Outdated and Vulnerable debug@2.6.9 Dependency in React Native 0.80.0

### Description

### 🛡️ Security Vulnerability in `debug@2.6.9` via React Native CLI dependencies

React Native 0.80.0 still includes a transitive dependency on the `debug` package version `2.6.9`, which is known to have a [CWE-1333: Regular Expression Denial of Service (ReDoS)](https://cwe.mitre.org/data/definitions/1333.html) vulnerability.


### 📦 Affected Version

- `react-native@0.80.0`
- `@react-native-community/cli@19.0.0`
- Transitive dependency: `debug@2.6.9`


### Steps to reproduce

### 🔁 Steps to Reproduce

* Create a new React Native project using version 0.80.0:
  ```bash
  npx react-native init TestVulnApp --version 0.80.0
  cd TestVulnApp
```
Install dependencies:
`npm install`
Run the following to trace the vulnerable debug version:
`npm ls debug`


You'll see debug@2.6.9 as a transitive dependency pulled in via:
`├─┬ @react-native-community/cli@19.0.0
│ └─┬ @react-native-community/cli-server-api@19.0.0
│   ├─┬ body-parser@1.20.3
│   │ └── debug@2.6.9
│   ├─┬ compression@1.8.0
│   │ └── debug@2.6.9
│   ├─┬ connect@3.7.0
│   │ ├── debug@2.6.9
│   │ └─┬ finalhandler@1.1.2
│   │   └── debug@2.6.9
│   └─┬ serve-static@1.16.2
│     └─┬ send@0.19.0
│       └── debug@2.6.9
└─┬ react-native@0.80.0
  └─┬ @react-native/community-cli-plugin@0.80.0
    └─┬ @react-native/dev-middleware@0.80.0
      └─┬ chrome-launcher@0.15.2
        └─┬ lighthouse-logger@1.4.2
          └── debug@2.6.9
`


### React Native Version

0.80.0

### Affected Platforms

Runtime - Android

### Output of `npx @react-native-community/cli info`

```text
na
```

### Stacktrace or Logs

```text
├─┬ @react-native-community/cli@19.0.0
│ └─┬ @react-native-community/cli-server-api@19.0.0
│   ├─┬ body-parser@1.20.3
│   │ └── debug@2.6.9
│   ├─┬ compression@1.8.0
│   │ └── debug@2.6.9
│   ├─┬ connect@3.7.0
│   │ ├── debug@2.6.9
│   │ └─┬ finalhandler@1.1.2
│   │   └── debug@2.6.9
│   └─┬ serve-static@1.16.2
│     └─┬ send@0.19.0
│       └── debug@2.6.9
└─┬ react-native@0.80.0
  └─┬ @react-native/community-cli-plugin@0.80.0
    └─┬ @react-native/dev-middleware@0.80.0
      └─┬ chrome-launcher@0.15.2
        └─┬ lighthouse-logger@1.4.2
          └── debug@2.6.9
```

### MANDATORY Reproducer

https://cwe.mitre.org/data/definitions/1333.html

### Screenshots and Videos

References
CWE: https://cwe.mitre.org/data/definitions/1333.htm

Suggested Solution
Please consider upgrading internal dependencies that rely on debug@2.6.9 or refactor the CLI to use alternatives that depend on debug@^4.3.1.

This will help clean up security audit reports and improve compliance for teams using React Native.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Outdated and Vulnerable [email protected] Dependency in React Native 0.80.0 #2688

Description

🛡️ Security Vulnerability in `[email protected]` via React Native CLI dependencies

📦 Affected Version

Steps to reproduce

🔁 Steps to Reproduce

Stacktrace or Logs

MANDATORY Reproducer

Screenshots and Videos

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Outdated and Vulnerable [email protected] Dependency in React Native 0.80.0 #2688

Description

Description

🛡️ Security Vulnerability in [email protected] via React Native CLI dependencies

📦 Affected Version

Steps to reproduce

🔁 Steps to Reproduce

Stacktrace or Logs

MANDATORY Reproducer

Screenshots and Videos

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions

🛡️ Security Vulnerability in `[email protected]` via React Native CLI dependencies