[Snyk] Upgrade winston from 3.2.1 to 3.13.0 #25

Closed


drwho725

This PR was automatically created by Snyk using the credentials of a real user.


Snyk has created this PR to upgrade winston from 3.2.1 to 3.13.0.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.


  • The recommended version is 20 versions ahead of your current version.

  • The recommended version was released 2 months ago.

Issues fixed by the recommended upgrade:

Issue: Regular Expression Denial of Service (ReDoS), medium severity (SNYK-JS-COLORSTRING-1082939)
Score: 372
Exploit Maturity: Proof of Concept
Release notes
Package name: winston
  • 3.13.0 - 2024-03-24
    • fix(http): allow passing maximumDepth to prevent big object being stringified (#2425) a237865

    v3.12.1...v3.13.0

  • 3.12.1 - 2024-03-24

    v3.12.0...v3.12.1

  • 3.12.0 - 2024-03-04
    • missing timestamp format in ready-to-use-pattern example (#2421) 9e5b407
    • bump deps (#2422) 4a85e6b
    • [chore] Run coveralls CI check on Node 20 not 16 (#2418) e153c68
    • Bump @types/node from 20.8.6 to 20.11.19 (#2413) 587f40f
    • Update README.md (#2417) 8e99a00
    • docs: fix anchor in transports docs (#2416) 0bde36b
    • add winston-transport-vscode to transports docs (#2411) 8fb5b41
    • Bump @babel/cli from 7.23.0 to 7.23.9 (#2406) a326743
    • Add winston-newrelic-agent-transport to transport documentation (#2382) cc731ef
    • Remove newrelic-winston transport entry. (#2405) f077f30
    • Bump eslint from 8.55.0 to 8.56.0 (#2397) 3943c41
    • Bump the npm_and_yarn group group with 1 update (#2391) 8260866
    • Fix unhandled rejection handling (#2390) 333b763
    • Fix all rimraf usages to the best of my ability; glob is not true by default in rimraf; file archive test only passed every other time using async rimraf, could use further investigation c3f3b5b
    • Fix rimraf usage in new test 8f3c653
    • Fix rimraf import in test (why didn't this break in PR CI?) f3836aa
    • Added functionality to long broken zippedArchive option (#2337) 02d4267
    • Bump async from 3.2.4 to 3.2.5 (#2378) 069a40d
    • Bump @babel/preset-env from 7.23.2 to 7.23.7 (#2384) 79282e1
    • Bump winston-transport; fix test issue (#2386) 05788b9
    • Bump eslint from 8.51.0 to 8.55.0 (#2375) a7c2eec
    • Bump std-mocks from 1.0.1 to 2.0.0 (#2361) 85c336e
    • Bump actions/setup-node from 3 to 4 (#2362) 448d11c
    • chore(README.md): adds documentation around coloring json formatted logs 91ec069
    • Remove nonexistent Logger methods from types c3c3911
    • Update dependencies caf2df6

    v3.11.0...v3.12.0

  • 3.11.0 - 2023-10-07

    v3.10.0...v3.11.0

  • 3.10.0 - 2023-07-10
    • Avoid potential github issues - relax engines node requirement in package.json fc9c83d
    • Export Logger class (#2181) eda40ef
    • Added Lazy option to file transport (#2317) f7e7f2f
    • Bump eslint from 8.32.0 to 8.44.0 (#2321) de2e887
    • docs(#2319): Syntax error on README.md (#2320) fcc69ec
    • fix(types): Allow any object to be passed as meta to logger.profile (#2314) 9d6001a
    • Bump @types/node from 18.11.18 to 20.3.1 (#2313) 06e3165
    • Update supported Node versions and run npm audit fix (#2315) 61e2f5b
    • Bump @babel/core from 7.20.12 to 7.22.1 (#2309) 7643ad6

    v3.9.0...v3.10.0

  • 3.9.0 - 2023-05-26

    Functionality changes

    • Handle undefined errors in getAllInfo in exception-handler in #2208; thanks to new contributor @eivindrs
    • fix: properly allow passing non-array transport in #2256; thanks to new contributor @Tanuel
    • fix #1732 (Http Transport uses JSON format options as request options) in #2272; thanks to new contributor @MoritzLoewenstein (minor version bump per comment on the issue)
    • fix: add guard clause to prevent FD leak in #2301; thanks to new contributor @td-tomasz-joniec

