EnCiv / undebate

Not debates, but recorded online video Q&A with candidates so voters can quickly get to know them, for every candidate, for every election, across the US.

Our version of debug is vulnerable to ReDoS attacks #69

Open epg323 opened 4 years ago

epg323 commented 4 years ago

This project uses the debug package

Debug has been tagged by the audit package as having low-severity vulnerabilities.

Debug should be updated, unless there is a reason not to update it.

https://www.npmjs.com/advisories/534

ddfridley commented 4 years ago

debug is a dependency of socket.io-streams. We'd have to change the dependency, and then test it. But, socket.io-streams hasn't been updated in a while so maybe we should not use it, and implement the video upload by having the browser upload to cloudinary directly, or by switching to S3. For now, let's leave this as a low priority. Also, the risk is a low priority of denial of service which we can tolerate for now.
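Editor's note on the two comments above. The added example below is not code from the undebate project, from socket.io-streams or from the debug package itself. It assumes that npm advisory 534 is the regular-expression denial of service in debug's Node.js `%o` formatter: vulnerable versions collapsed the multi-line output of `util.inspect()` with the regex `/\s*\n\s*/g`, and the fixed releases switched to split/trim/join. Both shapes are re-implemented here, with a constructed stand-in for the inspect output and a constructed attacker payload, so the quadratic versus linear behaviour can be compared offline and the "low severity, tolerable denial of service" judgement can be checked rather than taken on faith.

```javascript
// Added example, not the project's or debug's own code. Assumes advisory 534
// is the "%o" formatter ReDoS: vulnerable shape /\s*\n\s*/g, fixed shape
// split('\n') + trim() + join(' ').

// Vulnerable shape. On a run of N whitespace characters that contains no
// newline, \s* greedily consumes the whole run, the literal \n fails, the
// engine backtracks one character at a time, and then retries from the next
// start position (global flag), so total work grows as N^2.
function collapseVulnerable(str) {
  return str.replace(/\s*\n\s*/g, ' ');
}

// Fixed shape. Every character is examined a bounded number of times: O(N).
// It also trims leading/trailing whitespace of each line, which the regex did
// not; for util.inspect() style output the two agree.
function collapseFixed(str) {
  return str.split('\n').map((line) => line.trim()).join(' ');
}

// Constructed stand-in for what util.inspect() prints for a nested object;
// this is the kind of text the "%o" formatter fed to the regex.
const INSPECT_OUTPUT =
  "{\n  user: 'alice',\n  roles: [\n    'voter',\n    'admin'\n  ]\n}";

// Constructed attacker-controlled payload: N whitespace characters and no
// newline, e.g. a string field inside an object that ends up logged with "%o".
function payload(n) {
  return ' '.repeat(n);
}

// Wall-clock milliseconds spent in collapse(input). Date.now() is used so the
// block has no Node-version or module-system dependencies.
function timeMs(collapse, input) {
  const start = Date.now();
  collapse(input);
  return Date.now() - start;
}

// Time at 2N divided by time at N: close to 2 for linear code, close to 4 for
// quadratic code. Indicative only; wall-clock noise dominates for small N.
function scalingRatio(collapse, n) {
  const small = timeMs(collapse, payload(n));
  const large = timeMs(collapse, payload(2 * n));
  return large / Math.max(small, 1);
}

// Functional check: both shapes produce the same one-line form of the
// inspect-style text.
console.log('vulnerable:', collapseVulnerable(INSPECT_OUTPUT));
console.log('fixed:     ', collapseFixed(INSPECT_OUTPUT));

// Cost check: the vulnerable regex slows down quadratically on whitespace
// runs, the fixed version does not. 50k characters is the order of magnitude
// the advisory describes as needed to stall the process for seconds.
for (const n of [5000, 10000, 20000]) {
  const v = timeMs(collapseVulnerable, payload(n));
  const f = timeMs(collapseFixed, payload(n));
  console.log(`N=${n}: vulnerable ${v} ms, fixed ${f} ms`);
}
```

Two practical points follow from this. First, the regex only runs when the `%o` argument actually reaches the formatter, and `debug` returns immediately for namespaces that are not enabled through the `DEBUG` environment variable, so a production deployment that does not enable the `socket.io-stream`-related namespaces never executes the vulnerable path; that is what makes "tolerate for now" defensible, and also what to re-check if anyone turns debugging on in production to chase a bug. Second, `npm ls debug` lists every dependency chain that pulls in `debug` and the version each one resolves to, which is the quickest way to confirm that socket.io-streams is the only path and whether a simple version bump or an `overrides`/`resolutions` entry would satisfy the audit without replacing the library.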

epg323 commented 4 years ago

Sounds good, I also created an issue on socket.io-streams to see if maybe they might be able to make that small change.