Update debug to the latest version

[kireerik]

This would fix the following vulnerability: https://snyk.io/test/github/expressjs/compression/1.6.2

[kyrylkov]

Is there a reason to have debug dependency without tilde

[sshen81]

@dougwilson Have experienced the same issue. debug package release >= 2.6.8 has upgraded the ms dependency to address the snyk vulnerability.

[dougwilson]

Hi everyone, is this a false positive for the vulnerability or is there a way you can exploit the compression module though this? The current version published has debug: ~2.2.0, which has the tilde @kyrylkov but it's still a few minor behind, so the tilde doesn't work. I'll publish a new version within like 12 hours or so unless there is an actual exploit here and it's just not a false positive.

[kyrylkov]

@dougwilson ms acknowledged the issue vercel/ms#89 As you see it's been already 9 days so it can wait another 12 hours.

[dougwilson]

Hi @kyrylkov is this a false positive for the vulnerability or is there a way you can exploit the compression module though this?

[kyrylkov]

@dougwilson I don't think compression can be exploited, since compression doesn't depend on ms, while debug uses ms only for microsecond logging. However I am not a security exprert.

[dougwilson]

From my understanding, it only applies when you are using ms(string_var), but the debug module is only calling ms(number_var), so I don't think the vulnerability applies here.

[dougwilson]

Didn't mean to fat finger comment + close; just no longer need more info; there is no rush to update since there is no vulnerability here.