Versions of cryptiles prior to 4.1.2 are vulnerable to Insufficient Entropy. The randomDigits() method does not provide sufficient entropy and generates digits that are not evenly distributed.
Upgrade to version 4.1.2. The package is deprecated and has been moved to @hapi/cryptiles, and it is strongly recommended to use the maintained package.
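
The following is an added example, not code from cryptiles or from the advisory. It shows one common way a byte-to-digit mapping ends up unevenly distributed (the advisory does not describe the mechanism, so `b % 10` is an assumption chosen for illustration) next to a rejection-sampling version that is uniform. The names `digitHistogram`, `biasedMap`, `unbiasedMap` and `uniformDigits` are hypothetical.

```javascript
const { randomBytes } = require('node:crypto');

// Count how many of the 256 possible byte values land on each digit
// under mapByte. mapByte returns 0-9, or null when the byte is rejected.
function digitHistogram(mapByte) {
    const counts = new Array(10).fill(0);
    for (let b = 0; b < 256; ++b) {
        const d = mapByte(b);
        if (d !== null) counts[d]++;
    }
    return counts;
}

// Biased (illustrative assumption): 256 is not a multiple of 10, so
// digits 0-5 are each hit by 26 byte values and digits 6-9 by only 25.
const biasedMap = (b) => b % 10;

// Unbiased: discard bytes >= 250 so every digit is hit by exactly 25 values.
const unbiasedMap = (b) => (b < 250 ? b % 10 : null);

// Return `size` decimal digits drawn uniformly from a CSPRNG.
// `source` is a hypothetical injection point so the logic can be tested
// with fixed bytes; it defaults to crypto.randomBytes.
function uniformDigits(size, source = randomBytes) {
    if (!Number.isInteger(size) || size < 0) {
        throw new TypeError('size must be a non-negative integer');
    }
    const digits = [];
    while (digits.length < size) {
        // Ask for a few spare bytes: about 6 in 256 will be rejected.
        for (const b of source(size - digits.length + 8)) {
            const d = unbiasedMap(b);
            if (d !== null && digits.length < size) digits.push(d);
        }
    }
    return digits.join('');
}

console.log('biased  :', digitHistogram(biasedMap).join(' '));
console.log('unbiased:', digitHistogram(unbiasedMap).join(' '));
console.log('sample  :', uniformDigits(6));
```
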
github.com/advisories/GHSA-rq8g-5pc5-wrhr
github.com/hapijs/cryptiles
github.com/hapijs/cryptiles/commit/6bdcd0f6ee8ade96e7b30350bad39ee0c2ef0f9b
github.com/hapijs/cryptiles/commit/9332d4263a32b84e76bf538d7470d01ea63fa047
github.com/hapijs/cryptiles/issues/34
github.com/hapijs/cryptiles/issues/35
github.com/nodejs/security-wg/blob/master/vuln/npm/476.json
nvd.nist.gov/vuln/detail/CVE-2018-1000620
www.npmjs.com/advisories/1464
www.npmjs.com/advisories/720