nanoid verison is vulnerable to GHSA-mwcw-c2x4-8c55

[marcthe12]

The package uses nanoid 4.0 series which is vulnerable to GHSA-mwcw-c2x4-8c55.

There is a fix with version 5.0.9 which is a major release although from documentation it seem that not porting will be required. Another option is to drop it as it is used in one place so some other api can be used in place (maybe something in node:crypto)

[voxpelli]

Its used in one place and only if one isn't providing an override: 'webc-' + nanoid(5)

And that is very much an integer value :) So the security issue is not applicable here

[Eric-Arellano]

So the security issue is not applicable here

It still results in the supply chain having a vulnerable dependency, which causes security tooling to complain about the risk. So, it's helpful to remove the dep on nanoid or upgrade to v5.

[marcthe12]

Definitely through, it seems harmless but it still adds noise and also has a risk. As I said, it probably does not even need to port just bump but that for the devs to verify.