fix(deps): update dependency nanoid to v5.0.9 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
nanoid	5.0.7 → 5.0.9

---

Predictable results in nanoid generation when given non-integer values

CVE-2024-55565 / GHSA-mwcw-c2x4-8c55

More information

Details

When nanoid is called with a fractional value, there were a number of undesirable effects:

1. in browser and non-secure, the code infinite loops on while (size--)
2. in node, the value of poolOffset becomes fractional, causing calls to nanoid to return zeroes until the pool is next filled
3. if the first call in node is a fractional argument, the initial buffer allocation fails with an error

Version 3.3.8 and 5.0.9 are fixed.

Severity

• CVSS Score: 4.3 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

References

• https://nvd.nist.gov/vuln/detail/CVE-2024-55565
• https://github.com/ai/nanoid/pull/510
• https://github.com/ai/nanoid/compare/3.3.7...3.3.8
• https://github.com/ai/nanoid/releases/tag/5.0.9
• https://lists.debian.org/debian-lts-announce/2024/12/msg00025.html
• https://lists.debian.org/debian-lts-announce/2025/01/msg00006.html
• https://github.com/advisories/GHSA-mwcw-c2x4-8c55

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

ai/nanoid (nanoid)

v5.0.9

Compare Source

• Fixed a way to break Nano ID by passing non-integer size (by @​myndzi).

v5.0.8

Compare Source

• Reduced customAlphabet size (by @​kirillgroshkov).

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
chirpy	Ready	Preview, Comment	Apr 27, 2026 11:33pm

[changeset-bot]

⚠️ No Changeset found

Latest commit: baea17c

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[relativeci]

#1454 Bundle Size — 2.56MiB (0%).

2c8d1dd(current) vs 3b6dffc main#1453(baseline)

Warning

Bundle contains 4 duplicate packages – View duplicate packages

Bundle metrics   1 change

	Current #1454	Baseline #1453
Initial JS	1.63MiB	1.63MiB
Initial CSS	89.92KiB	89.92KiB
Cache Invalidation	0.16%	65.38%
Chunks	60	60
Assets	80	80
Modules	1817	1817
Duplicate Modules	254	254
Duplicate Code	5.85%	5.85%
Packages	151	151
Duplicate Packages	3	3

Bundle size by type  no changes

	Current #1454	Baseline #1453
JS	2.24MiB	2.24MiB
Fonts	213.87KiB	213.87KiB
CSS	89.92KiB	89.92KiB
Other	15.35KiB	15.35KiB
IMG	1.73KiB	1.73KiB

Bundle analysis report Branch refs/pull/591/merge Project dashboard

---

^{Generated by RelativeCI Documentation Report issue}