mcollina / bloomrun

A js pattern matcher
MIT License

safeEqual is not safe #46

Closed StarpTech closed 7 years ago

StarpTech commented 7 years ago

@mcollina

How to reproduce

'use strict';

const Bloomrun = require('bloomrun');

const catalog = Bloomrun();

// Register 100 distinct patterns ('add0' .. 'add99'). Each one should be
// new, so lookup() must return nothing before add() is called.
for (let index = 0; index < 100; index++) {

  const pattern = {
    topic: 'math',
    cmd: 'add' + index
  };

  // Fails once 'add10' is reached: it matches the already registered 'add1'.
  const value = catalog.lookup(pattern);

  if (value) {
    console.log(pattern);
    throw new Error('Already registered!');
  }

  catalog.add(pattern, index);

}

The bug is in safeEqual

const safeEqual = require('bloomrun/lib/safeEqual');

console.log(safeEqual('add1', 'add10')); // true

You don't iterate over the longest string. add1 is equal to add10 because the characters add1[1,3] are equal to add10[1,3].

https://github.com/mcollina/bloomrun/blob/master/lib/safeEqual.js#L10

StarpTech commented 7 years ago

I created a PR: https://github.com/mcollina/bloomrun/pull/47

StarpTech commented 7 years ago

@mcollina In which case can't we use `===`?

mcollina commented 7 years ago

This is it: https://github.com/mcollina/bloomrun/issues/30