Bump uuid and @hocuspocus/server

[dependabot]

Removes uuid. It's no longer used after updating ancestor dependency @hocuspocus/server. These dependencies need to be updated together.

Removes uuid

Updates @hocuspocus/server from 2.15.3 to 4.0.0

Release notes

Sourced from @​hocuspocus/server's releases.

v4.0.0

Hocuspocus v4.0 Release Notes

Hocuspocus v4 is a major release that brings cross-runtime support, improved type safety, and important bug fixes. This release focuses on making Hocuspocus run beyond Node.js -- on Bun, Deno, Cloudflare Workers, and Node with uWebSockets -- while improving the developer experience with generic Context typing and structured transaction origins.

Backward Compatibility

A v3 provider can connect to a v4 server, and a v4 provider can connect to a v3 server. The wire protocol remains compatible in both directions:

• v3 provider -> v4 server: The server accepts plain document names (no session routing key), does not require Pong responses, and handles auth messages without a provider version string.
• v4 provider -> v3 server: The provider defaults to sessionAwareness: false, so it sends plain document names. The extra version string in the auth message is ignored by the v3 server as trailing data. The provider does not require server-initiated Ping messages.
• Session awareness caveat: If sessionAwareness: true is explicitly enabled on a v4 provider connecting to a v3 server, the server will treat the composite routing key (documentName\0sessionId) as a literal document name, creating unintended documents. Keep sessionAwareness: false (the default) when connecting to a v3 server.

Highlights

Cross-Runtime Support

Hocuspocus is no longer tied to the Node.js ws library. The server now uses crossws, a universal WebSocket adapter, enabling Hocuspocus to run on:

• Node.js (with ws or uWebSockets.js)
• Bun
• Deno
• Cloudflare Workers

The built-in Server class continues to work as before for Node.js users. For other runtimes, use Hocuspocus directly with handleConnection(), which now accepts any WebSocketLike object and a web-standard Request.

Generic Context Type

All core classes and hook payloads now accept a generic Context type parameter, enabling end-to-end type safety:

interface MyContext {
  userId: string;
  permissions: string[];
}
const server = Server.configure<MyContext>({
async onAuthenticate({ context, token }) {
// context is typed as MyContext
return { userId: '123', permissions: ['read', 'write'] };
},
async onChange({ context }) {
// context.userId is typed as string
console.log(context.userId);
},
});

The generic defaults to any, so existing code without explicit typing continues to work.

... (truncated)

Changelog

Sourced from @​hocuspocus/server's changelog.

4.0.0 (2026-04-23)

Note: Version bump only for package hocuspocus

4.0.0-rc.7 (2026-04-22)

Bug Fixes

• provider-react ESM now emits a clean import { jsx } from "react/jsx-runtime" and zero CJS shims (e40afd9)

4.0.0-rc.6 (2026-04-20)

Bug Fixes

• react provider in strict mode (4f27b7f)

4.0.0-rc.5 (2026-04-16)

Features

• adds package readmes (c7d63f7)

4.0.0-rc.4 (2026-04-16)

Bug Fixes

• publishConfig for provider-react (376765f)

... (truncated)

Commits

• 1c1b348 v4.0.0
• babfca4 chore: adds per-package readme files
• d214278 v4.0.0-rc.7
• e40afd9 fix: provider-react ESM now emits a clean import { jsx } from "react/jsx-runt...
• f8b039a v4.0.0-rc.6
• 4f27b7f fix: react provider in strict mode
• 01af67e v4.0.0-rc.5
• c7d63f7 feat: adds package readmes
• 7e50dc8 v4.0.0-rc.4
• 376765f fix: publishConfig for provider-react
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​hocuspocus/server since your current version.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.