Backporting debug package DDoS Fix to babel 6.xx.x

[dkotin-cs]

Hi,

Nsp check reveals https://nodesecurity.io/advisories/534 for any project using babel-core v6.26.0. Vision media has resolved the issue in v2.6.9 and v.3.1.0 of their package (debug-js/debug#504 )

Is it possible to release a corresponding update to babel core for those of us on 6.xx.x while v7 is getting stabilized?

Thanks

[babel-bot]

Hey @dkotin-cs! We really appreciate you taking the time to report an issue. The collaborators
on this project attempt to help as many people as possible, but we're a limited number of volunteers,
so it's possible this won't be addressed swiftly.

If you need any help, or just have general Babel or JavaScript questions, we have a vibrant Slack
community that typically always has someone willing to help. You can sign-up here
for an invite.

[nicolo-ribaudo]

Hi,
Babel the dependency on the debug package is specified as ^2.6.8, so if you delete the node_modules folder and run npm install, it should download v2.6.9

[dkotin-cs]

Thanks! I'll give that a crack and report on what happens

[dkotin-cs]

It worked! For future readers: I was on an old version of npm so package-lock wasn't being properly updated. Make sure you update node and npm first