New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(deps): update dependency log4js to v6 [security] #94

Open

renovate wants to merge 1 commit into master from renovate/npm-log4js-vulnerability

Contributor

renovate bot commented Mar 7, 2022 •

edited

Loading

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
log4js (source)	`1.1.1` -> `6.4.0`

GitHub Vulnerability Alerts

CVE-2022-21704

Impact

Default file permissions for log files created by the file, fileSync and dateFile appenders are world-readable (in unix). This could cause problems if log files contain sensitive information. This would affect any users that have not supplied their own permissions for the files via the mode parameter in the config.

Patches

Fixed by:

Released to NPM in [email protected]

Workarounds

Every version of log4js published allows passing the mode parameter to the configuration of file appenders, see the documentation for details.

References

Thanks to ranjit-git for raising the issue, and to @lamweili for fixing the problem.

For more information

If you have any questions or comments about this advisory:

Open an issue in logj4s-node
Ask a question in the slack channel
Email us at [email protected]

Release Notes

log4js-node/log4js-node (log4js)

`v6.4.0`

New default file permissions may cause external applications unable to read logs.
A manual code/configuration change is required.

feat: added warnings when log() is used with invalid levels before fallbacking to INFO - thanks @abernh
feat: exposed Recording - thanks @polo-language
fix: default file permission to be 0o600 instead of 0o644 - thanks ranjit-git and @lamweili
- docs: updated fileSync.md and misc comments - thanks @lamweili
fix: file descriptor leak if repeated configure() - thanks @lamweili
fix: MaxListenersExceededWarning from NodeJS - thanks @lamweili
- test: added assertion for increase of SIGHUP listeners on log4js.configure() - thanks @lamweili
fix: missing TCP appender with Webpack and Typescript - thanks @techmunk
fix: dateFile appender exiting NodeJS on error - thanks @4eb0da
- refactor: using writer.writable instead of alive for checking - thanks @lamweili
fix: TCP appender exiting NodeJS on error - thanks @jhonatanTeixeira
fix: multiprocess appender exiting NodeJS on error - thanks @harlentan
test: update fakeFS.read as graceful-fs uses it - thanks @lamweili
test: update fakeFS.realpath as fs-extra uses it - thanks @lamweili
test: added tap.tearDown() to clean up test files
- test: #1143 - thanks @lamweili
- test: #1022 - thanks @abetomo
type: improved @types for AppenderModule - thanks @nicobao
type: Updated fileSync appender types - thanks @lamweili
type: Removed erroneous type in file appender - thanks @vdmtrv
type: Updated Logger.log type - thanks @ZLundqvist
type: Updated Logger._log type - thanks @lamweili
type: Updated Logger.level type - thanks @lamweili
type: Updated Levels.getLevel type - thanks @saulzhong
chore(deps): bump streamroller from 3.0.1 to 3.0.2 - thanks @lamweili
chore(deps): bump date-format from 4.0.2 to 4.0.3 - thanks @lamweili
chore(deps-dev): bump eslint from from 8.6.0 to 8.7.0 - thanks @lamweili
chore(deps-dev): bump nyc from 14.1.1 to 15.1.0 - thanks @lamweili
chore(deps-dev): bump eslint from 5.16.0 to 8.6.0 - thanks @lamweili
chore(deps): bump flatted from 2.0.2 to 3.2.4 - thanks @lamweili
chore(deps-dev): bump fs-extra from 8.1.0 to 10.0.0 - thanks @lamweili
chore(deps): bump streamroller from 2.2.4 to 3.0.1 - thanks @lamweili
- fix: compressed file ignores dateFile appender "mode" - thanks @rnd-debug
- fix: #1039 where there is an additional separator in filename ([email protected] changelog)
- fix: #1035, #1080 for daysToKeep naming confusion ([email protected] changelog)
- refactor: migrated from daysToKeep to numBackups due to streamroller@^3.0.0 - thanks @lamweili
- feat: allows for zero backups - thanks @lamweili
chore(deps): bump date-format from 3.0.0 to 4.0.2 - thanks @lamweili
chore(deps): updated dependencies - thanks @lamweili
- chore(deps-dev): bump eslint-config-prettier from 6.15.0 to 8.3.0
- chore(deps-dev): bump eslint-plugin-prettier from 3.4.1 to 4.0.0
- chore(deps-dev): bump husky from 3.1.0 to 7.0.4
- chore(deps-dev): bump prettier from 1.19.0 to 2.5.1
- chore(deps-dev): bump typescript from 3.9.10 to 4.5.4
chore(deps-dev): bump eslint-config-prettier from 6.15.0 to 8.3.0 - thanks @lamweili
chore(deps): updated dependencies - thanks @lamweili
- chore(deps-dev): bump codecov from 3.6.1 to 3.8.3
- chore(deps-dev): bump eslint-config-prettier from 6.5.0 to 6.15.0
- chore(deps-dev): bump eslint-import-resolver-node from 0.3.2 to 0.3.6
- chore(deps-dev): bump eslint-plugin-import" from 2.18.2 to 2.25.4
- chore(deps-dev): bump eslint-plugin-prettier from 3.1.1 to 3.4.1
- chore(deps-dev): bump husky from 3.0.9 to 3.1.0
- chore(deps-dev): bump prettier from 1.18.2 to 1.19.1
- chore(deps-dev): bump typescript from 3.7.2 to 3.9.10
chore(deps): bump path-parse from 1.0.6 to 1.0.7 - thanks @Dependabot
chore(deps): bump glob-parent from 5.1.1 to 5.1.2 - thanks @Dependabot
chore(deps): bump hosted-git-info from 2.7.1 to 2.8.9 - thanks @Dependabot
chore(deps): bump lodash from 4.17.14 to 4.17.21 - thanks @Dependabot
chore(deps): bump y18n from 4.0.0 to 4.0.1 - thanks @Dependabot
chore(deps): bump node-fetch from 2.6.0 to 2.6.1 - thanks @Dependabot
chore(deps): bump yargs-parser from 13.1.1 to 13.1.2 - thanks @Dependabot
chore(deps-dev): bump codecov from 3.6.5 to 3.7.1 - thanks @Dependabot

