The satori/go.uuid library has a known vulnerability described in
CVE-2021-3538:

    A flaw was found in github.com/satori/go.uuid in versions from commit
    0ef6afb2f6cdd6cdaeee3885a95099c63f18fc8c to
    d91630c8510268e75203009fe7daf2b8e1d60c45. Due to insecure randomness in the
    g.rand.Read function the generated UUIDs are predictable for an attacker.

gofrs/uuid is a fork of satori that was created to fix the vulnerabilities, as
the original project is no longer maintained.
A detail to take into account is that gofrs forces error handling when UUID
creation fails, which only happens for v4 UUIDs when a random number couldn't be
obtained from the source. This should be a very low percentage and in practice
shouldn't happen (even less for this project as it is something you run locally
or in tests), but nevertheless the error should be handled.
As with satori, this problem still existed but it panicked when it failed; to
maintain that behaviour uuid.Must is used, which panics when an error occurs.
Satori panic reference: [1] [2]
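The behaviour the message describes, shown as an added example that is not the project's code and does not import gofrs/uuid (so it runs stand-alone): a v4 UUID is built from crypto/rand, a CSPRNG, so the identifiers are not predictable; when the random source fails the error is returned for the caller to handle, and a Must wrapper restores the old panic-on-failure behaviour. The UUID type, NewV4From, Must and failingReader below are constructed for this example; they only mirror the shape of gofrs/uuid's NewV4 and Must.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// UUID is a 16-byte RFC 4122 identifier (a type constructed for this example,
// not the gofrs/uuid type).
type UUID [16]byte

// String renders the UUID in the canonical 8-4-4-4-12 form.
func (u UUID) String() string {
	h := hex.EncodeToString(u[:])
	return h[0:8] + "-" + h[8:12] + "-" + h[12:16] + "-" + h[16:20] + "-" + h[20:32]
}

// Version and IsRFC4122Variant expose the stamped bits so they can be checked.
func (u UUID) Version() byte          { return u[6] >> 4 }
func (u UUID) IsRFC4122Variant() bool { return u[8]&0xc0 == 0x80 }

// NewV4From reads 16 random bytes from src and stamps the version (4) and
// variant (RFC 4122) bits. When the source cannot supply the bytes it returns
// an error instead of panicking, which is what the gofrs fork forces callers
// to handle.
func NewV4From(src io.Reader) (UUID, error) {
	var u UUID
	if _, err := io.ReadFull(src, u[:]); err != nil {
		return UUID{}, fmt.Errorf("uuid: random source failed: %w", err)
	}
	u[6] = (u[6] & 0x0f) | 0x40 // version 4
	u[8] = (u[8] & 0x3f) | 0x80 // variant 10xx
	return u, nil
}

// NewV4 draws from crypto/rand, so the result is not predictable.
func NewV4() (UUID, error) { return NewV4From(rand.Reader) }

// Must keeps satori's old panic-on-failure behaviour for call sites that
// cannot usefully recover, mirroring gofrs/uuid's Must.
func Must(u UUID, err error) UUID {
	if err != nil {
		panic(err)
	}
	return u
}

// failingReader is a constructed source that always fails, used to exercise
// the error path without touching the real entropy source.
type failingReader struct{}

func (failingReader) Read([]byte) (int, error) { return 0, errors.New("entropy unavailable") }

// MustPanics reports whether Must panics for the given (uuid, err) pair.
func MustPanics(u UUID, err error) (panicked bool) {
	defer func() {
		if r := recover(); r != nil {
			panicked = true
		}
	}()
	Must(u, err)
	return false
}

func main() {
	// Normal path: handle the error explicitly, as gofrs requires.
	u, err := NewV4()
	if err != nil {
		fmt.Println("could not generate UUID:", err)
		return
	}
	fmt.Println("generated:", u)

	// Failure path: the error is surfaced rather than hidden.
	if _, err := NewV4From(failingReader{}); err != nil {
		fmt.Println("expected failure:", err)
	}

	// Panic path, for code that wants satori's old behaviour back.
	fmt.Println("Must panics on failure:", MustPanics(NewV4From(failingReader{})))
}
```

In real code the failing reader is what a broken or exhausted entropy source looks like to the caller; the point of the fork's API is that this case is visible at the call site, and Must is the explicit opt-in to crashing instead.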