socket-security[bot]
commented
3 months ago New and removed dependencies detected. Learn more about Socket for GitHub ↗︎
| Package | New capabilities | Transitives | Size | Publisher |
|---|
🚮 Removed packages: npm/@azure/core-auth@1.3.2, npm/@azure/core-client@1.3.0, npm/@azure/core-http@2.2.0, npm/@azure/core-lro@2.2.0, npm/@azure/core-paging@1.2.0, npm/@azure/core-rest-pipeline@1.3.0, npm/@azure/core-tracing@1.0.0-preview.12, npm/@azure/identity@1.5.2, npm/@azure/keyvault-keys@4.3.0, npm/@azure/keyvault-secrets@4.3.0, npm/@azure/logger@1.0.2, npm/@azure/msal-common@4.5.1, npm/@azure/msal-node@1.0.0-beta.6, npm/@celo/explorer@1.2.5, npm/@celo/governance@1.2.5, npm/@celo/wallet-hsm-azure@1.2.5, npm/@celo/wallet-hsm@1.2.5, npm/@celo/wallet-ledger@1.2.5, npm/@celo/wallet-remote@1.2.5, npm/@types/lodash@4.14.173, npm/@types/pvutils@1.0.1, npm/@types/stoppable@1.1.1, npm/@types/tunnel@0.0.3, npm/asn1js@2.1.1, npm/axios@0.21.4, npm/follow-redirects@1.14.4, npm/google-libphonenumber@3.2.23, npm/keytar@7.7.0, npm/msal@1.4.12, npm/open@7.4.2, npm/stoppable@1.1.0
This PR contains the following updates:
4.1.1->4.3.1Regular Expression Denial of Service in debug
CVE-2017-16137 / GHSA-gxpj-cx7g-858c
More information
#### Details Affected versions of `debug` are vulnerable to regular expression denial of service when untrusted user input is passed into the `o` formatter. As it takes 50,000 characters to block the event loop for 2 seconds, this issue is a low severity issue. This was later re-introduced in version v3.2.0, and then repatched in versions 3.2.7 and 4.3.1. ##### Recommendation Version 2.x.x: Update to version 2.6.9 or later. Version 3.1.x: Update to version 3.1.0 or later. Version 3.2.x: Update to version 3.2.7 or later. Version 4.x.x: Update to version 4.3.1 or later. #### Severity - CVSS Score: 3.7 / 10 (Low) - Vector String: `CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L` #### References - [https://nvd.nist.gov/vuln/detail/CVE-2017-16137](https://nvd.nist.gov/vuln/detail/CVE-2017-16137) - [https://github.com/debug-js/debug/issues/797](https://togithub.com/debug-js/debug/issues/797) - [https://github.com/visionmedia/debug/issues/501](https://togithub.com/visionmedia/debug/issues/501) - [https://github.com/visionmedia/debug/pull/504](https://togithub.com/visionmedia/debug/pull/504) - [https://github.com/debug-js/debug/commit/4e2150207c568adb9ead8f4c4528016081c88020](https://togithub.com/debug-js/debug/commit/4e2150207c568adb9ead8f4c4528016081c88020) - [https://github.com/debug-js/debug/commit/71169065b5262f9858ac78cc0b688c84a438f290](https://togithub.com/debug-js/debug/commit/71169065b5262f9858ac78cc0b688c84a438f290) - [https://github.com/debug-js/debug/commit/b6d12fdbc63b483e5c969da33ea6adc09946b5ac](https://togithub.com/debug-js/debug/commit/b6d12fdbc63b483e5c969da33ea6adc09946b5ac) - [https://github.com/debug-js/debug/commit/f53962e944a87e6ca9bb622a2a12dffc22a9bb5a](https://togithub.com/debug-js/debug/commit/f53962e944a87e6ca9bb622a2a12dffc22a9bb5a) - [https://github.com/visionmedia/debug](https://togithub.com/visionmedia/debug) - [https://lists.apache.org/thread.html/r8ba4c628fba7181af58817d452119481adce4ba92e889c643e4c7dd3@%3Ccommits.netbeans.apache.org%3E](https://lists.apache.org/thread.html/r8ba4c628fba7181af58817d452119481adce4ba92e889c643e4c7dd3@%3Ccommits.netbeans.apache.org%3E) - [https://lists.apache.org/thread.html/rb5ac16fad337d1f3bb7079549f97d8166d0ef3082629417c39f12d63@%3Cnotifications.netbeans.apache.org%3E](https://lists.apache.org/thread.html/rb5ac16fad337d1f3bb7079549f97d8166d0ef3082629417c39f12d63@%3Cnotifications.netbeans.apache.org%3E) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-gxpj-cx7g-858c) and the [GitHub Advisory Database](https://togithub.com/github/advisory-database) ([CC-BY 4.0](https://togithub.com/github/advisory-database/blob/main/LICENSE.md)).Release Notes
debug-js/debug (debug)
### [`v4.3.1`](https://togithub.com/debug-js/debug/releases/tag/4.3.1) [Compare Source](https://togithub.com/debug-js/debug/compare/4.3.0...4.3.1) ### Patch release 4.3.1 - Fixes a ReDOS regression ([#458](https://togithub.com/debug-js/debug/issues/458)) - see [#797](https://togithub.com/debug-js/debug/issues/797) for details. ### [`v4.3.0`](https://togithub.com/debug-js/debug/releases/tag/4.3.0) [Compare Source](https://togithub.com/debug-js/debug/compare/4.2.0...4.3.0) ### Minor release - **Deprecated `debugInstance.destroy()`**. Future major versions will not have this method; please remove it from your codebases as it currently does nothing. - Fixed quoted percent sign - Fixed memory leak within debug instances that are created dynamically ### [`v4.2.0`](https://togithub.com/debug-js/debug/releases/tag/4.2.0) [Compare Source](https://togithub.com/debug-js/debug/compare/4.1.1...4.2.0) ### Minor Release - Replaced phantomJS with chrome backend for browser tests - Deprecated and later removed Changelog.md in lieu of releases page - Removed bower.json ([#602](https://togithub.com/debug-js/debug/issues/602)) - Removed .eslintrc (since we've switched to XO) - Removed .coveralls.yml - Removed the build system that was in place for various alternate package managers - Removed the examples folder ([#650](https://togithub.com/debug-js/debug/issues/650)) - Switched to `console.debug` **in the browser only** when it is available ([#600](https://togithub.com/debug-js/debug/issues/600)) - Copied custom logger to namespace extension ([#646](https://togithub.com/debug-js/debug/issues/646)) - Added issue and pull request templates - Added `"engines"` key to package.json - Added ability to control `selectColor` ([#747](https://togithub.com/debug-js/debug/issues/747)) - Updated dependencies - Marked `supports-color` as an optional peer dependencyConfiguration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.