TypeError: randomBytes is not a function
alfredriesen opened this issue · comments
I'm using serialize-javascript on server-side in v8js (PHP) - Context. There is no crypto.randomBytes available. Is there a way to fix this?
As far as I know, you are the first person to use this on a non Node.js environment.
I'm not sure about v8js, but I think it should work if you use an older version like v2.x or v3.0.0.
If I remain on v3.0.0, then the Snyk audit does not pass.
Issues to fix by upgrading: Upgrade serialize-javascript@3.0.0 to serialize-javascript@3.1.0 to fix ✗ Arbitrary Code Injection (new) [High Severity][https://snyk.io/vuln/SNYK-JS-SERIALIZEJAVASCRIPT-570062] in serialize-javascript@3.0.0 introduced by serialize-javascript@3.0.0 and 1 other path(s)
I tried to update only minimist to v1.2.5 in yarn.lock . But Snyk continue reporting the vulnerable path. Do I have any other options?
As a workaround I implemented a bridge PHP - Javascript for this function "randomBytes":
On Javascript:
const crypto = {
randomBytes: function (val) {
let newBuffer = new Uint8Array (val)
let bytesNumbers = global.randomBytes(val) // refers to PHP $randomBytes
return newBuffer.map((number,index) => bytesNumbers[index])
},
}
On PHP:
$randomBytes = function (int $length) {
return array_map(function ($i) { return ord($i); }, str_split(random_bytes($length)));
};
Now I can update to v3.1.0