forecast.io
Old version of debug dependency causes a warning in the npm audit security report
forecast.io 0.0.11 depends on debug ^0.7.2 (and forecast.io master depends on debug ^0.8.0; note that that has not been released to npm), and those versions include a security vulnerability:
https://npmjs.com/advisories/534
```
$ npm audit

                       === npm audit security report ===

┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ debug                                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >= 2.6.9 < 3.0.0 || >= 3.1.0                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ forecast.io                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ forecast.io > debug                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/534                             │
└───────────────┴──────────────────────────────────────────────────────────────┘
```
While the severity is low, it is still worth addressing to avoid generating noise in the npm audit report.
Presumably, addressing this would be a simple matter of updating the forecast.io package.json to point to a recent version of the debug package that does not contain the vulnerability.
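The reason a package.json change is the only fix: a caret range on a 0.x version (`^0.7.2` means `>=0.7.2 <0.8.0`) can never resolve to a patched `debug`, so neither `npm update` nor `npm audit fix` in a consuming project can clear the finding. The script below is an added example, not code from the forecast.io project, that checks whether a declared dependency range is fully covered by an advisory's "Patched in" expression. It handles only caret ranges and exact pins and ignores prerelease tags; the package.json fragments and the target version `^4.1.1` used for the "after" case are constructed for the example.

```javascript
// Added example (not part of the forecast.io project): decide whether a
// package.json dependency range can still resolve to a version that an npm
// advisory marks vulnerable. Only caret ranges ("^1.2.3") and exact pins
// ("1.2.3") are handled; prerelease tags are ignored.

const PATCHED_DEBUG = ">= 2.6.9 < 3.0.0 || >= 3.1.0"; // "Patched in" line from advisory 534

function parseVersion(s) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(s.trim());
  if (!m) throw new Error(`unsupported version: ${s}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Compare two versions; `null` stands for "no upper bound" (+infinity).
function cmp(a, b) {
  if (a === null) return b === null ? 0 : 1;
  if (b === null) return -1;
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

const bumpPatch = ([x, y, z]) => [x, y, z + 1];

// Turn a dependency range into the half-open interval [lo, hi) it permits.
// Caret semantics: ^1.2.3 -> <2.0.0, ^0.7.2 -> <0.8.0, ^0.0.3 -> <0.0.4.
function caretInterval(range) {
  const caret = range.startsWith("^");
  const v = parseVersion(caret ? range.slice(1) : range);
  if (!caret) return { lo: v, hi: bumpPatch(v) }; // exact pin
  const [x, y, z] = v;
  if (x > 0) return { lo: v, hi: [x + 1, 0, 0] };
  if (y > 0) return { lo: v, hi: [0, y + 1, 0] };
  return { lo: v, hi: [0, 0, z + 1] };
}

// Parse an advisory "Patched in" expression such as ">= 2.6.9 < 3.0.0 || >= 3.1.0"
// into a list of half-open intervals sorted by lower bound.
function parsePatched(expr) {
  const intervals = expr.split("||").map((alt) => {
    let lo = [0, 0, 0];
    let hi = null;
    for (const [, op, ver] of alt.matchAll(/(>=|<=|>|<)\s*(\d+\.\d+\.\d+)/g)) {
      const v = parseVersion(ver);
      if (op === ">=") lo = v;
      else if (op === ">") lo = bumpPatch(v);
      else if (op === "<") hi = v;
      else hi = bumpPatch(v);
    }
    return { lo, hi };
  });
  return intervals.sort((a, b) => cmp(a.lo, b.lo));
}

// True only if every version the range permits lies inside a patched interval.
function rangeIsPatched(range, patchedExpr) {
  const { lo, hi } = caretInterval(range);
  let cur = lo; // lowest version not yet shown to be patched
  for (const p of parsePatched(patchedExpr)) {
    if (cmp(p.lo, cur) > 0) break;      // gap of vulnerable versions before this interval
    if (cmp(p.hi, cur) > 0) cur = p.hi; // extend coverage
    if (cmp(cur, hi) >= 0) return true;
  }
  return cmp(cur, hi) >= 0;
}

// Report dependencies whose declared range is not fully covered by the advisory's fix.
function findUnpatched(pkg, advisories) {
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  return Object.entries(deps)
    .filter(([name, range]) => name in advisories && !rangeIsPatched(range, advisories[name]))
    .map(([name, range]) => ({ name, range, patchedIn: advisories[name] }));
}

// Constructed package.json fragments: the current pin and an assumed fixed one.
const before = { name: "forecast.io", version: "0.0.11", dependencies: { debug: "^0.7.2", request: "^2.88.0" } };
const after = { ...before, dependencies: { ...before.dependencies, debug: "^4.1.1" } };
const advisories = { debug: PATCHED_DEBUG };

console.log(findUnpatched(before, advisories)); // [ { name: 'debug', range: '^0.7.2', patchedIn: '>= 2.6.9 < 3.0.0 || >= 3.1.0' } ]
console.log(findUnpatched(after, advisories));  // []
```

Note that `^3.0.0` would still be reported, because the advisory excludes 3.0.0; a range is only safe when every version it can resolve to is inside a patched interval, which is why the check walks the whole interval rather than testing the minimum version alone.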