{"ecosystem":"npm","package":"debug","version":null,"bugs":[{"id":100,"ecosystem":"npm","package_name":"debug","affected_version":"3.0.0","fixed_version":"3.1.0","bug_id":"osv:GHSA-9vvw-cc9w-f27h","title":"debug Inefficient Regular Expression Complexity vulnerability","description":"A vulnerability classified as problematic has been found in debug-js debug up to 3.0.x. This affects the function useColors of the file src/node.js. The manipulation of the argument str leads to inefficient regular expression complexity. Upgrading to version 3.1.0 is able to address this issue. The name of the patch is c38a0166c266a679c8de012d4eaccec3f944e685. It is recommended to upgrade the affected component. The identifier VDB-217665 was assigned to this vulnerability. The patch has been backported to the 2.6.x branch in version 2.6.9.","severity":"high","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2017-20165","labels":["CVE-2017-20165"],"created_at":"2026-04-19T04:30:11.880153+00:00","updated_at":"2026-04-19T04:30:11.880153+00:00"},{"id":99,"ecosystem":"npm","package_name":"debug","affected_version":"4.4.2","fixed_version":"4.4.3","bug_id":"osv:GHSA-4x49-vf9v-38px","title":"debug@4.4.2 contains malware after npm account takeover","description":"### Impact\nOn 8 September 2025, the npm publishing account for `debug` was taken over after a phishing attack. Version `4.4.2` was published, functionally identical to the previous patch version, but with a malware payload added attempting to redirect cryptocurrency transactions to the attacker's own addresses from within browser environments.\n\nLocal environments, server environments, command line applications, etc. are not affected. If the package was used in a browser context (e.g. a direct `<script>` inclusion, or via a bundling tool such as Babel, Rollup, Vite, Next.js, etc.) there is a chance the malware still exists and such bundles will need to be rebuilt.\n\nThe malware seemingly only targets cryptocurrency transactions and wallets such as MetaMask. See references below for more information on the payload.\n\n### Patches\nnpm removed the offending package from the registry over the course of the day on 8 September, preventing further downloads from npm proper.\n\nOn 13 September, the package owner published new patch versions to help cache-bust those using private registries who might still have the compromised version cached. This version is functionally identical to the previously known-good version, published as a patch version bump above the compromised version.\n\nUsers should upgrade to the latest patch version, completely remove their `node_modules` directory, clean their package manager's global cache, and rebuild any browser bundles from scratch.\n\nThose operating private registries or registry mirrors should purge the offending versions from any caches.\n\n### References\n- https://www.aikido.dev/blog/npm-debug-and-chalk-packages-compromised\n- https://socket.dev/blog/npm-author-qix-compromised-in-major-supply-chain-attack\n- https://www.ox.security/blog/npm-packages-compromised/\n\n### Point of Contact\nIn the event suspicious behavior is still observed for the package listed in this security advisory after performing all of the above cleaning operations (see _Patches_ above), please reach out via one of the following channels of communication:\n\n- Bluesky, package owner: https://bsky.app/profile/bad-at-computer.bsky.social\n- `debug` repository, tracking issue (applies to all packages affected in the breach): https://github.com/debug-js/debug/issues/1005","severity":"high","status":"fixed","source":"osv","source_url":"https://github.com/debug-js/debug/security/advisories/GHSA-4x49-vf9v-38px","labels":["CVE-2025-59144","GHSA-8mgj-vmr8-frr6","MAL-2025-46974"],"created_at":"2026-04-19T04:30:11.879125+00:00","updated_at":"2026-04-19T04:30:11.879125+00:00"},{"id":124,"ecosystem":"npm","package_name":"debug","affected_version":null,"fixed_version":null,"bug_id":"github:329","title":"What names are available?","description":"I only get output with the word Chinese in the name, followed by a colon. I don't see anywhere in usage that explains why this would be.\r\n\r\nUsage shows...\r\n`var debug = require('debug')('http')`\r\n`var debug = require('debug')('worker');`\r\n`var error = debug('app:error');`\r\n\r\nLogs correctly for me...\r\n`const debug = require('debug')('Chinese:www')`\r\n`const debug = require('debug')('Chinese:foo')`\r\n\r\nNo logs at all...\r\n`const debug = require('debug')('Foo:www')`\r\n`const debug = require('debug')('Foo')`","severity":"medium","status":"fixed","source":"github_issues","source_url":"https://github.com/debug-js/debug/issues/329","labels":["discussion","bug"],"created_at":"2026-04-19T04:30:13.024364+00:00","updated_at":"2026-04-19T04:30:13.024364+00:00"},{"id":123,"ecosystem":"npm","package_name":"debug","affected_version":null,"fixed_version":null,"bug_id":"github:369","title":"t.useColors is not a function","description":"Your most recent update seems to have broken our build.\r\n\r\nIt is throwing the following error:\r\n`Uncaught TypeError: t.useColors is not a function`","severity":"medium","status":"fixed","source":"github_issues","source_url":"https://github.com/debug-js/debug/issues/369","labels":["bug"],"created_at":"2026-04-19T04:30:13.023418+00:00","updated_at":"2026-04-19T04:30:13.023418+00:00"},{"id":122,"ecosystem":"npm","package_name":"debug","affected_version":null,"fixed_version":null,"bug_id":"github:436","title":"Uncaught Type Error coming from browser.js","description":"TypeError: Cannot read property 'style' of null  happening when document.documentElement is null because there is no null check. Would like to put in a PR to fix it if you guys decide not to.","severity":"medium","status":"fixed","source":"github_issues","source_url":"https://github.com/debug-js/debug/issues/436","labels":["bug","has-pr"],"created_at":"2026-04-19T04:30:13.022687+00:00","updated_at":"2026-04-19T04:30:13.022687+00:00"},{"id":120,"ecosystem":"npm","package_name":"debug","affected_version":null,"fixed_version":null,"bug_id":"github:495","title":"Can't Disable debug","description":"https://runkit.com/ilyaigpetrov/59a6ef385d75ca0011ffb2c3\r\n```js\r\nconst debug = require('debug')\r\nconsole.log('ENABLED_1?', debug.enabled('*'));\r\ndebug.enable('*');\r\ndebug.disable('*');\r\nconsole.log('ENABLED_2?', debug.enabled('*'));\r\n```\r\nOutput:\r\n```js\r\nENABLED_1?\r\ntrue\r\nENABLED_2?\r\ntrue\r\n```","severity":"medium","status":"fixed","source":"github_issues","source_url":"https://github.com/debug-js/debug/issues/495","labels":["bug"],"created_at":"2026-04-19T04:30:13.021621+00:00","updated_at":"2026-04-19T04:30:13.021621+00:00"},{"id":119,"ecosystem":"npm","package_name":"debug","affected_version":null,"fixed_version":null,"bug_id":"github:515","title":"if you use it from within docker","description":"if you use it from within docker, it does not work as expected, instead of showing default behaviour with colours and milli seconds between messages it shows full time, to make it work as default, you need to add:\r\nDEBUG_COLORS=true\r\nto command line \r\nI had to debug code to make it work, this behaviour could be documented,  added in to readme file\r\n\r\n","severity":"medium","status":"fixed","source":"github_issues","source_url":"https://github.com/debug-js/debug/issues/515","labels":["bug","help-wanted"],"created_at":"2026-04-19T04:30:13.021188+00:00","updated_at":"2026-04-19T04:30:13.021188+00:00"},{"id":118,"ecosystem":"npm","package_name":"debug","affected_version":null,"fixed_version":null,"bug_id":"github:533","title":"`enable()` invalidates created loggers that should be enabled","description":"For example, let's say I have the following:\r\n\r\n```\r\nconst debug = require(\"debug\");\r\nconst foobarDebug = debug(\"foo:bar\");\r\n\r\ndebug.enable(\"foo:*\");\r\n\r\nconsole.log(\"debug.enabled('foo:bar')?