
Vulnerability in debug #272

Closed
Berkmann18 opened this issue Aug 23, 2018 · 16 comments

Comments

@Berkmann18

There's a ReDoS vulnerability in debug (cf. here) which is flagged through this package and the dependent ones.

Berkmann18 added a commit to Berkmann18/localtunnel that referenced this issue Aug 23, 2018
Updated the debug dependency
@frank-dspeed

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low │ Regular Expression Denial of Service │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ debug │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >= 2.6.9 < 3.0.0 || >= 3.1.0 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ testee [dev] │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ testee > miner > localtunnel > debug │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/534 │
└───────────────┴──────────────────────────────────────────────────────────────┘

@frank-dspeed

same thing #274

@Berkmann18
Author

Berkmann18 commented Aug 27, 2018

@frank-dspeed Indeed, it affects every package that uses localtunnel as a dependency.

@frank-dspeed

@Berkmann18 can you point out what is blocking the update?

@andrewmiller1

Until it's updated, a workaround is npm install --save-dev https://github.com/andrewmiller1/localtunnel.git

@Berkmann18
Author

@frank-dspeed You mean the affected packages or this issue?

@frank-dspeed

I mean why don't you release a localtunnel version with a current version of the debug npm dependency?

@Berkmann18
Author

@frank-dspeed That's what my PR (#273) is for; I don't have push rights on the repo, so I can't do that.

@javierojeda94

@andrewmiller1's solution didn't work for me.

Still looking for a solution; this seems to be unsolved.

@andrewmiller1

@javierojeda94 Hmm. I just tried and it worked. What version of node are you using, and have you tried in a fresh directory?

@Berkmann18
Author

@javierojeda94 I submitted a PR that resolves that issue; I just need someone to merge it and release a version with the changes.

@javierojeda94

@andrewmiller1 here you go:

➜  ~ node -v
v10.9.0
➜  ~ npm -v
6.2.0

I tried in a fresh directory and it seems that it worked fine. The problem I have is probably related to a legacy project I'm working on; the project has that affected version and cannot be updated, since it would run into breaking changes (you know, it's an old system and probably everything will crash with an update).

@Berkmann18 thanks a lot! But probably that won't fix my situation either :/

@kylekatarnls

Hi, debug 3 comes with breaking changes, so it's not safe to upgrade without a deeper check (https://github.com/visionmedia/debug/blob/master/CHANGELOG.md#300--2017-08-08).

Therefore, 2.6.9 is enough to fix the problem, so simply adding a ^ in front of the version could safely fix the problem.

Also, I recommend putting ^ on each dependency. As long as semver is respected by the picked dependencies, it's the best way and avoids each package taking its own particular version of each dependency.

Then if some vulnerability is discovered in a package like this, it will be fixed automatically by a simple update.
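The caret recommendation above, as an added example that is not code from this thread or from the localtunnel project: a small Node.js script that tests a resolved version against the advisory's "Patched in" range (`>= 2.6.9 < 3.0.0 || >= 3.1.0`), expands a caret spec the way npm does, and resolves an exact or caret spec against a list of versions. The version list is a constructed sample, not the real debug release history, and the parser only handles plain `x.y.z` versions, `>=`/`<`/`=` comparators and `^` specs; a real project would use the `semver` package instead.

```javascript
// Added example, not from the localtunnel issue or project.
// Shows why a pinned "2.6.8" stays vulnerable while "^2.6.8" picks up the fix.

// Parse "1.2.3" (optionally "v1.2.3") into [1, 2, 3]. Prerelease and build
// tags are ignored here (simplification, not full semver).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Lexicographic compare of [major, minor, patch] triples: -1, 0 or 1.
function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Evaluate one comparator set such as ">= 2.6.9 < 3.0.0"; every comparator must hold.
function satisfiesSet(version, set) {
  const v = parseVersion(version);
  const re = /(>=|<=|>|<|=)\s*(\d+\.\d+\.\d+)/g;
  let m;
  let any = false;
  while ((m = re.exec(set)) !== null) {
    any = true;
    const c = compare(v, parseVersion(m[2]));
    const ok = { '>=': c >= 0, '<=': c <= 0, '>': c > 0, '<': c < 0, '=': c === 0 }[m[1]];
    if (!ok) return false;
  }
  if (!any) throw new Error(`no comparators in range: ${set}`);
  return true;
}

// Advisory ranges are "||"-separated alternatives; satisfying any one is enough.
function isPatched(version, patchedRange) {
  return patchedRange.split('||').some((set) => satisfiesSet(version, set));
}

// Expand a caret spec into its comparator set, following npm's rules:
// ^2.6.9 -> >= 2.6.9 < 3.0.0, ^0.2.1 -> >= 0.2.1 < 0.3.0, ^0.0.3 -> >= 0.0.3 < 0.0.4.
function caretToRange(spec) {
  const [maj, min, pat] = parseVersion(spec.replace(/^\^/, ''));
  let upper;
  if (maj > 0) upper = `${maj + 1}.0.0`;
  else if (min > 0) upper = `0.${min + 1}.0`;
  else upper = `0.0.${pat + 1}`;
  return `>= ${maj}.${min}.${pat} < ${upper}`;
}

// Pick the highest available version a package.json spec permits, the way a
// resolver would. Supports exact "x.y.z" and caret "^x.y.z" specs only.
function resolve(spec, available) {
  const range = spec.startsWith('^') ? caretToRange(spec) : `= ${spec}`;
  const ok = available.filter((v) => satisfiesSet(v, range));
  ok.sort((a, b) => compare(parseVersion(a), parseVersion(b)));
  return ok.length ? ok[ok.length - 1] : null;
}

// "Patched in" range copied from the audit table in this thread.
const PATCHED = '>= 2.6.9 < 3.0.0 || >= 3.1.0';

// Constructed sample of published versions (not the real registry history).
const SAMPLE_VERSIONS = ['2.6.8', '2.6.9', '3.0.0', '3.0.1', '3.1.0', '4.1.1'];

// Compare a pinned spec with a caret spec against the same version list.
for (const spec of ['2.6.8', '^2.6.8']) {
  const picked = resolve(spec, SAMPLE_VERSIONS);
  console.log(`${spec} resolves to ${picked}; patched: ${isPatched(picked, PATCHED)}`);
}
```

Run with `node`: the pinned `2.6.8` resolves to itself and is still inside the vulnerable range, while `^2.6.8` resolves to `2.6.9`, which the advisory lists as patched. The same `isPatched` check is what an audit tool applies to each entry of the dependency path shown in the table.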

@frank-dspeed

@kylekatarnls
Breaking: Remove DEBUG_FD (#406)
Breaking: Use Date#toISOString() instead to Date#toUTCString() when output is not a TTY (#418)
Breaking: Make millisecond timer namespace specific and allow 'always enabled' output (#408)
Which of these applies to this? You're joking, but anyway I already forked this stuff and marked this package as unmaintained!

@kylekatarnls

No, I'm not joking. What I call a deeper check is a simple search for each of these points in the localtunnel code. If it uses DEBUG_FD or parses the TTY output, then localtunnel first needs to be adapted. If not, fine, you can upgrade, but you should care about it.

For the third one (https://github.com/visionmedia/debug/pull/408/files) it does not sound like a breaking change to me finally.

@defunctzombie
Contributor

defunctzombie commented Sep 16, 2019

Debug is upgraded to v4 in master and released in localtunnel v2.
