please release a 1.0.5 that updates ms to v2.0.0 #469

Closed
sam-github opened this issue Jun 14, 2017 · 2 comments

sam-github commented Jun 14, 2017

debug 1.x is widely depended on still, and it's getting flagged over and over for bringing in older versions of ms that had security vulnerabilities reported against it.

It's a false positive, but a whole lot of build chains and users of debug, directly or indirectly, would be very, very appreciative if you release a 1.x update to debug that uses the same version of ms you use in master, 2.0.0. It's API compatible with the ms used now for 1.x, at least for the humanize call debug makes (the incompatibility - and the vulnerability - is around a parse function that debug doesn't use).

I can't PR the change because I'd need a 1.x branch to target, but it's this:

debug ((1.0.4) *%) % git diff
diff --git a/package.json b/package.json
index 4ee4dc5..b348b90 100644
--- a/package.json
+++ b/package.json
@@ -16,7 +16,7 @@
     "Nathan Rajlich <nathan@tootallnate.net> (http://n8.io)"
   ],
   "dependencies": {
-    "ms": "0.6.2"
+    "ms": "^2.0.0"
   },
   "devDependencies": {
     "browserify": "4.1.6",
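
Review bot: In the `dependencies` block, `"ms": "^2.0.0"` replaces an exact pin (`"0.6.2"`) with a caret range, so the 1.x line would accept any later 2.x release of ms rather than one known version. For a maintenance release whose only goal is to move off the flagged version, consider pinning `"ms": "2.0.0"` exactly, which matches the exact-version style already used in this file (`"browserify": "4.1.6"`), and call out in the release notes that ms moves across a major version.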

TooTallNate (Contributor) commented

Please see v1.0.5.

sam-github (Author) commented

Thank you!