\", debug.enabled(\"foo:bar\"));\r\nconsole.log(\"foobarDebug enabled?\", foobarDebug.enabled);\r\n```\r\n\r\nwill output\r\n\r\n```\r\ndebug.enabled('foo:bar')? true\r\nfoobarDebug enabled? false\r\n```\r\n\r\nIf you create the debugger after calling `enable()` it works as expected. I understand that `enable()` overrides what was previously enabled, but I would expect that anything that passes the new filters would be enabled.","severity":"medium","status":"fixed","source":"github_issues","source_url":"https://github.com/debug-js/debug/issues/533","labels":["bug","help-wanted"],"created_at":"2026-04-19T04:30:13.020744+00:00","updated_at":"2026-04-19T04:30:13.020744+00:00"},{"id":117,"ecosystem":"npm","package_name":"debug","affected_version":null,"fixed_version":null,"bug_id":"github:550","title":"can't disable namespace","description":"environment: node\r\n\r\nI use same namespace across few files.\r\nWhen I disable namespace in one file\r\n```\r\n    let namespaces = enabledNamespaces()\r\n    const index = namespaces.indexOf(namespace)\r\n    namespaces[index] = `-${namespace}`\r\n    debug.enable(namespaces.join())\r\n```\r\nin other other file I see that debug doesn't have this namespace in the list of names, but the namespace still enabled  and there is an output.\r\n","severity":"medium","status":"fixed","source":"github_issues","source_url":"https://github.com/debug-js/debug/issues/550","labels":["bug"],"created_at":"2026-04-19T04:30:13.020309+00:00","updated_at":"2026-04-19T04:30:13.020309+00:00"},{"id":116,"ecosystem":"npm","package_name":"debug","affected_version":null,"fixed_version":null,"bug_id":"github:597","title":"How can I disable formatters?","description":"knex uses debug and it can happen that the message that is printed matches the formatter style-for example:\r\n```\r\nknex:bindings [ 1, 'undefined%' ] +5ms\r\n//when in fact \r\nknex:bindings: [ 1, '%j%' ],\r\n```\r\n\r\nmaybe debug should not even attempt to replace formatter expressions when there is nothing provided?\r\n","severity":"medium","status":"fixed","source":"github_issues","source_url":"https://github.com/debug-js/debug/issues/597","labels":["bug","wont-fix"],"created_at":"2026-04-19T04:30:13.019757+00:00","updated_at":"2026-04-19T04:30:13.019757+00:00"},{"id":115,"ecosystem":"npm","package_name":"debug","affected_version":"3.1.0","fixed_version":null,"bug_id":"github:606","title":"debug no longer works with browserify","description":"Any version of debug that I use past version 3.1.0 gives this error when trying to browserify code that includes this module\r\n\r\n```\r\nCannot find module './common' from '[redacted]/node_modules/debug/dist'\r\n      at FSReqWrap.oncomplete (fs.js:154:21)\r\n```\r\n\r\nThere was a mention in #603 about a browserify incompatibility, but it doesn't appear to be the same issue.","severity":"medium","status":"fixed","source":"github_issues","source_url":"https://github.com/debug-js/debug/issues/606","labels":["bug"],"created_at":"2026-04-19T04:30:13.019269+00:00","updated_at":"2026-04-19T04:30:13.019269+00:00"},{"id":114,"ecosystem":"npm","package_name":"debug","affected_version":null,"fixed_version":null,"bug_id":"github:616","title":"How to Disable debug globally?","description":"I know this isn't an issue with the package so much as it is a personal issue, but I can't seem to find documentation anywhere to disable debug globally for all projects.   Basically whenever I localhost anything my localStorage is automatically is set to {debug: *}.  