Insecure Randomness for the useof Math.random() in lcg API and defaultSource.js (security vulnerability)

[shubhamvinayak]

Since Math.random could potentially return the same value twice and it is not cryptographically secure causing the insecure randomness when we scan the code in the fortify tool.

Please confirm if there is any future plan to remove Math.random and use cryptographically secure code for getting random values.
just by using crypto API

const myArray = new Uint32Array(10);
crypto.getRandomValues(myArray);

lcg: https://github.com/d3/d3-random/blob/main/src/lcg.js#L6
deafultSource.js: https://github.com/d3/d3-random/blob/main/src/defaultSource.js#L1

Below APIs are dependent on the defaultsource which gives Math.random values
d3.uniform
d3.int
d3.normal
d3.logNormal
d3.irwinHall
d3.bates
d3.exponential
d3.pareto
d3.bernoulli
d3.geometric
d3.gamma
d3.beta
d3.binomial
d3.weibull
d3.cauchy
d3.logistic
d3.poisson

[Fil]

All the random methods accept a user-defined source. See https://observablehq.com/@d3/random-source for usage examples (including crypto and seedrandom).