Morgan is a popular HTTP request logger middleware for Node.js, designed to simplify the process of logging HTTP requests within your applications. Comparing versions 1.6.0 and 1.6.1, developers will find subtle but important differences. Both versions share the same core functionality and description as a request logger. Examining the dependencies, both rely on 'depd', 'debug', 'on-headers', and 'on-finished' with identical versions. However, 'basic-auth' sees an upgrade from version 1.0.2 to 1.0.3 in the newer 1.6.1 release. For developers using basic authentication, this could represent a critical security or bug fix. On the development dependency side, the only difference is that version 1.6.1 uses Istanbul version 0.3.17 instead of 0.3.15.
While the core functionality remains consistent, the upgrade in 'basic-auth' suggests a potential fix or enhancement related to handling HTTP Basic authentication credentials, indirectly impacting how user authentication details are handled in logged requests. Additionally, the move to Istanbul 0.3.17 likely incorporates improvements in code coverage reporting and testing during the development process, leading to a more robust library. Developers should evaluate the specific changes in 'basic-auth' 1.0.3 to determine if the update addresses any pre-existing concerns or vulnerabilities within their application stack. This iterative evolution ensures ongoing stability and security for those leveraging Morgan in their Node.js projects.
All vulnerabilities related to version 1.6.1 of the package
Code Injection in morgan
Versions of morgan before 1.9.1 are vulnerable to code injection when user input is allowed into the filter or combined with a prototype pollution attack.
Update to version 1.9.1 or later.
debug Inefficient Regular Expression Complexity vulnerability
A vulnerability classified as problematic has been found in debug-js debug up to 3.0.x. This affects the function useColors of the file src/node.js. The manipulation of the argument str leads to inefficient regular expression complexity. Upgrading to version 3.1.0 is able to address this issue. The name of the patch is c38a0166c266a679c8de012d4eaccec3f944e685. It is recommended to upgrade the affected component. The identifier VDB-217665 was assigned to this vulnerability. The patch has been backported to the 2.6.x branch in version 2.6.9.
Regular Expression Denial of Service in debug
Affected versions of debug are vulnerable to regular expression denial of service when untrusted user input is passed into the %o formatter.
Because it takes 50,000 characters to block the event loop for 2 seconds, this is a low-severity issue.
This was later re-introduced in version v3.2.0, and then repatched in versions 3.2.7 and 4.3.1.
Version 2.x.x: Update to version 2.6.9 or later.
Version 3.1.x: Update to version 3.1.0 or later.
Version 3.2.x: Update to version 3.2.7 or later.
Version 4.x.x: Update to version 4.3.1 or later.
Vercel ms Inefficient Regular Expression Complexity vulnerability
A vulnerability, which was classified as problematic, has been found in vercel ms up to 1.x. This issue affects the function parse of the file index.js. The manipulation of the argument str leads to inefficient regular expression complexity. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 2.0.0 is able to address this issue. The name of the patch is caae2988ba2a37765d055c4eee63d383320ee662. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-217451.
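The advisories on this page each name a package and a version boundary, which is exactly what a lockfile audit checks. The following is an added example, not morgan's or any advisory source's own code: it walks a package-lock.json "packages" map (so nested duplicate copies are inspected too) and flags every installed copy that falls inside the ranges quoted in this page's advisories for morgan, debug, ms and on-headers (the on-headers entry follows below). The lockfile contents are a constructed sample; the version ranges are taken from the advisory text above.

```javascript
// Added example (not morgan's own code): audit a package-lock.json "packages" map
// against the advisories quoted on this page. Version ranges come from the advisory
// text; the lockfile below is a constructed sample with illustrative versions.

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Returns -1, 0 or 1 comparing major.minor.patch numerically (pre-release tags ignored).
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

const before = (v, fixed) => compareVersions(v, fixed) < 0;

// One rule per advisory on this page. "fix" is the remediation the advisory names.
const ADVISORIES = [
  {
    pkg: 'morgan',
    title: 'Code Injection in morgan',
    affected: (v) => before(v, '1.9.1'),
    fix: 'upgrade to 1.9.1 or later',
  },
  {
    pkg: 'debug',
    title: 'Regular Expression Denial of Service in debug',
    affected: (v) => {
      const [major, minor] = parseVersion(v);
      if (major === 2) return before(v, '2.6.9');
      if (major === 3 && minor === 0) return true; // fixed in 3.1.0, re-introduced in 3.2.0
      if (major === 3 && minor === 2) return before(v, '3.2.7');
      if (major === 4) return before(v, '4.3.1');
      return false;
    },
    fix: 'upgrade to 2.6.9 / 3.1.0 / 3.2.7 / 4.3.1 depending on the release line',
  },
  {
    pkg: 'ms',
    title: 'Vercel ms Inefficient Regular Expression Complexity vulnerability',
    affected: (v) => before(v, '2.0.0'),
    fix: 'upgrade to 2.0.0 or later',
  },
  {
    pkg: 'on-headers',
    title: 'on-headers is vulnerable to http response header manipulation',
    affected: (v) => before(v, '1.1.0'),
    fix: 'upgrade to 1.1.0 (or pass an object, not an array, to response.writeHead())',
  },
];

// Package name from a lockfile path such as "node_modules/morgan/node_modules/debug";
// scoped names ("node_modules/@scope/pkg") keep their scope.
function packageName(installPath) {
  const marker = 'node_modules/';
  const idx = installPath.lastIndexOf(marker);
  return idx === -1 ? installPath : installPath.slice(idx + marker.length);
}

// Walks every installed copy (nested duplicates included) and returns the findings.
function audit(packages) {
  const findings = [];
  for (const [installPath, info] of Object.entries(packages)) {
    if (!installPath || !info || !info.version) continue; // skip the root "" entry
    const name = packageName(installPath);
    for (const adv of ADVISORIES) {
      if (adv.pkg === name && adv.affected(info.version)) {
        findings.push({ path: installPath, pkg: name, version: info.version, title: adv.title, fix: adv.fix });
      }
    }
  }
  return findings;
}

// Constructed sample in the shape of package-lock.json v2/v3 "packages".
const SAMPLE_LOCK_PACKAGES = {
  '': { name: 'sample-app', version: '0.0.1' },
  'node_modules/morgan': { version: '1.6.1' },
  'node_modules/morgan/node_modules/debug': { version: '2.2.0' },
  'node_modules/morgan/node_modules/debug/node_modules/ms': { version: '0.7.1' },
  'node_modules/on-headers': { version: '1.0.0' },
  'node_modules/basic-auth': { version: '1.0.3' },
  'node_modules/debug': { version: '4.3.4' },
  'node_modules/ms': { version: '2.1.3' },
};

for (const f of audit(SAMPLE_LOCK_PACKAGES)) {
  console.log(`${f.path} (${f.pkg}@${f.version}): ${f.title} -> ${f.fix}`);
}
```

To run it against a real project, replace SAMPLE_LOCK_PACKAGES with `JSON.parse(fs.readFileSync('package-lock.json')).packages`. The point of walking the full "packages" map rather than only top-level dependencies is that morgan 1.6.1 pins its own nested copy of debug (and debug its own ms), so a clean top-level debug does not mean the vulnerable copy is absent.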
on-headers is vulnerable to http response header manipulation
A bug in on-headers versions < 1.1.0 may result in response headers being inadvertently modified when an array is passed to response.writeHead().
Users should upgrade to 1.1.0.
Users are encouraged to upgrade to 1.1.0, but this issue can be worked around by passing an object to response.writeHead() rather than an array.