I will delete this issue as soon as I figure it out. ","severity":"medium","status":"fixed","source":"github_issues","source_url":"https://github.com/debug-js/debug/issues/616","labels":["bug"],"created_at":"2026-04-19T04:30:13.018848+00:00","updated_at":"2026-04-19T04:30:13.018848+00:00"},{"id":113,"ecosystem":"npm","package_name":"debug","affected_version":null,"fixed_version":null,"bug_id":"github:646","title":"Extending IDebugger doesn't retain the .log  function","description":"    const debug = require('debug');\r\n    const log = debug('app');\r\n    log.log = console.log.bind(console); //log to stdout\r\n\r\n    log('Stdout test'); //writes \"app Stdout test\" to stdout \r\n    log.extend('extended')('Stdout test'); //writes \"app:extended Stdout test\" to stderr \r\n\r\nBit annoying if i want to have a base IDebugger for stdout and another for stderr, but i have to re-bind console.log whenever i want to extend the stdout debugger.","severity":"medium","status":"fixed","source":"github_issues","source_url":"https://github.com/debug-js/debug/issues/646","labels":["bug","change-patch","help-wanted","pr-welcome"],"created_at":"2026-04-19T04:30:13.017730+00:00","updated_at":"2026-04-19T04:30:13.017730+00:00"},{"id":112,"ecosystem":"npm","package_name":"debug","affected_version":"10.13","fixed_version":null,"bug_id":"github:678","title":"memory leak when instance is created inside a function.","description":"Hi, I just noticed that when you create debug instance in a function, it is starting to leak the memory without freeing. Here's how you can reproduce it:\r\n\r\n```js\r\nconst debug = require('debug');\r\n\r\nconst loop = () => {\r\n  const d = debug('namespace:that:i:want:for:this:function');\r\n  d('hello world');\r\n  setImmediate(loop);\r\n};\r\n\r\nloop();\r\n```\r\n\r\nIf you run this and look at memory, it is leaking a lot without freeing them.\r\nalso does not matter if I set environment to DEBUG=* or not, it still leaks. Any thoughts?\r\n\r\nEDIT: tested on 3.1.1 and 4.1.1 as well (had 3.1.1 version and then I upgraded to latest one to check if it was fixed).\r\n\r\nEDIT2: using node version 10.13 and Windows 10 x64.","severity":"medium","status":"fixed","source":"github_issues","source_url":"https://github.com/debug-js/debug/issues/678","labels":["bug"],"created_at":"2026-04-19T04:30:13.016137+00:00","updated_at":"2026-04-19T04:30:13.016137+00:00"},{"id":111,"ecosystem":"npm","package_name":"debug","affected_version":null,"fixed_version":null,"bug_id":"github:683","title":"supports-color breaks coloring","description":"This line over here defines an ANSI extended color set for bright color which doesn't display correctly: (by incorrectly I mean it's just bold white color)\r\n\r\nhttps://github.com/visionmedia/debug/blob/5c7c61dc0df0db4eb5de25707d8cd1b9be1add4f/src/node.js#L169\r\n\r\nIt shouldn't(?) have a traling `;1` after `${colorCode}`. So the line should like:\r\n\r\n ``const prefix = `  ${colorCode}m${name} \\u001B[0m`; ``\r\n\r\nThis fixes the bug (for me :) )\r\n\r\n\r\nEDIT: This supports my observation [256 colors](http://www.lihaoyi.com/post/BuildyourownCommandLinewithANSIescapecodes.html#256-colors)\r\n\r\nAlso from the article:\r\n\r\n> Note that the bright versions of the background colors do not change the background, but rather make the foreground text brighter. This is unintuitive but that's just the way it works.\r\n\r\nand the `;1` option only applies to `\\u001b[44` ie background colors, while the `\\u001b[38` option for foreground colors does not have such thing","severity":"medium","status":"fixed","source":"github_issues","source_url":"https://github.com/debug-js/debug/issues/683","labels":["bug"],"created_at":"2026-04-19T04:30:13.015421+00:00","updated_at":"2026-04-19T04:30:13.015421+00:00"},{"id":110,"ecosystem":"npm","package_name":"debug","affected_version":null,"fixed_version":null,"bug_id":"github:736","title":"[RFC] support deno","description":"Whether to support running on deno ?\r\n\r\nhttps://github.com/denoland/deno","severity":"medium","status":"fixed","source":"github_issues","source_url":"https://github.com/debug-js/debug/issues/736","labels":["bug","change-patch"],"created_at":"2026-04-19T04:30:13.014955+00:00","updated_at":"2026-04-19T04:30:13.014955+00:00"},{"id":109,"ecosystem":"npm","package_name":"debug","affected_version":null,"fixed_version":null,"bug_id":"github:737","title":"Regex injection in `enable(namespaces)`","description":"<!