Debug version 2.6.7 introduces a subtle yet impactful change compared to the previous stable release, 2.6.6. While both versions maintain the core functionality of providing a "small debugging utility" ideal for pinpointing issues in Node.js and browser-based JavaScript applications, the standout difference lies in the updated dependency on the ms package. Version 2.6.7 utilizes ms@2.0.0, a significant jump from ms@0.7.3 employed in version 2.6.6.
This ms package is responsible for converting various time formats (e.g., '2 days', '1h') into milliseconds and vice versa, which debug uses to compute and print the elapsed time between log calls. Developers upgrading to 2.6.7 should be aware of potential changes in ms's behavior, although the change is unlikely to break existing calls to the debug utility. The debug library lets you selectively enable tracing for parts of your application by filtering on namespace.
Both versions share identical developer dependencies, indicating no alterations in the testing or build infrastructure. Libraries like Chai, Karma, Mocha, and ESLint are consistently used for testing, code quality, and ensuring cross-browser compatibility. For developers, debug still offers the same ease of use. Setting the DEBUG environment variable before running code enables specific debug output. It remains a lightweight and efficient tool for enhancing the visibility of your application's logic. debug remains an essential utility for JavaScript developers.
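To make the namespace filtering concrete, here is an added example (not debug's own source) that re-implements the essentials of the DEBUG variable's matching rules as they are commonly understood: patterns separated by commas or whitespace, `*` as the wildcard, and a leading `-` that excludes a namespace another pattern would enable. The function names, the sample spec `app:*,-app:noisy`, and the tiny logger that consults the filter are all assumptions made for the illustration.

```javascript
// Added example: a minimal re-implementation of the DEBUG namespace filter.
// Assumed to mirror debug's documented semantics; it is not the library's code.

// Turn one pattern into an anchored RegExp, keeping '*' as the only wildcard
// and escaping every other regex metacharacter.
function patternToRegExp(pattern) {
  const escaped = pattern
    .split('*')
    .map((part) => part.replace(/[.+?^${}()|[\]\\]/g, '\\$&'))
    .join('.*?');
  return new RegExp('^' + escaped + '$');
}

// Compile a DEBUG-style string into an `enabled(name)` predicate.
function compileNamespaces(spec) {
  const names = [];
  const skips = [];
  for (const raw of (spec || '').split(/[\s,]+/)) {
    if (!raw) continue;
    if (raw[0] === '-') {
      skips.push(patternToRegExp(raw.slice(1)));
    } else {
      names.push(patternToRegExp(raw));
    }
  }
  return function enabled(name) {
    // Exclusions take precedence over inclusions.
    if (skips.some((re) => re.test(name))) return false;
    return names.some((re) => re.test(name));
  };
}

// A tiny logger standing in for debug(namespace); it records what it would
// have printed so the filtering decision can be inspected.
function makeLogger(namespace, isEnabled) {
  const lines = [];
  function log(message) {
    if (isEnabled(namespace)) lines.push(`${namespace} ${message}`);
  }
  log.lines = lines;
  return log;
}

// Constructed sample: the value a developer might export as DEBUG=
const enabled = compileNamespaces('app:*,-app:noisy');

const dbLog = makeLogger('app:db', enabled);
const noisyLog = makeLogger('app:noisy', enabled);
dbLog('query ran');   // recorded: app:* matches
noisyLog('tick');     // dropped: -app:noisy excludes it
```

In practice the same filter decides which namespaces reach your logs, so an overly broad DEBUG value in a production environment can expose internal state that the narrower namespaces were meant to keep out of the output.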
All the vulnerabilities related to version 2.6.7 of the package
debug Inefficient Regular Expression Complexity vulnerability
A vulnerability classified as problematic has been found in debug-js debug up to 3.0.x. It affects the function useColors of the file src/node.js. Manipulation of the argument str leads to inefficient regular expression complexity. Upgrading to version 3.1.0 addresses this issue. The name of the patch is c38a0166c266a679c8de012d4eaccec3f944e685. It is recommended to upgrade the affected component. The identifier VDB-217665 was assigned to this vulnerability. The patch has been backported to the 2.6.x branch in version 2.6.9.
Regular Expression Denial of Service in debug
Affected versions of debug are vulnerable to regular expression denial of service when untrusted user input is passed into the o formatter.
Because it takes 50,000 characters to block the event loop for 2 seconds, this is a low-severity issue.
This was later re-introduced in version v3.2.0, and then repatched in versions 3.2.7 and 4.3.1.
Version 2.x.x: Update to version 2.6.9 or later.
Version 3.1.x: Update to version 3.1.0 or later.
Version 3.2.x: Update to version 3.2.7 or later.
Version 4.x.x: Update to version 4.3.1 or later.
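Both advisories above describe the same class of defect: a regular expression that backtracks super-linearly on attacker-shaped input. The added example below (not debug's source, and the regex is an assumed illustration of the pattern class rather than a claim about the project's exact code) shows a whitespace-collapsing regex of the kind a %o-style formatter might use beside a hardened single-pass replacement that produces the same output, plus a length cap of the sort a defender would place in front of any formatter that can see untrusted data. The function names, the sample strings, and the 1024-character cap are all constructed for this illustration.

```javascript
// Added example: a backtracking whitespace regex beside a linear-time
// equivalent. The regex is an assumed illustration of the ReDoS class the
// advisories describe, not a quotation of debug's code.

// Quadratic on a long whitespace run that contains no '\n': at every start
// position the leading \s* consumes the rest of the run, then backtracks one
// character at a time looking for a newline that never comes.
function collapseNewlinesRegex(str) {
  return str.replace(/\s*\n\s*/g, ' ');
}

// Linear-time equivalent: one pass that replaces every whitespace run which
// contains at least one '\n' with a single space and leaves other runs alone.
function collapseNewlinesSafe(str) {
  let out = '';
  let i = 0;
  while (i < str.length) {
    if (!/\s/.test(str[i])) {
      out += str[i];
      i += 1;
      continue;
    }
    let j = i;
    let sawNewline = false;
    while (j < str.length && /\s/.test(str[j])) {
      if (str[j] === '\n') sawNewline = true;
      j += 1;
    }
    out += sawNewline ? ' ' : str.slice(i, j);
    i = j;
  }
  return out;
}

// Constructed samples of the multi-line object dumps a %o-style formatter
// flattens; both implementations must agree on every one of them.
const SAMPLES = [
  '{\n  user: "alice",\n  roles: [ "admin" ]\n}',
  'a \n  b\n\nc',
  'no newline\t here',
  '',
];

function implementationsAgree(samples) {
  return samples.every((s) => collapseNewlinesRegex(s) === collapseNewlinesSafe(s));
}

// A whitespace run of the shape the advisory quantifies (long, no newline),
// used only to confirm that the hardened version stays linear on it.
function longWhitespaceRun(length) {
  return 'x' + ' '.repeat(length) + 'y';
}

// Defensive wrapper: bound what reaches a formatter from untrusted data so
// that even a regex with bad worst-case behaviour has a bounded cost.
function truncateForFormatter(str, max = 1024) {
  return str.length > max ? str.slice(0, max) + '...' : str;
}
```

The fix pattern generalises: when a regex has two unbounded quantifiers that can both match the same characters (here `\s*` on either side of `\n`), replace it with an explicit scan or a split/trim that touches each character once, and keep an input-length cap in front of any formatter that logs user-controlled values.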