Nanoid version 3.1.20 is a minor release following 3.1.19 of this popular, tiny, and secure unique string ID generator designed for URL-friendly use. Both versions are licensed under MIT and authored by Andrey Sitnik, and both keep the core promise of generating compact and secure IDs well-suited for web applications. The key differences lie in the package's distribution details. Version 3.1.20 has an unpacked size of 57479 bytes across 25 files, a notable increase compared to version 3.1.19, which had an unpacked size of 42041 bytes across 17 files. This suggests the newer release may incorporate additional features, optimizations, or dependencies that account for the size difference. Developers considering an upgrade should be aware of the larger footprint, though the library remains exceptionally lightweight overall. Those interested in contributing or understanding the inner workings can find the source code in the GitHub repository. Version 3.1.20 was released on December 1, 2020 at 15:15:13.191Z, the same day as 3.1.19 (00:47:05.592Z), which points to a focused follow-up update, possibly addressing bugs or minor issues identified shortly after the previous release. If you need a small, secure, and URL-friendly ID generator, nanoid is a solid choice and upgrading to 3.1.20 appears beneficial, but check the changelog for any crucial differences.
All vulnerabilities related to version 3.1.20 of the package
Exposure of Sensitive Information to an Unauthorized Actor in nanoid
The package nanoid from 3.0.0 and before 3.1.31 is vulnerable to Information Exposure via the valueOf() function, which allows the last generated id to be reproduced.
Predictable results in nanoid generation when given non-integer values
When nanoid is called with a fractional value, there are a number of undesirable effects:
Versions 3.3.8 and 5.0.9 contain the fix.