Skip to content

[Snyk] Upgrade winston from 3.2.1 to 3.4.0 #24

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: develop
Choose a base branch
from
Open

[Snyk] Upgrade winston from 3.2.1 to 3.4.0 #24

wants to merge 1 commit into from

Conversation

@snyk-bot
Copy link

@snyk-bot snyk-bot commented Feb 2, 2022

Snyk has created this PR to upgrade winston from 3.2.1 to 3.4.0.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

  • The recommended version is 6 versions ahead of your current version.
  • The recommended version was released 22 days ago, on 2022-01-10.

The recommended version fixes:

Severity Issue PriorityScore (*) Exploit Maturity
Regular Expression Denial of Service (ReDoS)
SNYK-JS-COLORSTRING-1082939		 372/1000
Why? Proof of Concept exploit, CVSS 5.3		 Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Release notes
Package name: winston
  • 3.4.0 - 2022-01-10

    v3.4.0 / 2022-01-10

    Yesterday's release was done with a higher sense of urgency than usual due to vandalism in the colors package. This release:

    • ties up a loose end by including [#1973] to go with [#1824]
    • adds a missing http property in NpmConfigSetColors [#2004] (thanks @ SimDaSong)
    • fixes a minor issue in the build/release process [#2014]
    • pins the version of the testing framework to avoid an issue with a test incorrectly failing [#2017]

    The biggest change in this release, motivating the feature-level update, is [#2006] Make winston more ESM friendly, thanks to @ miguelcobain.

    Thanks also to @ DABH, @ wbt, and @ fearphage for contributions and reviews!

  • 3.3.4 - 2022-01-10

    Compared to v3.3.3, this version fixes some issues and includes some updates to project infrastructure,
    such as replacing Travis with Github CI and dependabot configuration.
    There have also been several relatively minor improvements to documentation, and incorporation of some updated dependencies.
    Dependency updates include a critical bug fix [#2008] in response to self-vandalism by the author of a dependency.

    • [#1964] Added documentation for how to use a new externally maintained Seq transport.
    • [#1712] Add default metadata when calling log with string level and message.
    • [#1824] Unbind event listeners on close
    • [#1961] Handle undefined rejections
    • [#1878] Correct boolean evaluation of empty-string value for eol option
    • [#1977] Improved consistency of object parameters for better test reliability
  • 3.3.3 - 2020-06-23

    v3.3.2...v3.3.3

  • 3.3.2 - 2020-06-22
    • [#1814] Use fork of diagnostics on NPM to avoid making Docker images require git 0752614

    v3.3.1...v3.3.2

  • 3.3.1 - 2020-06-22
    • Prep for 3.3.1 faac066
    • Add space between info.message and meta.message (#1740) 227ca0a
    • Fix bugs in createLogger type (#1807) ef97171
    • Fix typing for Profile.start (was Date, should be Number) (#1803) 0e1c812
    • Merge branch 'master' of github.com:winstonjs/winston 9e7bd71
    • [#1813] Use fork of diagnostics, avoiding indirect storage-engine dependency 67cd9b5
    • remove emitErrs note from README (its no longer supported) (#1810) 6545a7e

    v3.3.0...v3.3.1

  • 3.3.0 - 2020-06-21
    Read more
  • 3.2.1 - 2019-01-29

    Version 3.2.1

from winston GitHub release notes
Commit messages
Package name: winston
  • c5f6c5c Update package.json version to 3.4.0
  • 6a71cbb Add 3.4.0 release notes
  • 955dffa Pin mocha to v8 as short-term test failure fix
  • 5f38299 Simplify path so that e.g. 'npm run build' can find it more easily
  • 754ca4e More general testing beyond undefined
  • 7ca9e9c Bugfix: copy-paste from referenced source
  • 2206c39 Unhandle exceptions and rejections B4 replacement
  • 2927964 Make winston more ESM friendly (#2006)
  • 8d6e7f2 add http property to NpmConfigSetColors (#2004)
  • 473d391 Fix release notes from yesterday
  • 038ae23 fix all high-severity vulnerabilities from npm audit
  • 7467d0a v3.3.4
  • 05bda20 Pin colors package to 1.4.0 due to Security Vuln (#2008)
  • 65ab472 Update logform in package.json per #1952
  • 36586d3 Bump winston-transport from 4.4.0 to 4.4.1 (#1997)
  • 310de77 Bump @ babel/preset-env from 7.16.4 to 7.16.5 (#1992)
  • de611c1 Bump is-stream from 2.0.0 to 2.0.1 (#1991)
  • b9fbeb2 Bump @ babel/core from 7.16.0 to 7.16.5 (#1990)
  • c4f24e9 Bump @ babel/cli from 7.10.3 to 7.16.0
  • 0f8cf59 Bump through2 from 3.0.1 to 4.0.2 (#1986)
  • 1a3ff33 Remove AppVeyor (#1975)
  • 77ea34c Bump @ babel/preset-env from 7.10.3 to 7.16.4 (#1982)
  • 2a476b0 Bump @ types/node from 14.0.13 to 16.11.12 (#1979)
  • 2b9c32e Bump split2 from 3.1.1 to 4.1.0 (#1980)

Compare

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

🧐 View latest project report

🛠 Adjust upgrade PR settings

🔕 Ignore this dependency or unsubscribe from future upgrade PRs

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@snyk-bot