[Security] Bump nanoid from 3.3.7 to 3.3.8

Dependabot requested to merge dependabot-npm_and_yarn-nanoid-3.3.8 into main

Bumps nanoid from 3.3.7 to 3.3.8. This update includes a security fix.

Vulnerabilities fixed

Predictable results in nanoid generation when given non-integer values
When nanoid is called with a fractional value, there were a number of undesirable effects:

  1. in browser and non-secure, the code infinite loops on while (size--)
  2. in node, the value of poolOffset becomes fractional, causing calls to nanoid to return zeroes until the pool is next filled
  3. if the first call in node is a fractional argument, the initial buffer allocation fails with an error

Versions 3.3.8 and 5.0.9 are fixed.

Patched versions: 3.3.8; 5.0.9
Affected versions: >= 4.0.0, < 5.0.9

Changelog

Sourced from nanoid's changelog.

3.3.8

  • Fixed a way to break Nano ID by passing non-integer size (by @myndzi).