`v6.3.0`

Add option to file appender to remove ANSI colours - thanks @BlueCocoa
Do not create appender if no categories use it - thanks @rnd-debug
Docs: better categories inheritance description - thanks @rnd-debug
Better jsdoc docs - thanks @wataash
Typescript: access category field in Logger - thanks @rtvd
Docs: influxdb appender - thanks @rnd-debug
Support for fileSync appender in webpack - thanks @lauren-li
Docs: UDP appender - thanks @iassasin
Style: spaces and tabs - thanks @abetomo

`v6.2.1`

Update streamroller to 2.2.4 to fix incorrect filename matching during log rotation

`v6.2.0`

Add custom message end token to TCP appender - thanks @rnd-debug
Update acorn (dev dep of a dep) - thanks Github Robots.

`v6.1.2`

Handle out-of-order appender loading - thanks @mvastola

`v6.1.1`

Add guards for undefined shutdown callback - thanks @aaron-edwards
Ignore .bob files - thanks @cesine
Add mark method to type definitions - thanks @techmunk

`v6.1.0`

Add pause event to dateFile appender - thanks @shayantabatabaee
Add pause event to file appender - thanks @shayantabatabaee
Add pause/resume event to docs

`v6.0.0`

`v5.3.0`

Padding and truncation changes

`v5.2.2`

Update streamroller to fix overwriting old files when using date rolling

`v5.2.1`

Update streamroller to fix numToKeep not working with dateFile pattern that is all digits

`v5.2.0`

Update streamroller to 2.2.0 (copy and truncate when file is busy)

`v5.1.0`

Update streamroller to 2.1.0 (windows fixes)

`v5.0.0`

`v4.5.1`

Update streamroller 1.0.5 -> 1.0.6 (to fix overwriting old backup log files)
Dependency update: lodash 4.17.4 (dependency of a dependency, not log4js) - thanks Github Automated Security Thing.
Dependency update: lodash 4.4.0 -> 4.5.0 (dependency of a dependency, not log4js) - thanks Github Automated Security Thing.

