Affected versions of debug are vulnerable to regular expression denial of service when untrusted user input is passed into the o formatter.
As it takes 50,000 characters to block the event loop for 2 seconds, this issue is a low severity issue.
This was later re-introduced in version v3.2.0, and then repatched in versions 3.2.7 and 4.3.1.
Recommendation
Version 2.x.x: Update to version 2.6.9 or later.
Version 3.1.x: Update to version 3.1.0 or later.
Version 3.2.x: Update to version 3.2.7 or later.
Version 4.x.x: Update to version 4.3.1 or later.
Release Notes
debug-js/debug (debug)
### [`v4.3.1`](https://togithub.com/debug-js/debug/releases/tag/4.3.1)
[Compare Source](https://togithub.com/debug-js/debug/compare/4.3.0...4.3.1)
### Patch release 4.3.1
- Fixes a ReDOS regression ([#458](https://togithub.com/debug-js/debug/issues/458)) - see [#797](https://togithub.com/debug-js/debug/issues/797) for details.
### [`v4.3.0`](https://togithub.com/debug-js/debug/releases/tag/4.3.0)
[Compare Source](https://togithub.com/debug-js/debug/compare/4.2.0...4.3.0)
### Minor release
- **Deprecated `debugInstance.destroy()`**. Future major versions will not have this method; please remove it from your codebases as it currently does nothing.
- Fixed quoted percent sign
- Fixed memory leak within debug instances that are created dynamically
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
â™» Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
[ ] If you want to rebase/retry this PR, check this box
This PR contains the following updates:
4.2.0
->4.3.1
GitHub Vulnerability Alerts
CVE-2017-16137
Affected versions of
debug
are vulnerable to regular expression denial of service when untrusted user input is passed into theo
formatter.As it takes 50,000 characters to block the event loop for 2 seconds, this issue is a low severity issue.
This was later re-introduced in version v3.2.0, and then repatched in versions 3.2.7 and 4.3.1.
Recommendation
Version 2.x.x: Update to version 2.6.9 or later. Version 3.1.x: Update to version 3.1.0 or later. Version 3.2.x: Update to version 3.2.7 or later. Version 4.x.x: Update to version 4.3.1 or later.
Release Notes
debug-js/debug (debug)
### [`v4.3.1`](https://togithub.com/debug-js/debug/releases/tag/4.3.1) [Compare Source](https://togithub.com/debug-js/debug/compare/4.3.0...4.3.1) ### Patch release 4.3.1 - Fixes a ReDOS regression ([#458](https://togithub.com/debug-js/debug/issues/458)) - see [#797](https://togithub.com/debug-js/debug/issues/797) for details. ### [`v4.3.0`](https://togithub.com/debug-js/debug/releases/tag/4.3.0) [Compare Source](https://togithub.com/debug-js/debug/compare/4.2.0...4.3.0) ### Minor release - **Deprecated `debugInstance.destroy()`**. Future major versions will not have this method; please remove it from your codebases as it currently does nothing. - Fixed quoted percent sign - Fixed memory leak within debug instances that are created dynamicallyConfiguration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
â™» Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.