into core? What's @nodejs/tooling point of view? |
I'm also -1 on this one for all the same reasons stated above. |
Hey gang, thanks for looping me in. I'll refrain from expressing a 👍 or 👎 on including this in core as I'm not familiar with the criteria that apply to that decision. I do have a few comments though ... First, do not use Edit: 'Realized that the above reaction is a result of dealing with all the various browser Math.random() implementations out there. In the context of this PR, though, we need only worry about Node's implementation. But that comes from v8, right? Thus, this is likely still concern. From https://v8.dev/blog/math-random:
Regarding:
... except when it's 1 or 3 or 5. Also, @bcoe is correct about needing a
As soon as you support
This may add more complexity than you think. Specifically, the inevitable demand for other UUID versions may introduce dependencies on things like the host's MAC address (for One final comment: it'd be nice if whatever uuid API ends up in core were as cross-compatible as possible with the existing |
I see UUID support as more of a slippery slope. |
Given the -1's and the general sentiment expressed in the thread, I'm inclined to close this. @tlhunter ... thank you for the work here on this, even if it didn't land, the contribution and discussion are still helpful. |
Thanks for the detailed feedback, everyone. |
This PR introduces a new method called
crypto.uuid()
. This method generates a UUID v4 string. It can be used like so:Why introduce this into Node.js Core
The Node.js community has a great need for this method. For example, the npm package uuid receives 11.4mm downloads per week, and the deprecated node-uuid still receives 1.6mm downloads per week.
This same functionality is often provided by other languages/platforms such as the C#/.NET implementation System.Guid.NewGuid() or Pythons import uuid.
Anecdotally, most projects I build require a UUID generator.
What's a UUID
A UUID string is a random series of 32 hexadecimal characters separated by hyphens at well-known locations for a total length of 36 characters. The 13th character is always a
'4'
, so that leaves 31 hexadecimal characters of entropy. According to Wikipedia that means the overall string has 2^122, or 5.3x1036 (5.3 undecillion) possible variations.Why UUID v4?
This is the most popular method as far as I've seen used in the wild. It's also the easiest to generate since it's just random characters. The other versions take current time into consideration and may generate ever-increasing values. Some attempt to maintain uniqueness across different systems which also adds complexity.
This approach would be forward compatible if we did want to support different UUID versions in the future. For example
.uuid
could have further methods attached, such as.uuid.v1()
or even.uuid.v4()
which would be an alias for.uuid()
.Checklist
I haven't added documentation yet since this method may move around before being accepted (if it's accepted at all). I'll definitely write docs after the first round of feedback!
make -j4 test
(UNIX), orvcbuild test
(Windows) passes