uuid.js use native randomUUID() if available #725

Open
wants to merge 1 commit into
base: main

@oittaa oittaa commented Sep 17, 2024

Member

Acconut commented Sep 17, 2024

Thank you for the PR. Could you explain what benefit the native function offers?

Author

oittaa commented Sep 17, 2024

In addition to avoiding "not invented here", it's actually cryptographically secure like the UUID specification requires. Stating in the documentation that the insecure generation "is not a problem because ..." contrary to the specification has been proven to be problematic every time because someone will end up using it in a security-critical code path.

To be honest, if I were you, I would just remove the whole file and use self.crypto.randomUUID() directly and drop the 20-year-old browser support.

Member

Acconut commented Sep 17, 2024

Thank you for the additional details, I agree that using native implementations is preferable whenever possible. tus-js-client not only supports browsers but also runs in Node.js and mobile environments, such as React Native. So we also have to take these environments and their capabilities into consideration when thinking about dropping these internal implementations. Node.js also implements parts of the Web Crypto API as far as I know, but I'm not sure about React Native.

Recently, a similar issue regarding base64 encoding was raised, but it also stalled because not every environment has a native implementation available. I'll be thinking about ways this can improve in the future.
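
The trade-off discussed in this thread, as an added example that is not part of the PR or of tus-js-client's code: prefer the native `randomUUID()`, fall back to `getRandomValues()` where only that exists, and refuse to produce an ID when no CSPRNG is present. The names `secureUuid`, `formatUuidV4` and the injectable `cryptoObj` parameter are hypothetical.

```javascript
// Added example; function and parameter names are hypothetical.

// Format 16 random bytes as a version-4 UUID string, forcing the
// version nibble (4) and the variant bits (10xx) the UUID spec requires.
function formatUuidV4(bytes) {
  if (bytes.length !== 16) throw new RangeError('expected 16 random bytes')
  const b = Uint8Array.from(bytes) // copy so the caller's buffer is untouched
  b[6] = (b[6] & 0x0f) | 0x40
  b[8] = (b[8] & 0x3f) | 0x80
  const hex = Array.from(b, (x) => x.toString(16).padStart(2, '0')).join('')
  return [
    hex.slice(0, 8),
    hex.slice(8, 12),
    hex.slice(12, 16),
    hex.slice(16, 20),
    hex.slice(20),
  ].join('-')
}

// Use the strongest generator the environment's crypto object offers.
// `cryptoObj` is injectable so each kind of environment can be simulated.
function secureUuid(cryptoObj = globalThis.crypto) {
  // Native path. In browsers randomUUID() is exposed only in secure
  // contexts, so it can be absent even in a current browser.
  if (cryptoObj && typeof cryptoObj.randomUUID === 'function') {
    return cryptoObj.randomUUID()
  }
  // A CSPRNG exists but randomUUID() does not: build the v4 UUID ourselves.
  if (cryptoObj && typeof cryptoObj.getRandomValues === 'function') {
    return formatUuidV4(cryptoObj.getRandomValues(new Uint8Array(16)))
  }
  // No CSPRNG at all: fail loudly rather than silently using Math.random(),
  // so a predictable ID can never reach a security-critical code path.
  throw new Error('no cryptographically secure random source available')
}
```

Throwing in the last branch is a design choice of this example; a caller that only needs a non-secret identifier can catch the error and make that weaker choice explicitly.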