--\r\n\r\nDO NOT SUBMIT ISSUES ASKING TO REMOVE ES6.\r\n\r\nIT WILL BE CLOSED.\r\nIT WILL BE LOCKED.\r\n\r\nWe use ES2015+ for a reason. Modern best\r\npractices dictate the use of tooling like\r\nBabel and @babel/preset-env in order to\r\ntarget the browsers that make sense for\r\nyour project.\r\n\r\nFor more information, please see:\r\nhttps://github.com/sindresorhus/ama/issues/446#issuecomment-281014491\r\n\r\nPlease keep in mind that `debug` is downloaded,\r\ninstalled, transpiled and used millions of times\r\n*per day*. If you have an error with `debug`, it's\r\nmost likely your own configuration (e.g. with Babel,\r\nWebpack, etc).\r\n\r\nUnless you post ample evidence you have tried\r\nto fix this yourself, it will most likely\r\nbe determined that your issue is localized\r\nto your project - not `debug`.\r\n\r\n-->\r\n\r\nCoverity static analysis is complaining that `enable(namespaces)` uses an unescaped user input as the basis for a regular expression.\r\n\r\nIt follows the path from the user-defined `window.localStorage.debug` value through the `load()` function in [browser.js](https://github.com/visionmedia/debug/blob/master/src/browser.js) into the `enable(namespaces)` function in [common.js](https://github.com/visionmedia/debug/blob/master/src/common.js#L177).\r\n\r\nI understand that this debug input is used to control what is logged or not -- but it leaves the library (and any dependent ones) open to receiving crafted input that could cause a denial of service attack on the user's browser (ReDoS attack). I don't believe this is an issue for a server-side DoS attack -- as the input on the server comes from an environment variable rather than the less-protected browser context.\r\n\r\nOne solution might be to look at something like https://github.com/davisjam/safe-regex to defend against some types of problematic regexes -- there are other suggestions in that repo's readme as well.","severity":"medium","status":"fixed","source":"github_issues","source_url":"https://github.com/debug-js/debug/issues/737","labels":["bug"],"created_at":"2026-04-19T04:30:13.014284+00:00","updated_at":"2026-04-19T04:30:13.014284+00:00"},{"id":108,"ecosystem":"npm","package_name":"debug","affected_version":null,"fixed_version":null,"bug_id":"github:741","title":"`.enabled()` logic incorrectly returns true when namespace contains asterisk","description":"```javascript\r\ndebug.disable('*');\r\ndebug.enable('foo');\r\nassert.not(debug.enabled('bar'));\r\nassert.not(debug.enabled('bar*')); // throws; returns true\r\n```\r\n\r\nHas to be solved in two ways:\r\n\r\n- More stringent checks on namespaces (as they shouldn't contain asterisks)\r\n- Remove the check for `ns[ns.length-1]==='*'`, which makes absolutely no sense","severity":"medium","status":"fixed","source":"github_issues","source_url":"https://github.com/debug-js/debug/issues/741","labels":["bug","invalid"],"created_at":"2026-04-19T04:30:13.013729+00:00","updated_at":"2026-04-19T04:30:13.013729+00:00"},{"id":107,"ecosystem":"npm","package_name":"debug","affected_version":null,"fixed_version":null,"bug_id":"github:746","title":"DEBUG_DEPTH not working","description":"`DEBUG_DEPTH` env var has no effect. I tried values of `10`, `100`, `null`. No matter what I always get the following display:\r\n\r\n```\r\n2020-02-08T22:17:01.423Z SCOPE STRING [ { email: 'xxx@yyy.com', vars: [ [Object] ] } ]\r\n```\r\n\r\nMy invocation: \r\n```\r\ndebug('STRING', targetObj);\r\n```","severity":"medium","status":"fixed","source":"github_issues","source_url":"https://github.com/debug-js/debug/issues/746","labels":["bug"],"created_at":"2026-04-19T04:30:13.013278+00:00","updated_at":"2026-04-19T04:30:13.013278+00:00"},{"id":106,"ecosystem":"npm","package_name":"debug","affected_version":null,"fixed_version":null,"bug_id":"github:747","title":"Unable to take control over selectColor","description":"There is possible to reassign `createDebug.selectColor()` method but is not used. Instead that is used directly default definition based on hash calculation.