rse / pure-uuid

Pure JavaScript Based Universally Unique Identifiers (UUID)
https://www.npmjs.com/package/pure-uuid

Duplicate UUIDs Generated Using new UUID(4) #21

Closed vamche closed 1 year ago

vamche commented 1 year ago

Issue: We've observed that the new UUID(4) function from the pure-uuid npm package has returned identical UUIDs in a few instances, even though these instances were months apart.

Details:
Package Name: pure-uuid
Function in Question: new UUID(4)
Observed Behavior: Duplicate UUIDs generated in separate instances months apart.
Expected Behavior: UUIDs, especially v4, should be universally unique and the chances of collisions should be extremely low.

Steps to Reproduce: This issue might not be consistently reproducible given the nature of UUIDs, but it has been observed in our environment multiple times.

Request: We kindly request the maintainers look into this issue and provide a fix or clarification on the observed behavior. If there are any best practices or additional configurations that we might have missed, please advise.

Thank you for your attention to this matter.

vamche commented 1 year ago

Could this be because of the Math.random returning the same value here in the PCG?

```javascript
// pure-uuid PCG seeding as quoted in the issue: without an explicit seed,
// the state is derived from a single Math.random() call truncated to 32 bits
seed = ui64_n2i(seed !== undefined ?
            (seed >>> 0) : ((Math.random() * 0xffffffff) >>> 0));
```
rse commented 1 year ago

Yes, indeed. Math.random() is a weak PRNG, but there is no other standardized one available AFAIK except perhaps the newer window.crypto.getRandomValues(). I think I will change PureUUID to at least try to use getRandomValues() if available. In addition, PureUUID could (with a small API change) allow an external seed to be fed into it and then the application (in case it really has a better PRNG at hand) could provide the seed.

rse commented 1 year ago

I've improved the PCG PRNG seeding now with the help of the cryptographically stronger crypto.getRandomBytes().

vamche commented 1 year ago

Great, thank you for the quick resolution.