expressjs / compression

Node.js compression middleware


Using a current debug version

vsridhars opened this issue · comments

Hi,

When I look at an Angular 12.x release dependency tree, I notice that compression comes up as one of 7-8 users of the 2.6.9 debug library. Most of the other packages have moved up to 4.3.2.

I searched through the archives and noticed that in 2017 there was a thread around upgrading the debug reference (it got closed for non-exploitability).

Code scanners continue to flag older debug versions as vulnerable on a couple of counts.

The current npm debug library is at 4.3.2, and the 2.6.9/3.1.0 builds are ~4 years old.
Can we get to the newer lib series, or would that raise some dependencies for users of this package?

```
+-- @angular-devkit/build-angular@12.2.13
| -- webpack-dev-server@3.11.2
| +-- compression@1.7.4
| | -- debug@2.6.9
| +-- debug@4.3.2 deduped
```
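The tree above shows where the nested debug@2.6.9 sits, but an `npm ls` excerpt does not show every path by which an old copy is reached, and a scanner's finding on its own does not say which dependent pins it. The script below is an added example, not code from this issue or from the compression project: it reads an npm lockfile (v2/v3 `packages` shape), resolves each `dependencies` entry the way Node's lookup does (nearest `node_modules`, walking upwards), builds the reverse dependency graph and prints every root-to-package chain for each copy of a package below a chosen version. The `SAMPLE_LOCK` object is a constructed stand-in that reproduces the layout from the tree above (debug@4.3.2 hoisted to the top, debug@2.6.9 nested under compression); the package name `demo-app` and the function names are assumptions for the example.

```javascript
"use strict";

// Constructed sample of an npm lockfile (v2/v3 "packages" shape), NOT real
// output. It mirrors the tree from the issue: debug@4.3.2 is hoisted, and
// compression@1.7.4 pins its own nested debug@2.6.9.
const SAMPLE_LOCK = {
  name: "demo-app",
  lockfileVersion: 2,
  packages: {
    "": { name: "demo-app", version: "1.0.0",
          dependencies: { "@angular-devkit/build-angular": "12.2.13" } },
    "node_modules/@angular-devkit/build-angular": { version: "12.2.13",
          dependencies: { "webpack-dev-server": "3.11.2" } },
    "node_modules/webpack-dev-server": { version: "3.11.2",
          dependencies: { compression: "1.7.4", debug: "^4.1.1" } },
    "node_modules/compression": { version: "1.7.4",
          dependencies: { debug: "2.6.9" } },
    "node_modules/compression/node_modules/debug": { version: "2.6.9",
          dependencies: { ms: "2.0.0" } },
    "node_modules/compression/node_modules/ms": { version: "2.0.0" },
    "node_modules/debug": { version: "4.3.2", dependencies: { ms: "2.1.2" } },
    "node_modules/ms": { version: "2.1.2" },
  },
};

// Lockfile path that `depName` resolves to when required from the package at
// `fromPath`: try the nearest node_modules, then walk up to the root.
function resolveDep(lock, fromPath, depName) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + depName;
    if (lock.packages[candidate]) return candidate;
    if (!base) return null; // missing or optional dependency
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// Package name encoded in a lockfile path (keeps scoped names intact).
function packageName(lock, p) {
  if (p === "") return lock.name || "(root)";
  return p.slice(p.lastIndexOf("node_modules/") + "node_modules/".length);
}

// Reverse edges: for each installed path, the paths that depend on it.
function reverseGraph(lock) {
  const parents = {};
  for (const [p, entry] of Object.entries(lock.packages)) {
    for (const dep of Object.keys(entry.dependencies || {})) {
      const target = resolveDep(lock, p, dep);
      if (target === null) continue;
      (parents[target] = parents[target] || []).push(p);
    }
  }
  return parents;
}

// All root-to-package chains (as name arrays) leading to path `p`.
function chainsTo(lock, parents, p, seen = new Set()) {
  if (p === "") return [[packageName(lock, "")]];
  if (seen.has(p)) return []; // cycle guard
  const next = new Set(seen).add(p);
  const out = [];
  for (const parent of parents[p] || []) {
    for (const chain of chainsTo(lock, parents, parent, next)) {
      out.push([...chain, packageName(lock, p)]);
    }
  }
  return out;
}

// Plain numeric major.minor.patch comparison (no prerelease handling).
function versionLess(a, b) {
  const pa = a.split(".").map((n) => parseInt(n, 10));
  const pb = b.split(".").map((n) => parseInt(n, 10));
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) < (pb[i] || 0);
  }
  return false;
}

// Every installed copy of `name` older than `minVersion`, with its chains.
function findOutdated(lock, name, minVersion) {
  const parents = reverseGraph(lock);
  const hits = [];
  for (const [p, entry] of Object.entries(lock.packages)) {
    if (p === "" || packageName(lock, p) !== name) continue;
    if (!versionLess(entry.version, minVersion)) continue;
    hits.push({ path: p, version: entry.version,
                chains: chainsTo(lock, parents, p).map((c) => c.join(" > ")) });
  }
  return hits;
}

for (const hit of findOutdated(SAMPLE_LOCK, "debug", "4.0.0")) {
  console.log(`${hit.version} at ${hit.path}`);
  for (const c of hit.chains) console.log("  via " + c);
}
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json"))`; lockfile v1 files (a nested `dependencies` tree instead of a flat `packages` map) are not handled here. Knowing the chain tells you which dependent to raise the request with; whether the old copy is actually exploitable in your use is a separate question that the chain alone does not answer.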

Hello,

The reason the older version is used is because that is the version that is compatible with the versions of Node.js that this module is compatible with. The current version of debug this module uses has no vulnerabilities. If you are having vulnerabilities flagged on it, you need to check with the scanning software you are using; you can confirm on npm audit, for example, that it is clean.