
fix(deps): update dependency nanoid to v5 [security] - autoclosed #5334

Closed
renovate[bot] wants to merge 1 commit into main from renovate/npm-nanoid-vulnerability

Conversation


@renovate renovate Bot commented Dec 11, 2024

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| nanoid | 4.0.2 -> 5.0.9 | age | adoption | passing | confidence |

GitHub Vulnerability Alerts

CVE-2024-55565

When nanoid is called with a fractional value, there were a number of undesirable effects:

  1. in browser and non-secure, the code infinite loops on `while (size--)`
  2. in node, the value of `poolOffset` becomes fractional, causing calls to nanoid to return zeroes until the pool is next filled
  3. if the first call in node is a fractional argument, the initial buffer allocation fails with an error

Versions 3.3.8 and 5.0.9 are fixed.


Release Notes

ai/nanoid (nanoid)

v5.0.9

Compare Source

  • Fixed a way to break Nano ID by passing non-integer size (by @myndzi).

v5.0.8

Compare Source

v5.0.7

Compare Source

v5.0.6

Compare Source

  • Fixed React Native support.

v5.0.5

Compare Source

  • Make browser’s version faster by increasing size a little (by Samuel Elgozi).

v5.0.4

Compare Source

v5.0.3

Compare Source

  • Fixed CLI docs (by Chris Schmich).

v5.0.2

Compare Source

  • Fixed webcrypto import (by Divyansh Singh).

v5.0.1

Compare Source

  • Fixed Node.js 18 support.

v5.0.0

Compare Source


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
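The advisory in the PR description explains that a fractional `size` makes the non-secure `while (size--)` loop run forever and makes the Node pool offset fractional. As an added example (not nanoid's code and not part of this PR), the block below validates `size` before it reaches any ID generator and shows, with an iteration cap, why a non-integer countdown never terminates; `demoGenerate` is a constructed stand-in generator, not nanoid itself.

```javascript
// Added example, not nanoid's own code: a size guard for ID generators and
// a bounded simulation of the `while (size--)` pattern from CVE-2024-55565.

// Rejects every value the advisory describes as harmful: non-numbers, NaN,
// Infinity and fractions fail the integer check; zero, negatives and
// oversized requests fail the range check. Returns the size when valid.
function assertValidSize(size, { max = 1024 } = {}) {
  if (typeof size !== 'number' || !Number.isInteger(size)) {
    throw new TypeError(`size must be an integer, got ${String(size)}`);
  }
  if (size < 1 || size > max) {
    throw new RangeError(`size must be between 1 and ${max}, got ${size}`);
  }
  return size;
}

// Runs the `while (size--)` countdown with an iteration cap. Returns the
// number of iterations, or -1 if the cap is hit, meaning the loop would not
// terminate. An integer size reaches 0 (falsy) and stops; a fractional size
// steps past 0 into negative values, which are all truthy in JavaScript.
function countdownIterations(size, cap = 10000) {
  let n = 0;
  while (size--) {
    if (++n > cap) return -1;
  }
  return n;
}

// Wraps any generator so an invalid size fails fast with an exception
// instead of hanging the event loop or returning degenerate output.
function safeId(generate, size) {
  return generate(assertValidSize(size));
}

// Constructed stand-in for a non-secure generator (Math.random, fixed
// alphabet). It shows the same loop shape the advisory refers to.
function demoGenerate(size) {
  const alphabet = 'abcdefghijklmnopqrstuvwxyz0123456789';
  let id = '';
  while (size--) id += alphabet[(Math.random() * alphabet.length) | 0];
  return id;
}
```

Calling `safeId(demoGenerate, 2.5)` throws a `TypeError` immediately, whereas `demoGenerate(2.5)` alone would never return.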

@renovate renovate Bot requested a review from a team as a code owner December 11, 2024 01:55
@renovate renovate Bot added the dependencies Pull requests that update a dependency file (automatic) label Dec 11, 2024
@renovate renovate Bot enabled auto-merge (squash) December 11, 2024 01:55
@renovate renovate Bot force-pushed the renovate/npm-nanoid-vulnerability branch 4 times, most recently from 3a8106c to 624e9ca Compare December 15, 2024 22:43
@renovate renovate Bot force-pushed the renovate/npm-nanoid-vulnerability branch from 624e9ca to f85338d Compare December 31, 2024 02:02
@renovate renovate Bot force-pushed the renovate/npm-nanoid-vulnerability branch from f85338d to 0d9e9f4 Compare January 13, 2025 07:09
@renovate renovate Bot force-pushed the renovate/npm-nanoid-vulnerability branch from 0d9e9f4 to 2c4a7c6 Compare January 20, 2025 16:52
@renovate renovate Bot force-pushed the renovate/npm-nanoid-vulnerability branch 2 times, most recently from c2f3921 to 61d8cd0 Compare February 24, 2025 07:03
@renovate renovate Bot force-pushed the renovate/npm-nanoid-vulnerability branch 2 times, most recently from 2f879a2 to 78c0e38 Compare March 7, 2025 04:38
@renovate renovate Bot force-pushed the renovate/npm-nanoid-vulnerability branch from 78c0e38 to bfce413 Compare March 19, 2025 17:07
@renovate renovate Bot force-pushed the renovate/npm-nanoid-vulnerability branch 2 times, most recently from b3818be to 651135d Compare April 9, 2025 01:58
@renovate renovate Bot force-pushed the renovate/npm-nanoid-vulnerability branch from 651135d to 8211f47 Compare April 9, 2025 03:44
@renovate renovate Bot changed the title fix(deps): update dependency nanoid to v5 [security] fix(deps): update dependency nanoid to v5 [security] - autoclosed Apr 21, 2025
@renovate renovate Bot closed this Apr 21, 2025
auto-merge was automatically disabled April 21, 2025 02:48

Pull request was closed

@renovate renovate Bot deleted the renovate/npm-nanoid-vulnerability branch April 21, 2025 02:48