`v4.5.0`

Override call stack parsing - thanks @rommni
patternLayout filename depth token - thanks @rommni

`v4.4.0`

`v4.3.2`

Types for enableCallStack - thanks @citrusjunoss

`v4.3.1`

Fix for maxLogSize in dateFile appender

`v4.3.0`

`v4.2.0`

Feature: add appender and level inheritance - thanks @pharapiak
Feature: add response to context for connectLogger - thanks @leak4mk0
Fix for broken sighup handler
Add missing types for Level - thanks @Ivkaa
Typescript fixes for connect logger context - thanks @leak4mk0
Upgrade to streamroller-1.0.5 to fix log rotation bug

`v4.1.1`

Various test fixes for node v12
Fix layout problem in node v12 - thanks @bjornstar
Add missing types for addLevels - thanks @Ivkaa
Allow any return type for layout function - thanks @xinbenlv

`v4.1.0`

Updated streamroller to 1.0.4, to fix a bug where the inital size of an existing file was ignored when appending
Updated streamroller to 1.0.3, to fix a crash bug if the date pattern was all digits.
Updated dependencies

`v4.0.2`

`v4.0.1`

`v4.0.0`

`v3.0.6`

`v3.0.5`

`v3.0.4`

`v3.0.3`

`v3.0.2`

`v3.0.1`

`v3.0.0`

`v2.11.0`

`v2.10.0`

`v2.9.0`

`v2.8.0`

`v2.7.0`

`v2.6.1`

`v2.6.0`

`v2.5.3`

`v2.5.2`

`v2.5.1`

`v2.5.0`

`v2.4.1`

`v2.3.12`

`v2.3.11`

`v2.3.10`

`v2.3.9`

`v2.3.8`

`v2.3.7`

`v2.3.6`

`v2.3.5`

`v2.3.4`

`v2.3.3`

`v2.3.2`

`v2.3.1`

`v2.3.0`

`v2.2.0`

`v2.1.0`

`v2.0.1`

`v2.0.0`

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

renovate bot added the Dependencies label


          fix(deps): update dependency log4js to v6 [security]

41285d3

renovate bot force-pushed the renovate/npm-log4js-vulnerability branch from 50ac9a7 to 41285d3 Compare

July 4, 2022 05:18

Contributor Author

renovate bot commented Jul 4, 2022

⚠ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

any of the package files in this branch needs updating, or
the branch becomes conflicted, or
you click the rebase/retry checkbox if found above, or
you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: pnpm-lock.yaml

installing v2 tool pnpm v7.5.0
npm WARN config global `--global`, `--local` are deprecated. Use `--location=global` instead.

