apparently uid is based on Math.random() and the author is opposed to correcting this:

https://github.com/matthewmueller/uid/blob/master/Readme.md

It's better to use node's crypto API as a source for random numbers used in authentication. uid2 is probably a better choice. https://www.npmjs.com/package/uid2