Skip to content

Locks debug to 2.2.0#15

Merged
ucarion merged 1 commit intocomponent:masterfrom
eastwood:master
Sep 28, 2018
Merged

Locks debug to 2.2.0#15
ucarion merged 1 commit intocomponent:masterfrom
eastwood:master

Conversation

@eastwood
Copy link
Contributor

@eastwood eastwood commented Sep 12, 2018

Recent changes to debug has introduced some breaking changes in their new 4.x branch. For upstream consumers of component-cookie, these breaking changes have made their way into builds, especially those using older versions of node/npm etc.

This PR addresses this issue and locks the debug version to 2.2.0 similarly to the component.json change made in 91cb083

@f2prateek
Copy link

f2prateek commented Sep 28, 2018
edited
Loading

LGTM! We just ran into this issue with our integrations https://circleci.com/gh/segment-integrations/analytics.js-integration-mixpanel/495

f2prateek
f2prateek reviewed Sep 28, 2018
View reviewed changes
package.json
"debug": "2.2.0"
},
"devDependencies": {
"mocha": "*"
Copy link

@f2prateek f2prateek Sep 28, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Separately - we should pin this as well.

@ucarion ucarion merged commit 2f4f00e into component:master Sep 28, 2018
@ucarion
Copy link
Collaborator

ucarion commented Sep 28, 2018

Thanks for the contribution @eastwood ! It's much appreciated. :)

This was referenced Oct 1, 2018
Merged
Merged
@hsvtslv hsvtslv mentioned this pull request Oct 28, 2018
Closed
@hsvtslv
Copy link

hsvtslv commented Oct 28, 2018

bad solution
matthewmueller/next-cookies#7

@nfriedly
Copy link
Contributor

nfriedly commented Oct 28, 2018
edited
Loading

Would ^2.6.9 or ^3.1.0 be acceptable here? That would resolve the security issue that #16 and matthewmueller/next-cookies#7 are hitting.

nfriedly added a commit to nfriedly/cookie-1 that referenced this pull request Oct 29, 2018
@nfriedly
lock debug to v2.6.9
0e5efdb 
There is a minor security vulnerability in the module `debug`: https://nodesecurity.io/advisories/534

This was resolved in 2.6.9 and 3.1.0.

Debug introduced let/const in v3.2.0, breaking compatibility with node.js v4 and older browsers. This was reverted in 3.2.4, then re-released it in 4.0.0 - see debug-js/debug#603 for context around that.

In order avoid the vulnerability without loosing any compatibility, this change locks component-cookie to >= 3.2.4 < 4.0.0.

Version `^2.6.9` could alternatively be used if desired.

This Fixes component#16, Fixes component#15, and is is part of the fix for matthewmueller/next-cookies#7
@nfriedly nfriedly mentioned this pull request Oct 29, 2018
Merged
nfriedly added a commit to nfriedly/cookie-1 that referenced this pull request Oct 29, 2018
@nfriedly
Require debug ^3.2.4
a7c9f9b 
There is a minor security vulnerability in the module `debug`: https://nodesecurity.io/advisories/534

This was resolved in 2.6.9 and 3.1.0.

Debug introduced let/const in v3.2.0, breaking compatibility with node.js v4 and older browsers. This was reverted in 3.2.4, then re-released it in 4.0.0 - see debug-js/debug#603 for context around that.

In order avoid the vulnerability without loosing any compatibility, this change locks component-cookie to >= 3.2.4 < 4.0.0.

Version `^2.6.9` could alternatively be used if desired.

This Fixes component#16, Fixes component#15, and is is part of the fix for matthewmueller/next-cookies#7
@f2prateek
Copy link

f2prateek commented Oct 29, 2018

I think 2.6.9 would likely be safest.

@nfriedly
Copy link
Contributor

nfriedly commented Oct 29, 2018

Fair enough. PR with 2.6.9 (now) at #17

ucarion pushed a commit that referenced this pull request Apr 14, 2021
@nfriedly
Require debug ^2.6.9 (#17)
5a2ee85 
* Require debug ^3.2.4

There is a minor security vulnerability in the module `debug`: https://nodesecurity.io/advisories/534

This was resolved in 2.6.9 and 3.1.0.

Debug introduced let/const in v3.2.0, breaking compatibility with node.js v4 and older browsers. This was reverted in 3.2.4, then re-released it in 4.0.0 - see debug-js/debug#603 for context around that.

In order avoid the vulnerability without loosing any compatibility, this change locks component-cookie to >= 3.2.4 < 4.0.0.

Version `^2.6.9` could alternatively be used if desired.

This Fixes #16, Fixes #15, and is is part of the fix for matthewmueller/next-cookies#7

* switch to ^2.6.9

based on feedback from @f2prateek
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@f2prateek f2prateek f2prateek approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@eastwood @f2prateek @ucarion @hsvtslv @nfriedly