Debug package version in body parser showing security vulnerability #516
Comments
Thanks for reporting @MandeeGit, but I was not able to find this reference. What software do you use? I checked against Snyk and Socket.dev:
@UlisesGascon I am using Checkmarx. By default it is listed in my package-lock.json. Unable to override it.
Yes, @MandeeGit.
Same results on Socket.dev. Do you have any CVE associated? AFAIK we are not planning to update to
Please find the CWE below, @UlisesGascon.
@MandeeGit A screenshot of a page is not enough for us to act on. We don't see any reported CVEs on any of the normal platforms, and your screenshot is not enough to understand or remediate the issue. If it is not just a false positive on that platform, please have them reach out (or do so yourself) with a security report so we can address it.
False positive with Checkmarx; it's referencing: and debug-js/debug#678 (which I can't find any CVE for). Edit: the memory leak may be a valid vulnerability...
Ok, I am going to close this.
Edited my above comment, but the memory leak was patched in
Worth noting that express itself pulls in the same version of debug.
Good news! The memory leak is NOT present in if you run the app there and open up your browser dev tools memory profiler, you'll see that there is no leak. (On my machine total heap was in the 100s of MB.) If you want to reproduce the leak there, then
Debug package version in body-parser showing security vulnerability. This needs to be updated to the latest version of the debug package, V4.3.4. Do we know when this will be updated?