Skip to content

Update dependency nanoid to v5 [SECURITY]#165

Open
renovate[bot] wants to merge 1 commit intomainfrom
renovate/npm-nanoid-vulnerability
Open

Update dependency nanoid to v5 [SECURITY]#165
renovate[bot] wants to merge 1 commit intomainfrom
renovate/npm-nanoid-vulnerability

Conversation

@renovate
Copy link
Copy Markdown
Contributor

@renovate renovate bot commented Dec 9, 2024
edited
Loading

This PR contains the following updates:

Package Change Age Confidence
nanoid ^4.0.2^5.0.0 age confidence

GitHub Vulnerability Alerts

CVE-2024-55565

When nanoid is called with a fractional value, there were a number of undesirable effects:

  1. in browser and non-secure, the code infinite loops on while (size--)
  2. in node, the value of poolOffset becomes fractional, causing calls to nanoid to return zeroes until the pool is next filled
  3. if the first call in node is a fractional argument, the initial buffer allocation fails with an error

Version 3.3.8 and 5.0.9 are fixed.

Release Notes

ai/nanoid (nanoid)

v5.0.9

Compare Source

  • Fixed a way to break Nano ID by passing non-integer size (by @​myndzi).

v5.0.8

Compare Source

v5.0.7

Compare Source

v5.0.6

Compare Source

  • Fixed React Native support.

v5.0.5

Compare Source

  • Make browser’s version faster by increasing size a little (by Samuel Elgozi).

v5.0.4

Compare Source

v5.0.3

Compare Source

  • Fixed CLI docs (by Chris Schmich).

v5.0.2

Compare Source

  • Fixed webcrypto import (by Divyansh Singh).

v5.0.1

Compare Source

  • Fixed Node.js 18 support.

v5.0.0

Compare Source

Configuration

📅 Schedule: Branch creation - "" in timezone Europe/Berlin, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Never, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot changed the title Update dependency nanoid to v5 [SECURITY] Update dependency nanoid to v5 [SECURITY] - autoclosed Mar 27, 2026
@renovate renovate bot closed this Mar 27, 2026
@renovate renovate bot deleted the renovate/npm-nanoid-vulnerability branch March 27, 2026 02:01
@renovate renovate bot changed the title Update dependency nanoid to v5 [SECURITY] - autoclosed Update dependency nanoid to v5 [SECURITY] Mar 30, 2026
@renovate renovate bot reopened this Mar 30, 2026
@renovate renovate bot force-pushed the renovate/npm-nanoid-vulnerability branch 2 times, most recently from d0140cf to c3a113b Compare March 30, 2026 18:33
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

renovate-major

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants