jonschlinkert / randomatic

Easily generate random strings like passwords, with simple options for specifying a length and for using patterns of numeric, alpha-numeric, alphabetical, special or custom characters. (the original "generate-password")
https://github.com/jonschlinkert
MIT License
183 stars 25 forks

npm6 vulnerability #13

Closed caub closed 6 years ago

caub commented 6 years ago

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ low           │ Cryptographically Weak PRNG                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ randomatic                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ webpack-cli [dev]                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ webpack-cli > jscodeshift > micromatch > braces >            │
│               │ expand-range > fill-range > randomatic                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/157                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ low           │ Cryptographically Weak PRNG                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ randomatic                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ webpack-cli [dev]                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ webpack-cli > webpack-addons > jscodeshift > micromatch >    │
│               │ braces > expand-range > fill-range > randomatic              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/157                       │
└───────────────┴──────────────────────────────────────────────────────────────┘

jonschlinkert commented 6 years ago

1. This package was already fixed a long time ago.

2. There was never, at any point in the history of this package, any type of vulnerability whatsoever. The person who created that advisory was wrong.