Giter Club home page Giter Club logo

Comments (3)

jonschlinkert avatar jonschlinkert commented on June 20, 2024
  1. Please only create one issue, on one repository.
  2. Please follow responsible disclosure and don't ever create issues about security or vulnerabilities. Please close the other issues.
  3. There is not now, and never was a vulnerability in this library. We added a feature to allow users to choose a more cryptographically secure function for generating random strings.
  4. Prior to that, this library did nothing at all related to that. It was for generating pseudo-random strings for things like folder names and test fixtures. We never mentioned anything related to passwords or API tokens, and no one was using it for anything like that, given that the library had something like 3 or 4 dependents before the latest major release.

from randomatic.

Berkmann18 avatar Berkmann18 commented on June 20, 2024
  1. There wre no open issues about this still problematic issue.
  2. Some of the other issues aren't of my doing especially when this package is used by a few widely used packages and that I'm not the first one to the "call".
  3. How come NPM (technically NSP and apparently also Snyk) treat that as a genuine vulnerability?
    I'm not saying it's bad to allow users to choose functions for generating random strings but it appears that the default one or something is too vulnerable.
  4. What guarantee do you have that no malicious person would exploit your code for passwords/tokens or whatever other reason?

I'm not a NSP/NPM security staff but there's surely a reason why the audits traced back to this package which lead in having this same vulnerability flagged more than enough on a few packages.

And before you jump at me for trying to help and having fewer people annoyed by the propagative warnings, you should perhaps speak to the person who audited your package and generated the audit 157.
It would be irresponsible to ignore and not do anything when there's supposedly something concerning.

from randomatic.

xehpuk avatar xehpuk commented on June 20, 2024

Please follow responsible disclosure […]

The advisory was published on April 14, 2017. This issue was created on July 23, 2018. I don't see any disclosure here?

We added a feature to allow users to choose a more cryptographically secure function for generating random strings.

Why did you see the need to add this "feature"? If this library is never ever to be used in a context where security is important, isn't this simply a performance penalty?

from randomatic.

Related Issues (16)

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.