Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Old version of debug dependency causes a warning in the npm audit security report #25

Open
twegener-embertec opened this issue Feb 20, 2020 · 0 comments
Open

Old version of debug dependency causes a warning in the npm audit security report #25

twegener-embertec opened this issue Feb 20, 2020 · 0 comments

Comments

@twegener-embertec
Copy link

forecast.io 0.0.11 depends on debug ^0.7.2 (and forecast.io master depends on debug ^0.8.0; note that that has not been released to npm), and those versions include a security vulnerability:

https://npmjs.com/advisories/534

$ npm audit
                                                                                
                       === npm audit security report ===                        
                                                                                
┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ debug                                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >= 2.6.9 < 3.0.0 || >= 3.1.0                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ forecast.io                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ forecast.io > debug                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/534                             │
└───────────────┴──────────────────────────────────────────────────────────────┘

While the severity is low, it is still worth addressing to avoid generating noise in the npm audit report.

Presumably, addressing this would be a simple matter of updating the forecast.io package.json to point to a recent version of the debug package that does not contain the vulnerability.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@twegener-embertec