jonschlinkert / randomatic Goto Github PK

First of all, thank you for making such useful yet easy to use library. I like this library and use it whenever I can.

Lately I have some Typescript projects, which have problem with import, so for now I still mix import with require('randomatic'), just wonder is there any plan for supporting Typescript?

Regards.

I use randomatic at work and i add locally to my project a option to randomize hebrew characters
Do you interesting in something like that in your code?

const password = randomize("aA0", 8); console.log({password}); //{ password: 'lfwWBUif' }
in this case it didn't include any Numeric character

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low │ Cryptographically Weak PRNG │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ randomatic │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ jest [dev] │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ jest > jest-cli > jest-validate > jest-config > │
│ │ jest-jasmine2 > jest-util > jest-message-util > micromatch > │
│ │ braces > expand-range > fill-range > randomatic │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/157 │
└───────────────┴──────────────────────────────────────────────────────────────┘

For those who have seen the "vulnerability" report

There is no vulnerability in randomatic, and there never was.

1. randomatic, long ago, was used for generating pseudo-random strings for unit tests and temp directory names.
2. later, we added support for cryptographically secure random strings. At that point, we said it could be used for passwords. It was a major bump.
3. then, much later, someone mistakenly assumed that randomatic was previously advertised as a password generator, which it was not, and they wanted to receive a bounty from snyk or something so they reported randomatic as having a vulnerability.

We have asked the individual who created the report to close it or remove it. They won't. Please don't complain here, or on other libraries that use this. Your time would be much better served making those same complaints on NPM or Snyk, to ask them to close that issue.

Hi, love what you've done. Found a little issue in 3.1.0

Exclude defined:
password = randomize('*', 10, { exclude: '0oOiIlL1$^()_{}[];',.' });

Output:
joPUbWOU21

Observations:
Exclude not working as we can see that o and O that were specified to be excluded are being used. Also, in other tests of mine, I see (){} being used output as well.

My Temp Workaround:
password = randomize('?', 10, {chars: 'abcdefghjkmnopqrstuvwxyzABCDEFGHJKMNPQRSTUVWXYZ123456789~!@#&+-='});

I am a graphic designer. I have a logo proposal for you. Do you have an idea? What do you say?

I found that 'option' heading is missing under API section.

The link option is not working since option tag is missing.

I added randomize("A0", 6); in a helper function. I call it first time OK. I call second time it return same result. How to return a real random?

Hi

Just started using this package. Looks nice

Used ('Aa0!', 10) as the options and the password returned was eVs)ho=pZ; which is failing to include a number.

Is the pattern simply what the generater 'could' include when generating the password and not 'must' include perhaps?

Wondering how it ended up generating a string without a number.......

Thanks

After running security audits (npm audit) on some projects I found out that packages such as jest-cli had this vulnerability due to this package.
It can be explained here: https://nodesecurity.io/advisories/157.

Recently I was working on one project and I was asked to generate a random String with numeric and letter values with specified number like 0 and specified char O as my client was getting confused in between this two char.

So I am suggesting here to add one more argument to the function with array specified value like as below.
[ '0', 'O', 'o'] so it will generate a random string without given values in array.

I get this error when I try to run it in IOS 8 - Safari
I didnt use it directly, I use react with some modules and honestly I dont know here it comes from. I only identifyed it in your module from the error Message.

randomatic('?', 4)

Currently if the chars option is not specified, the characters from undefined are used as the custom characters (including the fact that d, n and e are 2x more frequent than the remaining letters.

Should an error be thrown instead? Or maybe [a-z] used and a message logged to that effect?

The readme does indeed specify that the default is undefined, but it was still a little surprising to me that it was allowed to be coerced to a string if not user-specified.

Shouldn't use built in JS Math.random() since it will repeat itself; too dangerous to use for 'Unique ID' etc.
https://medium.com/@betable/tifu-by-using-math-random-f1c308c4fd9d#.uskhjv9vc

Might be a while before I can even copy/paste & quick test a solution from there, let alone add the 'white noise' & other repeating tests.

tr;dr: "use urandom. In browser you can use crypto.getRandomValues()" I'm not sure if V8's crypto.getRandomValues() can be exposed in node; seems to have its own crypto lib. But node does have crypto.randomBytes(size[, callback])