jonathan/combine.fm
jonathan/combine.fm
1
1
Fork 0
Code Issues Pull requests Projects Releases Packages 1 Wiki Activity Actions

Update dependency debug to v4.3.1 [SECURITY] #31

Merged
jonathan merged 1 commit from renovate/npm-debug-vulnerability into main 2026-04-20 20:08:14 +00:00
Conversation 0 Commits 1 Files changed 1 +5 -12
renovatebot commented 2026-04-20 18:54:50 +00:00
Contributor
Copy link

This PR contains the following updates:

Package Type Update Change
debug dependencies minor 4.2.04.3.1

Regular Expression Denial of Service in debug

CVE-2017-16137 / GHSA-gxpj-cx7g-858c

More information

Details

Affected versions of debug are vulnerable to regular expression denial of service when untrusted user input is passed into the o formatter.

As it takes 50,000 characters to block the event loop for 2 seconds, this issue is a low severity issue.

This was later re-introduced in version v3.2.0, and then repatched in versions 3.2.7 and 4.3.1.

Recommendation

Version 2.x.x: Update to version 2.6.9 or later.
Version 3.1.x: Update to version 3.1.0 or later.
Version 3.2.x: Update to version 3.2.7 or later.
Version 4.x.x: Update to version 4.3.1 or later.

Severity

  • CVSS Score: 3.7 / 10 (Low)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Release Notes

debug-js/debug (debug)

v4.3.1

Compare Source

Patch release 4.3.1

v4.3.0

Compare Source

Minor release

  • Deprecated debugInstance.destroy(). Future major versions will not have this method; please remove it from your codebases as it currently does nothing.
  • Fixed quoted percent sign
  • Fixed memory leak within debug instances that are created dynamically

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [debug](https://github.com/debug-js/debug) | dependencies | minor | [`4.2.0` → `4.3.1`](https://renovatebot.com/diffs/npm/debug/4.2.0/4.3.1) | --- ### Regular Expression Denial of Service in debug [CVE-2017-16137](https://nvd.nist.gov/vuln/detail/CVE-2017-16137) / [GHSA-gxpj-cx7g-858c](https://github.com/advisories/GHSA-gxpj-cx7g-858c) <details> <summary>More information</summary> #### Details Affected versions of `debug` are vulnerable to regular expression denial of service when untrusted user input is passed into the `o` formatter. As it takes 50,000 characters to block the event loop for 2 seconds, this issue is a low severity issue. This was later re-introduced in version v3.2.0, and then repatched in versions 3.2.7 and 4.3.1. ##### Recommendation Version 2.x.x: Update to version 2.6.9 or later. Version 3.1.x: Update to version 3.1.0 or later. Version 3.2.x: Update to version 3.2.7 or later. Version 4.x.x: Update to version 4.3.1 or later. #### Severity - CVSS Score: 3.7 / 10 (Low) - Vector String: `CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L` #### References - [https://nvd.nist.gov/vuln/detail/CVE-2017-16137](https://nvd.nist.gov/vuln/detail/CVE-2017-16137) - [https://github.com/debug-js/debug/issues/797](https://github.com/debug-js/debug/issues/797) - [https://github.com/visionmedia/debug/issues/501](https://github.com/visionmedia/debug/issues/501) - [https://github.com/visionmedia/debug/pull/504](https://github.com/visionmedia/debug/pull/504) - [https://github.com/debug-js/debug/commit/4e2150207c568adb9ead8f4c4528016081c88020](https://github.com/debug-js/debug/commit/4e2150207c568adb9ead8f4c4528016081c88020) - [https://github.com/debug-js/debug/commit/71169065b5262f9858ac78cc0b688c84a438f290](https://github.com/debug-js/debug/commit/71169065b5262f9858ac78cc0b688c84a438f290) - [https://github.com/debug-js/debug/commit/b6d12fdbc63b483e5c969da33ea6adc09946b5ac](https://github.com/debug-js/debug/commit/b6d12fdbc63b483e5c969da33ea6adc09946b5ac) - [https://github.com/debug-js/debug/commit/f53962e944a87e6ca9bb622a2a12dffc22a9bb5a](https://github.com/debug-js/debug/commit/f53962e944a87e6ca9bb622a2a12dffc22a9bb5a) - [https://github.com/visionmedia/debug](https://github.com/visionmedia/debug) - [https://lists.apache.org/thread.html/r8ba4c628fba7181af58817d452119481adce4ba92e889c643e4c7dd3@&#8203;%3Ccommits.netbeans.apache.org%3E](https://lists.apache.org/thread.html/r8ba4c628fba7181af58817d452119481adce4ba92e889c643e4c7dd3@&#8203;%3Ccommits.netbeans.apache.org%3E) - [https://lists.apache.org/thread.html/rb5ac16fad337d1f3bb7079549f97d8166d0ef3082629417c39f12d63@&#8203;%3Cnotifications.netbeans.apache.org%3E](https://lists.apache.org/thread.html/rb5ac16fad337d1f3bb7079549f97d8166d0ef3082629417c39f12d63@&#8203;%3Cnotifications.netbeans.apache.org%3E) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-gxpj-cx7g-858c) and the [GitHub Advisory Database](https://github.com/github/advisory-database) ([CC-BY 4.0](https://github.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### Release Notes <details> <summary>debug-js/debug (debug)</summary> ### [`v4.3.1`](https://github.com/debug-js/debug/releases/tag/4.3.1) [Compare Source](https://github.com/debug-js/debug/compare/4.3.0...4.3.1) ### Patch release 4.3.1 - Fixes a ReDOS regression ([#&#8203;458](https://github.com/debug-js/debug/issues/458)) - see [#&#8203;797](https://github.com/debug-js/debug/issues/797) for details. ### [`v4.3.0`](https://github.com/debug-js/debug/releases/tag/4.3.0) [Compare Source](https://github.com/debug-js/debug/compare/4.2.0...4.3.0) ### Minor release - **Deprecated `debugInstance.destroy()`**. Future major versions will not have this method; please remove it from your codebases as it currently does nothing. - Fixed quoted percent sign - Fixed memory leak within debug instances that are created dynamically </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - "" - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xMTAuMTUiLCJ1cGRhdGVkSW5WZXIiOiI0My4xMTAuMTUiLCJ0YXJnZXRCcmFuY2giOiJtYWluIiwibGFiZWxzIjpbXX0=-->
Update dependency debug to v4.3.1 [SECURITY]
Some checks failed
ci / build-image (pull_request) Successful in 1m16s
Details
ci / test-image (pull_request) Failing after 8s
Details
1d3797e90b
renovatebot force-pushed renovate/npm-debug-vulnerability from 1d3797e90b
Some checks failed
ci / build-image (pull_request) Successful in 1m16s
Details
ci / test-image (pull_request) Failing after 8s
Details
to 05d610c0c9
Some checks failed
ci / build-image (pull_request) Failing after 58s
Details
ci / test-image (pull_request) Has been skipped
Details
ci / build-image (push) Waiting to run
Details
ci / test-image (push) Blocked by required conditions
Details
2026-04-20 20:00:41 +00:00 Compare
jonathan deleted branch renovate/npm-debug-vulnerability 2026-04-20 20:08:14 +00:00
Sign in to join this conversation.
Reviewers
No reviewers
Labels
Clear labels
No items
No labels
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
jonathan/combine.fm!31
No description provided.