Vulnerability: debug package

[martinez-hugo]

Hi ! There a vulnerability identified by GitHub on debug package.

In fact, there are a ReDoS vulnerability on < 4.3.1 versions.

Affected versions of debug are vulnerable to regular expression denial of service when untrusted user input is passed into the o formatter.

As it takes 50,000 characters to block the event loop for 2 seconds, this issue is a low severity issue.

This was later re-introduced in version v3.2.0, and then repatched in versions 3.2.7 and 4.3.1.

You have more infos here : GHSA-gxpj-cx7g-858c

Do you think that you can update your package.json file in consequence ?

[martinez-hugo]

I just work on a PR #119

[nzakas]

Thanks for the note. This is pretty low severity for this package because it's not used as part of a web server, so we'll update when we do another release.

[martinez-hugo]

Do you think @nzakas that we can update ?

[nzakas]

As I said, when we do another release we can update it. Because of how this package is used, it doesn't pose any security issue.

[martinez-hugo]

Have you any idea @nzakas of when you will do another release ?
How can I help on this ?