\r\nI would like to have possibility to customise color selection per namespace.","severity":"medium","status":"fixed","source":"github_issues","source_url":"https://github.com/debug-js/debug/issues/747","labels":["bug","change-patch"],"created_at":"2026-04-19T04:30:13.012796+00:00","updated_at":"2026-04-19T04:30:13.012796+00:00"},{"id":105,"ecosystem":"npm","package_name":"debug","affected_version":"4.3.2","fixed_version":null,"bug_id":"github:837","title":"not getting any output","description":"We upgraded to `4.3.2` and are all of a sudden not getting logs in stderr (using in a node script).\r\nThe regressions seems to have been caused by #799\r\n\r\nAdmittedly we're perhaps using the library not _exactly_ in a way that it was intended to be used. We aren't setting `DEBUG` environment variable, so `process.env.DEBUG` is `undefined`, but our namespaces are named `example-namespace*` with a trailing `*`. These were previously logging, now they're not.","severity":"medium","status":"fixed","source":"github_issues","source_url":"https://github.com/debug-js/debug/issues/837","labels":["bug"],"created_at":"2026-04-19T04:30:13.012210+00:00","updated_at":"2026-04-19T04:30:13.012210+00:00"},{"id":104,"ecosystem":"npm","package_name":"debug","affected_version":null,"fixed_version":null,"bug_id":"github:927","title":"Links to example on readme returning 404 pages","description":"![Screenshot 2023-03-06 at 12 31 14 PM](https://user-images.githubusercontent.com/88355936/223098645-413160f9-447c-4378-914c-0de08b5759ba.jpg)\r\nPlease review or remove links to examples in your readme. Links such as the [stdout.js](https://github.com/debug-js/debug/blob/HEAD/examples/node/stdout.js) in the screenshot above return a 404 page.","severity":"medium","status":"fixed","source":"github_issues","source_url":"https://github.com/debug-js/debug/issues/927","labels":["bug","change-patch","needs-documentation"],"created_at":"2026-04-19T04:30:13.011548+00:00","updated_at":"2026-04-19T04:30:13.011548+00:00"},{"id":103,"ecosystem":"npm","package_name":"debug","affected_version":null,"fixed_version":null,"bug_id":"github:961","title":"How to set max array length (`maxArrayLength`)?","description":"# Description\r\nHow to set max array length (`maxArrayLength`)?\r\n\r\n# Code I run\r\n```ts\r\nimport debug from 'debug'\r\nconst log = debug('myApp');\r\n\r\nconst justArray = new Array(10_000).fill(0);\r\nlog({justArray})\r\n\r\nconst objWithNestedLongArray = {\r\n  nestedArray: justArray\r\n}\r\n\r\nlog({ objWithNestedLongArray})\r\n```\r\n\r\n# How I have tried to set max array length\r\n```\r\nDEBUG=\"myApp\" DEPTH_MAX_ARRAY_LENGTH=\"30000\" bun run index.ts \r\n```\r\n```\r\nDEBUG=\"myApp\" DEPTH_MAXARRAYLENGTH=\"30000\" bun run index.ts\r\n```\r\n```\r\nDEBUG=\"myApp\" DEPTH_maxArrayLength=\"30000\" bun run index.ts\r\n```\r\n\r\n# Result\r\nDespite all the 3 methods I have tried to set max array length I get the same result:\r\n```\r\n  myApp {\r\n  myApp   objWithNestedLongArray: {\r\n  myApp     nestedArray: [\r\n  myApp       0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,\r\n  myApp       0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,\r\n  myApp       0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,\r\n  myApp       0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,\r\n  myApp       0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,\r\n  myApp       0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,\r\n  myApp       0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,\r\n  myApp       0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,\r\n  myApp       0, 0, 0, 0,\r\n  myApp       ... 