Upgrade Version of debug package #6204

Closed
rodrigoramos opened this issue Dec 3, 2024 · 3 comments
@rodrigoramos

Hi, there!

IDK if it's the appropriate channel to discuss this, but the debug package used by this app is on version 2.6.9, and it has a memory leak problem, as discussed here.

This issue suggests upgrading this package to version 3.7.0, in which this problem was already solved.

I can also submit a Pull Request if it would help.

@dpopp07

dpopp07 commented Dec 20, 2024

This has already been updated in the main branch and released with v5:

"debug": "4.3.6",

However, v4 is still pulling in the older version:

"debug": "2.6.9",

It seems that v4 just needs a backport with this change to address the security concern. Here are the release notes from when that change was made before. I am sure a PR would be welcome - do you want to open one, @rodrigoramos? If not, I'm happy to.

@slagiewka

It's worth noting that [email protected]+ requires node >= 6. Express v4 set the bar really low on >= 0.10.0. Unfortunately it's not mentioned exactly what was incompatible.

@wesleytodd
Member

Yep, @slagiewka is right about updating to debug@4 in express@4 (it's a major driver for us revamping the project). And I am not sure if we can even update to the [email protected] branch without breaking compat (I think this was discussed in a PR in the past; search for it and you should find the context). Ideally, if we can, this would be the kind of thing we would work with the debug maintainers to backport in the currently depended-on major line if it impacted express usage. I don't believe we do the described behavior, though. And I am pretty sure if we did, it would have come up before now.

I am going to close this unless you can show that express is impacted (which we can then re-open).
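As an added example (not code from the express project or from anyone in this thread), the following lists every copy of `debug` that an npm lockfile resolves and which package pulls in each nested copy, so an application can see whether it still installs the 2.x line. It assumes the `packages` map of npm lockfileVersion 2 or 3; the sample lockfile is constructed and the function names are hypothetical.

```javascript
// Constructed sample: a trimmed npm lockfileVersion 3 "packages" map.
// The debug versions are the two quoted in the thread; everything else is made up.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "0.0.0-constructed" },
    "node_modules/express": { version: "0.0.0-constructed" },
    "node_modules/express/node_modules/debug": { version: "2.6.9" },
    "node_modules/debug": { version: "4.3.6" },
    "node_modules/@demo/debug": { version: "1.0.0" } // scoped look-alike, must not match
  }
};

// Hypothetical helper: list every installed copy of pkgName in the lockfile.
function findInstalledCopies(lock, pkgName) {
  const suffix = "node_modules/" + pkgName;
  const copies = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    // Match only ".../node_modules/<pkgName>", not scoped or similarly named packages.
    if (path !== suffix && !path.endsWith("/" + suffix)) continue;
    // The parent is the package that owns the nested node_modules directory;
    // a top-level copy is hoisted and shared by whoever accepts that version.
    const parentPath = path.slice(0, path.length - suffix.length).replace(/\/$/, "");
    const parent = parentPath === "" ? "(hoisted)" : parentPath.split("node_modules/").pop();
    const major = Number(String(meta.version).split(".")[0]);
    copies.push({ path, parent, version: meta.version, major });
  }
  return copies.sort((a, b) => a.path.localeCompare(b.path));
}

// Hypothetical helper: copies whose major version is below minMajor.
function copiesBelowMajor(lock, pkgName, minMajor) {
  return findInstalledCopies(lock, pkgName).filter((c) => c.major < minMajor);
}

// Print version, parent and path for each resolved copy in the sample.
for (const c of findInstalledCopies(sampleLock, "debug")) {
  console.log(`${c.version}\t${c.parent}\t${c.path}`);
}
```

To run it against a real project, pass the parsed contents of its `package-lock.json` in place of `sampleLock`.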
