iperezmx87
commented
1 month ago Good evening:
Sadly I have the same problem with this. And also, in my workplace exists a cibersecurity policy that rescricts the use of checkmarx's vulnerable despendencies :(
Could you please review PR fix? It seems a good solution for it.
Hi, I don't know where to put this obvious suggestion, but it seems like this issue gets created multiple times and then summarily closed off.
Rather to ask for an ETA on a fix (the author has made it explicitly clear there will be no fix), consider that checkmarx does allow suppression of a vulnerability.
The CVE reads "Arbitrary regular expressions could be injected to cause a Denial of Service attack on the user's browser, otherwise known as a ReDoS (Regular Expression Denial of Service)." If you identified that this NPM is NOT used on a browser, or some front-end where there is some possibility of injection, you could safely assume that this is not exploitable and close it off. Most likely, debug is used on the backend of your applications.
Hope this helps.