From: http://davidbau.com/encode/seedrandom.js

// seedrandom.js version 2.2.
// Author: David Bau
// Date: 2013 Jun 15

// Version notes:
//
// The random number sequence is the same as version 1.0 for string seeds.
// Version 2.0 changed the sequence for non-string seeds.
// Version 2.1 speeds seeding and uses window.crypto to autoseed if present.
// Version 2.2 alters non-crypto autoseeding to sweep up entropy from plugins.

Hi. Thanks for the nice tool. I get here from the mathjs.

Right now, if there's no crypto on global, we will use this as the default seed: [+new Date, GLOBAL, GLOBAL.navigator && GLOBAL.navigator.plugins, GLOBAL.screen, tostring(pool)];. And then do flatten to it and convert it to a string.

But, actually, there could be some problems with this since we don't know what is existed in the user's global environment. For example, if the global environment has some Symbol values or nested Symbol values in-depth 3, then it will break by TypeError: Cannot convert a Symbol value to a string.

It's just one case that may crash the program. And there may be some others. So, I think maybe we should not use the whole user global object and do operators to it. It's a little bit out of control.

Version 10 of Node.js (code name Dubnium) has been released! 🎊

To see what happens to your code in Node.js 10, Greenkeeper has created a branch with the following changes:

• Added the new Node.js version to your .travis.yml

If you’re interested in upgrading this repo to Node.js 10, you can open a PR with these changes. Please note that this issue is just intended as a friendly reminder and the PR as a possible starting point for getting your code running on Node.js 10.

Your Greenkeeper Bot 🌴

Currently, the autoseed() function returns the following as randomly-generated seed:

    return [+new Date, GLOBAL, GLOBAL.navigator && GLOBAL.navigator.plugins,
            GLOBAL.screen, tostring(pool)];

This is nowhere near secure, probably even Math.random() is better than that when entropy is not enabled.

Node.js provides crypto.randomBytes() which is supposed to be "cryptographically strong pseudo-random." So why not add that as an option?

I stumbled upon an issue where calling seed() causes an (almost) infinite recursive loop:

• seed() is called without arguments, in which case it uses a local entropy. This entropy is generated (amongst others) from all globally defined objects.
• seed() is called via a getter on an object which is globally defined (obj.random in the example).
• hence, when creating the local entropy, seed calls the obj.random getter which calls seed again -> infinite loop

node.js example code:

var seed = require('seed-random');

var count = 0;

// create an object
var obj = {};

// expose the object globally
global.obj = obj;

Object.defineProperty(obj, 'random', {
  get: function () {
    console.log('obj.random getter');
    count++;

    // call seed inside a getter of the globally defined object
    return seed();
  },
  configurable: true,
  enumerable: true
});

// call the getter... will cause an (almost) infinite loop
var a = obj.random();
console.log('a', a);

console.log('number of recursive loops over obj.random (should be 1):', count); 
// outputs for example count = 1425

Some ideas for a solution:

• Ignore properties which are getters when creating local entropy
• Output an informative warning when this loop happens (check whether seed is called whilst it's being executed)
• Throw an error when seed is called whilst it is being executed, and when generating local entropy, catch this error and silently ignore it.