Please update debug dependency version #1013

Open
trabetti-hcl opened this issue Jan 21, 2025 · 3 comments · May be fixed by #1014

Comments

@trabetti-hcl

Can the version of debug dependency be updated (currently it is 2.6.9), as it is associated with a vulnerability?

https://www.cve.org/CVERecord?id=CVE-2017-20165

Thank you.

@UlisesGascon
Member

Thanks for reporting it @trabetti-hcl! Seems like debug@3.0.0 (https://github.com/debug-js/debug/releases/tag/3.0.0) will be compatible with Node@0.8. Do you want to create a PR?

@bjohansebas
Member

We are not affected by that vulnerability, see GHSA-9vvw-cc9w-f27h

@trabetti-hcl
Author

Thank you @UlisesGascon and @bjohansebas for replying.
Even if the vulnerability does not affect express, the automatic open source scanning tools report it.
If it is possible to upgrade to a higher version that is still compatible, it would help your users that need to run compliance scans.

@UlisesGascon UlisesGascon linked a pull request Jan 22, 2025 that will close this issue