Vulnerability: debug package #118
Comments
I just worked on a PR #119
Thanks for the note. This is pretty low severity for this package because it's not used as part of a web server, so we'll update when we do another release.
Do you think @nzakas that we can update?
As I said, when we do another release we can update it. Because of how this package is used, it doesn't pose any security issue.
Have you any idea @nzakas of when you will do another release?
Hi! There is a vulnerability identified by GitHub on the debug package.
In fact, there is a ReDoS vulnerability in versions < 4.3.1. Affected versions of debug are vulnerable to regular expression denial of service when untrusted user input is passed into the o formatter.
As it takes 50,000 characters to block the event loop for 2 seconds, this issue is a low severity issue.
This was later re-introduced in version v3.2.0, and then repatched in versions 3.2.7 and 4.3.1.
You have more info here: GHSA-gxpj-cx7g-858c
Do you think that you can update your package.json file accordingly?
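A lockfile audit for the affected debug versions described in this issue, added here as an example (not code from the debug package or from the project this issue was filed against). It applies the ranges as the issue states them, conservatively: everything below 4.3.1 counts as affected except the repatched 3.2.7 ≤ v < 4.0.0 line, because the issue does not give the original pre-3.2.0 patch version (the advisory GHSA-gxpj-cx7g-858c has the exact ranges); the `packages` map layout assumed is that of a lockfileVersion 2 or 3 package-lock.json, and the sample lock is constructed.

```javascript
// Added example: flag copies of "debug" in a parsed package-lock.json whose
// version falls in the ReDoS range given in this issue. Ranges are applied
// conservatively: < 4.3.1 is affected unless in the repatched 3.2.7..<4.0.0 line.

// Parse "1.2.3" or "v1.2.3" into a [major, minor, patch] triple.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Compare two triples; returns -1, 0 or 1.
function cmp(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// lo <= v < hi, with lo and hi given as version strings.
const inRange = (v, lo, hi) =>
  cmp(v, parseSemver(lo)) >= 0 && cmp(v, parseSemver(hi)) < 0;

// True when this debug version is in the affected range stated in the issue.
function isAffectedDebugVersion(version) {
  const v = parseSemver(version);
  if (cmp(v, parseSemver('4.3.1')) >= 0) return false; // fixed 4.x line
  if (inRange(v, '3.2.7', '4.0.0')) return false;       // repatched 3.x line
  return true;
}

// Walk the lockfile "packages" map (assumed lockfileVersion 2/3 layout) and
// report every affected copy of debug, including nested ones under other deps.
function findAffectedDebug(lock) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!path.endsWith('node_modules/debug')) continue;
    if (entry.version && isAffectedDebugVersion(entry.version)) {
      hits.push({ path, version: entry.version });
    }
  }
  return hits;
}

// Constructed sample lock fragment: one fixed top-level copy, one nested
// affected copy, one nested repatched copy.
const sampleLock = { packages: {
  'node_modules/debug': { version: '4.3.1' },
  'node_modules/some-dep/node_modules/debug': { version: '3.2.6' },
  'node_modules/other-dep/node_modules/debug': { version: '3.2.7' },
} };

console.log(findAffectedDebug(sampleLock));
```

Run it against the real lockfile with `findAffectedDebug(JSON.parse(fs.readFileSync('package-lock.json', 'utf8')))`; an empty array means no copy of debug in the affected range remains in the tree.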