remy / nodemon

Monitor for any changes in your node.js application and automatically restart the server - perfect for development
http://nodemon.io/
MIT License
26.26k stars, 1.72k forks

Old version of `debug` dependency introduces `CVE-2017-16137` vulnerability #2146

Closed amin-kchaou closed 10 months ago

amin-kchaou commented 10 months ago

Issue

nodemon uses `debug@^3.2.7` which contains the `CVE-2017-16137` vulnerability. The earliest fix for this vulnerability is in `debug@4.3.1`. It would be appreciated if you could update nodemon's `debug` to that or higher.

github-actions[bot] commented 10 months ago

:tada: This issue has been resolved in version 3.0.2 :tada:

The release is available on:

Your semantic-release bot :package::rocket: