webmodules / jsonp

A simple JSONP implementation

Loosen debug version #21

Closed roderickhsiao closed 8 years ago

roderickhsiao commented 9 years ago

Could we loosen the debug version to something like ^2.0.0? As we are using webpack, having the client side require different versions of the package might potentially increase the JS size if we cannot dedupe them with the webpack dedupe plugin (the same applies to the server-side package size).

Thanks

feross commented 9 years ago

+1

roderickhsiao commented 9 years ago

@TooTallNate what do you think?

mastilver commented 8 years ago

A dependency of debug, ms, is vulnerable to a ReDoS attack: https://nodesecurity.io/advisories/46, so it would be a good idea to apply that change.

snyamathi commented 8 years ago

+1 We have other dependencies such as babel-traverse which specify a newer version of debug (^2.2.0) which has a newer version of ms.

Having a locked version of debug here means that we have two copies of debug which is wasteful.

@TooTallNate

roderickhsiao commented 8 years ago

Thanks :)

TooTallNate commented 8 years ago

@rauchg @feross If one of you could publish v0.2.1, and/or npm owner add tootallnate jsonp and I can take care of that.

feross commented 7 years ago

@TooTallNate Published 0.2.1 and added you as an npm owner 👍
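
The duplicate-copy problem raised in this thread, as an added example that is not part of any comment above and is not the project's code: a minimal range check showing that an exact pin forces a second copy of debug (and of whatever ms version it pulls in), while a caret range lets one copy serve both dependents. The ranges `^2.2.0` and `^2.0.0` are from the thread; the exact pinned value, the list of published versions and all function names are assumptions.

```javascript
// Added example. Supports only exact ("2.1.3") and caret ("^2.0.0") ranges.
function parse(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error('unsupported version: ' + v);
  return m.slice(1).map(Number);
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

function satisfies(version, range) {
  const v = parse(version);
  if (range[0] !== '^') return compare(v, parse(range)) === 0;
  const lo = parse(range.slice(1));
  // Caret: everything up to the left-most non-zero component is fixed.
  const idx = lo.findIndex((n) => n !== 0);
  const fixed = idx === -1 ? 2 : idx;
  for (let i = 0; i <= fixed; i++) if (v[i] !== lo[i]) return false;
  return compare(v, lo) >= 0;
}

// Highest published version that satisfies every range, or null.
function best(ranges, published) {
  const ok = published.filter((v) => ranges.every((r) => satisfies(v, r)));
  ok.sort((a, b) => compare(parse(b), parse(a)));
  return ok.length ? ok[0] : null;
}

// Simplified install model (not npm's real resolver): one shared copy if a
// single version satisfies all dependents, otherwise one copy per dependent.
function copies(dependents, published) {
  const ranges = Object.values(dependents);
  const shared = best(ranges, published);
  if (shared) return [shared];
  return [...new Set(ranges.map((r) => best([r], published)))];
}

// Constructed sample data: "^2.2.0" and "^2.0.0" come from the thread; the
// exact pin and the published list are assumptions for illustration.
const PUBLISHED = ['2.1.3', '2.2.0', '2.6.9'];
const pinned = { jsonp: '2.1.3', 'babel-traverse': '^2.2.0' };
const loosened = { jsonp: '^2.0.0', 'babel-traverse': '^2.2.0' };

console.log('pinned:', copies(pinned, PUBLISHED));
console.log('loosened:', copies(loosened, PUBLISHED));
```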