socket.io-stream

This version of debug is vulnerable to ReDoS attacks

Open epg323 opened this issue 5 years ago • 3 comments

This project uses the debug package

Debug has been tagged by the audit package as having low severity vulnerabilities.

Debug should be updated, unless there is a reason not to update it.

https://www.npmjs.com/advisories/534

epg323, Feb 18 '20 23:02

Yes, I'm having the same issue

derricktang94, Apr 13 '20 05:04

We are seeing this issue as well because we include 'serverless' which has child dependencies that use this.

yarn audit v1.22.4
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ low           │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ debug                                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >= 2.6.9 < 3.0.0 || >= 3.1.0                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ serverless                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ serverless > @serverless/components >                        │
│               │ @serverless/platform-client-china > @serverless/utils-china  │
│               │ > socket.io-stream > debug                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/534                         │
└───────────────┴──────────────────────────────────────────────────────────────┘
1 vulnerabilities found - Packages audited: 1652
Severity: 1 Low
Done in 3.22s.

The solution is to update the package.json to a newer version of 'debug' (>= 2.6.9 < 3.0.0 || >= 3.1.0 )

iamle0pard, Jun 19 '20 00:06
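The comment above reads the "Patched in" line of the audit output as a version range and asks which copies of debug fall outside it. The following is an added example, not code from socket.io-stream, yarn or any commenter: it evaluates a range written the way the audit tools print it (comparator sets joined by "||", comparators inside a set ANDed) and walks a nested dependency tree to report the path of every copy of a package whose version is not patched, in the same "a > b > c" form yarn prints. The tree, its version numbers and all function names are constructed here for illustration; only the range string and the package names along the path come from the audit output above.

```javascript
// Added example (not project code): locate unpatched copies of a package in a
// dependency tree by checking each copy's version against an advisory range.

const PATCHED_RANGE = '>= 2.6.9 < 3.0.0 || >= 3.1.0'; // "Patched in" line of the audit output

// Parse a plain x.y.z version into [major, minor, patch]; prerelease tags and
// range prefixes (^, ~) are deliberately rejected so they cannot be misread.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`not a plain semver version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Three-way compare of two parsed versions: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

const OPERATORS = {
  '>=': (c) => c >= 0,
  '<=': (c) => c <= 0,
  '>': (c) => c > 0,
  '<': (c) => c < 0,
  '=': (c) => c === 0,
};

// True when `version` lies inside `range`. The range grammar is the subset the
// audit output uses: sets separated by "||", each set a list of comparators
// that must all hold. An empty or unparseable set is an error, not a match.
function satisfies(version, range) {
  const v = parseVersion(version);
  return range.split('||').some((set) => {
    const comparators = [...set.matchAll(/(>=|<=|>|<|=)\s*(\d+\.\d+\.\d+)/g)];
    if (comparators.length === 0) throw new Error(`unparseable range set: ${set}`);
    return comparators.every(([, op, ver]) =>
      OPERATORS[op](compareVersions(v, parseVersion(ver))));
  });
}

// Walk a tree of { name, version, dependencies: [...] } nodes and return the
// "a@x > b@y > ..." path to every copy of `target` that is outside `range`.
// The root node is the application itself and is not part of the path.
function findUnpatched(root, target, range) {
  const hits = [];
  const walk = (node, path) => {
    const here = [...path, `${node.name}@${node.version}`];
    if (node.name === target && !satisfies(node.version, range)) {
      hits.push(here.join(' > '));
    }
    for (const dep of node.dependencies || []) walk(dep, here);
  };
  for (const dep of root.dependencies || []) walk(dep, []);
  return hits;
}

// Constructed tree mirroring the path in the yarn audit output; all version
// numbers here are made up for the example. The second copy of debug is a
// hoisted 4.x that must not be reported.
const sampleTree = {
  name: 'app', version: '1.0.0',
  dependencies: [
    { name: 'serverless', version: '1.70.0', dependencies: [
      { name: '@serverless/components', version: '2.30.0', dependencies: [
        { name: '@serverless/platform-client-china', version: '1.0.0', dependencies: [
          { name: '@serverless/utils-china', version: '0.1.14', dependencies: [
            { name: 'socket.io-stream', version: '0.9.1', dependencies: [
              { name: 'debug', version: '2.6.8', dependencies: [] },
            ] },
          ] },
        ] },
      ] },
      { name: 'debug', version: '4.1.1', dependencies: [] },
    ] },
  ],
};

for (const path of findUnpatched(sampleTree, 'debug', PATCHED_RANGE)) {
  console.log(`unpatched: ${path}`);
}
```

The range check treats 3.0.x as unpatched, which is what ">= 2.6.9 < 3.0.0 || >= 3.1.0" literally says; a copy of debug on a 3.0 release would therefore still be flagged, matching the audit tools. To run this against a real install, the tree can be built from `npm ls --json` or a parsed lockfile instead of the constructed one.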

By the way, for anyone who is hitting this issue due to it being a child dependency of serverless, you can update your existing package.json to include this:

"resolutions": {
   "@serverless/utils-china": "^0.1.15"
}

to fix the issue. After doing this the vulnerability goes away.

iamle0pard, Jun 19 '20 17:06