Update `debug` dependency (memory leak leading to vulnerability)
cmotsn opened this issue · comments
Context: the body-parser lib is included as a nested dependency in our application.
We use Checkmarx to scan for security vulnerabilities, and it indicates a vulnerability due to the usage of a version of the `debug` dependency which contains a memory leak.
Updating the `debug` package to 4.3.x would remove the vulnerability.
Hi @cmotsn thanks for your report! The memory leak mentioned in there seems to only apply to 3.x and 4.x as stated by the project in the links. The https://checkmarx.com/blog/some-vulnerabilities-dont-have-a-name/ link you provided helpfully provides a POC to check for the issue as well, and following those steps it verifies that 2.6.9 is not vulnerable to the leak. You can verify yourself at https://github.com/MarioTeixeiraCx/POCs and installing debug@2.6.9.