
Please update debug dependency version

Open trabetti-hcl opened this issue 11 months ago • 3 comments

Can the version of the debug dependency be updated (currently it is 2.6.9), as it is associated with a vulnerability?

https://www.cve.org/CVERecord?id=CVE-2017-20165

Thank you.

trabetti-hcl avatar Jan 21 '25 04:01 trabetti-hcl

Thanks for reporting it @trabetti-hcl! Seems like [email protected] (https://github.com/debug-js/debug/releases/tag/3.0.0) will be compatible with [email protected]. Do you want to create a PR?

UlisesGascon avatar Jan 21 '25 10:01 UlisesGascon

We are not affected by that vulnerability, see https://github.com/advisories/GHSA-9vvw-cc9w-f27h

bjohansebas avatar Jan 21 '25 14:01 bjohansebas

Thank you @UlisesGascon and @bjohansebas for replying. Even if the vulnerability does not affect express, the automatic open source scanning tools report it. If it is possible to upgrade to a higher version that is still compatible, it would help your users that need to run compliance scans.

trabetti-hcl avatar Jan 22 '25 00:01 trabetti-hcl