New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update dependency nanoid to v3.3.8 [SECURITY] #151

Open

renovate wants to merge 1 commit into develop from renovate/npm-nanoid-vulnerability

Contributor

renovate bot commented May 28, 2023 •

edited

Loading

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
nanoid	`3.1.9` -> `3.3.8`

GitHub Vulnerability Alerts

CVE-2021-23566

The package nanoid from 3.0.0, before 3.1.31, are vulnerable to Information Exposure via the valueOf() function which allows to reproduce the last id generated.

CVE-2024-55565

When nanoid is called with a fractional value, there were a number of undesirable effects:

in browser and non-secure, the code infinite loops on while (size--)
in node, the value of poolOffset becomes fractional, causing calls to nanoid to return zeroes until the pool is next filled
if the first call in node is a fractional argument, the initial buffer allocation fails with an error

Version 3.3.8 and 5.0.9 are fixed.

Release Notes

ai/nanoid (nanoid)

`v3.3.8`

Fixed a way to break Nano ID by passing non-integer size (by @myndzi).

`v3.3.7`

Fixed node16 TypeScript support (by Saadi Myftija).

`v3.3.6`

Fixed package.

`v3.3.5`

Backport funding information.

`v3.3.4`

Fixed --help in CLI (by @Lete114).

`v3.3.3`

Reduced size (by Anton Khlynovskiy).

`v3.3.2`

Fixed enhanced-resolve support.

`v3.3.1`

Reduced package size.

`v3.3.0`

`v3.2.0`

`v3.1.32`

Reduced async exports size (by Artyom Arutyunyan).
Moved from Jest to uvu (by Vitaly Baev).

`v3.1.31`

Fixed collision vulnerability on object in size (by Artyom Arutyunyan).

`v3.1.30`

Reduced size for project with brotli compression (by Anton Khlynovskiy).

`v3.1.29`

Reduced npm package size.

`v3.1.28`

Reduced npm package size.

`v3.1.27`

Cleaned dependencies from development tools.

`v3.1.26`

Improved performance (by Eitan Har-Shoshanim).
Reduced npm package size.

`v3.1.25`

Fixed browserify support.

`v3.1.24`

Fixed browserify support (by Artur Paikin).

`v3.1.23`

Fixed esbuild support.

`v3.1.22`

Added default and browser.default to package.exports.

`v3.1.21`

Reduced npm package size.

`v3.1.20`

Fix ES modules support.

`v3.1.19`

Reduced customAlphabet size (by Enrico Scherlies).

`v3.1.18`

Fixed package.exports.

`v3.1.17`

Added files without process.

`v3.1.16`

Speeded up Nano ID 4 times (by Peter Boyer).

`v3.1.15`

Fixed package.types path.

`v3.1.14`

Added package.types.

`v3.1.13`

Removed Node.js 15.0.0 with randomFillSync regression from engines.node.

`v3.1.12`

Improved IE 11 docs.

`v3.1.11`

Fixed asynchronous customAlphabet in browser (by @LoneRifle).

`v3.1.10`

Fix ES modules support.

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.


          Update dependency nanoid to v3.3.8 [SECURITY]

2b6a327

renovate bot changed the title ~~Update dependency nanoid to v3.1.31 [SECURITY]~~ Update dependency nanoid to v3.3.8 [SECURITY]

renovate bot force-pushed the renovate/npm-nanoid-vulnerability branch from a9d3878 to 2b6a327 Compare

December 10, 2024 13:22

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet