Ask HN: We just had an actual UUID v4 collision...

28•mittermayr•2h ago
I know what you're thinking... and I still can't believe it, but...

This morning, our database flagged a duplicate UUID (v4). I checked, thinking it may have been a double-insert bug or something, but no.

The original UUID was from a record added in 2025 (about a year ago), and today the system inserted a new document with a fresh UUIDv4 and it came up with the exact same one:

b6133fd6-70fe-4fe3-bed6-8ca8fc9386cd

We're using this: https://www.npmjs.com/package/uuid

I thought this is technically impossible, and it will never happen, and since we're not modifying the UUIDs in any way, I really wonder how that.... is possible!? We're literally only calling:

import { v4 as uuidv4 } from "uuid";

const document_id = uuidv4();

... and then insert into the database, that's it.

Additionally, the database only has about 15.000 records, and now one collision. Statistically... impossible.

Has that ever happened to anyone?! What in the...

Comments

samdhar•2h ago
The math says no. UUID v4 has 122 bits of randomness, so collision probability for 15K records is N²/(2·2^122) ≈ 2·10^-29. That's somewhere around "fewer collisions per universe lifetime than atoms in your liver." Whatever you're seeing, the culprit is overwhelmingly somewhere else.

Things to check, in descending order of how likely they actually are:

1. Data import / migration / backup restore, perhaps? Did anyone load a CSV, run a seed script, restore a snapshot, or copy rows between environments at any point in the last year? This is what "duplicate UUID" is in 99% of cases. Check git on migrations, ops history on the DB, and ask anyone who might have been moving data around.

2. Application retry / rollback bug maybe? Code path that generates a UUID, attempts insert, fails on constraint violation, retries with the same UUID variable still in scope. Check whether UUID generation lives inside or outside the retry boundary.

3. Older versions of the uuid package in certain bundler environments would fall back to Math.random() instead of crypto.getRandomValues(). What version are you on? Anything <4.x is suspect; modern v8+/v9+ uses crypto everywhere correctly.

4. Could also be a process fork bug. If a UUID generator runs in a child process spawned from a parent that already used the PRNG, the entropy state can get copied. Rare in Node specifically, more historical in old Python/Ruby setups.

If you've ruled all of those out and the row really was generated independently a year apart via crypto.getRandomValues, go buy a lottery ticket. But it's almost certainly cause #1.

uncircle•13m ago
Statistically speaking, does extremely unlikely mean impossible? If it were replicable I'd raise my eyebrow, otherwise it's fair game, no?

As someone that enjoys the unterminable complaints about RNG in the video game scene, I would never trust any human's rationalization of random outcomes.

nubg•11m ago
You are replying to an AI bot
mschild•8m ago
> Statistically speaking, does extremely unlikely mean impossible?

No, it means extremely unlikely. Collisions can occur, as op just found out, but the chances are so abysmally small that most people don't care.

Any application I have worked on, I always had a pre-save check to see if the UUID was already present and generate a new one if it was. Don't think it ever triggered unless a bug was introduced somewhere but good practice anyway.

nubg•12m ago
Question to fellow HNers, do you recognize that this comment was written by AI?
uncircle•7m ago
I guess not, and I feel dirty now. I'm logging off for the day.
mschild•6m ago
Kind of. It reads a bit too much like tech support you'd get when asking one for help.
serf•2h ago
1 in 4.72 × 10²⁸

1 in 47.3 octillion.

I'd be suspecting a race condition or some other naive mistake, otherwise I'd be stocking up on lottery tickets.

(lol at the other user posting at the same time about the lottery ticket.. great minds and all that.)

mittermayr•2h ago
I fully agree. It makes no sense. Yet...

The only guess I have is that we originally generated UUIDv4s on a user's phone before sending them to the database, and the UUID generated this morning that collided was created on an Ubuntu server.

I don't fully know how UUIDv4s are generated and what (if anything) about the machine it's being generated on is part of the algorithm, but that's really the only change I can think of, that it used to be generated on-device by users, and for many months now, has moved to being generated on server.

stubish•1h ago
The UUIDv4 collision is statistically extremely unlikely. What is more likely is both systems used the same seed. This might be just a handful of bytes, increasing the chance of collision to one in billions or even millions.
AntiUSAbah•44m ago
You let users generate a UUID?

To be honest, the chance that you are doing something weird is probably higher than you experiencing a real UUID conflict.

How did your database 'flag' that conflict?

mittermayr•39m ago
user-generated (as in: on the user's phone) was only at the very early stages of this product, and we've since moved to on-server. It's a cash-register type of app, where the same invoice must not be stored twice. So we used to generate a fresh invoice_id (uuidv4) on the user's device for each new invoice, and a double-send of that would automatically be flagged server-side (same id twice). This has since moved on to a server-only mechanism.

The database flagged it simply by having a UNIQUE key on the invoice_id column. First entry was from 2025, second entry from today.

beardyw•1h ago
Just a stupid question, but why not append the date, even in seconds as hex. It's just a few bytes and would guarantee that everything OK now will be OK in the future?
mittermayr•1h ago
yeah, any sort of additional semi-random data could've helped prevent this, I'm sure. That, however, is also kind of the idea of UUIDv4, it has lots of randomness and time built in already.
flohofwoe•1h ago
UUID v4 consists of only random bits, no timestamp info.
mittermayr•1h ago
oh, interesting, I didn't know that and this could possibly be part of the problem perhaps depending on what's used as the seed.
flohofwoe•1h ago
You can just use a different UUID variant which includes timestamp data instead (e.g. v1 or v7), there are also variants which include the MAC address.
pan69•44m ago
> but why not append the date

And use uuid v5 to hash it :)

wg0•1h ago
Would the UUID v7 be more collision proof? Hard to say because it takes time into account but then the number of entropy bits is reduced hence the UUIDs generated exactly at the same time have more chance of a collision because the number of entropy bits is a much smaller space hence could result in collisions more easily.

Thoughts?

AntiUSAbah•47m ago
You open up every millisecond a new block. Should be even more unlikely
naikrovek•1h ago
The chance of a UUIDv4 collision is very low, but it is never zero.

If everything is done properly, then this is very likely the one and only time anyone involved in the telling or reading of this account will ever experience this.

dalmo3•1h ago
Classic gambler's fallacy!
jordiburgos•1h ago
Please, do not use b6133fd6-70fe-4fe3-bed6-8ca8fc9386cd, I checked my database and I was using it already.
mittermayr•1h ago
I knew it, we're all getting the same cheap UUIDs and the good ones are reserved for the big dogs.
Galanwe•43m ago
uuid.uuidv4() recently switched to "adaptive entropy" instead of "xmax entropy" in an effort to save costs on non-premium users.
robshep•40m ago
I'm using 16b55183-1697-496e-bc8a-854eb9aae0f3 and probably some more too. I suppose if we all post our list here, then we can all check for duplicates?
mittermayr•35m ago
We should all send our already-generated UUIDs to a shared database, we could just put it on Supabase with a shared username/password posted on HN, so we can all ensure that after generating a UUIDv4 locally, it's not used by anyone else. If it's in the database, we know it's taken.

It's a super simple mechanism, check in common worldwide UUID database, if not in there, you can use it. Perhaps if we use a START TRANSACTION, we could ensure it's not taken as we insert. But that's all easy, I'll ask Claude to wire it up, no problem.

volemo•35m ago
A site previously posted here could be useful: https://everyuuid.com/
jsnell•31m ago
You can check https://everyuuid.com/ for collisions.
adyavanapalli•42m ago
What you're talking about is so extremely rare that it's much more likely that the entire Earth is destroyed by an asteroid right this inst...
tumdum_•35m ago
Poorly seeded prng.
jdthedisciple•6m ago
most likely the culprit indeed
glaslong•15m ago
Buy some lava lamps
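
Added example, not part of any comment in this thread: the birthday bound that samdhar and serf quote, next to a simulation of the low-entropy-seed scenario that stubish and tumdum_ describe. The mulberry32 PRNG and the 16-bit seed are constructed stand-ins for a weak generator, not code from the uuid package.

```javascript
// Added example: mulberry32 and the 16-bit seed are constructed assumptions.
const webcrypto = globalThis.crypto ?? require("node:crypto").webcrypto;

// Birthday bound: P(at least one collision) for n values drawn from 2^bits.
function collisionProbability(n, bits) {
  return -Math.expm1(-(n * (n - 1)) / 2 / 2 ** bits);
}

// Format 16 bytes as a UUIDv4 (version nibble 4, variant bits 10).
function formatV4(bytes) {
  const b = Uint8Array.from(bytes);
  b[6] = (b[6] & 0x0f) | 0x40;
  b[8] = (b[8] & 0x3f) | 0x80;
  const h = Array.from(b, (x) => x.toString(16).padStart(2, "0")).join("");
  return [h.slice(0, 8), h.slice(8, 12), h.slice(12, 16), h.slice(16, 20), h.slice(20)].join("-");
}

// Deterministic PRNG: the entire output stream is fixed by the seed.
function mulberry32(seed) {
  let a = seed >>> 0;
  return () => {
    a = (a + 0x6d2b79f5) >>> 0;
    let t = Math.imul(a ^ (a >>> 15), a | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

// First UUID emitted by a process whose PRNG was seeded with `seed`.
function weakUuid(seed) {
  const rnd = mulberry32(seed);
  return formatV4(Array.from({ length: 16 }, () => Math.floor(rnd() * 256)));
}

// UUID built from the platform CSPRNG.
const strongUuid = () => formatV4(webcrypto.getRandomValues(new Uint8Array(16)));

// Number of ids out of n that repeat an earlier one.
function countDuplicates(n, gen) {
  const ids = Array.from({ length: n }, () => gen());
  return n - new Set(ids).size;
}

// Each simulated process start draws a 16-bit seed: at most 65,536 distinct ids.
const randomSeed16 = () => webcrypto.getRandomValues(new Uint16Array(1))[0];
const weakDuplicates = (n) => countDuplicates(n, () => weakUuid(randomSeed16()));
console.log(collisionProbability(15000, 122), countDuplicates(15000, strongUuid), weakDuplicates(15000));
```

Both generators emit well-formed v4 strings, so the format of a duplicated id says nothing about how much entropy produced it; the seed size is the figure to establish when triaging a duplicate.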
