lazywithclass / winston-cloudwatch

Send logs to Amazon Cloudwatch using Winston.
MIT License

Remove proxy-agent, not used #219

Closed LoneRifle closed 1 year ago

LoneRifle commented 1 year ago

proxy-agent was made redundant after #172, which introduced v3 of aws-sdk. This meant that any proxy-related config was done on the AWS.CloudwatchLogs instance, rather than on WinstonCloudwatch.

Removing this dependency avoids a reported critical vulnerability with vm2, inherited via proxy-agent and its dependencies. Note that this vulnerability cannot actually be triggered, given that winston-cloudwatch no longer uses proxy-agent.

Fixes #218

Supersedes #216

Acknowledgements

This PR is submitted as part of work for @opengovsg (Open Government Products, Singapore).

LoneRifle commented 1 year ago

@lazywithclass - thanks for your stewardship of this package over the years. Given the current response to vm2, it would be helpful for us to resolve this false positive soon, so that teams dependent on this package can move on and focus on genuine issues relating to vm2.

Would you be kind enough to either vet this PR and cut a release with it if it passes muster, or grant the needed privileges for me to do so?

Thanks in advance.

lazywithclass commented 1 year ago

winston-cloudwatch@6.2.0 is out. Thank you for your patience and effort helping the project.
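An added example, not part of the thread or of winston-cloudwatch's own code: a check that walks an npm lockfile (`packages` map, lockfileVersion 2/3 shape) and reports every dependency chain that reaches vm2, so a team can confirm the scanner finding disappears after upgrading. Both lockfiles are constructed; the intermediate package names under proxy-agent and all `0.0.0` versions are assumptions.

```javascript
// Resolve a dependency the way Node does: nearest node_modules first, then each ancestor's.
function resolveDep(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// Return every dependency chain from the root project down to `target`.
function findChains(lock, target) {
  const packages = lock.packages || {};
  const chains = [];
  const walk = (path, trail, seen) => {
    const pkg = packages[path];
    const deps = { ...pkg.dependencies, ...pkg.optionalDependencies };
    if (path === "") Object.assign(deps, pkg.devDependencies);
    for (const name of Object.keys(deps)) {
      const next = resolveDep(packages, path, name);
      if (next === null || seen.has(next)) continue; // not installed, or a cycle
      const step = name + "@" + packages[next].version;
      if (name === target) { chains.push([...trail, step]); continue; }
      walk(next, [...trail, step], new Set(seen).add(next));
    }
  };
  if (packages[""]) walk("", [], new Set([""]));
  return chains;
}

// Constructed sample lockfiles; intermediate names and 0.0.0 versions are assumptions.
const entry = (dependencies) => ({ version: "0.0.0", dependencies });
const before = { lockfileVersion: 3, packages: {
  "": { name: "app", dependencies: { "winston-cloudwatch": "*" } },
  "node_modules/winston-cloudwatch": entry({ "proxy-agent": "*" }),
  "node_modules/proxy-agent": entry({ "pac-proxy-agent": "*" }),
  "node_modules/pac-proxy-agent": entry({ "pac-resolver": "*" }),
  "node_modules/pac-resolver": entry({ degenerator: "*" }),
  "node_modules/degenerator": entry({ vm2: "*" }),
  "node_modules/vm2": entry({}),
} };
const after = { lockfileVersion: 3, packages: {
  "": { name: "app", dependencies: { "winston-cloudwatch": "*" } },
  "node_modules/winston-cloudwatch": { version: "6.2.0", dependencies: {} },
} };
console.log("before:", findChains(before, "vm2").map((c) => c.join(" > ")));
console.log("after:", findChains(after, "vm2").length, "chain(s) to vm2");
```

To run it against a real project, pass the parsed contents of `package-lock.json` to `findChains` in place of the sample objects.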