This repository has been archived by the owner on Jan 17, 2025. It is now read-only.

Update dependency nanoid to v3.3.8 [SECURITY] #64

Open

renovate wants to merge 1 commit into main from renovate/npm-nanoid-vulnerability

renovate bot commented Dec 10, 2024 •

edited

Loading

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
nanoid	`3.3.4` -> `3.3.8`

GitHub Vulnerability Alerts

CVE-2024-55565

When nanoid is called with a fractional value, there were a number of undesirable effects:

in browser and non-secure, the code infinite loops on while (size--)
in node, the value of poolOffset becomes fractional, causing calls to nanoid to return zeroes until the pool is next filled
if the first call in node is a fractional argument, the initial buffer allocation fails with an error

Version 3.3.8 and 5.0.9 are fixed.

Release Notes

ai/nanoid (nanoid)

`v3.3.8`

Fixed a way to break Nano ID by passing non-integer size (by @myndzi).

`v3.3.7`

Fixed node16 TypeScript support (by Saadi Myftija).

`v3.3.6`

Fixed package.

`v3.3.5`

Backport funding information.

Configuration

📅 Schedule: Branch creation - "" in timezone Europe/Oslo, Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.


          Update dependency nanoid to v3.3.8 [SECURITY]

89d9f0f

Dependency update (patch) :)

renovate bot added the security label

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Labels