Regular Expression Denial of Service (component-cookie) #7
@nfriedly unfortunately it's fix 1.1.4
nfriedly added a commit to nfriedly/cookie-1 that referenced this issue Oct 29, 2018
There is a minor security vulnerability in the module `debug`: https://nodesecurity.io/advisories/534 This was resolved in 2.6.9 and 3.1.0. Debug introduced let/const in v3.2.0, breaking compatibility with node.js v4 and older browsers. This was reverted in 3.2.4, then re-released in 4.0.0 - see debug-js/debug#603 for context around that. In order to avoid the vulnerability without losing any compatibility, this change locks component-cookie to >= 3.2.4 < 4.0.0. Version `^2.6.9` could alternatively be used if desired. This Fixes component#16, Fixes component#15, and is part of the fix for matthewmueller/next-cookies#7
what about return to version 1.1.3?
Yea, let's try that for now. Or else find an alternative...
I just published next-cookies v1.0.4 with component-cookie locked to v1.1.3.
@nfriedly component-cookie it's simple lib you can copy source code;)
ucarion pushed a commit to component/cookie that referenced this issue Apr 14, 2021
* Require debug ^3.2.4 There is a minor security vulnerability in the module `debug`: https://nodesecurity.io/advisories/534 This was resolved in 2.6.9 and 3.1.0. Debug introduced let/const in v3.2.0, breaking compatibility with node.js v4 and older browsers. This was reverted in 3.2.4, then re-released in 4.0.0 - see debug-js/debug#603 for context around that. In order to avoid the vulnerability without losing any compatibility, this change locks component-cookie to >= 3.2.4 < 4.0.0. Version `^2.6.9` could alternatively be used if desired. This Fixes #16, Fixes #15, and is part of the fix for matthewmueller/next-cookies#7
* switch to ^2.6.9 based on feedback from @f2prateek
component-cookie Locks debug to 2.2.0
what about use something else without bug?
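The version reasoning in the commit message, as an added example that is not part of the original thread or of either project's code: it walks a lockfile-style dependency tree and classifies every resolved copy of `debug` against the fix points (2.6.9, 3.1.0) and the let/const releases (3.2.0 to 3.2.3, 4.0.0 and later) named there. The function names, the sample tree and the treatment of every version below a fix point as affected are assumptions.

```javascript
// Parse "x.y.z" into [major, minor, patch]; a pre-release suffix is ignored.
function parse(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(version);
  if (!m) throw new Error('unparseable version: ' + version);
  return m.slice(1).map(Number);
}

// Compare two triples: negative, zero or positive.
function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Classify a debug version from the fix points in the commit message.
// Assumption: everything below 2.6.9 (2.x and older) or below 3.1.0 (3.x) is affected.
function classifyDebug(version) {
  const v = parse(version);
  const fixed = cmp(v, v[0] >= 3 ? [3, 1, 0] : [2, 6, 9]) >= 0;
  if (!fixed) return 'vulnerable';
  // let/const landed in 3.2.0, was reverted in 3.2.4 and returned in 4.0.0.
  const letConst = v[0] >= 4 || (cmp(v, [3, 2, 0]) >= 0 && cmp(v, [3, 2, 4]) < 0);
  return letConst ? 'fixed-breaks-node4' : 'fixed';
}

// Walk nested `dependencies` (package-lock v1 shape) and report every debug copy.
function findDebug(node, path = []) {
  const hits = [];
  for (const [name, dep] of Object.entries(node.dependencies || {})) {
    const here = path.concat(name);
    if (name === 'debug') {
      hits.push({ path: here.join(' > '), version: dep.version, status: classifyDebug(dep.version) });
    }
    hits.push(...findDebug(dep, here));
  }
  return hits;
}

// Constructed sample tree; the 0.0.0 versions are placeholders.
const sampleLock = {
  dependencies: {
    'next-cookies': { version: '0.0.0', dependencies: {
      'component-cookie': { version: '0.0.0', dependencies: { debug: { version: '2.2.0' } } },
    } },
    debug: { version: '3.2.6' },
  },
};

for (const hit of findDebug(sampleLock)) console.log(hit.status, hit.version, hit.path);
```

The path in each hit shows which parent has to be bumped or pinned, which is why a top-level `debug` upgrade alone does not clear a nested copy.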