
Remove Debug Vulnerability

Open briveramelo opened this issue 4 years ago • 8 comments

Upgrading debug to 2.6.9 to eliminate the RegExp DoS low-severity vulnerability per https://www.npmjs.com/advisories/534

briveramelo avatar Jun 28 '20 20:06 briveramelo

@may215 very simple change. Would love to hear your thoughts and clear this up

briveramelo avatar Jun 30 '20 23:06 briveramelo

Checking back on this @may215

briveramelo avatar Mar 14 '21 02:03 briveramelo

@may215 @crobinson42 Can you please run npm update on this project to update the dependencies with vulnerabilities and publish an update? There is a certain irony to using a package about protection when it is the only source of known vulnerabilities in a project.

This is a simple fix.

briveramelo avatar Mar 16 '23 17:03 briveramelo

@briveramelo why are you tagging me in your comment? Quite bothersome.

crobinson42 avatar Mar 16 '23 17:03 crobinson42

Are you not a contributor of this project? I imagine you are capable of doing what I've asked.

briveramelo avatar Mar 16 '23 17:03 briveramelo

@crobinson42 The other reason, of course, is that it has been almost 3 years since I've requested this update, and now there is a 'high' level vulnerability in this dependency. Ultimately, I aim for a vulnerability-free project, and this is the one outstanding dependency. The fix is simple, but there has been no response.

I'm tagging you so this gets attention.

Accept the merge request.

briveramelo avatar Mar 16 '23 17:03 briveramelo

debug package https://github.com/advisories/GHSA-9vvw-cc9w-f27h https://github.com/advisories/GHSA-w9mr-4mfr-499f https://github.com/advisories/GHSA-gxpj-cx7g-858c

briveramelo avatar Mar 16 '23 17:03 briveramelo

@briveramelo You must not understand what a contributor and npm package owner are. I'll educate you:

Github Repository Contributor

A user who has made a change to a GitHub repo, i.e. a PR that is merged into the repo.

NPM Package Owner

A user (or users) who has control or ownership of the NPM package to publish new package versions to the NPM repository.


You obviously found my name in the commit history, and if you looked at it with a little more diligence, rather than a lazy shotgun approach, you would see I only suggested a Slack badge be added to the README.md.

I hope this explanation helps you be less annoying in the future, spread the word.


crobinson42 avatar Mar 16 '23 17:03 crobinson42