
fix(scorecard): replace uuid dependency with Node.js built-in crypto.randomUUID#3371

Merged
christoph-jerolimov merged 1 commit into
redhat-developer:mainfrom
christoph-jerolimov:scorecard/bump-uuid
Jun 16, 2026

@christoph-jerolimov christoph-jerolimov commented Jun 11, 2026

Hey, I just made a Pull Request!

Closes task https://redhat.atlassian.net/browse/RHIDP-14849

Update the deprecated and 3-year-old uuid library. This replaces #2884.

The uuid package is no longer needed — Node.js provides crypto.randomUUID natively.

This removes the dependency from both scorecard-backend and scorecard-node.

This is aligned with backstage/backstage#34035

✔️ Checklist

  • A changeset describing the change and affected packages. (more info)
  • Added or Updated documentation
  • Tests for new functionality and regression tests for bug fixes
  • Screenshots attached (for UI changes)

rhdh-gh-app Bot commented Jun 11, 2026

Changed Packages

| Package Name | Package Path | Changeset Bump | Current Version |
| --- | --- | --- | --- |
| @red-hat-developer-hub/backstage-plugin-scorecard-backend | workspaces/scorecard/plugins/scorecard-backend | patch | v2.7.9 |
| @red-hat-developer-hub/backstage-plugin-scorecard-node | workspaces/scorecard/plugins/scorecard-node | patch | v2.7.9 |

rhdh-qodo-merge Bot commented Jun 11, 2026
Code Review by Qodo

🐞 Bugs (0) 📘 Rule violations (0) 📎 Requirement gaps (0)

Great, no issues found!

Qodo reviewed your code and found no material issues that require review

fullsend-ai-review Bot commented Jun 11, 2026

🤖 Finished Review · ✅ Success · Started 8:33 AM UTC · Completed 8:37 AM UTC
Commit: f5e1232

@rhdh-qodo-merge


PR Summary by Qodo

Scorecard: bump uuid to v14 and remove unused dependency
⚙️ Configuration changes 🕐 10-20 Minutes

Walkthroughs

Description
• Bump uuid dependency in scorecard backend from v9 to v14.
• Remove unused uuid dependency from scorecard node package.
• Add changesets to release patch versions for affected packages.
Diagram

```mermaid
graph TD
  E["Changesets"] --> A["scorecard-backend (pkg)"] --> B(("uuid v14")) --> F{{"npm registry"}}
  E --> C["scorecard-node (pkg)"] --> D["uuid removed"]

  subgraph Legend
    direction LR
    _pkg["Package"] ~~~ _dep(("Dependency")) ~~~ _ext{{"External"}}
  end
```

High-Level Assessment

The following are alternative approaches to this PR:

1. Use Node.js built-in `crypto.randomUUID()`
  • ➕ Removes third-party uuid dependency entirely (where only v4 is needed)
  • ➕ Reduces supply-chain surface and dependency maintenance
  • ➖ Requires validating Node runtime minimum versions across all supported environments
  • ➖ Only covers specific UUID generation needs (not all uuid library features)
2. Centralize UUID generation behind a shared helper (scorecard-common)
  • ➕ Keeps UUID usage consistent and makes future swaps simpler
  • ➕ Avoids repeated dependency decisions across packages
  • ➖ Adds indirection and may require a small refactor beyond a simple bump
  • ➖ Not necessary if only one package actually needs uuid

Recommendation: The current approach (bump backend to uuid v14 and remove the unused node dependency) is the right minimal-change fix for deprecation. Consider crypto.randomUUID() only if the code uses basic UUID generation and the Node version baseline is guaranteed; otherwise, keep uuid v14.

File Changes

Other (4)
brave-baths-strive.md Add changeset for backend uuid bump +5/-0

• Introduces a patch changeset for '@red-hat-developer-hub/backstage-plugin-scorecard-backend'. Documents the uuid upgrade from v9 to v14 for release notes/versioning.

workspaces/scorecard/.changeset/brave-baths-strive.md


ninety-squids-move.md Add changeset for removing unused uuid from node package +5/-0

• Introduces a patch changeset for '@red-hat-developer-hub/backstage-plugin-scorecard-node'. Records removal of the unused uuid dependency for the upcoming release.

workspaces/scorecard/.changeset/ninety-squids-move.md


package.json Bump uuid dependency to ^14.0.0 +1/-1

• Updates the backend plugin's 'uuid' dependency from '^9.0.1' to '^14.0.0' to address deprecation and staleness.

workspaces/scorecard/plugins/scorecard-backend/package.json


package.json Remove uuid dependency from scorecard-node +1/-2

• Drops 'uuid' from the node package dependencies, indicating it is no longer used/required. Keeps the workspace dependency on 'scorecard-common' unchanged.

workspaces/scorecard/plugins/scorecard-node/package.json


fullsend-ai-review Bot commented Jun 11, 2026

Review

Findings

Info

  • [sub-agent-failure] N/A — The style-conventions sub-agent did not return findings: model claude-sonnet-4-5@20250929 unavailable on deployment.
  • [sub-agent-failure] N/A — The intent-coherence sub-agent did not return findings: model claude-sonnet-4-5@20250929 unavailable on deployment.

The correctness sub-agent (opus) confirmed a clean, correct replacement of uuid.v4() with node:crypto.randomUUID(). Both produce RFC 4122 v4 UUIDs with no behavioral difference. The removed jest.mock('uuid') in the test file was not depended on by any assertion. No stale uuid references remain in scorecard source code. The scorecard-node package had uuid listed as a dependency but no source-level imports, so removal is safe.

Previous run

Review

Findings

No findings.

@fullsend-ai-review fullsend-ai-review Bot added the ready-for-merge All reviewers approved — ready to merge label Jun 11, 2026
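
The review above states that uuid.v4() and node:crypto.randomUUID() both produce RFC 4122 v4 UUIDs, and the Qodo assessment notes that the Node runtime baseline has to be validated. The following is an added example, not code from this PR or from the scorecard plugins, that checks both properties on the runtime it executes on; the helper names (`inspectUuid`, `requireRandomUuid`, `auditGenerator`) and the sample values are assumptions made for illustration.

```javascript
// Added example, not code from the PR; all helper names are hypothetical.
const nodeCrypto = require('node:crypto');

// Canonical text form: 8-4-4-4-12 lowercase hex, as both generators emit.
const UUID_TEXT =
  /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/;

// Decode a UUID string and report its RFC 4122 version and variant fields.
function inspectUuid(text) {
  if (typeof text !== 'string' || !UUID_TEXT.test(text)) {
    return { valid: false, version: null, rfc4122Variant: false };
  }
  const bytes = Buffer.from(text.replace(/-/g, ''), 'hex');
  return {
    valid: true,
    version: bytes[6] >> 4,                     // high nibble of octet 6
    rfc4122Variant: (bytes[8] & 0xc0) === 0x80, // octet 8 starts with bits 10
  };
}

// Fail fast when the runtime has no built-in generator instead of failing
// on the first request. Node.js added it in v14.17.0 and v15.6.0.
function requireRandomUuid(cryptoModule = nodeCrypto) {
  if (typeof cryptoModule.randomUUID !== 'function') {
    throw new Error('crypto.randomUUID is not available on this runtime');
  }
  return () => cryptoModule.randomUUID();
}

// Draw `count` IDs and count duplicates and anything that is not a v4 UUID.
function auditGenerator(generate, count) {
  const seen = new Set();
  let notV4 = 0;
  for (let i = 0; i < count; i += 1) {
    const id = generate();
    const info = inspectUuid(id);
    if (!info.valid || info.version !== 4 || !info.rfc4122Variant) notV4 += 1;
    seen.add(id);
  }
  return { count, duplicates: count - seen.size, notV4 };
}

// Constructed samples: a version 1 UUID and the nil UUID, neither is a v4.
const SAMPLE_V1 = '6ba7b810-9dad-11d1-80b4-00c04fd430c8';
const SAMPLE_NIL = '00000000-0000-0000-0000-000000000000';

console.log(auditGenerator(requireRandomUuid(), 1000));
console.log(inspectUuid(SAMPLE_V1), inspectUuid(SAMPLE_NIL));
```

Calling `requireRandomUuid()` once at plugin start-up turns a too-old runtime into an immediate, explicit error rather than a failure at the first ID generation.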
codecov Bot commented Jun 11, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 54.02%. Comparing base (e9efe2e) to head (bfe8864).
✅ All tests successful. No failed tests found.

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #3371   +/-   ##
=======================================
  Coverage   54.02%   54.02%           
=======================================
  Files        2409     2409           
  Lines       87733    87733           
  Branches    24284    24283    -1     
=======================================
  Hits        47400    47400           
  Misses      38752    38752           
  Partials     1581     1581           
| Flag | Coverage Δ | *Carryforward flag |
| --- | --- | --- |
| adoption-insights | 83.58% <ø> (ø) | Carriedforward from e9efe2e |
| ai-integrations | 70.03% <ø> (ø) | Carriedforward from e9efe2e |
| app-defaults | 69.60% <ø> (ø) | Carriedforward from e9efe2e |
| augment | 46.39% <ø> (ø) | Carriedforward from e9efe2e |
| bulk-import | 72.69% <ø> (ø) | Carriedforward from e9efe2e |
| cost-management | 17.48% <ø> (ø) | Carriedforward from e9efe2e |
| dcm | 60.27% <ø> (ø) | Carriedforward from e9efe2e |
| extensions | 62.17% <ø> (ø) | Carriedforward from e9efe2e |
| global-floating-action-button | 74.30% <ø> (ø) | Carriedforward from e9efe2e |
| global-header | 61.63% <ø> (ø) | Carriedforward from e9efe2e |
| homepage | 52.60% <ø> (ø) | Carriedforward from e9efe2e |
| install-dynamic-plugins | 56.23% <ø> (ø) | Carriedforward from e9efe2e |
| konflux | 91.01% <ø> (ø) | Carriedforward from e9efe2e |
| lightspeed | 68.62% <ø> (ø) | Carriedforward from e9efe2e |
| mcp-integrations | 85.46% <ø> (ø) | Carriedforward from e9efe2e |
| orchestrator | 37.33% <ø> (ø) | Carriedforward from e9efe2e |
| quickstart | 62.09% <ø> (ø) | Carriedforward from e9efe2e |
| sandbox | 79.56% <ø> (ø) | Carriedforward from e9efe2e |
| scorecard | 83.93% <100.00%> (ø) | |
| theme | 64.44% <ø> (ø) | Carriedforward from e9efe2e |
| translations | 8.49% <ø> (ø) | Carriedforward from e9efe2e |
| x2a | 78.79% <ø> (ø) | Carriedforward from e9efe2e |

*This pull request uses carry forward flags.

Legend:
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Last update e9efe2e...bfe8864.

@rhdh-qodo-merge rhdh-qodo-merge Bot added the enhancement New feature or request label Jun 11, 2026
…randomUUID

The uuid package is no longer needed — Node.js provides crypto.randomUUID natively.
This removes the dependency from both scorecard-backend and scorecard-node.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Christoph Jerolimov <jerolimov+git@redhat.com>
@christoph-jerolimov christoph-jerolimov changed the title chore(scorecard): update uuid dependency fix(scorecard): replace uuid dependency with Node.js built-in crypto.randomUUID Jun 16, 2026
fullsend-ai-review Bot commented Jun 16, 2026

🤖 Finished Review · ✅ Success · Started 7:53 AM UTC · Completed 7:57 AM UTC
Commit: e9efe2e

@fullsend-ai-review fullsend-ai-review Bot added ready-for-merge All reviewers approved — ready to merge and removed ready-for-merge All reviewers approved — ready to merge labels Jun 16, 2026

@dzemanov dzemanov left a comment


Tested that this works fine, thank you!

@christoph-jerolimov christoph-jerolimov merged commit efb4c4f into redhat-developer:main Jun 16, 2026
93 checks passed
@christoph-jerolimov christoph-jerolimov deleted the scorecard/bump-uuid branch June 16, 2026 10:47
Labels

enhancement New feature or request ready-for-merge All reviewers approved — ready to merge workspace/scorecard
