Affected versions of debug are vulnerable to regular expression denial of service when untrusted user input is passed into the o formatter.
As it takes 50,000 characters to block the event loop for 2 seconds, this issue is a low severity issue.
This was later re-introduced in version v3.2.0, and then repatched in versions 3.2.7 and 4.3.1.
Recommendation
Version 2.x.x: Update to version 2.6.9 or later.
Version 3.1.x: Update to version 3.1.0 or later.
Version 3.2.x: Update to version 3.2.7 or later.
Version 4.x.x: Update to version 4.3.1 or later.
Release Notes
debug-js/debug (debug)
### [`v4.3.1`](https://togithub.com/debug-js/debug/releases/tag/4.3.1)
[Compare Source](https://togithub.com/debug-js/debug/compare/4.3.0...4.3.1)
### Patch release 4.3.1
- Fixes a ReDOS regression ([#458](https://togithub.com/debug-js/debug/issues/458)) - see [#797](https://togithub.com/debug-js/debug/issues/797) for details.
### [`v4.3.0`](https://togithub.com/debug-js/debug/releases/tag/4.3.0)
[Compare Source](https://togithub.com/debug-js/debug/compare/4.2.0...4.3.0)
### Minor release
- **Deprecated `debugInstance.destroy()`**. Future major versions will not have this method; please remove it from your codebases as it currently does nothing.
- Fixed quoted percent sign
- Fixed memory leak within debug instances that are created dynamically
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
â™» Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
[ ] If you want to rebase/retry this PR, check this box
This PR contains the following updates:
4.2.0->4.3.1GitHub Vulnerability Alerts
CVE-2017-16137
Affected versions of
debugare vulnerable to regular expression denial of service when untrusted user input is passed into theoformatter.As it takes 50,000 characters to block the event loop for 2 seconds, this issue is a low severity issue.
This was later re-introduced in version v3.2.0, and then repatched in versions 3.2.7 and 4.3.1.
Recommendation
Version 2.x.x: Update to version 2.6.9 or later. Version 3.1.x: Update to version 3.1.0 or later. Version 3.2.x: Update to version 3.2.7 or later. Version 4.x.x: Update to version 4.3.1 or later.
Release Notes
debug-js/debug (debug)
### [`v4.3.1`](https://togithub.com/debug-js/debug/releases/tag/4.3.1) [Compare Source](https://togithub.com/debug-js/debug/compare/4.3.0...4.3.1) ### Patch release 4.3.1 - Fixes a ReDOS regression ([#458](https://togithub.com/debug-js/debug/issues/458)) - see [#797](https://togithub.com/debug-js/debug/issues/797) for details. ### [`v4.3.0`](https://togithub.com/debug-js/debug/releases/tag/4.3.0) [Compare Source](https://togithub.com/debug-js/debug/compare/4.2.0...4.3.0) ### Minor release - **Deprecated `debugInstance.destroy()`**. Future major versions will not have this method; please remove it from your codebases as it currently does nothing. - Fixed quoted percent sign - Fixed memory leak within debug instances that are created dynamicallyConfiguration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
â™» Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.