socketio / socket.io-adapter

The Socket.IO in-memory adapter
https://socket.io/

bump debug to ~2.6.4 #52

Closed sam-github closed 7 years ago

sam-github commented 7 years ago

Please bump debug to ~2.6.4, the same version used by (almost) all the other github.com/socketio/* packages.

The current version of debug that was pinned is reported as having a sec vulnerability by snyk via its dependency ms. It doesn't affect socket.io, but every user of socket.io has to figure that out themselves right now.

It allows debug to be de-duplicated and the install tree flattened (a minor convenience).

I would also strongly suggest moving to ^2.x, because debug is a very small package, with a small and easy to manage API surface and maintainers who are very, very careful about semver and who will not introduce breaking changes in minors. In this PR, though, I just updated this to use the exact same debug dep spec you use elsewhere.

darrachequesne commented 7 years ago

It seems the debug dependency is not even used here! Thanks for the pull request.

sam-github commented 7 years ago

Thank you!