Conversation

@BOXNYC

@BOXNYC BOXNYC commented Nov 10, 2025

… builds in Next.js v16

Replace Math.random() with performance.now() in uuid() for pre-rendered caching in Next.js v16. Uses `performance.now()` as the primary entropy source, mixed with a counter and simple hashing. This is a replacement for using Math.random().

🔍 Description

What changed?

Why was this change needed?

Closes #(issue_number)

📸 Screenshots/Examples

🔄 Breaking changes

  • This PR contains no breaking changes

📋 Checklist

  • I have read the Contributing Guidelines
  • My PR title follows the conventional commit format: <type>(<scope>): <description>
  • I have run npx nx format to ensure consistent code formatting
  • I have added tests for new functionality (if applicable)
  • I have updated documentation (if applicable)

@BOXNYC BOXNYC requested review from a team as code owners November 10, 2025 15:42
@mandarini mandarini added the do-not-merge Do not merge this PR. label Nov 10, 2025
@mandarini
Contributor

Hi @BOXNYC,

Thank you for the quick turnaround on this PR. I understand this is blocking for you with Next.js 16. Unfortunately, I can't merge this PR because using performance.now() as an entropy source creates security vulnerabilities:

  1. Predictable UUIDs: Timestamps are easily guessable, which is dangerous for session/auth tokens
  2. Collision risk: High-frequency operations can generate duplicate UUIDs
  3. Security regression: This downgrades security compared to even Math.random()

While I understand that crypto.getRandomValues() also fails the Next.js build (thanks for testing that), the root issue is that createBrowserClient() shouldn't be generating UUIDs during server pre-rendering at all. We need to fix this architecturally.

Workaround to Unblock You

Try deferring client initialization to client-side only, or use a client-only wrapper component. This avoids the prerender issue entirely without compromising security. Let me know if this unblocks you while we work on a proper fix.

We'll work with the team to refactor the library to defer UUID generation appropriately.

Thanks again for reporting this!

@mandarini
Contributor

I am working on a solution here: #1847 but need to discuss with team first

@BOXNYC
Author

BOXNYC commented Nov 10, 2025

The real main issue IMO pertains to createServerClient() which can't be client wrapped. It's the main reason I mention pre-rendering, for us it's an SSR issue. I realize I've been commenting on an issue reporting createBrowserClient()...

@coveralls

coveralls commented Nov 10, 2025

Coverage Status

coverage: 95.276% (+13.5%) from 81.727% when pulling 2397d80 on BOXNYC:patch-1 into 5e6dda1 on supabase:master.

Development

Successfully merging this pull request may close these issues:

Next.js 16: createBrowserClient() used Math.random() inside a Client Component without a Suspense boundary above it