Vulnerability in debug #272
Comments
Updated the debug dependency
same thing #274

@frank-dspeed Indeed, it affects every package that uses localtunnel as a dependency.

@Berkmann18 can you point out what is blocking updating that?

Until it's updated, a workaround is

@frank-dspeed You mean the affected packages or this issue?

I mean, why don't you release a localtunnel version with a current version of the debug npm dependency?

@frank-dspeed That's what my PR (#273) is for; I don't have push rights on the repo, so I can't do that.

@andrewmiller1's solution didn't work for me. Still looking for a solution, this seems to be unsolved.

@javierojeda94 Hmm. I just tried and it worked. What version of node are you using, and have you tried in a fresh directory?

@javierojeda94 I submitted a PR that resolves that issue, just need someone to merge it and release a version with the changes.

@andrewmiller1 here you go:

```
➜ ~ node -v
v10.9.0
➜ ~ npm -v
6.2.0
```

I tried in a fresh directory and it seems that it worked fine. The problem I have is probably related to a legacy project I'm working on: the project has the version that is affected and cannot be updated since that would get into breaking changes (you know, it's an old system and probably everything will crash with an update). @Berkmann18 thanks a lot! But probably that won't fix my situation either :/

Hi, debug 3 comes with breaking changes, so it's not safe to upgrade without a deeper check (https://github.com/visionmedia/debug/blob/master/CHANGELOG.md#300--2017-08-08). Therefore, 2.6.9 is enough to fix the problem, so simply add a Also I recommend to put Then if some vulnerabilities are discovered on a package like this, they will be fixed automatically by a simple update.

@kylekatarnls

No, I'm not joking, what I call a deeper check is a simple search for each of these points in the localtunnel code. If it uses DEBUG_ID or parses the TTY output, then it first needs to adapt localtunnel. If not, fine, you can upgrade, but you should care about it. For the third one (https://github.com/visionmedia/debug/pull/408/files) it does not sound like a breaking change to me finally.
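As an added example (not code from the localtunnel project or from anyone in this thread), the check a maintainer of a legacy project like the one above would want before deciding whether the pinned copy matters: a Node script that walks an npm lockfile-v1 `dependencies` tree and reports every nested copy of `debug` whose version falls in an affected range, together with which top-level dependency pulled it in. The lock file it reads is constructed for the example, the version compare is a minimal helper rather than the `semver` package, and the 3.0.x range is taken from the published advisory for this debug ReDoS (fixed in 3.1.0), not from this thread.

```javascript
// Added example, not code from the localtunnel project or from this thread.
// Walks an npm lockfile-v1 `dependencies` tree (the nested shape npm 5/6 wrote)
// and reports every copy of `debug` whose version is in an affected range.

// Affected ranges as [lowInclusive, highExclusive]. The thread names 2.6.9 as
// the fixed release of the 2.x line; the 3.0.x range comes from the published
// advisory for the same ReDoS (fixed in 3.1.0), not from this thread.
const AFFECTED_DEBUG_RANGES = [
  ['0.0.0', '2.6.9'],
  ['3.0.0', '3.1.0'],
];

function parseVersion(v) {
  // Accepts "2.6.8", "v2.6.8" or "2.6.8-beta.1"; prerelease/build tags are ignored.
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Returns -1, 0 or 1 comparing major.minor.patch numerically.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

function isAffected(version, ranges = AFFECTED_DEBUG_RANGES) {
  return ranges.some(([lo, hi]) =>
    compareVersions(version, lo) >= 0 && compareVersions(version, hi) < 0);
}

// Depth-first walk. Returns [{ path, version }] for each affected `debug`,
// with `path` showing the chain of packages that pulled it in.
function findAffectedDebug(deps, parentPath = [], out = []) {
  for (const [name, entry] of Object.entries(deps || {})) {
    const path = [...parentPath, `${name}@${entry.version}`];
    if (name === 'debug' && isAffected(entry.version)) {
      out.push({ path: path.join(' > '), version: entry.version });
    }
    findAffectedDebug(entry.dependencies, path, out);
  }
  return out;
}

function auditLock(lock) {
  return findAffectedDebug(lock.dependencies);
}

// Constructed sample lock file (versions other than debug's are placeholders):
// one old 2.x copy under localtunnel, one 3.0.x copy under another package,
// and a patched 2.6.9 copy at top level that must not be flagged.
const SAMPLE_LOCK = {
  name: 'legacy-app',
  lockfileVersion: 1,
  dependencies: {
    localtunnel: {
      version: '1.0.0',
      dependencies: { debug: { version: '2.6.8' } },
    },
    'other-lib': {
      version: '0.1.0',
      dependencies: { debug: { version: '3.0.1' } },
    },
    debug: { version: '2.6.9' },
  },
};

for (const hit of auditLock(SAMPLE_LOCK)) {
  console.log(`affected debug@${hit.version} via ${hit.path}`);
}
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`. Lockfile v2/v3 files (npm 7+) also carry a flat `packages` map keyed by `node_modules/...` paths, so for those the walk over `dependencies` would need to be replaced by a scan of that map.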
Debug is upgraded to v4 in master and released in localtunnel v2. |
There's a ReDoS vulnerability in debug (cf. here) which is flagged through this package and the dependent ones.