Alternate solution to CWE-1333 | Inefficient Regular Expression Complexity
Hi, I don't know where to put this obvious suggestion, but it seems like this issue gets created multiple times and then summarily closed off.
Rather than ask for an ETA on a fix (the author has made it explicitly clear there will be no fix), consider that Checkmarx does allow suppression of a vulnerability.
The CVE reads "Arbitrary regular expressions could be injected to cause a Denial of Service attack on the user's browser, otherwise known as a ReDoS (Regular Expression Denial of Service)." If you identified that this NPM is NOT used on a browser, or some front-end where there is some possibility of injection, you could safely assume that this is not exploitable and close it off. Most likely, debug is used on the backend of your applications.
Hope this helps.
Good evening:
Sadly I have the same problem with this. And also, at my workplace there is a cybersecurity policy that restricts the use of Checkmarx's vulnerable dependencies :(
Could you please review PR fix? It seems a good solution for it.
Waiting for this fix
@The-Duuude-dot your account is less than a month old, you're spamming multiple issues, and you're pinging people unnecessarily. You're also not actually linking to any of the CVEs, just noise.
Your comments (and others like yours) that are pushy, rude, presumptuous, and entitled make me almost want to deprecate this entire package, if we're being honest. Please learn how to conduct yourself on GitHub before interacting with any of my repositories again.
As for the vulnerability.
What pisses me off is that @brunodays has not brought up the CVE with me. At all. Neither before nor after filing a report with what appears to be multiple websites. It's also filed as "network exploitable" when it is not.
I'll address this now, but only because I'm sick and tired of the endless string of behavior surrounding this package, and the JavaScript community as a whole.