winstonjs / winston-daily-rotate-file

A transport for winston which logs to a rotating file each day.
MIT License

CVE-2017-18214 - Update or replace file-stream-rotator dependency #328

Closed ddsharpe closed 2 years ago

ddsharpe commented 3 years ago

Update or replace the file-stream-rotator dependency with a version that excludes the vulnerable code. CVE-2017-18214: The moment module before 2.19.3 for Node.js is prone to a regular expression denial of service via a crafted date string, a different vulnerability than CVE-2016-4055. file-stream-rotator declares its dependency as "moment": "^2.11.2", making it possible for the vulnerable version to become part of the distribution. The file-stream-rotator project appears to be abandoned.
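As an added example (not code from winston-daily-rotate-file or file-stream-rotator), the check a practitioner would run on a project that pulls in file-stream-rotator: walk the `dependencies` tree of a lockfile-v1 `package-lock.json`, including the nested per-package `node_modules` entries, and report every installed copy of moment below 2.19.3, the first release without the CVE-2017-18214 pattern. A `^2.11.2` range only says what could be installed; the lockfile says what is. The sample lockfile below is constructed, and the file-stream-rotator and moment version numbers in it are placeholders.

```javascript
// Added example: audit a lockfile-v1 dependency tree for moment < 2.19.3
// (CVE-2017-18214). Not part of winston-daily-rotate-file or file-stream-rotator.

const FIXED_MOMENT = '2.19.3';

// Compare two dotted release versions numerically. Returns -1, 0 or 1.
// Pre-release tags are not handled; moment publishes plain x.y.z tags.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Collect every installed copy of `name` from a lockfile-v1 "dependencies" map.
// A nested "dependencies" object is that package's private node_modules, which
// is exactly where a stale transitive moment hides next to a fixed top-level one.
function findInstalled(deps, name, chain = [], out = []) {
  for (const [pkg, entry] of Object.entries(deps || {})) {
    const here = chain.concat(pkg);
    if (pkg === name) out.push({ version: entry.version, via: here.join(' > ') });
    findInstalled(entry.dependencies, name, here, out);
  }
  return out;
}

// Return the copies of moment that are older than the fixed release.
function vulnerableMomentCopies(lock) {
  return findInstalled(lock.dependencies, 'moment')
    .filter((c) => compareVersions(c.version, FIXED_MOMENT) < 0);
}

// Constructed sample lockfile (not from a real project): a fixed moment at the
// top level and a stale one nested under file-stream-rotator. Versions are placeholders.
const sampleLock = {
  name: 'example-app',
  lockfileVersion: 1,
  dependencies: {
    moment: { version: '2.29.4' },
    'file-stream-rotator': {
      version: '0.4.1',
      requires: { moment: '^2.11.2' },
      dependencies: { moment: { version: '2.18.1' } },
    },
  },
};

for (const c of vulnerableMomentCopies(sampleLock)) {
  console.log(`moment@${c.version} via ${c.via} (< ${FIXED_MOMENT}, CVE-2017-18214)`);
}
```

To run it against a real project, replace `sampleLock` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; lockfile v2/v3 files keep a `dependencies` section in the same shape for compatibility, so the walk still applies.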

Means88 commented 2 years ago

+1

There is a race condition in file-stream-rotator when creating log directories https://github.com/rogerc/file-stream-rotator/pull/81, which throws an EEXIST error. I don't think this PR will be merged because file-stream-rotator has not been updated in the last two years...

wbt commented 2 years ago

It looks like this is fixed in #332; closing for now. Please comment/reopen if that doesn't cover it!