As an example, a GitHub Search reveals that UUIDv4 implementations based on a highly-voted Y2010 StackOverflow answer that uses mt_rand() are not uncommon. As per above, UUID collisions are expected after 80000 requests if nothing else uses randomness within the request.
[...]
To clean up the API and to guide developers to better alternatives, the global Mt19937 should be deprecated and then removed. The function-based API will then provide just the random_int() function which is the “secure by default” choice based on the CSPRNG.
Motivation
See https://wiki.php.net/rfc/deprecations_php_8_3#global_mersenne_twister
Effect
Random::MTRAND is only ever used if explicitly specified as a source to the util.Random constructor. The sources ::SECURE, ::FAST and ::BEST are all aliased to random_bytes() / random_int().
Future scope
We can incorporate PHP 8.2's https://www.php.net/manual/de/class.random-randomizer.php class and its engines as a source, see https://wiki.php.net/rfc/rng_extension
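
The UUIDv4 pattern the RFC excerpt warns about, next to a CSPRNG-based version, as an added example that is not part of this pull request or the RFC. The function names `uuid4_mt` and `uuid4_csprng` and the seed value are made up for illustration.

```php
<?php
// Added example: not code from the pull request, the framework or the RFC.

// Weak: all output derives from the global Mt19937 state, which is
// initialised from a 32-bit seed. At most 2^32 distinct UUID sequences
// exist, so collisions follow the birthday bound on 32 bits.
function uuid4_mt(): string {
  return sprintf(
    '%04x%04x-%04x-%04x-%04x-%04x%04x%04x',
    mt_rand(0, 0xffff), mt_rand(0, 0xffff),
    mt_rand(0, 0xffff),
    mt_rand(0, 0x0fff) | 0x4000,  // version nibble = 4
    mt_rand(0, 0x3fff) | 0x8000,  // variant bits = 10
    mt_rand(0, 0xffff), mt_rand(0, 0xffff), mt_rand(0, 0xffff)
  );
}

// Hardened: 16 bytes from the CSPRNG, then the 6 fixed bits are set,
// leaving 122 random bits independent of any seed.
function uuid4_csprng(): string {
  $b = random_bytes(16);
  $b[6] = chr((ord($b[6]) & 0x0f) | 0x40);  // version nibble = 4
  $b[8] = chr((ord($b[8]) & 0x3f) | 0x80);  // variant bits = 10
  return vsprintf('%s%s-%s-%s-%s-%s%s%s', str_split(bin2hex($b), 4));
}

// Two "requests" that happen to start from the same seed (constructed value)
// produce the same identifier with the Mt19937-based generator.
mt_srand(12345);
$first = uuid4_mt();
mt_srand(12345);
$second = uuid4_mt();
echo "mt_rand, same seed:  ", $first, " / ", $second, "\n";
echo "identical:           ", var_export($first === $second, true), "\n";

// The CSPRNG-based generator is unaffected by mt_srand().
mt_srand(12345);
$a = uuid4_csprng();
mt_srand(12345);
$b = uuid4_csprng();
echo "CSPRNG, same seed:   ", $a, " / ", $b, "\n";
echo "identical:           ", var_export($a === $b, true), "\n";

// Both outputs are well-formed version 4 UUIDs; the format alone says
// nothing about the quality of the randomness behind it.
$v4 = '/^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/';
echo "both match v4 shape: ", var_export(
  preg_match($v4, $first) === 1 && preg_match($v4, $a) === 1, true
), "\n";
```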