Closed cedricmillet closed 1 year ago
Hello, and thank you for your report. I took a look at that report, and it looks like this module is already using the patched version, 2.9.6. Take a look at https://nvd.nist.gov/vuln/detail/CVE-2017-20165 which shows it is in reference to the fix listed at https://github.com/debug-js/debug/pull/504 . That fix was backported to 2.x as well as 3.x and released as 2.6.9: https://github.com/debug-js/debug/pull/504#issuecomment-331449019 .
I didn't notice the 2.6.9 "excluding", thank you!
A vulnerability (CVE-2017-20165) classified as problematic has been found in debug-js debug up to 3.0.x. Upgrading to version 3.1.0 is able to address this issue.
This pull request is just updating debug to 3.1.0. Library tested following this edit, no behavioral change detected.
More details about this CVE here: nvd.nist.gov/vuln/detail/CVE-2017-20165