
fix(deps): update dependency nanoid to v5 [security] - autoclosed #284

Closed
renovate[bot] wants to merge 1 commit into main from renovate/npm-nanoid-vulnerability
Conversation

renovate[bot] (Contributor) commented Dec 11, 2024

This PR contains the following updates:

Package | Change
nanoid  | ^4.0.0 -> ^5.0.0

GitHub Vulnerability Alerts

CVE-2024-55565

When nanoid is called with a fractional value, there were a number of undesirable effects:

  1. in browser and non-secure, the code infinite loops on while (size--)
  2. in node, the value of poolOffset becomes fractional, causing calls to nanoid to return zeroes until the pool is next filled
  3. if the first call in node is a fractional argument, the initial buffer allocation fails with an error

Versions 3.3.8 and 5.0.9 are fixed.


Release Notes

ai/nanoid (nanoid)

v5.0.9

  • Fixed a way to break Nano ID by passing non-integer size (by @​myndzi).

v5.0.8

v5.0.7

v5.0.6

  • Fixed React Native support.

v5.0.5

  • Make browser’s version faster by increasing size a little (by Samuel Elgozi).

v5.0.4

v5.0.3

  • Fixed CLI docs (by Chris Schmich).

v5.0.2

  • Fixed webcrypto import (by Divyansh Singh).

v5.0.1

  • Fixed Node.js 18 support.

v5.0.0


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot requested a review from a team as a code owner December 11, 2024 01:01
@renovate renovate bot added the dependencies Pull requests that update a dependency file label Dec 11, 2024
@renovate renovate bot enabled auto-merge (squash) December 11, 2024 01:01
@renovate renovate bot force-pushed the renovate/npm-nanoid-vulnerability branch from e00aabb to eeff4cb December 11, 2024 16:11
@renovate renovate bot force-pushed the renovate/npm-nanoid-vulnerability branch from eeff4cb to 7be4cbc April 11, 2025 16:55
@renovate renovate bot changed the title from "fix(deps): update dependency nanoid to v5 [security]" to "fix(deps): update dependency nanoid to v5 [security] - autoclosed" Apr 17, 2025
@renovate renovate bot closed this Apr 17, 2025
auto-merge was automatically disabled April 17, 2025 04:44

@renovate renovate bot deleted the renovate/npm-nanoid-vulnerability branch April 17, 2025 04:44