nanoid verison is vulnerable to GHSA-mwcw-c2x4-8c55 #218
Comments
marcthe12
changed the title
|
Its used in one place and only if one isn't providing an override: And that is very much an integer value :) So the security issue is not applicable here |
It still results in the supply chain having a vulnerable dependency, which causes security tooling to complain about the risk. So, it's helpful to remove the dep on |
|
Definitely through, it seems harmless but it still adds noise and also has a risk. As I said, it probably does not even need to port just bump but that for the devs to verify. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
The package uses nanoid 4.0 series which is vulnerable to GHSA-mwcw-c2x4-8c55.
There is a fix with version 5.0.9 which is a major release although from documentation it seem that not porting will be required. Another option is to drop it as it is used in one place so some other api can be used in place (maybe something in node:crypto)
The text was updated successfully, but these errors were encountered: