Advisories for Npm/Pbkdf2 package

On historic but declared as supported Node.js versions (0.12-2.x), pbkdf2 silently disregards Uint8Array input This only affects Node.js <3.0.0, but pbkdf2 claims to: Support Node.js >= 0.12 (and there seems to be ongoing effort in this repo to maintain that) Support Uint8Array input (input is typechecked against Uint8Array, and the error message includes e.g. "Password must be a string, a Buffer, a typed array or a DataView"

This affects both: Unsupported algos (e.g. sha3-256 / sha3-512 / sha512-256) Supported but non-normalized algos (e.g. Sha256 / Sha512 / SHA1 / sha-1 / sha-256 / sha-512) All of those work correctly in Node.js, but this polyfill silently returns highly predictable ouput Under Node.js (only with pbkdf2/browser import, unlikely) / Bun (pbkdf2 top-level import is affected), the memory is not zero-filled but is uninitialized, as Buffer.allocUnsafe is used Under browsers, …