9900 more items\r\n  myApp     ]\r\n  myApp   }\r\n  myApp } +0ms\r\n  myApp {\r\n  myApp   justArray: [\r\n  myApp     0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,\r\n  myApp     0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,\r\n  myApp     0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,\r\n  myApp     0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,\r\n  myApp     0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,\r\n  myApp     0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,\r\n  myApp     0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,\r\n  myApp     0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,\r\n  myApp     0, 0, 0, 0,\r\n  myApp     ... 9900 more items\r\n  myApp   ]\r\n  myApp } +15ms\r\n```\r\n# Additional Info\r\nhttps://www.npmjs.com/package/debug#environment-variables chapter in documentation tells that by using DEBUG_ I can set Options object that gets used with %o/%O formatters like DEBUG_DEPTH, do I misunderstand that part?","severity":"medium","status":"fixed","source":"github_issues","source_url":"https://github.com/debug-js/debug/issues/961","labels":["bug"],"created_at":"2026-04-19T04:30:13.010539+00:00","updated_at":"2026-04-19T04:30:13.010539+00:00"},{"id":102,"ecosystem":"npm","package_name":"debug","affected_version":null,"fixed_version":null,"bug_id":"osv:MAL-2025-46974","title":"Malicious code in debug (npm)","description":"The package was compromised and malicious code added.\n\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: ghsa-malware (558d1dda312e85212121f4ed15340349f780f5e40d6685c3687648bbb2924381)\nAny computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.\n","severity":"medium","status":"open","source":"osv","source_url":"https://www.aikido.dev/blog/npm-debug-and-chalk-packages-compromised","labels":["CVE-2025-59144","GHSA-4x49-vf9v-38px","GHSA-8mgj-vmr8-frr6"],"created_at":"2026-04-19T04:30:11.881099+00:00","updated_at":"2026-04-19T04:30:11.881099+00:00"},{"id":121,"ecosystem":"npm","package_name":"debug","affected_version":null,"fixed_version":null,"bug_id":"github:451","title":"Namespace conflicts","description":"Namespaces would conflict and only the latest namespace would be activated at the same time.\r\n\r\nTest case:\r\n```\r\nlet debug = require('debug');\r\n\r\ndebug.enable('test1*');\r\ndebug.enable('test2*');\r\n\r\nlet log_1 = debug('test1');\r\nlet log_2 = debug('test2');\r\n\r\nconsole.log(1, log_1.enabled);\r\nconsole.log(2, log_2.enabled);\r\n```\r\n\r\nResults:\r\n```\r\n1 false\r\n2 true\r\n```\r\n\r\nExpected:\r\n```\r\n1 true\r\n2 true\r\n```","severity":"low","status":"fixed","source":"github_issues","source_url":"https://github.com/debug-js/debug/issues/451","labels":["discussion","bug","change-minor"],"created_at":"2026-04-19T04:30:13.022049+00:00","updated_at":"2026-04-19T04:30:13.022049+00:00"},{"id":101,"ecosystem":"npm","package_name":"debug","affected_version":null,"fixed_version":"2.6.9","bug_id":"osv:GHSA-gxpj-cx7g-858c","title":"Regular Expression Denial of Service in debug","description":"Affected versions of `debug` are vulnerable to regular expression denial of service when untrusted user input is passed into the `o` formatter. \n\nAs it takes 50,000 characters to block the event loop for 2 seconds, this issue is a low severity issue.\n\nThis was later re-introduced in version v3.2.0, and then repatched in versions 3.2.7 and 4.3.1.\n\n## Recommendation\n\nVersion 2.x.x: Update to version 2.6.9 or later.\nVersion 3.1.x: Update to version 3.1.0 or later.\nVersion 3.2.x: Update to version 3.2.7 or later.\nVersion 4.x.x: Update to version 4.3.1 or later.","severity":"low","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2017-16137","labels":["CVE-2017-16137"],"created_at":"2026-04-19T04:30:11.880630+00:00","updated_at":"2026-04-19T04:30:11.880630+00:00"}],"total":26,"_cache":"miss"}