Closed BDav24 closed 6 years ago
Can you provide some output from nsp or similar, just so I know what we're talking about?
Here is the output when you run nsp from notifme-sdk: https://github.com/notifme/notifme-sdk/issues/25
Here is the output from nsp after running it on a project with a package.json that includes the latest version of node-gcm:
```
(+) 1 vulnerabilities found
┌───────────────┬───────────────────────────────────────────────────────────────────────────┐
│               │ Regular Expression Denial of Service                                      │
├───────────────┼───────────────────────────────────────────────────────────────────────────┤
│ Name          │ debug                                                                     │
├───────────────┼───────────────────────────────────────────────────────────────────────────┤
│ CVSS          │ 3.7 (Low)                                                                 │
├───────────────┼───────────────────────────────────────────────────────────────────────────┤
│ Installed     │ 0.8.1                                                                     │
├───────────────┼───────────────────────────────────────────────────────────────────────────┤
│ Vulnerable    │ <= 2.6.8 || >= 3.0.0 <= 3.0.1                                             │
├───────────────┼───────────────────────────────────────────────────────────────────────────┤
│ Patched       │ >= 2.6.9 < 3.0.0 || >= 3.1.0                                              │
├───────────────┼───────────────────────────────────────────────────────────────────────────┤
│ Path          │ tester@1.0.0 > node-gcm@0.14.6 > debug@0.8.1                              │
├───────────────┼───────────────────────────────────────────────────────────────────────────┤
│ More Info     │ https://nodesecurity.io/advisories/534                                    │
└───────────────┴───────────────────────────────────────────────────────────────────────────┘
```
It seems that updating debug would fix this, @hypesystem any reason not to do so?
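Added example, not code from node-gcm or from anyone in this thread: a small checker that parses the `Vulnerable` / `Patched` range syntax nsp prints (as in the table above) and tests resolved dependency versions against it, so a lockfile or nsp path list can be screened for the affected `debug` versions without pulling in a semver package. The advisory record and the sample dependency paths are constructed from the table in this thread.

```javascript
// Added example (not node-gcm's code): parse the nsp "Vulnerable"/"Patched"
// range syntax and test resolved versions against it, without a semver package.
function parseVersion(v) { // "v1.2.3" or "1.2.3-beta" -> [1, 2, 3]; tags ignored
  return v.replace(/^v/, '').split('-')[0].split('.').map(Number);
}
function compare(a, b) { // -1, 0 or 1 across major.minor.patch
  for (let i = 0; i < 3; i++) {
    const x = a[i] || 0, y = b[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}
// A range is "||"-separated alternatives; each alternative is a list of
// comparators such as ">= 3.0.0 <= 3.0.1" that must all hold.
function satisfies(version, range) {
  const v = parseVersion(version);
  return range.split('||').some(alt => {
    const comparators = alt.match(/(<=|>=|<|>|=)\s*\d+(\.\d+){0,2}/g) || [];
    return comparators.length > 0 && comparators.every(c => {
      const [, op, ver] = c.match(/^(<=|>=|<|>|=)\s*(.+)$/);
      const cmp = compare(v, parseVersion(ver));
      return { '<': cmp < 0, '<=': cmp <= 0, '>': cmp > 0, '>=': cmp >= 0, '=': cmp === 0 }[op];
    });
  });
}
// Advisory record, constructed from the nsp table in this thread.
const ADVISORY = {
  name: 'debug',
  vulnerable: '<= 2.6.8 || >= 3.0.0 <= 3.0.1',
  patched: '>= 2.6.9 < 3.0.0 || >= 3.1.0',
};
// Given nsp-style dependency paths ("a@1 > b@2 > c@3"), return those whose
// leaf package is the advisory's package at a version in the vulnerable range.
function findVulnerablePaths(paths, advisory) {
  return paths.filter(p => {
    const leaf = p.split('>').pop().trim();
    const at = leaf.lastIndexOf('@');
    return leaf.slice(0, at) === advisory.name &&
      satisfies(leaf.slice(at + 1), advisory.vulnerable);
  });
}
// Constructed sample input: the path reported above plus two patched cases.
const SAMPLE_PATHS = [
  'tester@1.0.0 > node-gcm@0.14.6 > debug@0.8.1',
  'tester@1.0.0 > debug@2.6.9',
  'tester@1.0.0 > node-gcm@0.14.6 > debug@3.1.0',
];
```

Running `findVulnerablePaths(SAMPLE_PATHS, ADVISORY)` returns only the `debug@0.8.1` path; the two other paths resolve to versions inside the patched range.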
Only if it breaks platform compatibility. (We need to continue supporting node 0.10.) They don't have an engine tag in the latest version, so I don't know.
If you have time to test it on node 0.10.x with newest debug, that would be great :smile:
Seems to be working :)
```
> docker run -it --rm node:0.10 bash
root@00393189f13b:/# node -v
v0.10.48
root@00393189f13b:/# echo "var debug = require('debug')('node-gcm');" > index.js
root@00393189f13b:/# echo "debug(\"Error 4xx -- no use retrying. Something is wrong with the request (probably authentication?)\");" >> index.js
root@00393189f13b:/# more index.js
var debug = require('debug')('node-gcm');
debug("Error 4xx -- no use retrying. Something is wrong with the request (probably authentication?)");
root@00393189f13b:/# npm init
This utility will walk you through creating a package.json file.
It only covers the most common items, and tries to guess sensible defaults.
See `npm help json` for definitive documentation on these fields
and exactly what they do.
Use `npm install <pkg> --save` afterwards to install a package and
save it as a dependency in the package.json file.
Press ^C at any time to quit.
name: test
version: (1.0.0)
description:
entry point: (index.js)
test command:
git repository:
keywords:
author:
license: (ISC)
About to write to /package.json:
{
  "name": "test",
  "version": "1.0.0",
  "description": "",
  "main": "index.js",
  "scripts": {
    "test": "echo \"Error: no test specified\" && exit 1"
  },
  "author": "",
  "license": "ISC"
}
Is this ok? (yes)
root@00393189f13b:/# npm i -S debug
npm WARN package.json test@1.0.0 No description
npm WARN package.json test@1.0.0 No repository field.
npm WARN package.json test@1.0.0 No README data
debug@3.1.0 node_modules/debug
└── ms@2.0.0
root@00393189f13b:/# node index.js
root@00393189f13b:/# DEBUG=node-gcm node index.js
node-gcm Error 4xx -- no use retrying. Something is wrong with the request (probably authentication?) +0ms
```
Great! If anyone wants to do a PR for this, we'll get it merged ASAP :smile:
@hypesystem PR submitted 😄
The problem comes from the debug dependency version. An upgrade should fix the problem.