paralleldrive/cuid2

`isCuid` incorrectly validates non-CUID strings in version `2.2.2`

kova1max opened this issue · 5 comments

I encountered a problem with the isCuid function in version 2.2.2. Specifically, the function returns true for non-CUID strings.

```js
// Version 2.x is published on npm as @paralleldrive/cuid2
const cuid = require('@paralleldrive/cuid2');

console.log(cuid.isCuid("42")); // true
```

Environment:

  • Node.js version: 22.2.0
  • package version: 2.2.2

I discovered that the isCuid function has a minLength: 2 constraint and a second argument, options, which includes both minLength and maxLength parameters. However, the options argument is missing from the type definitions in the index.d.ts file.


The type definitions should include options with minLength and maxLength as properties to accurately represent the function's behaviour.

Also, a question: Can a CUID be of length 2? 🤔

I'm also having an issue with validating strings as cuid2.

```js
isCuid("yi7rqj1trke") // true <- this is the first part of a generated cuid "yi7rqj1trke65guy7oj3imeu"
isCuid("aaaaDLL") // true
```

Are there no better indicators to look at for a valid cuid than checking if it's a string of letters and numbers within a given min/max?

> Are there no better indicators to look at for a valid cuid than checking if it's a string of letters and numbers within a given min/max?

We can perhaps improve isCuid, but because Cuid2 is a cryptographically hashed random string, and not an object instance with properties you can check, no, there is no 100% reliable way to reject strings that were NOT generated by Cuid2.
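
Added example (not part of the thread and not cuid2's own code): because a format check cannot prove that an id was generated by Cuid2, as the reply above says, use it only as a shape filter and let a lookup against issued ids decide. The names `looksLikeCuid2` and `resolveId`, the fixed length of 24 (the length of the generated id quoted in the thread) and the leading-letter rule are assumptions of this sketch.

```javascript
// Added example: hypothetical helpers, not the cuid2 API.
const DEFAULT_LENGTH = 24; // assumption: length of the id quoted in the thread

// Syntactic check only: a lowercase letter first, then [0-9a-z], within the bounds.
// Passing this check says nothing about where the string came from.
function looksLikeCuid2(id, { minLength = DEFAULT_LENGTH, maxLength = DEFAULT_LENGTH } = {}) {
  return (
    typeof id === 'string' &&
    id.length >= minLength &&
    id.length <= maxLength &&
    /^[a-z][0-9a-z]*$/.test(id)
  );
}

// Constructed stand-in for a database table keyed by id.
const issuedIds = new Set(['yi7rqj1trke65guy7oj3imeu']);

// The shape check rejects malformed input cheaply; the lookup decides
// whether the id refers to something the application actually issued.
function resolveId(id) {
  if (!looksLikeCuid2(id)) return 'malformed';
  return issuedIds.has(id) ? 'known' : 'unknown';
}

// Strings from the thread, plus one constructed well-formed id that was never issued.
for (const id of ['42', 'yi7rqj1trke', 'aaaaDLL', 'yi7rqj1trke65guy7oj3imeu', 'a'.repeat(24)]) {
  console.log(JSON.stringify(id), '->', resolveId(id));
}
```

With loose bounds such as `{ minLength: 2, maxLength: 32 }` the truncated id `yi7rqj1trke` passes the shape check again, which is why the lookup, not the format check, has to carry any trust decision.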

@ericelliott – npm version is still 2.2.2