Nanoid version 3.1.12 is a patch-level update to the popular, tiny URL-friendly unique string ID generator, building on version 3.1.11. Both versions share the library's core characteristics: a minuscule footprint (advertised at 108 bytes, minified and gzipped), the MIT license, and authorship by Andrey Sitnik. Developers already using the library will find the upgrade seamless.
The only visible difference between the two packages is the unpacked size: 48,750 bytes for 3.1.12 against 48,644 bytes for 3.1.11, an increase of 106 bytes. A change that small is consistent with a minor fix or tweak rather than a new feature. Released on July 29, 2020, 3.1.12 arrived just two days after 3.1.11 (July 27, 2020), which points to a quick follow-up release.
For developers, 3.1.12 is a drop-in replacement for 3.1.11: the public API is identical, so upgrading between the two costs nothing. It should not, however, be mistaken for a secure version. Both advisories listed below affect 3.1.12; the first was not fixed until 3.1.31 and the second not until 3.3.8. If the quality of the generated IDs matters to you, do not stop at the latest 3.1.x patch: move to 3.3.8 or later on the 3.x line (or 5.0.9 or later on the 5.x line), and check the version actually resolved in your lockfile rather than the range in package.json.
All known vulnerabilities affecting version 3.1.12 of the package
Exposure of Sensitive Information to an Unauthorized Actor in nanoid
Versions of the nanoid package from 3.0.0 up to, but not including, 3.1.31 are vulnerable to information exposure via the valueOf() function, which allows the caller to reproduce the last ID generated. The trigger is the size argument: an object with a custom valueOf() passed in place of a number, so the exposure is limited to code paths where untrusted input can reach that parameter.
Predictable results in nanoid generation when given non-integer values
When nanoid is called with a fractional size value, there were a number of undesirable effects:
Versions 3.3.8 (on the 3.x line) and 5.0.9 (on the 5.x line) fix this issue.
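The two advisories above have a common feature: both are reached through the size argument of the generator (an object carrying its own valueOf() for the first, a non-integer number for the second). The following is an added example written for this page; it is not nanoid's own code and does not come from the package. It does two things a practitioner wants at this point: it decides whether a given nanoid version falls into the affected ranges as this page states them, and it wraps any generator with the signature generate(size) -> string so that a bad size can never reach it. The affected range for the valueOf() issue is taken verbatim from the advisory (>= 3.0.0, < 3.1.31); for the fractional-size issue the page names only the fixed versions, so treating every release below 3.3.8 and the whole 4.x line as affected is an assumption drawn from those fix versions. The function names (parseVersion, compareVersions, affectedAdvisories, strictSize, hardenedIdGenerator) are the editor's, not nanoid's.

```javascript
// Added example (editor's code, not nanoid's): audit a version against the
// two advisories on this page, and guard the `size` argument in the caller.

// Minimal "x.y.z" parser; pre-release tags and build metadata are ignored,
// which is enough for the published nanoid release numbers.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new TypeError(`not a semver version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Returns -1, 0 or 1 comparing version a to version b, numerically per part.
function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

const lt = (a, b) => compareVersions(a, b) < 0;
const gte = (a, b) => compareVersions(a, b) >= 0;

// Lists the advisories from this page that apply to `version`.
// valueOf() exposure: the range >= 3.0.0, < 3.1.31 is as stated on the page.
// Fractional size: the page gives only the fixed versions 3.3.8 and 5.0.9, so
// "everything below 3.3.8, plus all of 4.x" is an ASSUMPTION derived from them.
function affectedAdvisories(version) {
  const found = [];
  if (gte(version, '3.0.0') && lt(version, '3.1.31')) {
    found.push('valueOf() information exposure (fixed in 3.1.31)');
  }
  const major = parseVersion(version)[0];
  const fractionalAffected =
    major <= 3 ? lt(version, '3.3.8')
    : major === 4 ? true               // assumption: no 4.x fix is listed
    : major === 5 ? lt(version, '5.0.9')
    : false;
  if (fractionalAffected) {
    found.push('predictable IDs for non-integer size (fixed in 3.3.8 / 5.0.9)');
  }
  return found;
}

// Accepts only a primitive, positive, safe integer. `typeof !== 'number'`
// rejects any object (so a valueOf() trick never gets a chance to run), and
// Number.isSafeInteger rejects 21.5, NaN and Infinity.
function strictSize(size, fallback = 21) {
  if (size === undefined) return fallback;
  if (typeof size !== 'number') {
    throw new TypeError('size must be a primitive number, not ' + typeof size);
  }
  if (!Number.isSafeInteger(size) || size <= 0) {
    throw new RangeError('size must be a positive integer, got ' + size);
  }
  return size;
}

// Wraps any generator of the assumed shape `generate(size) -> string`
// (nanoid's default export has that shape) so that callers cannot pass a
// malformed size through, whatever library version is installed. The length
// check is a cheap sanity test that the generator honoured the request.
function hardenedIdGenerator(generate) {
  return (size) => {
    const n = strictSize(size);
    const id = generate(n);
    if (typeof id !== 'string' || id.length !== n) {
      throw new Error('generator returned an ID of unexpected length');
    }
    return id;
  };
}
```

In a real project the wrapper is applied once at the module boundary (for example hardenedIdGenerator(require('nanoid').nanoid)) and the wrapped function is what the rest of the code imports; validating size at that single point is simpler to review than auditing every call site, and it stays correct after the library is upgraded.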