This version of debug is vulnerable to ReDos attacks

[epg323]

This project uses the debug package

Debug has been tagged by the audit package as having low severity vulnerabilities.

Debug should be updated, unless there is a reason not to update it.

https://www.npmjs.com/advisories/534

[derricktang94]

Yes, I'm having the same issue

[iamle0pard]

We are seeing this issue as well because we include 'serverless' which has child dependencies that use this.

yarn audit v1.22.4
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ low │ Regular Expression Denial of Service │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ debug │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >= 2.6.9 < 3.0.0 || >= 3.1.0 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ serverless │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ serverless > @serverless/components > │
│ │ @serverless/platform-client-china > @serverless/utils-china │
│ │ > socket.io-stream > debug │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://www.npmjs.com/advisories/534 │
└───────────────┴──────────────────────────────────────────────────────────────┘
1 vulnerabilities found - Packages audited: 1652
Severity: 1 Low
Done in 3.22s.

The solution is to update the package.json to a newer version of 'debug' (>= 2.6.9 < 3.0.0 || >= 3.1.0 )

[iamle0pard]

By the way, for anyone who is hitting this issue due to it being a child dependency of serverless, you can update your existing package.json to include this:

"resolutions": {
   "@serverless/utils-china": "^0.1.15"
}

to fix the issue. After doing this the vulnerability goes away.