added 1 package in 3s
linking tool pnpm v7.5.0
7.5.0
Scope: all 11 workspace projects
Progress: resolved 1, reused 0, downloaded 0, added 0
.                                        |  WARN  deprecated @types/[email protected]
Progress: resolved 24, reused 0, downloaded 5, added 0
Progress: resolved 38, reused 0, downloaded 22, added 0
Progress: resolved 46, reused 0, downloaded 31, added 0
Progress: resolved 68, reused 0, downloaded 43, added 0
nuclide/nuclide-node-transpiler          |  WARN  deprecated [email protected]
nuclide/nuclide-node-transpiler          |  WARN  deprecated [email protected]
nuclide/nuclide-commons                  |  WARN  deprecated [email protected]
nuclide/nuclide-debugger-common          |  WARN  deprecated [email protected]
Progress: resolved 81, reused 0, downloaded 52, added 0
Progress: resolved 92, reused 0, downloaded 56, added 0
Progress: resolved 105, reused 0, downloaded 62, added 0
Progress: resolved 121, reused 0, downloaded 75, added 0
Progress: resolved 129, reused 0, downloaded 85, added 0
Progress: resolved 133, reused 0, downloaded 88, added 0
Progress: resolved 138, reused 0, downloaded 93, added 0
Progress: resolved 140, reused 0, downloaded 97, added 0
Progress: resolved 145, reused 0, downloaded 99, added 0
Progress: resolved 152, reused 0, downloaded 104, added 0
Progress: resolved 159, reused 0, downloaded 111, added 0
Progress: resolved 162, reused 0, downloaded 115, added 0
Progress: resolved 170, reused 0, downloaded 118, added 0
Progress: resolved 179, reused 0, downloaded 126, added 0
Progress: resolved 190, reused 0, downloaded 131, added 0
Progress: resolved 223, reused 0, downloaded 151, added 0
Progress: resolved 244, reused 0, downloaded 170, added 0
nuclide/nuclide-node-transpiler          |  WARN  deprecated [email protected]
Progress: resolved 252, reused 0, downloaded 175, added 0
Progress: resolved 256, reused 0, downloaded 180, added 0
nuclide/nuclide-node-transpiler          |  WARN  deprecated [email protected]
Progress: resolved 261, reused 0, downloaded 187, added 0
nuclide/nuclide-node-transpiler          |  WARN  deprecated [email protected]
Progress: resolved 269, reused 0, downloaded 191, added 0
Progress: resolved 285, reused 0, downloaded 201, added 0
Progress: resolved 298, reused 0, downloaded 212, added 0
nuclide/nuclide-node-transpiler          |  WARN  deprecated [email protected]
Progress: resolved 329, reused 0, downloaded 233, added 0
nuclide/nuclide-node-transpiler          |  WARN  deprecated [email protected]
Progress: resolved 362, reused 0, downloaded 262, added 0
Progress: resolved 386, reused 0, downloaded 287, added 0
Progress: resolved 410, reused 0, downloaded 305, added 0
Progress: resolved 449, reused 0, downloaded 337, added 0
Progress: resolved 470, reused 0, downloaded 368, added 0
Progress: resolved 482, reused 0, downloaded 372, added 0
nuclide/nuclide-node-transpiler          |  WARN  deprecated [email protected]
nuclide/nuclide-node-transpiler          |  WARN  deprecated [email protected]
Progress: resolved 487, reused 0, downloaded 373, added 0
Progress: resolved 502, reused 0, downloaded 374, added 0
Progress: resolved 533, reused 0, downloaded 393, added 0
Progress: resolved 563, reused 0, downloaded 420, added 0
Progress: resolved 619, reused 0, downloaded 444, added 0
Progress: resolved 637, reused 0, downloaded 464, added 0
Progress: resolved 677, reused 0, downloaded 493, added 0
Progress: resolved 710, reused 0, downloaded 525, added 0
Progress: resolved 732, reused 0, downloaded 544, added 0
Progress: resolved 764, reused 0, downloaded 564, added 0
Progress: resolved 785, reused 0, downloaded 586, added 0
Progress: resolved 805, reused 0, downloaded 604, added 0
Progress: resolved 851, reused 0, downloaded 635, added 0
Progress: resolved 896, reused 0, downloaded 658, added 0
Progress: resolved 952, reused 0, downloaded 681, added 0
.                                        |  WARN  deprecated [email protected]
Progress: resolved 1010, reused 0, downloaded 714, added 0
Progress: resolved 1075, reused 0, downloaded 764, added 0
Progress: resolved 1100, reused 0, downloaded 784, added 0
.                                        |  WARN  deprecated [email protected]
Progress: resolved 1122, reused 0, downloaded 805, added 0
Progress: resolved 1136, reused 0, downloaded 813, added 0
Progress: resolved 1156, reused 0, downloaded 832, added 0
Progress: resolved 1196, reused 0, downloaded 853, added 0
Progress: resolved 1211, reused 0, downloaded 870, added 0
Progress: resolved 1244, reused 0, downloaded 890, added 0
Progress: resolved 1276, reused 0, downloaded 912, added 0
Progress: resolved 1288, reused 0, downloaded 926, added 0
.                                        |  WARN  deprecated [email protected]
Progress: resolved 1307, reused 0, downloaded 942, added 0
Progress: resolved 1335, reused 0, downloaded 962, added 0
Progress: resolved 1366, reused 0, downloaded 986, added 0
Progress: resolved 1431, reused 0, downloaded 1003, added 0
Progress: resolved 1477, reused 0, downloaded 1035, added 0
Progress: resolved 1536, reused 0, downloaded 1073, added 0
Progress: resolved 1570, reused 0, downloaded 1094, added 0
.                                        |  WARN  deprecated [email protected]
.                                        |  WARN  deprecated [email protected]
.                                        |  WARN  deprecated [email protected]
Progress: resolved 1605, reused 0, downloaded 1112, added 0
.                                        |  WARN  deprecated [email protected]
.                                        |  WARN  deprecated [email protected]
.                                        |  WARN  deprecated [email protected]
.                                        |  WARN  deprecated [email protected]
Progress: resolved 1657, reused 0, downloaded 1135, added 0
Progress: resolved 1705, reused 0, downloaded 1165, added 0
Progress: resolved 1727, reused 0, downloaded 1179, added 0
Progress: resolved 1765, reused 0, downloaded 1194, added 0
Progress: resolved 1786, reused 0, downloaded 1218, added 0
Progress: resolved 1811, reused 0, downloaded 1238, added 0
Progress: resolved 1860, reused 0, downloaded 1269, added 0
.                                        |  WARN  deprecated [email protected]
Progress: resolved 1934, reused 0, downloaded 1296, added 0
.                                        |  WARN  deprecated [email protected]
Progress: resolved 1970, reused 0, downloaded 1314, added 0
Progress: resolved 2001, reused 0, downloaded 1337, added 0
.                                        |  WARN  deprecated [email protected]
Progress: resolved 2049, reused 0, downloaded 1366, added 0
Progress: resolved 2072, reused 0, downloaded 1393, added 0
Progress: resolved 2080, reused 0, downloaded 1402, added 0
Progress: resolved 2093, reused 0, downloaded 1421, added 0
Progress: resolved 2139, reused 0, downloaded 1456, added 0
Progress: resolved 2180, reused 0, downloaded 1489, added 0
Progress: resolved 2186, reused 0, downloaded 1500, added 0
Progress: resolved 2189, reused 0, downloaded 1502, added 0
Progress: resolved 2216, reused 0, downloaded 1505, added 0
Progress: resolved 2264, reused 0, downloaded 1525, added 0
Progress: resolved 2304, reused 0, downloaded 1542, added 0
Progress: resolved 2305, reused 0, downloaded 1542, added 0
Progress: resolved 2305, reused 0, downloaded 1544, added 0
 ERR_PNPM_PEER_DEP_ISSUES  Unmet peer dependencies

