IonicaBizau / image-to-ascii

:floppy_disk: A Node.js module that converts images to ASCII art.
http://ionicabizau.net/blog/16
MIT License

security issues #61

Closed azachar closed 6 years ago

azachar commented 6 years ago

Hello, due to one of your dependencies, your plugin is marked as insecure:

"image-parser@1.2.5", "gm-tools@1.0.8", "gm@1.23.0", "debug@2.2.0"

Here is the full report log:

        "overview": "The debug module is vulnerable to regular expression denial of service when untrusted user input is passed into the `o` formatter. It takes around 50k characters to block for 2 seconds making this a low severity issue.",
        "recommendation": "Upgrade to version 2.6.9 or greater if you are on the 2.6.x series or 3.1.0 or greater.",
        "cvssVector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
        "cvssScore": 3.7,
        "module": "debug",
        "version": "2.2.0",
        "vulnerableVersions": "<= 2.6.8 || >= 3.0.0 <= 3.0.1",
        "patchedVersions": ">= 2.6.9 < 3.0.0 || >= 3.1.0",
        "title": "Regular Expression Denial of Service",
        "path": ["image-to-ascii@3.0.11", "image-parser@1.2.5", "gm-tools@1.0.8", "gm@1.23.0", "debug@2.2.0"],
        "advisory": "https://nodesecurity.io/advisories/534"

Could you please upgrade your dependencies?

Thank you!

Cheers, Andrej
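
The report above gives the advisory in a machine-readable form (module name, `vulnerableVersions`, `patchedVersions`, and the dependency path). The following is an added example, not code from the image-to-ascii project or from this thread: a small Node.js script that parses those two range strings and walks an `npm ls --json`-style dependency tree to report every path that ends in a vulnerable `debug`. The tree constants are constructed by hand to mirror the `path` array in the report (and the upgraded tree further down the thread); in practice you would feed it the parsed output of `npm ls --json`. Only the comparator operators that appear in advisories of this shape (`>=`, `<=`, `>`, `<`, `=`) are supported, which is an assumption of this example rather than a general semver implementation.

```javascript
// Added example: check an npm dependency tree against an advisory's version ranges.
// Not part of the image-to-ascii project; the trees below are constructed sample data.

// Compare two "major.minor.patch" strings numerically. Returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Parse a range in the advisory's notation: comparator sets joined by "||",
// where every comparator inside one set must hold. Assumption: only the
// operators >=, <=, >, <, = occur, each followed by a full x.y.z version.
const COMPARATOR = /(>=|<=|>|<|=)?\s*(\d+\.\d+\.\d+)/g;
function parseRange(range) {
  return range.split('||').map((set) => {
    const comparators = [];
    for (const m of set.matchAll(COMPARATOR)) {
      comparators.push({ op: m[1] || '=', version: m[2] });
    }
    // Reject anything the regex did not consume, so unsupported syntax fails loudly.
    if (comparators.length === 0 || set.replace(COMPARATOR, '').trim() !== '') {
      throw new Error(`unsupported range syntax: "${set.trim()}"`);
    }
    return comparators;
  });
}

// True when `version` is inside `range` (any "||" set whose comparators all hold).
function satisfies(version, range) {
  return parseRange(range).some((set) =>
    set.every(({ op, version: v }) => {
      const c = compareVersions(version, v);
      switch (op) {
        case '>=': return c >= 0;
        case '<=': return c <= 0;
        case '>': return c > 0;
        case '<': return c < 0;
        default: return c === 0;
      }
    })
  );
}

// Walk an `npm ls --json`-style tree ({name, version, dependencies: {name: node}})
// and return every path (as "name@version" arrays) to a vulnerable install.
function findVulnerablePaths(tree, advisory) {
  const hits = [];
  function walk(name, node, path) {
    const here = path.concat(`${name}@${node.version}`);
    if (name === advisory.module && satisfies(node.version, advisory.vulnerableVersions)) {
      hits.push(here);
    }
    for (const [dep, child] of Object.entries(node.dependencies || {})) {
      walk(dep, child, here);
    }
  }
  walk(tree.name, tree, []);
  return hits;
}

// The advisory from the report above, reduced to the fields the check needs.
const ADVISORY = {
  module: 'debug',
  vulnerableVersions: '<= 2.6.8 || >= 3.0.0 <= 3.0.1',
  patchedVersions: '>= 2.6.9 < 3.0.0 || >= 3.1.0',
};

// Constructed tree mirroring the "path" array in the report (not real npm output).
const SAMPLE_TREE = {
  name: 'image-to-ascii', version: '3.0.11',
  dependencies: {
    'image-parser': { version: '1.2.5', dependencies: {
      'gm-tools': { version: '1.0.8', dependencies: {
        gm: { version: '1.23.0', dependencies: {
          debug: { version: '2.2.0', dependencies: { ms: { version: '0.7.1' } } },
        } },
      } },
    } },
  },
};

// Constructed tree after the gm-tools/gm upgrade mentioned later in the thread.
const UPGRADED_TREE = JSON.parse(JSON.stringify(SAMPLE_TREE));
UPGRADED_TREE.dependencies['image-parser'].dependencies['gm-tools'] = {
  version: '1.0.9', dependencies: {
    gm: { version: '1.23.1', dependencies: {
      debug: { version: '3.1.0', dependencies: { ms: { version: '2.0.0' } } },
    } },
  },
};

// Report both trees; the first should list one path, the second none.
for (const [label, tree] of [['before', SAMPLE_TREE], ['after', UPGRADED_TREE]]) {
  const paths = findVulnerablePaths(tree, ADVISORY);
  console.log(`${label}: ${paths.length} vulnerable path(s)`);
  for (const p of paths) console.log('  ' + p.join(' > '));
}
```

Running the script prints one path for the tree as reported (`image-to-ascii@3.0.11 > image-parser@1.2.5 > gm-tools@1.0.8 > gm@1.23.0 > debug@2.2.0`) and none after the upgrade, because `debug@3.1.0` sits in the advisory's `patchedVersions` range. The `satisfies` check is the part worth reusing: the same two range strings decide both "is this install affected" and "does this upgrade actually fix it", so a 3.0.1 install would still be flagged even though it is newer than 2.6.9.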

IonicaBizau commented 6 years ago

Looks like I will have to upgrade gm in gm-tools. Will check it out. Thanks! 😁

IonicaBizau commented 6 years ago

I upgraded the gm package in gm-tools, but I assume it was already installing a newer version of debug:

gm-tools@1.0.9 /Users/ionicabizau/Docs/gm-tools
├─┬ gm@1.23.1
│    ...
│ └─┬ debug@3.1.0
│   └── ms@2.0.0
...

azachar commented 6 years ago

Thanks, will check it out!

On 4 Jan 2018, at 15:37, Ionică Bizău (Johnny B.) notifications@github.com wrote:

Closed #61.
