[Security] Bump nanoid from 3.3.7 to 3.3.8 (!260) · Merge requests · games / onder-ons

Dependabot requested to merge dependabot-npm_and_yarn-nanoid-3.3.8 into master Dec 10, 2024

Bumps nanoid from 3.3.7 to 3.3.8. This update includes a security fix.

Vulnerabilities fixed

Infinite loop in nanoid
nanoid (aka Nano ID) before 5.0.9 mishandles non-integer values. 3.3.8 is also a fixed version.

Patched versions: 3.3.8; 5.0.9
Affected versions: = 4.0.0, < 5.0.9

Changelog

Sourced from nanoid's changelog.

3.3.8

Fixed a way to break Nano ID by passing non-integer size (by @myndzi).

Commits

3044cd5 Release 3.3.8 version
4fe3495 Update size limit
d643045 Fix pool pollution, infinite loop (#510)
See full diff in compare view

Dependabot commands

You can trigger Dependabot actions by commenting on this MR

$dependabot recreate will recreate this MR rewriting all the manual changes and resolving conflicts

[Security] Bump nanoid from 3.3.7 to 3.3.8

3.3.8

Merge request reports