[Snyk] Upgrade winston from 3.2.1 to 3.5.1 #24

snyk-bot · 2022-02-22T01:51:57Z

Snyk has created this PR to upgrade winston from 3.2.1 to 3.5.1.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

The recommended version is 8 versions ahead of your current version.
The recommended version was released 21 days ago, on 2022-01-31.

The recommended version fixes:

Severity	Issue	PriorityScore (*)	Exploit Maturity
	Regular Expression Denial of Service (ReDoS) SNYK-JS-COLORSTRING-1082939	372/1000 Why? Proof of Concept exploit, CVSS 5.3	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Release notes

Package name: winston

3.5.1 - 2022-01-31
This release reverts the changes made in PR #1896 which added stricter typing to the available log levels,
and inadvertently broke use of custom levels with TypeScript (Issue #2047). Apologies for that!
3.5.0 - 2022-01-27
This release includes the following, in sequence by first merge in group:

Feature updates:
- Support batch mode in HTTP Transport (Issue #1970, PR #1998, thanks @ BBE78!)
Patch-level updates:
- Bump dependency versions (thanks @ dependabot & @ DABH!)
  - Bump @ types/node from 16.11.12 to 17.0.8 (PR #2009)
  - Bump @ babel/preset-env from 7.16.7 to 7.16.8 (#2036)
  - Bump @ types/node from 17.0.8 to 17.0.9 (#2035)
  - Bump @ babel/cli from 7.16.7 to 7.16.8 (#2034)
  - Bump @ types/node from 17.0.9 to 17.0.10 (#2042)
  - Bump @ babel/core from 7.16.7 to 7.16.12 (#2041)
  - Bump @ babel/preset-env from 7.16.8 to 7.16.11 (#2040)
- Fixing documentation syntax errors in transports code examples (#1916; thanks @ romanzaycev!)
- Fix missing type declarations, especially for .rejections (#1842, #1929, #2021; thanks @ vanflux, @ svaj, @ glensc, & others!)
- More narrowly typing the “level” string (#1896, thanks @ yonas-g!)
- Using a safer stringify, e.g. to avoid issues from circular structures, in the http transport (#2043, thanks @ karlwir!)
Updates to the repo & project which don’t actually affect the running code:
- Add a channel for reporting security vulnerabilities (#2024, thanks @ JamieSlome!)
- Add coverage tracking in CI & documentation (#2025 and #2028, thanks @ fearphage!)
- Update issue templates (#2030 and #2031, thanks @ maverick1872!)
- Remove gitter link from README.md (#2027, thanks @ DABH!)
Thanks also to maintainers @ DABH, @ fearphage, @ maverick1872, and @ wbt for issue/PR shepherding and help across multiple parts of the release!

If somebody got missed in the list of thanks, please forgive the accidental oversight and/or feel free to open a PR on the changelog.
3.4.0 - 2022-01-10
v3.4.0 / 2022-01-10

Yesterday's release was done with a higher sense of urgency than usual due to vandalism in the colors package. This release:
- ties up a loose end by including [#1973] to go with [#1824]
- adds a missing http property in NpmConfigSetColors [#2004] (thanks @ SimDaSong)
- fixes a minor issue in the build/release process [#2014]
- pins the version of the testing framework to avoid an issue with a test incorrectly failing [#2017]
The biggest change in this release, motivating the feature-level update, is [#2006] Make winston more ESM friendly, thanks to @ miguelcobain.

Thanks also to @ DABH, @ wbt, and @ fearphage for contributions and reviews!
3.3.4 - 2022-01-10
Version 3.3.4
3.3.3 - 2020-06-23
- Prepare for 3.3.3 c416e3a
- revert Fix bugs in type (#1807) (#1820) 35b0774
- Fix issue #1817 (#1819) bc6f681
v3.3.2...v3.3.3
3.3.2 - 2020-06-22
- [#1814] Use fork of diagnostics on NPM to avoid making Docker images require git 0752614
v3.3.1...v3.3.2
3.3.1 - 2020-06-22
Read more
3.3.0 - 2020-06-21
Read more
3.2.1 - 2019-01-29