node-http-proxy

Dependencies upgrade

Open LukaszNowakPL opened this issue 4 years ago • 0 comments

Please upgrade the versions of the dependencies the library is using.

Because of outdated dependencies, it seems node-http-proxy consumes vulnerable versions of debug. This applies to the deprecated version ranges >=3.2.0 <3.2.7 and >=4 <4.3.1.

According to debug authors (source):

Debug versions >=3.2.0 <3.2.7 || >=4 <4.3.1 have a low-severity ReDos regression when used in a Node.js environment.
It is recommended you upgrade to 3.2.7 or 4.3.1. (https://github.com/visionmedia/debug/issues/797)

Below is the current dependency tree for the debug package:

C:\Łukasz\webdev-workspace\node-http-proxy>npm ls debug
[email protected] C:\Łukasz\webdev-workspace\node-http-proxy
+-- [email protected]
| `-- [email protected]
+-- [email protected]
| `-- [email protected]
+-- [email protected]
| +-- [email protected]
| | `-- @babel/[email protected]
| |   `-- [email protected]
| `-- [email protected]
|   `-- [email protected]
+-- [email protected]
| +-- [email protected]
| +-- [email protected]
| | `-- [email protected]
| `-- [email protected]
|   `-- [email protected]
`-- [email protected]
  +-- [email protected]
  `-- [email protected]
    `-- [email protected]

LukaszNowakPL, Aug 27 '21 15:08
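The check the issue asks maintainers to act on can be automated. The following is an added example, not part of the original issue or of node-http-proxy: it walks a dependency tree in the shape produced by `npm ls debug --json` and reports every path that resolves `debug` inside the ranges quoted above. The package names and versions in `SAMPLE_TREE` are constructed, and pre-release suffixes are ignored as a simplifying assumption.

```javascript
// Vulnerable ranges quoted in the issue: >=3.2.0 <3.2.7 || >=4 <4.3.1
const VULNERABLE_RANGES = [
  { min: [3, 2, 0], max: [3, 2, 7] }, // min inclusive, max exclusive
  { min: [4, 0, 0], max: [4, 3, 1] },
];

// Parse "major.minor.patch"; pre-release/build suffixes are ignored (simplification).
function parseVersion(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(version));
  return m ? m.slice(1).map(Number) : null;
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

function isVulnerableDebug(version) {
  const v = parseVersion(version);
  if (!v) return false; // unparseable versions need manual review
  return VULNERABLE_RANGES.some(r => compare(v, r.min) >= 0 && compare(v, r.max) < 0);
}

// Walk the tree printed by `npm ls debug --json` and return every affected path.
function findVulnerableDebug(node, path = [node.name || '(root)']) {
  const hits = [];
  for (const [name, dep] of Object.entries(node.dependencies || {})) {
    const here = [...path, `${name}@${dep.version}`];
    if (name === 'debug' && isVulnerableDebug(dep.version)) hits.push(here.join(' > '));
    hits.push(...findVulnerableDebug(dep, here));
  }
  return hits;
}

// Constructed sample; package names and versions are illustrative, not from the issue.
const SAMPLE_TREE = {
  name: 'example-app', version: '1.0.0',
  dependencies: {
    'pkg-a': { version: '2.0.0', dependencies: { debug: { version: '4.1.1' } } },
    'pkg-b': { version: '1.3.0', dependencies: { debug: { version: '3.2.7' } } },
    'pkg-c': { version: '0.9.0', dependencies: {
      'pkg-d': { version: '5.0.0', dependencies: { debug: { version: '3.2.6' } } },
      debug: { version: '2.6.9' },
    } },
  },
};
console.log(findVulnerableDebug(SAMPLE_TREE));
```

Each reported path names the intermediate package that pins the affected `debug` release, which is the dependency that needs upgrading.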