Reputation: 105
I'm getting the warning:
npm WARN deprecated [email protected]:
Debug versions >=3.2.0 <3.2.7 || >=4 <4.3.1 have a low-severity
ReDos regression when used in a Node.js environment.
It is recommended you upgrade to 3.2.7 or 4.3.1.
Versions of npm and node:
npm -v
7.3.0
node -v
v15.5.0
EDIT: package.json
:
{
"name": "example",
"version": "1.0.0",
"description": "",
"main": "index.js",
"scripts": {
"test": "echo \"Error: no test specified\" && exit 1"
},
"repository": {
"type": "git",
"url":
"git+https://[email protected]/username/example.git"
},
"author": "",
"license": "ISC",
"homepage": "https://bitbucket.org/karenshahmuusernameadyan/example#readme",
"dependencies": {
"socket.io": "^3.0.4"
}
}
Upvotes: 4
Views: 21632
Reputation: 70095
Looking at your package.json, the issue is in the current version of socket.io. Since it looks like you're just getting started developing something, you can ignore the warning for now and keep an eye out for a new release. There is already a pull request open to update the debug
dependency. My guess is that this vulnerability was disclosed only recently and that this will be fixed soon-ish.
Original answer (before the package.json
was added to the question) for people facing similar-but-not-identical issues:
If you want to try the scorched-earth approach: First remove node_modules
and package-lock.json
. Then run npm install
. That will update everything it can while conforming to your package.json
requirements. A potential downside is that it will likely update a lot of other things and you may not want those updates for various reasons.
A more focused approach: It is possible npm
can fix this automatically for you. Run npm audit
and see if it flags the Debug library. If it does, do what it says to try to fix it. (It might just be npm audit fix
but in some cases, the fix is more involved.) Sometimes, you run npm audit fix
and it doesn't fix things. In that case, use one of the other approaches.
A fully manual approach: Use npm ls
to find out where [email protected] is installed. You will then need to figure out if it's a dependency you can update yourself (if it's a direct dependency in your own package.json) or if it's a dependency of a dependency and you are reliant on someone else to have updated. Since the fixed version is 4.x, it's likely that simply reinstalling the dependency using Debug will fix it.
Upvotes: 5
Reputation: 587
Check versions in package-lock.json
file. When you find somewhere 4.1.1
version of debug
dependency then just bump version of that dependency in package.json
.
Upvotes: 0