lock debug to v2.6.9

nfriedly · web-flow · commit 0e5efdbc458e · 2018-10-29T10:09:38.000-04:00
There is a minor security vulnerability in the module `debug`: https://nodesecurity.io/advisories/534 This was resolved in 2.6.9 and 3.1.0. Debug introduced let/const in v3.2.0, breaking compatibility with node.js v4 and older browsers. This was reverted in 3.2.4, then re-released it in 4.0.0 - see debug-js/debug#603 for context around that. In order avoid the vulnerability without loosing any compatibility, this change locks component-cookie to >= 3.2.4 < 4.0.0. Version `^2.6.9` could alternatively be used if desired. This Fixes #16, Fixes #15, and is is part of the fix for matthewmueller/next-cookies#7
diff --git a/package.json b/package.json
@@ -4,7 +4,7 @@
   "version": "1.1.4",
   "license": "MIT",
   "dependencies": {
-    "debug": "2.2.0"
+    "debug": "^3.2.4"
   },
   "devDependencies": {
     "mocha": "*"
