Skip to content

Bump uuidv7-js from 1.1.4 to 2.0.0#543

Closed
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/uuidv7-js-2.0.0
Closed

Bump uuidv7-js from 1.1.4 to 2.0.0#543
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/uuidv7-js-2.0.0

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 6, 2026

Copy link
Copy Markdown
Contributor

Bumps uuidv7-js from 1.1.4 to 2.0.0.

Release notes

Sourced from uuidv7-js's releases.

v2.0.0

Major Changes

  • #2 e17d873 Thanks @​TheEdoRan! - Audit, security hardening, and full restructure. Headline changes:

    • No more spin-loop on backwards clock by default. When Date.now() returns a value smaller than the last observed timestamp (NTP step-back, VM time-warp), v1 would busy-wait synchronously until the clock caught up — blocking the event loop for the full skew duration. v2 pins the timestamp to the last observed value and continues incrementing the monotonic counter. RFC 9562 §6.2 explicitly permits this. The v1 behavior is still available via new UUIDv7({ blockOnBackwardsClock: true }) for callers who prefer strict timestamp fidelity over event-loop liveness.
    • Counter double-overflow now advances the timestamp by 1ms (runtime path) instead of busy-waiting. Sub-millisecond drift is permitted by RFC 9562 §6.2.
    • decode / decodeOrThrow reject pathological inputs. v1 would attempt to decode arbitrarily long strings, triggering super-linear BigInt math (a CPU-DoS hazard when input is untrusted). v2 rejects empty inputs and inputs longer than the maximum valid encoding length for the configured alphabet.
    • Custom encode alphabets must be ASCII. v1 silently accepted non-ASCII alphabets and would behave incorrectly with multi-code-unit characters; v2 throws at construction.
    • Internal TimestampUUIDv7 class removed. It was an implementation detail not re-exported from the package entrypoint, but counts as breaking for anyone deep-importing.
    • Performance. Across the four hot paths (gen(), gen(customTimestamp), encode, decode), v2 is at least as fast as v1 on every benchmark and noticeably faster on most: gen() ~+10%, decode ~+23%, encode ~+6%, gen(customTimestamp) ~+3%.
    • Stricter TypeScript build. strictPropertyInitialization and useUnknownInCatchVariables are no longer relaxed.
    • Internal restructure. Source split into generator.ts, codec.ts, format.ts, random.ts. No effect on the public API surface beyond the items listed above.

Minor Changes

  • #2 e17d873 Thanks @​TheEdoRan! - Modernize toolchain: TypeScript 6, Oxlint + Oxfmt (with type-aware linting) replacing ESLint + Prettier, tsdown replacing tsup, Vitest replacing the Node.js built-in test runner, and Changesets replacing semantic-release. Husky / commitlint / commitizen are removed in favor of CI-only enforcement. CI/release split into ci.yml and release.yml. Node 26 pinned for development via .node-version; the library imposes no runtime Node-version constraint. The published package now uses an exports map with proper dual-package types (index.d.ts + index.d.cts) and is type: "module"; dist/index.js is ESM and dist/index.cjs is CJS.
Changelog

Sourced from uuidv7-js's changelog.

2.0.0

Major Changes

  • #2 e17d873 Thanks @​TheEdoRan! - Audit, security hardening, and full restructure. Headline changes:

    • No more spin-loop on backwards clock by default. When Date.now() returns a value smaller than the last observed timestamp (NTP step-back, VM time-warp), v1 would busy-wait synchronously until the clock caught up — blocking the event loop for the full skew duration. v2 pins the timestamp to the last observed value and continues incrementing the monotonic counter. RFC 9562 §6.2 explicitly permits this. The v1 behavior is still available via new UUIDv7({ blockOnBackwardsClock: true }) for callers who prefer strict timestamp fidelity over event-loop liveness.
    • Counter double-overflow now advances the timestamp by 1ms (runtime path) instead of busy-waiting. Sub-millisecond drift is permitted by RFC 9562 §6.2.
    • decode / decodeOrThrow reject pathological inputs. v1 would attempt to decode arbitrarily long strings, triggering super-linear BigInt math (a CPU-DoS hazard when input is untrusted). v2 rejects empty inputs and inputs longer than the maximum valid encoding length for the configured alphabet.
    • Custom encode alphabets must be ASCII. v1 silently accepted non-ASCII alphabets and would behave incorrectly with multi-code-unit characters; v2 throws at construction.
    • Internal TimestampUUIDv7 class removed. It was an implementation detail not re-exported from the package entrypoint, but counts as breaking for anyone deep-importing.
    • Performance. Across the four hot paths (gen(), gen(customTimestamp), encode, decode), v2 is at least as fast as v1 on every benchmark and noticeably faster on most: gen() ~+10%, decode ~+23%, encode ~+6%, gen(customTimestamp) ~+3%.
    • Stricter TypeScript build. strictPropertyInitialization and useUnknownInCatchVariables are no longer relaxed.
    • Internal restructure. Source split into generator.ts, codec.ts, format.ts, random.ts. No effect on the public API surface beyond the items listed above.

Minor Changes

  • #2 e17d873 Thanks @​TheEdoRan! - Modernize toolchain: TypeScript 6, Oxlint + Oxfmt (with type-aware linting) replacing ESLint + Prettier, tsdown replacing tsup, Vitest replacing the Node.js built-in test runner, and Changesets replacing semantic-release. Husky / commitlint / commitizen are removed in favor of CI-only enforcement. CI/release split into ci.yml and release.yml. Node 26 pinned for development via .node-version; the library imposes no runtime Node-version constraint. The published package now uses an exports map with proper dual-package types (index.d.ts + index.d.cts) and is type: "module"; dist/index.js is ESM and dist/index.cjs is CJS.
Commits
  • 8848375 chore: version package (#3)
  • 38ea9f9 chore(package): reset version to 1.1.4 so changesets can compute 2.0.0
  • e17d873 v2.0.0: audit, harden, modernize toolchain, switch to changesets + OIDC publi...
  • See full diff in compare view
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for uuidv7-js since your current version.


Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [uuidv7-js](https://github.com/TheEdoRan/uuidv7-js) from 1.1.4 to 2.0.0.
- [Release notes](https://github.com/TheEdoRan/uuidv7-js/releases)
- [Changelog](https://github.com/TheEdoRan/uuidv7-js/blob/main/CHANGELOG.md)
- [Commits](TheEdoRan/uuidv7-js@v1.1.4...v2.0.0)

---
updated-dependencies:
- dependency-name: uuidv7-js
  dependency-version: 2.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jul 6, 2026
@dahlia

dahlia commented Jul 6, 2026

Copy link
Copy Markdown
Member

@dependabot rebase

@dependabot @github

dependabot Bot commented on behalf of github Jul 6, 2026

Copy link
Copy Markdown
Contributor Author

Looks like uuidv7-js is up-to-date now, so this is no longer needed.

@dependabot dependabot Bot closed this Jul 6, 2026
@dependabot dependabot Bot deleted the dependabot/npm_and_yarn/uuidv7-js-2.0.0 branch July 6, 2026 02:28
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant