Comments (3)
dougwilson
commented on April 27, 2024
1
Hello, and thank you for your report. The redos fix for the issue you linked was backported to debug 2.6.9 which is what we are already using. This was done by the debug project by my request back in 2017, when the fix came out: debug-js/debug#504 (comment) . I took a look at your link and under references it links to that Github PR I liked above where the project states the fix is also in 2.6.9.
If you are using an automated scanning tool that is incorrectly reporting 2.9.6 as vulnerable, you will need to report this to the tool you are using.
from body-parser.
Shereef
commented on April 27, 2024
Thanks so much for the fast response @dougwilson
For future readers I did report it to snyk
from body-parser.
dougwilson
commented on April 27, 2024
No problem, @Shereef ! I did some further digging and it seems like this vulnerability was already listed by Snyk a long time ago as https://security.snyk.io/vuln/npm:debug:20170905 which shows the correct version ranges. Now as on Jan 9 there is a duplicate of this old report as https://security.snyk.io/vuln/SNYK-JS-DEBUG-3227433 which has just one of the two ranges listed. Seems probably they just need to remove the duplicate report or merge them or something 🤷
from body-parser.
Related Issues (20)
- bodyParser is deprecated, error HOT 1
- bodyparser.json() shown as deprecated? (question) HOT 7
- pass options to qs thru urlencoded? HOT 4
- Cannot catch SyntaxError when user provides invalid JSON in body and content-type: application/json HOT 3
- Support for content-encoding: deflate raw HOT 7
- req.body could not be accessed when send as form data, but works fine with JSON HOT 3
- Pass custom parameters to `qs` HOT 3
- Update iconv-lite to latest 0.6.3 HOT 7
- support for ndjson
- Update `debug` dependency (memory leak leading to vulnerability) HOT 1
- api calls made with invalid json HOT 5
- Add support for removing body parser limit HOT 8
- BadRequestError: request size did not match content length HOT 7
- How to handle content-type mismatch? HOT 1
- CVE-2017-20165 - debug HOT 2
- Issue HOT 1
- Debug package version in body parser showing security vulnerability HOT 10
- fails silently if the json has extra whitespace HOT 2
- json middleware does not work on content types with a `+` HOT 9
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from body-parser.