Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update dependency debug to v4.3.1 [SECURITY] #1250

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Oct 3, 2023

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
debug 4.2.0 -> 4.3.1 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2017-16137

Affected versions of debug are vulnerable to regular expression denial of service when untrusted user input is passed into the o formatter.

As it takes 50,000 characters to block the event loop for 2 seconds, this issue is a low severity issue.

This was later re-introduced in version v3.2.0, and then repatched in versions 3.2.7 and 4.3.1.

Recommendation

Version 2.x.x: Update to version 2.6.9 or later.
Version 3.1.x: Update to version 3.1.0 or later.
Version 3.2.x: Update to version 3.2.7 or later.
Version 4.x.x: Update to version 4.3.1 or later.

CVE-2017-20165

A vulnerability classified as problematic has been found in debug-js debug up to 3.0.x. This affects the function useColors of the file src/node.js. The manipulation of the argument str leads to inefficient regular expression complexity. Upgrading to version 3.1.0 is able to address this issue. The name of the patch is c38a0166c266a679c8de012d4eaccec3f944e685. It is recommended to upgrade the affected component. The identifier VDB-217665 was assigned to this vulnerability. The patch has been backported to the 2.6.x branch in version 2.6.9.


Release Notes

debug-js/debug (debug)

v4.3.1

Compare Source

Patch release 4.3.1

v4.3.0

Compare Source

Minor release

  • Deprecated debugInstance.destroy(). Future major versions will not have this method; please remove it from your codebases as it currently does nothing.
  • Fixed quoted percent sign
  • Fixed memory leak within debug instances that are created dynamically

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot force-pushed the renovate/npm-debug-vulnerability branch from 5db2dc6 to 6654698 Compare October 23, 2023 13:59
@renovate renovate bot force-pushed the renovate/npm-debug-vulnerability branch from 6654698 to a933dd4 Compare November 10, 2023 22:59
@renovate renovate bot force-pushed the renovate/npm-debug-vulnerability branch from a933dd4 to 04c86c0 Compare December 3, 2023 13:16
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

0 participants