Closed LoneRifle closed 1 year ago
@lazywithclass - thanks for your stewardship of this package over the years. Given the current response to vm2, it would be helpful for us to resolve this false positive soon, so that teams dependent on this package can move on and focus on genuine issues relating to vm2.
Would you be kind enough to either vet this PR and cut a release with it if it passes muster, or grant the needed privileges for me to do so?
Thanks in advance.
winston-cloudwatch@6.2.0 is out. Thank you for your patience and effort helping the project.
proxy-agent was made redundant after #172, which introduced v3 of aws-sdk. This meant that any proxy-related config was done on the `AWS.CloudwatchLogs` instance, rather than on `WinstonCloudwatch`.
Removing this dependency avoids a reported critical vulnerability with vm2, inherited via proxy-agent and its dependencies. Note that this vulnerability cannot actually be triggered, given that winston-cloudwatch no longer uses proxy-agent.
Fixes #218
Supersedes #216
Acknowledgements
This PR is submitted as part of work for @opengovsg (Open Government Products, Singapore).
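
An added example (not part of this PR or the project's code): one way to confirm from a lockfile whether vm2 is still reachable from the root project, and through which dependency chain. The lockfile is constructed; `example-app`, `example-intermediate`, `example-other-dep` and all versions are placeholders.

```javascript
// Constructed lockfile (lockfileVersion 3 layout). Intermediate package names
// and all versions are placeholders, not taken from the real dependency tree.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", dependencies: { "winston-cloudwatch": "*" } },
    "node_modules/winston-cloudwatch": { version: "0.0.0", dependencies: { "proxy-agent": "*", "example-other-dep": "*" } },
    "node_modules/proxy-agent": { version: "0.0.0", dependencies: { "example-intermediate": "*" } },
    "node_modules/example-intermediate": { version: "0.0.0", dependencies: { vm2: "*" } },
    "node_modules/vm2": { version: "0.0.0" },
    "node_modules/example-other-dep": { version: "0.0.0" },
  },
};

// Resolve a dependency the way Node does: nearest node_modules first, then walk up.
function resolveDep(packages, fromPath, name) {
  for (let dir = fromPath; ; ) {
    const candidate = (dir ? dir + "/" : "") + "node_modules/" + name;
    if (candidate in packages) return candidate;
    if (!dir) return null;
    const i = dir.lastIndexOf("/node_modules/");
    dir = i === -1 ? "" : dir.slice(0, i);
  }
}

// Return every dependency chain from the root project down to `target`.
function findChains(lock, target) {
  const packages = lock.packages || {};
  const chains = [];
  const walk = (path, trail, seen) => {
    const pkg = packages[path];
    const deps = { ...pkg.dependencies, ...pkg.optionalDependencies,
                   ...(path === "" ? pkg.devDependencies : {}) };
    for (const name of Object.keys(deps)) {
      const next = resolveDep(packages, path, name);
      if (!next || seen.has(next)) continue; // not installed, or a cycle
      if (name === target) { chains.push([...trail, name]); continue; }
      walk(next, [...trail, name], new Set(seen).add(next));
    }
  };
  if (packages[""]) walk("", [], new Set([""]));
  return chains;
}

// Same tree after winston-cloudwatch stops declaring proxy-agent.
const fixedLock = JSON.parse(JSON.stringify(sampleLock));
delete fixedLock.packages["node_modules/winston-cloudwatch"].dependencies["proxy-agent"];
console.log(findChains(sampleLock, "vm2").map((c) => c.join(" > ")));
console.log(findChains(fixedLock, "vm2").length === 0 ? "vm2 unreachable" : "vm2 still reachable");
```

Against a real project, pass the parsed `package-lock.json` instead of `sampleLock`; an empty result means no declared dependency path leads to vm2.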