Require debug ^2.6.9

[nfriedly]

There is a minor security vulnerability in the module debug: https://nodesecurity.io/advisories/534

This was resolved in debug@2.6.9 and 3.1.0.

Debug introduced let/const in v3.2.0, breaking compatibility with node.js v4 and older browsers. This was reverted in 3.2.4, then re-released it in 4.0.0 - see debug-js/debug#603 for context around that.

In order avoid the vulnerability without loosing any compatibility, this change locks component-cookie to ^3.2.4 (>= 3.2.4 and < 4.0.0). (Update: now ^2.6.9)

This Fixes #16, relates to #15, and is is part of the fix for matthewmueller/next-cookies#7

[jescalan]

This is pretty important to get merged and upgraded. This package currently exposes a security vulnerability. Is this package still maintained?

[jescalan]

cc @ucarion

[nfriedly]

BTW, I just locked next-cookies to component-cookie@1.1.3 - it works fine and doesn't have any vulnerabilities.

[Qix-]

debug@3 shows no vulnerabilities. Am I missing something?

[jescalan]

This package does not use debug@3 - https://github.com/component/cookie/blob/master/package.json#L7

[Qix-]

You should be able to upgrade safely, FWIW. The OP was written during one of the first upgrades in over a year, and the subsequent patch fixes.

[RajaBellebon]

Hello, what is the status on this PR? We are also facing some vulnerabilities issues bc of ms 0.7.1

Thank you

[nfriedly]

This PR is still waiting on acceptance, as is my other bug fix, #19.

For next-cookies, I ended up switching to universal-cookie.

[Tenaria]

Hi, is there any update on this? Similarly to the other comments, we are facing vulnerability issues with this as well and was wondering if there will be any movement on this soon 😄

[Tenaria]

cc @ucarion 🥺

[ucarion]

Hi all -- it's been a few years since I've last published this package, but I am going to attempt to merge this PR and cut a new release.

[ucarion]

I believe this PR is now released as part of v1.1.5.