search

untu / comedy

Node.js actor framework.
Eclipse Public License 1.0
653 stars 36 forks source link

[Snyk] Security upgrade winston from 2.4.5 to 3.3.0 #75

Open snyk-bot opened 2 years ago

snyk-bot commented 2 years ago

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

merge advice

Changes included in this PR

Vulnerabilities that will be fixed

With an upgrade:
Severity Priority Score (*) Issue Breaking Change Exploit Maturity
high severity 768/1000
Why? Proof of Concept exploit, Recently disclosed, Has a fix available, CVSS 7.5		 Prototype Pollution
SNYK-JS-ASYNC-2441827		 Yes Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages
Package name: winston The new version differs by 250 commits.
  • b47d5d5 3.3.0
  • b6bc918 Prepare for v3.3.0
  • 9354721 doc: fix whitespace and trailing comma. (#1778)
  • 3d07a80 docs: add example of uncaughtRejections logging (#1780)
  • df25fa2 fix: change property of handleRejections (#1779)
  • 950cbcd Add options to request (#1777)
  • 1c75292 Update package-lock.json (#1772)
  • e7d13d5 Exclude unnecessary files from npm package (#1768)
  • 75f7edf Fix removes a logger when pass undefined transport (#1785)
  • 4b571ba This adds Node.js 14 and removes Node.js 8 as: (#1793)
  • 73ae01f Update Sentry transport `require` change (#1754)
  • 7b67eb0 Fix typo (#1750)
  • 1679c49 Fix Issue where winston removes transport on error (#1364) (#1714)
  • 0e0cf14 Fix #1690 (#1691)
  • 85a250a Node 12 is LTS now
  • bea9c34 Update README.md (#1743)
  • 319abf1 Add defaultMeta to Logger index.d.ts (#1736)
  • c719706 (typo) Missing label import in example (#1733)
  • 8944598 Update index.d.ts (#1729)
  • 7bb258c Fix `npm` logging levels on README.md (#1737)
  • 64744d7 #1567: document common transport options (#1723)
  • ae2335b Add Humio transport link to docs (#1705)
  • 785bd9e UPDATE levels on readme (http added) (#1650)
  • 4f44acb Add PostgresQL transport to list of community transports (#1697)
See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information: 🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Prototype Pollution

farnk05 commented 2 years ago

Is it possible to merge in master and push this security fix after the tests?

weekens commented 2 years ago

Is it possible to merge in master and push this security fix after the tests?

The tests fail, I'll need to fix that.