SEC004errorFree tier

insecure-random

Non-cryptographic random is predictable and insecure for tokens/passwords

Applies to: Go, JavaScript, Python, Ruby, Rust, TypeScript

Why this matters

Python's random module and JavaScript's Math.random() are not cryptographically secure. Attackers can predict the output! For passwords, tokens, or any security purpose, use secrets (Python) or crypto.randomBytes (Node.js).

Catch it before it ships

pip install stablestack # or: npx stablestackstablestack # scans your project, SEC004 includedstablestack explain SEC004

False positive in your codebase? Suppress a single line with # noqa: SEC004