Formidable relies on hexoid to prevent guessing of filenames for untrusted executable content

[orenBerko]

Checklist

• [x] I have looked into the Readme and Examples, and have not found a suitable solution or answer.
• [x] I have searched the issues and have not found a suitable solution or answer.
• [x] I have searched the Auth0 Community forums and have not found a suitable solution or answer.
• [x] I agree to the terms within the Auth0 Code of Conduct.

Description

i got this on Dependabot alert: Package Affected versions Patched version formidable (npm)

= 2.1.0, < 2.1.3 None

Formidable (aka node-formidable) 2.1.0 through 3.x before 3.5.3 relies on hexoid to prevent guessing of filenames for untrusted executable content; however, hexoid is documented as not "cryptographically secure." (Also, there is a scenario in which only the last two characters of a hexoid string need to be guessed, but this is not often relevant.) NOTE: this does not imply that, in a typical use case, attackers will be able to exploit any hexoid behavior to upload and execute their own content.

Reproduction

check in Dependabot alerts

Additional context

No response

Lock version

13.0.0

Which browsers have you tested in?

Chrome