nsimmons / koa-better-http-proxy

Proxy middleware for Koa. Based on villadora/express-http-proxy

Old version of Winston includes vulnerabilities #45

Closed skubot closed 2 years ago

skubot commented 2 years ago

Hi there

tl;dr: Actually it seems winston is not used; I think we should remove it.

I have the following Dependabot alert:

Prototype Pollution in async. Upgrade async to version 2.6.4 or later.

The old version of winston in package.json is the issue:

$ npm ls async
└─┬ koa-better-http-proxy@0.2.9
  └─┬ winston@2.4.5
    └── async@1.0.0

gustavkj commented 2 years ago
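One way to find which direct dependency drags a vulnerable package into a project, as an added example that is not part of this issue or of koa-better-http-proxy: it walks a constructed tree in the shape of `npm ls --json` output (mirroring the path quoted above) and reports every path to a package whose version is below the fixed one. The sample tree and the minimal version comparison are assumptions of this example.

```javascript
// Constructed sample in the shape of `npm ls --json` output, mirroring the
// tree in the issue (koa-better-http-proxy -> winston -> async@1.0.0).
const SAMPLE_TREE = {
  name: "my-app",
  version: "1.0.0",
  dependencies: {
    "koa-better-http-proxy": {
      version: "0.2.9",
      dependencies: {
        winston: {
          version: "2.4.5",
          dependencies: { async: { version: "1.0.0" } },
        },
      },
    },
    koa: { version: "2.13.4" },
  },
};

// Minimal "major.minor.patch" comparison (no prerelease tags handled).
// Returns -1 if a < b, 0 if equal, 1 if a > b.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Walk the tree and return every dependency path ending in `pkg` whose
// installed version is below `minFixed`, e.g. "a@1 > b@2 > async@1.0.0".
function findVulnerablePaths(tree, pkg, minFixed) {
  const hits = [];
  const walk = (node, path) => {
    for (const [name, child] of Object.entries(node.dependencies || {})) {
      const next = [...path, `${name}@${child.version}`];
      if (name === pkg && compareVersions(child.version, minFixed) < 0) {
        hits.push(next.join(" > "));
      }
      walk(child, next);
    }
  };
  walk(tree, []);
  return hits;
}

// Usage: report which direct dependency pulls in async below the fixed version.
for (const p of findVulnerablePaths(SAMPLE_TREE, "async", "2.6.4")) {
  console.log(p);
}
```

On a real project, feed it the parsed output of `npm ls --json --all` instead of SAMPLE_TREE; the first element of each reported path is the direct dependency to upgrade or drop.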

Yeah, express-http-proxy, which this package is based upon (and where the addition of winston originates from), has removed winston because it was not being used: https://github.com/villadora/express-http-proxy/pull/241

skubot commented 2 years ago

Thanks guys!