    Dependency updates by @dependabot + CI autotesting

    Documentation changes

    • Fix readme typo in #2230; thanks to new contributor @aretecode
    • create new example for ready to use in #2240; thanks to new contributor @myagizmaktav
    • minor fixes to publishing.md

    Build Infrastructure changes

    • GitHub Workflows security hardening in #2252; thanks to new contributor @sashashura
  • 3.8.2 - 2022-09-07

    Patch-level changes

    • Add .js to main entry point in package.json in #2177; thanks to new contributor @rumanbsl
    • Small grammatical fixes in README.md in #2183; thanks to new contributor @mikebarr24
    • Move colors to non-dev dependencies by @wbt in #2190

    Dependency updates by @dependabot + CI autotesting

    • Bump @babel/preset-env from 7.18.2 to 7.19.0 in #2189
    • Bump @babel/cli from 7.17.10 to 7.18.10 in #2173
    • Bump eslint from 8.18.0 to 8.23.0 in #2184
    • Bump @babel/core from 7.18.5 to 7.19.0 in #2192
    • Bump logform from 2.4.1 to 2.4.2 in #2191
  • 3.8.1 - 2022-06-30

    Patch-level changes

    • Update types to match in-code definitions in #2157; thanks to new contributor @flappyBug

    Dependency updates by @dependabot + CI autotesting

    • Bump logform from 2.4.0 to 2.4.1 in #2156
    • Bump async from 3.2.3 to 3.2.4 in #2147

    Full Changelog: v3.8.0...v3.8.1

  • 3.8.0 - 2022-06-23

    Added functionality

    • Add the stringify replacer option to the HTTP transport by @domiins in #2155

    Dependency updates by @dependabot + CI autotesting

    • Bump @babel/core from 7.17.8 to 7.18.5
    • Bump eslint from 8.12.0 to 8.18.0
    • Bump @types/node from 17.0.23 to 18.0.0
    • Bump @babel/preset-env from 7.16.11 to 7.18.2
    • Bump @babel/cli from 7.17.6 to 7.17.10

    Updates facilitating repo maintenance & enhancing documentation

    • Explicitly note that the Contributing.md file is out of date
    • Add instructions for publishing updated version by @wbt (docs/publishing.md)
    • Prettier Config File by @jeanpierrecarvalho in #2092
    • Readme update to explain origin of errors for handling (#2120)
    • update documentation for #2114 by @zizifn in #2138
    • enhance message for logs with no transports #2114 by @zizifn in #2139
    • Added a new Community Transport option to the list: Worker Thread based async Console Transport by @arpad1337 in #2140

    New Contributors

    Full Changelog: v3.7.2...v3.8.0

  • 3.7.2 - 2022-04-04
  • 3.7.1 - 2022-04-04
  • 3.6.0 - 2022-02-12
  • 3.5.1 - 2022-01-31
  • 3.5.0 - 2022-01-27
  • 3.4.0 - 2022-01-10
  • 3.3.4 - 2022-01-10
  • 3.3.3 - 2020-06-23
  • 3.3.2 - 2020-06-22
  • 3.3.1 - 2020-06-22
  • 3.3.0 - 2020-06-21
  • 3.2.1 - 2019-01-29
from winston GitHub release notes

Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • This PR was automatically created by Snyk using the credentials of a real user.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:


See this package in npm:
winston

See this project in Snyk:
https://app.snyk.io/org/drwho725/project/e7f15940-4f79-48bd-9b39-c73cb7a2af8b?utm_source=github&utm_medium=referral&page=upgrade-pr
@drwho725 drwho725 closed this May 26, 2024
@drwho725 drwho725 deleted the snyk-upgrade-a96fde4c2150df9a3c03a8619c3c4506 branch May 26, 2024 12:59
Successfully merging this pull request may close these issues.

Http Transport uses JSON format options as request options