chill117 / express-mysql-session

A MySQL session store for the express framework in node
MIT License

Please update "debug" dependency #118

Closed sseide closed 3 years ago

sseide commented 3 years ago

Current package.json depends on explicit version 4.1.1 of the "debug" library. Running "npm install" we see the following warning by npm:

npm WARN deprecated debug@4.1.1: Debug versions >=3.2.0 <3.2.7 || >=4 <4.3.1 have a low-severity ReDos regression when used in a Node.js environment.
It is recommended you upgrade to 3.2.7 or 4.3.1. (https://github.com/visionmedia/debug/issues/797)

Can you please either: a) loosen the version restriction to "^4.1.1" or b) increment the min version needed to "~4.3.1". Using hard-coded explicit versions is problematic as it does not allow using bugfix releases if some security warnings appear (which may happen every time...).

Thanks

chill117 commented 3 years ago

Updated dependencies and published as v2.1.5.

Precise version numbers are used to prevent breaking changes introduced by dependencies in bugfix or minor versions. Package maintainers are not all so diligent about maintaining backwards compatibility or observing semantic versioning. In the future, if I am slow to update a dependency, you are always welcome to fork the project and depend upon your updated fork for your projects.

sseide commented 3 years ago

Yes - you are right about semantic versioning. Some people are really sloppy about this.. But (personally) at least for some projects I'd be willing to accept bugfix upgrades for free with "~4.3.1", looking at the history and people committing to a project. And "debug" is one of them... Especially when providing a library others use and not having a "final" app where I use fixed versions whenever possible with the lock file too.

Nonetheless thanks for the update!
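The three specs discussed in this thread (the exact pin `4.1.1`, `^4.1.1` and `~4.3.1`) behave differently against the window named in npm's deprecation notice. The script below is an added illustration, not code from express-mysql-session or from either commenter; the release list it checks is a constructed sample rather than a registry lookup, and it only handles plain MAJOR.MINOR.PATCH versions with exact, `~` and `^` specs on a major version above 0.

```javascript
// Added example (not express-mysql-session code): check which package.json specs
// still admit a "debug" version inside >=3.2.0 <3.2.7 || >=4 <4.3.1.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number);
}

function compare(a, b) {
  const i = [0, 1, 2].find(k => a[k] !== b[k]);
  return i === undefined ? 0 : Math.sign(a[i] - b[i]);
}

// Does `version` satisfy `spec`? "" = exact, "~" = same major.minor, "^" = same major.
function satisfies(spec, version) {
  const op = spec[0] === '~' || spec[0] === '^' ? spec[0] : '';
  const base = parseVersion(op ? spec.slice(1) : spec);
  const v = parseVersion(version);
  if (compare(v, base) < 0) return false;
  if (op === '') return compare(v, base) === 0;
  if (op === '~') return v[0] === base[0] && v[1] === base[1];
  return v[0] === base[0];
}

// Half-open ranges [min, max) from the deprecation notice quoted in the issue.
const VULNERABLE_RANGES = [
  { min: [3, 2, 0], max: [3, 2, 7] },
  { min: [4, 0, 0], max: [4, 3, 1] },
];

function isVulnerable(version) {
  const v = parseVersion(version);
  return VULNERABLE_RANGES.some(r => compare(v, r.min) >= 0 && compare(v, r.max) < 0);
}

// Which published versions does `spec` allow, and can it still resolve to a vulnerable one?
function assess(spec, published) {
  const allowed = published.filter(v => satisfies(spec, v));
  return {
    allowed,
    admitsVulnerable: allowed.some(isVulnerable),
    admitsFixed: allowed.some(v => !isVulnerable(v)),
  };
}

// Constructed sample of release numbers, not a registry lookup.
const PUBLISHED = ['3.2.6', '3.2.7', '4.1.0', '4.1.1', '4.3.0', '4.3.1', '4.3.4'];
```

Running `assess` over the three specs shows the trade-off from the thread: the exact pin cannot pick up the fix until the maintainer republishes, `^4.1.1` allows the fix but still admits the vulnerable `4.1.1` (which a lock file will keep), and `~4.3.1` excludes the vulnerable window outright.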