Snyk has created this PR to upgrade winston from 3.3.3 to 3.4.0.
:information_source: Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.
The recommended version is 2 versions ahead of your current version.
The recommended version was released 21 days ago, on 2022-01-10.
Compared to v3.3.3, this version fixes some issues and includes some updates to project infrastructure,
such as replacing Travis with Github CI and dependabot configuration.
There have also been several relatively minor improvements to documentation, and incorporation of some updated dependencies.
Dependency updates include a critical bug fix [#2008] in response to self-vandalism by the author of a dependency.
[#1964] Added documentation for how to use a new externally maintained Seq transport.
[#1712] Add default metadata when calling log with string level and message.
Snyk has created this PR to upgrade winston from 3.3.3 to 3.4.0.
:information_source: Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.
The recommended version fixes:
SNYK-JS-COLORSTRING-1082939
Why? Proof of Concept exploit, CVSS 5.3
(*) Note that the real score may have changed since the PR was raised.
Release notes
Package name: winston
v3.4.0 / 2022-01-10
Yesterday's release was done with a higher sense of urgency than usual due to vandalism in the
colors
package. This release:The biggest change in this release, motivating the feature-level update, is [#2006] Make winston more ESM friendly, thanks to @ miguelcobain.
Thanks also to @ DABH, @ wbt, and @ fearphage for contributions and reviews!
Compared to v3.3.3, this version fixes some issues and includes some updates to project infrastructure,
such as replacing Travis with Github CI and dependabot configuration.
There have also been several relatively minor improvements to documentation, and incorporation of some updated dependencies.
Dependency updates include a critical bug fix [#2008] in response to self-vandalism by the author of a dependency.
v3.3.2...v3.3.3
Commit messages
Package name: winston
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.
For more information:
🧐 View latest project report
🛠 Adjust upgrade PR settings
🔕 Ignore this dependency or unsubscribe from future upgrade PRs