Math.random() is a PRNG, not a CSPRNG. An attacker who observes a few outputs can predict every future call. I found this exact pattern generating API keys in a 44K-star open-source codebase. Here is why it matters and the ESLint rule that catches it in 3 seconds.
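An added example, not code from the post or from the codebase it mentions: the `Math.random()` key pattern beside a CSPRNG-backed replacement in Node.js, plus a plain-text scan for the call. The function names, alphabet and sample source are assumptions, and the scan is a stand-in, not the ESLint rule the post refers to.

```javascript
const crypto = require('crypto');

// Assumed key alphabet for this example (62 characters).
const ALPHABET = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';

// WEAK: Math.random() is a non-cryptographic PRNG, so any key built
// from it has to be treated as predictable.
function weakApiKey(length = 32) {
  let key = '';
  for (let i = 0; i < length; i++) {
    key += ALPHABET[Math.floor(Math.random() * ALPHABET.length)];
  }
  return key;
}

// HARDENED: each character is drawn from the CSPRNG. crypto.randomInt(max)
// returns an integer in [0, max) and is documented to avoid modulo bias.
function strongApiKey(length = 32) {
  let key = '';
  for (let i = 0; i < length; i++) {
    key += ALPHABET[crypto.randomInt(ALPHABET.length)];
  }
  return key;
}

// When no custom alphabet is needed: 32 random bytes (256 bits)
// as unpadded URL-safe base64, which is always 43 characters.
function strongApiKeyBase64() {
  return crypto.randomBytes(32).toString('base64url');
}

// Plain-text scan: 1-based line numbers that contain a Math.random() call.
function findMathRandom(source) {
  const hits = [];
  source.split('\n').forEach((line, i) => {
    if (/\bMath\s*\.\s*random\s*\(/.test(line)) hits.push(i + 1);
  });
  return hits;
}

// Constructed sample source, used only to exercise the scan.
const SAMPLE = [
  'function makeKey() {',
  "  return 'sk_' + Math.random().toString(36).slice(2);",
  '}',
  'const id = crypto.randomUUID();',
].join('\n');
```

A text scan like `findMathRandom` also matches comments and strings; an AST-based lint rule avoids those false positives.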