Perhaps put a warning in the name since the folks who don’t read the docs are the ones you’re trying to protect?
For example: Math.RandomNotCrypto()
When someone uses that in production for cryptographic purposes (and, yes, someone is going to do that), they have to wear a dunce cap to the office for a month.
People are likely to use it in security-relevant ways without being aware that the use case constitutes “crypto”.
Exactly - I'm just generating random session ids, I'm not encrypting anything (or using any bitcoins). There's no crypto here, right?
Anakin Padme 4 Panel "right?" meme.
Math.random is a web API so you can't just rename it without breaking a large chunk of the web.
A non-breaking change would be to upgrade Math.random to be cryptographically secure - these days we know how to do this with minimal performance impact.
This is a “next time” recommendation. Short of a time machine, we can’t change published names.
And, yes, I’d be down with going cryptographically secure (for now) with existing systems.
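The session-id case raised in the thread, as an added example that is not part of any comment above: a Math.random-based generator next to one built on crypto.getRandomValues with rejection sampling, so every symbol is equally likely. The function names, the alphabet and the 22-character default are assumptions chosen for illustration.

```javascript
// Added example, not code from the thread. All names here are hypothetical.
// Web Crypto is a global in browsers and recent Node; fall back for older Node.
const webCrypto = globalThis.crypto ?? require('node:crypto').webcrypto;

// 64 URL-safe symbols, so each symbol carries exactly 6 bits.
const ALPHABET =
  'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_';

// Weak form: Math.random() is not a cryptographically secure generator,
// so ids built from it must not be used as session identifiers.
function weakSessionId(length = 22) {
  let id = '';
  for (let i = 0; i < length; i++) {
    id += ALPHABET[Math.floor(Math.random() * ALPHABET.length)];
  }
  return id;
}

// Hardened form: bytes come from the platform CSPRNG. Bytes at or above
// `limit` are discarded so that `byte % alphabet.length` has no modulo bias,
// which matters for alphabets whose size does not divide 256.
function secureToken(length = 22, alphabet = ALPHABET) {
  if (alphabet.length < 2 || alphabet.length > 256) {
    throw new RangeError('alphabet must have between 2 and 256 symbols');
  }
  const limit = 256 - (256 % alphabet.length);
  const out = [];
  const buf = new Uint8Array(Math.max(16, length * 2));
  while (out.length < length) {
    webCrypto.getRandomValues(buf);
    for (const byte of buf) {
      if (byte >= limit) continue; // reject: would skew the distribution
      out.push(alphabet[byte % alphabet.length]);
      if (out.length === length) break;
    }
  }
  return out.join('');
}

// Entropy of a uniformly chosen token, in bits.
function entropyBits(length, alphabetSize) {
  return length * Math.log2(alphabetSize);
}
```

With the defaults, a token carries 22 × 6 = 132 bits from the CSPRNG; the weak form has the same length and alphabet, which is why the two are indistinguishable by inspection.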