.
├─┬ @jest-runner/nuclide-e2e
│ └── ✕ missing peer electron@"*"
├─┬ eslint-config-atomic
│ └─┬ eslint-plugin-coffee
│   ├─┬ eslint-config-airbnb
│   │ └── ✕ missing peer eslint-plugin-react-hooks@"^4 || ^3 || ^2.3.0 || ^1.7.0"
│   └─┬ eslint-plugin-react-native
│     └── ✕ unmet peer eslint@"^3.17.0 || ^4 || ^5 || ^6": found 7.28.0 in eslint-config-atomic
└─┬ rollup-plugin-atomic
  ├─┬ rollup-plugin-assemblyscript
  │ └── ✕ missing peer as-bind@"*"
  └─┬ rollup-plugin-coffee-script
    └── ✕ unmet peer [email protected]: found 1.12.7
Peer dependencies that should be installed:
  as-bind@"*"
  electron@"*"
  eslint-plugin-react-hooks@"^4 || ^3 || ^2.3.0 || ^1.7.0"

nuclide/nuclide-commons-ui
└─┬ react-virtualized
  ├── ✕ unmet peer react@"^15.3.0 || ^16.0.0-alpha": found 17.0.1
  └── ✕ unmet peer react-dom@"^15.3.0 || ^16.0.0-alpha": found 17.0.1

hint: If you want peer dependencies to be automatically installed, add "auto-install-peers=true" to an .npmrc file at the root of your project.
hint: If you don't want pnpm to fail on peer dependency issues, add "strict-peer-dependencies=false" to an .npmrc file at the root of your project.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels