Comments (3)
- Please only create one issue, on one repository.
- Please follow responsible disclosure and don't ever create issues about security or vulnerabilities. Please close the other issues.
- There is not now, and never was a vulnerability in this library. We added a feature to allow users to choose a more cryptographically secure function for generating random strings.
- Prior to that, this library did nothing at all related to that. It was for generating pseudo-random strings for things like folder names and test fixtures. We never mentioned anything related to passwords or API tokens, and no one was using it for anything like that, given that the library had something like 3 or 4 dependents before the latest major release.
from randomatic.
- There wre no open issues about this still problematic issue.
- Some of the other issues aren't of my doing especially when this package is used by a few widely used packages and that I'm not the first one to the "call".
- How come NPM (technically NSP and apparently also Snyk) treat that as a genuine vulnerability?
I'm not saying it's bad to allow users to choose functions for generating random strings but it appears that the default one or something is too vulnerable. - What guarantee do you have that no malicious person would exploit your code for passwords/tokens or whatever other reason?
I'm not a NSP/NPM security staff but there's surely a reason why the audits traced back to this package which lead in having this same vulnerability flagged more than enough on a few packages.
And before you jump at me for trying to help and having fewer people annoyed by the propagative warnings, you should perhaps speak to the person who audited your package and generated the audit 157.
It would be irresponsible to ignore and not do anything when there's supposedly something concerning.
from randomatic.
Please follow responsible disclosure […]
The advisory was published on April 14, 2017. This issue was created on July 23, 2018. I don't see any disclosure here?
We added a feature to allow users to choose a more cryptographically secure function for generating random strings.
Why did you see the need to add this "feature"? If this library is never ever to be used in a context where security is important, isn't this simply a performance penalty?
from randomatic.
Related Issues (16)
- New Feature For Skipping Specified Char HOT 3
- npm6 vulnerability HOT 1
- FIXED: NPM 6 vulnerability - Cryptographically Weak PRNG HOT 1
- Logo proposal HOT 2
- Exclude not working. HOT 3
- README file not showing 'Option' HOT 2
- Adding Hebrew randomize HOT 5
- Should it throw an error on `randomatic('?', 4)`? HOT 1
- not generating number HOT 1
- Typescript support? HOT 2
- There is no vulnerability
- Generate same results HOT 1
- Not always using all the types in the pattern HOT 2
- Math.random() is not HOT 5
- TypeError: Map constructor does not accept arguments HOT 2
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from randomatic.