chore(scorecard): update uuid dependency #3371

Open
christoph-jerolimov wants to merge 1 commit into redhat-developer:main from christoph-jerolimov:scorecard/bump-uuid
@christoph-jerolimov

Member

Hey, I just made a Pull Request!

Update deprecated and 3-year-old uuid library. This replaces #2884

✔️ Checklist

  • A changeset describing the change and affected packages. (more info)
  • Added or Updated documentation
  • Tests for new functionality and regression tests for bug fixes
  • Screenshots attached (for UI changes)

Signed-off-by: Christoph Jerolimov <jerolimov+git@redhat.com>
@rhdh-gh-app

rhdh-gh-app Bot commented Jun 11, 2026

Changed Packages

| Package Name | Package Path | Changeset Bump | Current Version |
|---|---|---|---|
| @red-hat-developer-hub/backstage-plugin-scorecard-backend | workspaces/scorecard/plugins/scorecard-backend | patch | v2.7.8 |
| @red-hat-developer-hub/backstage-plugin-scorecard-node | workspaces/scorecard/plugins/scorecard-node | patch | v2.7.8 |

@sonarqubecloud

@rhdh-qodo-merge

rhdh-qodo-merge Bot commented Jun 11, 2026

Code Review by Qodo

🐞 Bugs (0) 📘 Rule violations (0) 📎 Requirement gaps (0)

Great, no issues found!

Qodo reviewed your code and found no material issues that require review

@fullsend-ai-review

fullsend-ai-review Bot commented Jun 11, 2026

🤖 Finished Review · ✅ Success · Started 8:33 AM UTC · Completed 8:37 AM UTC
Commit: f5e1232 · View workflow run →

@rhdh-qodo-merge

PR Summary by Qodo

Scorecard: bump uuid to v14 and remove unused dependency
⚙️ Configuration changes 🕐 10-20 Minutes

Walkthroughs

Description
• Bump uuid dependency in scorecard backend from v9 to v14.
• Remove unused uuid dependency from scorecard node package.
• Add changesets to release patch versions for affected packages.
Diagram

```mermaid
graph TD
  E["Changesets"] --> A["scorecard-backend (pkg)"] --> B(("uuid v14")) --> F{{"npm registry"}}
  E --> C["scorecard-node (pkg)"] --> D["uuid removed"]

  subgraph Legend
    direction LR
    _pkg["Package"] ~~~ _dep(("Dependency")) ~~~ _ext{{"External"}}
  end
```

High-Level Assessment

The following are alternative approaches to this PR:

1. Use Node.js built-in `crypto.randomUUID()`
  • ➕ Removes third-party uuid dependency entirely (where only v4 is needed)
  • ➕ Reduces supply-chain surface and dependency maintenance
  • ➖ Requires validating Node runtime minimum versions across all supported environments
  • ➖ Only covers specific UUID generation needs (not all uuid library features)
2. Centralize UUID generation behind a shared helper (scorecard-common)
  • ➕ Keeps UUID usage consistent and makes future swaps simpler
  • ➕ Avoids repeated dependency decisions across packages
  • ➖ Adds indirection and may require a small refactor beyond a simple bump
  • ➖ Not necessary if only one package actually needs uuid

Recommendation: The current approach (bump backend to uuid v14 and remove the unused node dependency) is the right minimal-change fix for deprecation. Consider crypto.randomUUID() only if the code uses basic UUID generation and the Node version baseline is guaranteed; otherwise, keep uuid v14.

File Changes

Other (4)
brave-baths-strive.md Add changeset for backend uuid bump +5/-0

• Introduces a patch changeset for '@red-hat-developer-hub/backstage-plugin-scorecard-backend'. Documents the uuid upgrade from v9 to v14 for release notes/versioning.

workspaces/scorecard/.changeset/brave-baths-strive.md


ninety-squids-move.md Add changeset for removing unused uuid from node package +5/-0

• Introduces a patch changeset for '@red-hat-developer-hub/backstage-plugin-scorecard-node'. Records removal of the unused uuid dependency for the upcoming release.

workspaces/scorecard/.changeset/ninety-squids-move.md


package.json Bump uuid dependency to ^14.0.0 +1/-1

• Updates the backend plugin's 'uuid' dependency from '^9.0.1' to '^14.0.0' to address deprecation and staleness.

workspaces/scorecard/plugins/scorecard-backend/package.json


package.json Remove uuid dependency from scorecard-node +1/-2

• Drops 'uuid' from the node package dependencies, indicating it is no longer used/required. Keeps the workspace dependency on 'scorecard-common' unchanged.

workspaces/scorecard/plugins/scorecard-node/package.json
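
Alternatives 1 and 2 from the assessment above, combined as an added example (not code from this PR or from the scorecard plugins): a hypothetical shared helper that prefers `crypto.randomUUID()`, feature-detects it rather than assuming the Node baseline, and otherwise formats CSPRNG bytes as a version-4 UUID. The names `makeUuidGenerator`, `formatV4` and `isUuidV4` are assumptions made for illustration.

```javascript
// Added example: hypothetical helper, not project code.
const nodeCrypto = require('crypto');

const UUID_V4_RE =
  /^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/;

// Format 16 random bytes as a version-4 UUID string.
function formatV4(bytes) {
  if (bytes.length !== 16) throw new RangeError('expected 16 bytes');
  const b = Buffer.from(bytes);      // copy so the caller's buffer is not mutated
  b[6] = (b[6] & 0x0f) | 0x40;       // version nibble = 4
  b[8] = (b[8] & 0x3f) | 0x80;       // variant bits = 10xx
  const h = b.toString('hex');
  return [h.slice(0, 8), h.slice(8, 12), h.slice(12, 16),
          h.slice(16, 20), h.slice(20)].join('-');
}

// Build a generator against a given crypto implementation, so the
// fallback path for older runtimes can be exercised in tests.
function makeUuidGenerator(impl = nodeCrypto) {
  if (typeof impl.randomUUID === 'function') {
    // Built in since Node 14.17 / 15.6; no third-party dependency needed.
    return { source: 'crypto.randomUUID', newId: () => impl.randomUUID() };
  }
  // Older runtime: still backed by the CSPRNG, never Math.random().
  return { source: 'crypto.randomBytes',
           newId: () => formatV4(impl.randomBytes(16)) };
}

// Strict check for IDs crossing a trust boundary (only v4 is accepted).
function isUuidV4(value) {
  return typeof value === 'string' && UUID_V4_RE.test(value.toLowerCase());
}
```

Keeping generation behind one helper means a later swap between the built-in and the `uuid` package touches a single file, and `isUuidV4` rejects other UUID versions as well as malformed strings.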



@fullsend-ai-review

Review

Findings

No findings.

@fullsend-ai-review fullsend-ai-review Bot added the ready-for-merge All reviewers approved — ready to merge label Jun 11, 2026
@codecov

codecov Bot commented Jun 11, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 53.91%. Comparing base (f5e1232) to head (65e65c9).
⚠️ Report is 4 commits behind head on main.
✅ All tests successful. No failed tests found.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #3371      +/-   ##
==========================================
- Coverage   54.02%   53.91%   -0.11%     
==========================================
  Files        2411     2411              
  Lines       87717    87696      -21     
  Branches    24287    24288       +1     
==========================================
- Hits        47385    47279     -106     
- Misses      39984    40069      +85     
  Partials      348      348              
| Flag | Coverage Δ | *Carryforward flag |
|---|---|---|
| adoption-insights | 83.58% <ø> (ø) | Carriedforward from f5e1232 |
| ai-integrations | 70.03% <ø> (ø) | Carriedforward from f5e1232 |
| app-defaults | 69.60% <ø> (ø) | Carriedforward from f5e1232 |
| augment | 46.39% <ø> (ø) | Carriedforward from f5e1232 |
| bulk-import | 72.86% <ø> (ø) | Carriedforward from f5e1232 |
| cost-management | 17.48% <ø> (ø) | Carriedforward from f5e1232 |
| dcm | 59.86% <ø> (ø) | Carriedforward from f5e1232 |
| extensions | 62.17% <ø> (ø) | Carriedforward from f5e1232 |
| global-floating-action-button | 74.30% <ø> (ø) | Carriedforward from f5e1232 |
| global-header | 61.63% <ø> (ø) | Carriedforward from f5e1232 |
| homepage | 52.60% <ø> (ø) | Carriedforward from f5e1232 |
| install-dynamic-plugins | 56.23% <ø> (ø) | Carriedforward from f5e1232 |
| konflux | 91.01% <ø> (ø) | Carriedforward from f5e1232 |
| lightspeed | 68.49% <ø> (ø) | Carriedforward from f5e1232 |
| mcp-integrations | 85.46% <ø> (ø) | Carriedforward from f5e1232 |
| orchestrator | 37.33% <ø> (ø) | Carriedforward from f5e1232 |
| quickstart | 62.09% <ø> (ø) | Carriedforward from f5e1232 |
| sandbox | 79.56% <ø> (ø) | Carriedforward from f5e1232 |
| scorecard | 81.24% <ø> (-2.70%) ⬇️ | |
| theme | 64.54% <ø> (ø) | Carriedforward from f5e1232 |
| translations | 8.49% <ø> (ø) | Carriedforward from f5e1232 |
| x2a | 78.79% <ø> (ø) | Carriedforward from f5e1232 |

*This pull request uses carry forward flags. Click here to find out more.


Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update f5e1232...65e65c9. Read the comment docs.

@rhdh-qodo-merge rhdh-qodo-merge Bot added the enhancement New feature or request label Jun 11, 2026