chore(deps): upgrade uuid #4516

Open
jpan-box wants to merge 1 commit into box:master from jpan-box:update-uuid

Conversation

jpan-box (Collaborator) commented Apr 23, 2026

Upgrading UUID, must be >14.0.0

No significant breaking changes between 8 and 14 - most deal with dropping node support.

UUID v8 is introduced via direct dependency AND indirect

$ yarn why uuid
yarn why v1.22.22
[1/4] 🤔  Why do we have the module "uuid"...?
[2/4] 🚚  Initialising dependency graph...
[3/4] 🔍  Finding dependency...
[4/4] 🚡  Calculating file sizes...
=> Found "uuid@8.3.2"
info Has been hoisted to "uuid"
info Reasons this module exists
   - Specified in "devDependencies"
   - Hoisted from "cypress#@cypress#request#uuid"
   - Hoisted from "webpack-dev-server#sockjs#uuid"

The resolution is required as cypress/request is used within webpack-dev-server, and no version of cypress/request replaces uuid.
cypress-io/cypress#29775 (comment)

Summary by CodeRabbit

  • Chores

    • Upgraded development and peer dependency for uuid to ^14.0.0 and added a lock resolution to ensure consistency.
  • Tests

    • Adjusted test transformer configuration so the uuid package is processed during test runs (improves test compatibility).

@jpan-box jpan-box requested a review from a team as a code owner April 23, 2026 21:52
coderabbitai Bot (Contributor) commented Apr 23, 2026

Walkthrough

The uuid dependency is upgraded from ^8.3.2 to ^14.0.0 in devDependencies and peerDependencies, a resolutions.uuid entry is added, and Jest's transformIgnorePatterns is adjusted to allow uuid to be transformed during tests.

Changes

Cohort / File(s): Summary
Package manifest (package.json): Bump uuid from ^8.3.2 to ^14.0.0 in devDependencies and peerDependencies; add resolutions.uuid: ^14.0.0 (keeps resolutions.tar: ^7.5.11).
Test config (scripts/jest/jest.config.js): Modify transformIgnorePatterns to exclude uuid from the ignore list so it will be transformed; removed @box/metadata-editor from the exception list.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested labels

ready-to-merge

Suggested reviewers

  • tjiang-box
  • jfox-box
  • reneshen0328

Poem

🐰 I hopped from eight up to fourteen today,
Dependencies trimmed and tests set to play.
Resolutions fixed, transforms now true,
I nibble on changes and bid bugs adieu. 🥕

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title 'chore(deps): upgrade uuid' directly and clearly summarizes the main change—upgrading the uuid dependency.
Description check ✅ Passed The PR description provides clear rationale for the upgrade, explains the version history, addresses why a resolution is needed, and includes supporting evidence. However, it does not follow the repository's template structure.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.


coderabbitai Bot left a comment

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
package.json (1)

291-352: ⚠️ Potential issue | 🟡 Minor

peerDependency bump from ^8.3.2 to ^14.0.0 is a breaking change for consumers.

Any downstream app pinning uuid at v8–v13 will now see a peer-dep mismatch after consuming this release. That is an intentional trade-off here, but please make sure the release that ships this carries a BREAKING CHANGE: footer so semantic-release emits a major version bump and the breaking nature is called out in the changelog.

Also worth noting: uuid is used internally only in src/elements/common/logger/Logger.js (for a one-time SESSION_ID), not exposed on the public API surface. It's debatable whether it needs to be in peerDependencies at all versus a plain dependency. Not blocking for this PR, but worth revisiting separately.

Based on learnings: the team is comfortable raising peerDependency minimums when upgrading packages, even if it's a breaking change for consumers.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@package.json` around lines 291 - 352, The package bump of peerDependency
"uuid" from ^8.3.2 to ^14.0.0 is a breaking change that will cause peer-dep
mismatches for downstream apps; update the release notes to include a "BREAKING
CHANGE:" footer so semantic-release triggers a major version and documents the
change, and consider moving "uuid" from peerDependencies to dependencies if it's
only used internally (see src/elements/common/logger/Logger.js and the
SESSION_ID usage) to avoid imposing the upgrade on consumers—implement at least
the BREAKING CHANGE footer in the release that contains this package.json
change, and optionally change the package.json entry for "uuid" from
peerDependencies to dependencies if you decide to keep it internal.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@package.json`:
- Around line 354-361: The "resolutions" entry forcing "uuid": "^14.0.0" is
unsafe because uuid@14 is ESM-only and will break CommonJS transitive consumers;
update the package.json "resolutions" block to pin uuid to a CommonJS-compatible
release (e.g., replace the uuid line with "uuid": "^8.3.2" or another
v8/v3-compatible semver), remove the ^14.0.0 entry if you need ESM-only usage,
then run the end-to-end checks (yarn start / yarn build:dev:dist and yarn cy:run
or yarn test:e2e) and confirm CI Node version matches engines.node (>=20) before
merging.


ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: a6748c62-141c-4982-afee-2b82b68c9a24

📥 Commits

Reviewing files that changed from the base of the PR and between 90261fc and 6df5a98.

⛔ Files ignored due to path filters (1)
  • yarn.lock is excluded by !**/yarn.lock, !**/*.lock
📒 Files selected for processing (1)
  • package.json

Comment thread package.json
Comment on lines 354 to 361
"resolutions": {
"draft-js/immutable": "^3.8.3",
"eslint-plugin-formatjs/**/minimatch": "^9.0.9",
"qs": "^6.14.1",
"serialize-javascript": "^7.0.5",
"tar": "^7.5.11"
"tar": "^7.5.11",
"uuid": "^14.0.0"
},
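Review bot: the added `"uuid": "^14.0.0"` resolution overrides the version for the whole dependency tree, so the two transitive chains the PR description lists from `yarn why` (`cypress#@cypress/request#uuid` and `webpack-dev-server#sockjs#uuid`) receive it as well as the direct devDependency; since the linked cypress discussion is the only stated justification that no upstream release replaces uuid, a short note beside the entry (or in the PR body) recording that those two consumers were exercised after the override would make this line auditable at the next upgrade. The `"tar": "^7.5.11"` line is touched only to gain its trailing comma, not to change the pin.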

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Find any other direct/indirect consumers of `uuid` in the tree and confirm only v14 resolves.
fd -HI -t f '^yarn\.lock$' --max-depth 2
rg -nP '^\s*uuid@' yarn.lock | head -50
# Confirm only one uuid version will be resolved after the bump
rg -nP '^uuid@[^:]+:\s*$' -A 2 yarn.lock | head -40
# Find first-party call sites for uuid to confirm none rely on removed APIs (e.g. default export, uuid/v4 deep import)
rg -nP --type=js --type=ts --type=tsx -C2 "from ['\"]uuid(/|['\"])|require\(['\"]uuid(/|['\"])"

Repository: box/box-ui-elements

Length of output: 350


🌐 Web query:

Does uuid v14 still ship a CommonJS build usable via require('uuid').v4(), and what is the minimum supported Node.js version?

💡 Result:

No, uuid v14 does not ship a CommonJS build usable via require('uuid').v4. Starting with uuid@12, CommonJS support was removed, making it ESM-only. Users must use ESM syntax: import { v4 } from 'uuid';. The minimum supported Node.js version for v14 is 20.


🏁 Script executed:

#!/bin/bash
# Search for uuid imports/requires more carefully without tsx type
rg -n "uuid" --type js --type ts -C 2 | grep -E "(require|import).*uuid|uuid.*from|uuid.*require" | head -30
# Also try a broader search
rg "uuid" --type js -l

Repository: box/box-ui-elements

Length of output: 743


🏁 Script executed:

#!/bin/bash
# Check the actual usage patterns in the codebase
rg -n "from ['\"]uuid|require\(['\"]uuid" --type js --type ts -C 2

Repository: box/box-ui-elements

Length of output: 484


🏁 Script executed:

#!/bin/bash
cat -n scripts/jest/jest.config.js | head -30

Repository: box/box-ui-elements

Length of output: 1808


🏁 Script executed:

#!/bin/bash
# Search for require('uuid') patterns in source code (not node_modules)
rg "require\(['\"]uuid" src/ scripts/ --type js --type ts -n

Repository: box/box-ui-elements

Length of output: 45


🏁 Script executed:

#!/bin/bash
# Check if there's any documentation or comments about uuid usage
rg "uuid" -A 2 -B 2 --type js --type ts src/ | grep -E "(v3|v4|v5|CJS|ESM|CommonJS|ES Module)" | head -20

Repository: box/box-ui-elements

Length of output: 202


Forcing uuid@14.0.0 will likely break transitive consumers; do not merge without testing.

uuid@14 is ESM-only (CommonJS support was removed starting with uuid@12). The transitive dependencies — cypress → @cypress/request → uuid and webpack-dev-server → sockjs → uuid — were authored against uuid@3.x/uuid@8.x and almost certainly use require('uuid'). Requiring an ESM-only module with CommonJS will fail at runtime.

The repo's direct usage is correct (import { v4 as uuidv4 } from 'uuid' in Logger.js), but the transitive breakage is real. Test end-to-end before merging:

  • yarn start / yarn build:dev:dist (webpack-dev-server + sockjs path)
  • yarn cy:run (or yarn test:e2e) (cypress + @cypress/request path)

uuid@14 requires Node ≥ 20; the repo's engines.node: ">=20.x" is compatible, but verify CI runners are not still on Node 18.x.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@package.json` around lines 354 - 361, The "resolutions" entry forcing "uuid":
"^14.0.0" is unsafe because uuid@14 is ESM-only and will break CommonJS
transitive consumers; update the package.json "resolutions" block to pin uuid to
a CommonJS-compatible release (e.g., replace the uuid line with "uuid": "^8.3.2"
or another v8/v3-compatible semver), remove the ^14.0.0 entry if you need
ESM-only usage, then run the end-to-end checks (yarn start / yarn build:dev:dist
and yarn cy:run or yarn test:e2e) and confirm CI Node version matches
engines.node (>=20) before merging.
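As an added illustration of the ESM-only breakage the comment above describes (example code written here, not code from box-ui-elements or from the uuid package), the block below resolves a manifest's root entry the way a CommonJS require() does and lists which consumers a forced resolution would break; the two manifests, the consumer chains and their loaders are constructed assumptions, not the real packages.

```javascript
// Added example, not code from box-ui-elements or uuid: can a package manifest be loaded
// with CommonJS require() (the review says not for ESM-only uuid@14), and which consumers
// would a forced "resolutions" override break? Every input below is constructed.
const REQUIRE_CONDITIONS = new Set(['node', 'require', 'default']);
// Walk a conditional-exports value as Node does for require(): first matching
// condition wins (key order matters), arrays are fallbacks; null = nothing exported.
function resolveRequireTarget(value) {
  if (typeof value === 'string') return value;
  const candidates = Array.isArray(value)
    ? value
    : Object.entries(value || {}).filter(([c]) => REQUIRE_CONDITIONS.has(c)).map(([, v]) => v);
  for (const v of candidates) {
    const target = resolveRequireTarget(v);
    if (target) return target;
  }
  return null;
}
// Root entry ('.') for require('<pkg>'): "exports" takes precedence over "main".
function requireEntry({ exports: ex, main }) {
  if (ex === undefined) return main || './index.js';
  const isSubpathMap = Boolean(ex) && typeof ex === 'object' && !Array.isArray(ex)
    && Object.keys(ex).some((k) => k.startsWith('.'));
  const root = isSubpathMap ? ex['.'] : ex;
  return root === undefined ? null : resolveRequireTarget(root);
}
// True when require('<pkg>') succeeds on a Node release without require(esm) support.
function isCommonJsLoadable(pkg) {
  const entry = requireEntry(pkg);
  if (entry === null) return false;          // no "require"/"default" condition exported
  if (entry.endsWith('.mjs')) return false;  // ESM file: ERR_REQUIRE_ESM
  if (entry.endsWith('.cjs')) return true;
  return pkg.type !== 'module';              // plain .js is ESM under "type": "module"
}

// Constructed manifests shaped like a dual (v8-style) and an ESM-only (v14-style) uuid.
const DUAL_PKG = { name: 'uuid', version: '8.3.2', main: './dist/index.js',
  exports: { '.': { require: './dist/index.js', import: './dist/esm/index.js' } } };
const ESM_ONLY_PKG = { name: 'uuid', version: '14.0.0', type: 'module',
  exports: { '.': { import: './dist/index.js' } } };
// Constructed consumer chains in the shape `yarn why uuid` prints, plus how each loads uuid.
const CONSUMERS = [
  { chain: 'cypress#@cypress/request#uuid', loader: 'require' },
  { chain: 'webpack-dev-server#sockjs#uuid', loader: 'require' },
  { chain: 'src/elements/common/logger/Logger.js', loader: 'import' },
];
// Consumers a resolutions override forcing `forcedPkg` onto the whole tree would break.
function brokenConsumers(forcedPkg, consumers) {
  const cjsOk = isCommonJsLoadable(forcedPkg);
  return consumers.filter((c) => c.loader === 'require' && !cjsOk).map((c) => c.chain);
}
```

Running it with real manifests means feeding `require('uuid/package.json')`-style objects from node_modules in place of the constructed ones; the loader column would come from grepping each consumer for require versus import, as the bot's scripts above do.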

coderabbitai Bot left a comment

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
scripts/jest/jest.config.js (1)

14-14: ⚠️ Potential issue | 🟠 Major

Remove the ^uuid$ moduleNameMapper entry — it conflicts with uuid v14's exports field.

The transformIgnorePatterns whitelist on line 31 already handles uuid correctly. The moduleNameMapper on line 14 is redundant and can interfere with Jest's export field resolution, potentially short-circuiting to a wrong entry point. Modern versions of uuid (v14+) and Jest (27+) handle exports natively; the mapping should be removed entirely.

Current jest.config.js excerpt (lines 8–17)
    moduleNameMapper: {
        'box-ui-elements-locale-data': '<rootDir>/i18n/bundles/en-US.js',
        'box-locale-data': '<rootDir>/node_modules/@box/cldr-data/locale-data/en-US',
        '\\.(jpg|jpeg|png|gif|eot|otf|webp|svg|ttf|woff|woff2|mp4|webm|wav|mp3|m4a|aac|oga)$':
            '<rootDir>/scripts/jest/mocks/fileMock.js',
        '\\.(css|less|scss|md)$': '<rootDir>/scripts/jest/mocks/styleMock.js',
        '^uuid$': require.resolve('uuid'),
        '^react-markdown$': '<rootDir>/scripts/jest/mocks/reactMarkdownMock.js',
        '^remark-gfm$': '<rootDir>/scripts/jest/mocks/remarkGfmMock.js',
    },
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@scripts/jest/jest.config.js` at line 14, Remove the '^uuid$' entry from
moduleNameMapper in the jest configuration to avoid overriding uuid v14's export
resolution; locate the moduleNameMapper object (the mapping that currently
contains '^uuid$': require.resolve('uuid')) and delete that key/value pair so
Jest uses uuid's native exports (transformIgnorePatterns already handles uuid).

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 9a0db23c-92eb-40a4-aad7-20149e0089fd

📥 Commits

Reviewing files that changed from the base of the PR and between 6df5a98 and 6e58d05.

⛔ Files ignored due to path filters (1)
  • yarn.lock is excluded by !**/yarn.lock, !**/*.lock
📒 Files selected for processing (2)
  • package.json
  • scripts/jest/jest.config.js
🚧 Files skipped from review as they are similar to previous changes (1)
  • package.json
