See on npm

nanoid 5.0.7

1 security vulnerability found in version 5.0.7

Predictable results in nanoid generation when given non-integer values

medium severity CVE-2024-55565
medium severity CVE-2024-55565
Affected versions: >= 4.0.0, < 5.0.9

When nanoid is called with a fractional value, there were a number of undesirable effects:

  1. in browser and non-secure, the code infinite loops on while (size--)
  2. in node, the value of poolOffset becomes fractional, causing calls to nanoid to return zeroes until the pool is next filled
  3. if the first call in node is a fractional argument, the initial buffer allocation fails with an error

Version 3.3.8 and 5.0.9 are fixed.

No license issues detected.

This package version has a license in the source code.

This package version is available.

This package version has not been yanked and is still available for usage.