expressjs / body-parser

Node.js body parsing middleware
MIT License
5.43k stars, 722 forks

Regular Expression Denial of Service (ReDoS) in debug@2.6.9 #483

Closed Shereef closed 1 year ago

Shereef commented 1 year ago

Please upgrade debug to version 3.1.0 or higher.

https://security.snyk.io/vuln/SNYK-JS-DEBUG-3227433

  ✗ Regular Expression Denial of Service (ReDoS) [Low Severity][https://security.snyk.io/vuln/SNYK-JS-DEBUG-3227433] in debug@2.6.9
    introduced by @nestjs/platform-express@9.2.1 > body-parser@1.20.1 > debug@2.6.9 and 5 other path(s)
  This issue was fixed in versions: 3.1.0
dougwilson commented 1 year ago

Hello, and thank you for your report. The ReDoS fix for the issue you linked was backported to debug 2.6.9, which is what we are already using. This was done by the debug project at my request back in 2017, when the fix came out: https://github.com/debug-js/debug/pull/504#issuecomment-331449019 . I took a look at your link and under references it links to that GitHub PR I linked above, where the project states the fix is also in 2.6.9.

If you are using an automated scanning tool that is incorrectly reporting 2.6.9 as vulnerable, you will need to report this to the tool you are using.

Shereef commented 1 year ago

Thanks so much for the fast response @dougwilson

For future readers I did report it to snyk

[image]

dougwilson commented 1 year ago

No problem, @Shereef ! I did some further digging and it seems like this vulnerability was already listed by Snyk a long time ago as https://security.snyk.io/vuln/npm:debug:20170905 which shows the correct version ranges. Now as of Jan 9 there is a duplicate of this old report as https://security.snyk.io/vuln/SNYK-JS-DEBUG-3227433 which has just one of the two ranges listed. Seems like they probably just need to remove the duplicate report or merge them or something 🤷