
node-loggly-bulk's Introduction

node-loggly-bulk


A client implementation for Loggly in node.js. Check out Loggly's Node logging documentation for more.

Usage

The node-loggly-bulk library is compliant with the Loggly API. Using node-loggly-bulk you can send logs to Loggly.

Getting Started

Before we can do anything with Loggly, we have to create a client with valid credentials. We will authenticate for you automatically:

  var loggly = require('node-loggly-bulk');

  var client = loggly.createClient({
    token: "your-really-long-input-token",
    subdomain: "your-subdomain",
    //
    // Optional: Tag to send with EVERY log message
    //
    tags: ['global-tag']
  });

Logging

There are two ways to send log information to Loggly via node-loggly-bulk. The first is to simply call client.log with an appropriate input token:

  client.log('127.0.0.1 - Theres no place like home', function (err, result) {
    // Do something once you've logged
  });

Note that the callback in the above example is optional if you prefer the 'fire and forget' method of logging:

  client.log('127.0.0.1 - Theres no place like home');

Logging with Tags

If you're using Loggly's tags functionality, simply include an array of tags as the second argument to the log method:

  client.log('127.0.0.1 - Theres no place like home', [ 'dorothy' ], function (err, result) {
    // Do something once you've logged
  });

Note: tags passed into the log function will be merged with any global tags you may have defined.

Logging Shallow JSON Objects as a String

In addition to logging pure strings, it is also possible to pass shallow JSON object literals (i.e. no nested objects) to client.log(..) or input.log(..) methods, which will get converted into the Loggly recommended string representation. So

  var source = {
    foo: 1,
    bar: 2,
    buzz: 3
  };

  input.log(source);

will be logged as:

  foo=1,bar=2,buzz=3

Logging JSON Objects

It is also possible to log complex objects using the new JSON capabilities of Loggly. To enable JSON functionality in the client simply add 'json: true' to the configuration:

  var config = {
    token: 'token',
    subdomain: "your-subdomain",
    json: true
  };

When the json flag is enabled, objects will be converted to JSON using JSON.stringify before being transmitted to Loggly. So

  var source = {
    foo: 1,
    bar: 2,
    buzz: {
      sheep: 'jumped',
      times: 10
    }
  };

  input.log(source);

will be logged as:

  { "foo": 1, "bar": 2, "buzz": {"sheep": "jumped", "times": 10 }}

Logging arrays

It is possible to send arrays, which will result in a single request to Loggly.

  input.log([ {iam:'number 1'}, {iam:'number 2'} ])
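To make the three wire shapes described above concrete (the key=value string for shallow objects, the JSON.stringify output when json: true is set, and the newline-delimited body for arrays), here is an added example that reimplements the conversion stand-alone; it is not node-loggly-bulk's own code, and its rejection of nested values without json: true and its escaping of newlines inside plain strings are this example's own assumptions.

```javascript
// Added example (not the library's code): reimplements the message shapes the
// README describes so the request body can be inspected without a Loggly account.

function isPlainObject(value) {
  return value !== null && typeof value === 'object' && !Array.isArray(value);
}

// Shallow object -> "foo=1,bar=2,buzz=3" (the README's string representation).
// Nested values are rejected here rather than silently stringified (assumption).
function shallowToString(obj) {
  return Object.keys(obj).map((key) => {
    const value = obj[key];
    if (isPlainObject(value) || Array.isArray(value)) {
      throw new TypeError(`key "${key}" is nested; enable json: true to log it`);
    }
    return `${key}=${value}`;
  }).join(',');
}

// One log entry -> one line of the request body.
function serializeEntry(entry, { json = false } = {}) {
  if (typeof entry === 'string') {
    // The bulk body separates events with "\n", so a raw newline inside one
    // string would be read by the receiver as two events. Escaping it keeps one
    // log call equal to one event (assumption; the library may behave differently).
    return entry.replace(/\r/g, '\\r').replace(/\n/g, '\\n');
  }
  if (isPlainObject(entry)) {
    // json: true -> JSON.stringify (which also escapes any newline in values);
    // otherwise the shallow key=value form.
    return json ? JSON.stringify(entry) : shallowToString(entry);
  }
  throw new TypeError(`unsupported log entry type: ${typeof entry}`);
}

// Array -> newline-delimited bulk body (one request, one event per line).
// A single entry is treated as a one-element array.
function serializeForLoggly(input, options = {}) {
  const entries = Array.isArray(input) ? input : [input];
  return entries.map((entry) => serializeEntry(entry, options)).join('\n');
}

// The README's two sample inputs, for inspection when run directly.
console.log(serializeForLoggly({ foo: 1, bar: 2, buzz: 3 })); // foo=1,bar=2,buzz=3
console.log(serializeForLoggly(
  { foo: 1, bar: 2, buzz: { sheep: 'jumped', times: 10 } },
  { json: true }
)); // {"foo":1,"bar":2,"buzz":{"sheep":"jumped","times":10}}
```

JSON.stringify emits no whitespace, so the json-mode output differs from the README's spaced rendering only in formatting.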

Installation

Installing npm (node package manager)

  $ curl http://npmjs.org/install.sh | sh

Installing node-loggly-bulk

  $ npm install node-loggly-bulk

Run Tests

  $ npm run test


node-loggly-bulk's Issues

Dependency vulnerability in stringstream v0.0.5

Issue

Snyk has flagged stringstream v0.0.5 as a security vulnerability.

Affected versions of this package are vulnerable to Uninitialized Memory Exposure. An attacker could extract sensitive data from uninitialized memory or cause a DoS by passing in a large number, in setups where typed user input can be passed to the stream (e.g. from JSON).

https://snyk.io/vuln/npm:stringstream:20180511

Remediation

Upgrade stringstream to version 0.0.6 or higher.

It appears that this vulnerability is pulled in via request v2.83.0. request v2.86.0 and higher do not include this dependency.

Writing to `console` should be optional or not happen at all

Retry logic printouts should be done with a logging library or be optional. Those printouts pollute the general log and are impossible to move somewhere else.

log #218 - failed on error: Error: read ECONNRESET
log #218 - Trying again in 2000[ms], attempt no. 2
log #220 - failed on error: 500 Internal Server Error
log #220 - Trying again in 2000[ms], attempt no. 2
log #218 sent successfully after 2 retries
log #220 sent successfully after 2 retries

isBulk doesn't disable setInterval

Issue

I've been trying to get node-loggly-bulk running on AWS lambda and have been running into timeout issues. One inconsistency I ran into was passing in the isBulk property and expecting it to not do any sort of polling.

Culprit lines:

https://github.com/loggly/node-loggly-bulk/blob/master/lib/loggly/client.js#L79
https://github.com/loggly/node-loggly-bulk/blob/master/lib/loggly/common.js#L317

Proposed Solutions

I think we could change client.js#L79 to something like this

  this.isBulk = options.isBulk || false;

  var defaultBufferOptions = this.isBulk
    ? { size: 500, retriesInMilliSeconds: 30 * 1000 }
    : { size: 1, retriesInMilliSeconds: 100 };

  this.bufferOptions = options.bufferOptions || defaultBufferOptions;

Another solution I could see, but don't completely know the implications of the change, would be to change common.js#317 to:

  if (timerFunctionForBufferedLogs === null && isBulk) {
    timerFunctionForBufferedLogs = setInterval(function() {
      ...
    }, bufferOptions.retriesInMilliSeconds);
  }

Uncaught ECONNREFUSED connection error

Error

Got this error a few times now which crashed my server:

uncaught exception Error: connect ECONNREFUSED 52.21.83.61:443
    at TCPConnectWrap.afterConnect [as oncomplete] (net.js:1145:16) {
  errno: 'ECONNREFUSED',
  code: 'ECONNREFUSED',
  syscall: 'connect',
  address: '52.21.83.61',
  port: 443
}

... same error with IP 75.101.233.97

Found out that the IPs are both of the logs-01.loggly.com server which is used for uploading logs. Obviously some kind of error handling seems to be missing here.

Versions

Node.js: 12.19.1
node-loggly-bulk: 2.2.4

WS-2019-0032 (Medium) detected in js-yaml-3.4.6.tgz

WS-2019-0032 - Medium Severity Vulnerability

Vulnerable Library - js-yaml-3.4.6.tgz

YAML 1.2 parser and serializer

Library home page: https://registry.npmjs.org/js-yaml/-/js-yaml-3.4.6.tgz

Path to dependency file: node-loggly-bulk/package.json

Path to vulnerable library: node-loggly-bulk/node_modules/js-yaml/package.json

Dependency Hierarchy:

  • common-style-3.1.0.tgz (Root Library)
    • jscs-2.11.0.tgz
      • js-yaml-3.4.6.tgz (Vulnerable Library)

Found in HEAD commit: cfd27fcc7d0cb76d62455da360cf0f9247ff6758

Found in base branch: master

Vulnerability Details

Versions of js-yaml prior to 3.13.0 are vulnerable to Denial of Service. By parsing a carefully-crafted YAML file, the node process stalls and may exhaust system resources leading to a Denial of Service.

Publish Date: 2019-03-20

URL: WS-2019-0032

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/788/versions

Release Date: 2019-03-20

Fix Resolution: js-yaml - 3.13.0

Multi instances clobber each other

If you create multiple instances with bulk enabled and using two different accounts some logs will not make it to loggly.

Looking through the code, it looks like there are singletons that are created as soon as the module is required under common.js. It would seem there is a bug around how that state is managed when there are two instances manipulating a single array of log messages.

Recommend changing the signature of common.loggly to accept only one callback.

As stated in Issue #31, I recommend changing common.loggly's signature so that it only accepts a single callback function. The first argument will be an error/null and the later arguments will be what is returned. I do not believe this will cause issues to dependent third-party libraries since it is not exported as part of require('node-loggly-bulk'). I believe this will lead to less confusion in the future if this function is modified or used.

Please let me know what you think.

CVE-2022-24785 (High) detected in moment-2.29.1.tgz

CVE-2022-24785 - High Severity Vulnerability

Vulnerable Library - moment-2.29.1.tgz

Parse, validate, manipulate, and display dates

Library home page: https://registry.npmjs.org/moment/-/moment-2.29.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/moment/package.json

Dependency Hierarchy:

  • moment-2.29.1.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Moment.js is a JavaScript date library for parsing, validating, manipulating, and formatting dates. A path traversal vulnerability impacts npm (server) users of Moment.js between versions 1.0.1 and 2.29.1, especially if a user-provided locale string is directly used to switch moment locale. This problem is patched in 2.29.2, and the patch can be applied to all affected versions. As a workaround, sanitize the user-provided locale name before passing it to Moment.js.

Publish Date: 2022-04-04

URL: CVE-2022-24785

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: GHSA-8hfj-j24r-96c4

Release Date: 2022-04-04

Fix Resolution: 2.29.2



CVE-2018-3721 (Medium) detected in lodash-3.10.1.tgz

CVE-2018-3721 - Medium Severity Vulnerability

Vulnerable Library - lodash-3.10.1.tgz

The modern build of lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-3.10.1.tgz

Path to dependency file: node-loggly-bulk/package.json

Path to vulnerable library: node-loggly-bulk/node_modules/lodash/package.json

Dependency Hierarchy:

  • nock-7.2.2.tgz (Root Library)
    • lodash-3.10.1.tgz (Vulnerable Library)

Found in HEAD commit: cfd27fcc7d0cb76d62455da360cf0f9247ff6758

Found in base branch: master

Vulnerability Details

lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via defaultsDeep, merge, and mergeWith functions, which allows a malicious user to modify the prototype of "Object" via __proto__, causing the addition or modification of an existing property that will exist on all objects.

Publish Date: 2018-06-07

URL: CVE-2018-3721

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-3721

Release Date: 2018-06-07

Fix Resolution: 4.17.5

common.loggly can now call both the callback and success functions in the same run with loggly error

A behavior change in 14324cf is causing common.loggly to potentially call both the callback and success functions in the event the Loggly servers come back with an error code but later return a success.

Prior to this commit, only one or the other function would ever be called.

This behavior is breaking both node-loggly-bulk's own Loggly.prototype.log function as well as winston-loggly-bulk's Loggly.prototype.log function which delegates to it since in both cases the callback passed in is only expected to be called once.

I am currently working on a pull request that modifies common.loggly to ensure that the callback and success functions combined only ever get called once.

I recommend changing common.loggly's signature so that it only accepts a single callback function. I do not believe this will cause issues to dependent third-party libraries since it is not exported as part of require('node-loggly-bulk'). I will create a separate issue for this recommendation for consideration.

Add flushLogs() method

It would be great to add a flushLogs() method in case of graceful shutdown (isBulk: true).
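As an added example that is not the project's code, tying together the isBulk/setInterval proposal in the issue above and this flushLogs() request: a buffer that only starts a polling interval when isBulk is set, flushes when `size` entries are queued, and exposes flushLogs() and close() for graceful shutdown. `sender` is a hypothetical callback standing in for the HTTP request to Loggly; the default bufferOptions follow the shape proposed in the isBulk issue.

```javascript
// Added example (not node-loggly-bulk's code): a bulk buffer whose timer exists
// only in bulk mode and which can be flushed explicitly on shutdown.

class BulkBuffer {
  constructor({ isBulk = false, bufferOptions, sender }) {
    this.isBulk = isBulk;
    // Defaults as proposed in the isBulk issue: large batches on a slow timer
    // when bulk, otherwise a size-1 buffer that sends on every log call.
    this.bufferOptions = bufferOptions || (isBulk
      ? { size: 500, retriesInMilliSeconds: 30 * 1000 }
      : { size: 1, retriesInMilliSeconds: 100 });
    this.sender = sender; // hypothetical: receives an array of queued entries
    this.queue = [];
    this.timer = null;
    // Only bulk mode needs periodic flushing. A non-bulk client never calls
    // setInterval, so nothing keeps a short-lived (e.g. Lambda) process alive.
    if (this.isBulk) {
      this.timer = setInterval(() => this.flushLogs(),
        this.bufferOptions.retriesInMilliSeconds);
      // unref() lets the process exit if this timer is the only pending work.
      if (typeof this.timer.unref === 'function') this.timer.unref();
    }
  }

  // Queue one entry; send immediately once the buffer reaches `size`.
  log(entry) {
    this.queue.push(entry);
    if (this.queue.length >= this.bufferOptions.size) this.flushLogs();
  }

  // Send everything queued as one batch; returns how many entries went out.
  flushLogs() {
    if (this.queue.length === 0) return 0;
    const batch = this.queue.splice(0, this.queue.length);
    this.sender(batch);
    return batch.length;
  }

  // Graceful shutdown: push out whatever is left, then stop the timer so the
  // event loop can drain. Returns the number of entries flushed.
  close() {
    const sent = this.flushLogs();
    if (this.timer !== null) {
      clearInterval(this.timer);
      this.timer = null;
    }
    return sent;
  }
}

// Usage with a constructed sender that just records batches.
function demo() {
  const batches = [];
  const buffer = new BulkBuffer({
    isBulk: true,
    bufferOptions: { size: 2, retriesInMilliSeconds: 30 * 1000 },
    sender: (batch) => batches.push(batch),
  });
  buffer.log('first');   // queued
  buffer.log('second');  // size reached -> one batch of two
  buffer.log('third');   // queued until close()
  buffer.close();        // flushes the remaining entry and clears the timer
  return batches;        // [['first', 'second'], ['third']]
}

console.log(JSON.stringify(demo()));
```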

CVE-2022-3517 (High) detected in minimatch-3.0.4.tgz

CVE-2022-3517 - High Severity Vulnerability

Vulnerable Library - minimatch-3.0.4.tgz

a glob matcher in javascript

Library home page: https://registry.npmjs.org/minimatch/-/minimatch-3.0.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/minimatch/package.json

Dependency Hierarchy:

  • eslint-8.2.0.tgz (Root Library)
    • minimatch-3.0.4.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.

Publish Date: 2022-10-17

URL: CVE-2022-3517

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Release Date: 2022-10-17

Fix Resolution: minimatch - 3.0.5

Failed on error code undefined

Hi

My Loggly account is no longer active but the code tries to connect, and I'm getting the error printed to console in this file.

It tries to print a status code which is unavailable in this function.

I also think the message would be a lot better if it didn't just say "failed on error code x", but said "connection failed: code x" or something. The code didn't really fail on the error code lol

CVE-2020-8203 (High) detected in lodash-3.10.1.tgz

CVE-2020-8203 - High Severity Vulnerability

Vulnerable Library - lodash-3.10.1.tgz

The modern build of lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-3.10.1.tgz

Path to dependency file: node-loggly-bulk/package.json

Path to vulnerable library: node-loggly-bulk/node_modules/lodash/package.json

Dependency Hierarchy:

  • nock-7.2.2.tgz (Root Library)
    • lodash-3.10.1.tgz (Vulnerable Library)

Found in HEAD commit: cfd27fcc7d0cb76d62455da360cf0f9247ff6758

Found in base branch: master

Vulnerability Details

Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.

Publish Date: 2020-07-15

URL: CVE-2020-8203

CVSS 3 Score Details (7.4)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1523

Release Date: 2020-07-23

Fix Resolution: lodash - 4.17.19

CVE-2021-3918 (High) detected in json-schema-0.2.3.tgz

CVE-2021-3918 - High Severity Vulnerability

Vulnerable Library - json-schema-0.2.3.tgz

JSON Schema validation and specifications

Library home page: https://registry.npmjs.org/json-schema/-/json-schema-0.2.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/json-schema/package.json

Dependency Hierarchy:

  • request-2.88.2.tgz (Root Library)
    • http-signature-1.2.0.tgz
      • jsprim-1.4.1.tgz
        • json-schema-0.2.3.tgz (Vulnerable Library)

Found in HEAD commit: 629683dceefd49a342fae2a3130db303042f3ca2

Found in base branch: master

Vulnerability Details

json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Publish Date: 2021-11-13

URL: CVE-2021-3918

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-3918

Release Date: 2021-11-13

Fix Resolution: json-schema - 0.4.0

CVE-2019-1010266 (Medium) detected in lodash-3.10.1.tgz

CVE-2019-1010266 - Medium Severity Vulnerability

Vulnerable Library - lodash-3.10.1.tgz

The modern build of lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-3.10.1.tgz

Path to dependency file: node-loggly-bulk/package.json

Path to vulnerable library: node-loggly-bulk/node_modules/lodash/package.json

Dependency Hierarchy:

  • nock-7.2.2.tgz (Root Library)
    • lodash-3.10.1.tgz (Vulnerable Library)

Found in HEAD commit: cfd27fcc7d0cb76d62455da360cf0f9247ff6758

Found in base branch: master

Vulnerability Details

lodash prior to 4.17.11 is affected by: CWE-400: Uncontrolled Resource Consumption. The impact is: Denial of service. The component is: Date handler. The attack vector is: Attacker provides very long strings, which the library attempts to match using a regular expression. The fixed version is: 4.17.11.

Publish Date: 2019-07-17

URL: CVE-2019-1010266

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1010266

Release Date: 2019-07-17

Fix Resolution: 4.17.11

Broken with Yarn 2 (Berry)

The following will yield TypeError: createClient is not a function with Yarn 2:

import { createClient } from 'node-loggly-bulk';

I was able to circumvent this by using a direct import:

import { createClient } from 'node-loggly-bulk/lib/loggly/client';

Originally reported here: chromaui/chromatic-cli#166

All our logs get truncated after upgrading to 2.1.0

Hello,

We upgraded today from version 2.0.0 to the latest 2.1.0 and all our logs look like this:
{"level":"error","tag":"server","message":"Unhandled promise rejection: socket hang up","meta":{"error":{"message":"socket hang up","stack":"Error: socket hang up\n at createHangUpError (_http_client.js:253:15)\n at TLSSocket.socketOnEnd (_http_client.js:345:23)\n at emitNone (events.js:91:20)\n at TLSSocket.emit (events.js:185:7)\n at endReadableNT (_stream_readable.js:974:12)\n at _combinedTickCallback (internal/process/next_tick.js:80:11)\n at process._tickDomainCallback (inter

They look truncated and we get a lot of them, like 20k/hour.
We were thinking it might be because of this:
4851a17

Reverting to 2.0.0 fixed the problem.
Any ideas on what the problem in this new version is?

Thank you!

Specific time for each log entry

Hi,

I understand that to send requests in bulk the logs must be in an array. What if I send the logs every x time and I want to specify the time for each log entry? How would this code look?

  client.log([ {iam:'number 1'}, {iam:'number 2'} ])

Bulk log sending is broken in v4.0.1

Sending logs in bulk is currently broken in version 4.0.1 of the library, because only one of the logs is sent to Loggly while the others are discarded. The HTTP request options contain the wrong data.

Reproduction script:

import loggly from "node-loggly-bulk";

const subdomain = "REPLACE_ME";
const token = "REPLACE_ME";

const client = loggly.createClient({
  subdomain,
  json: true,
  token,
  tags: ["test"],
  isBulk: true,
  useTagHeader: false,
  bufferOptions: {
    size: 2
  },
});

client.log({
  message: "test",
  id: 10091
});
client.log({
  message: "test",
  id: 10091
});

//Wait for request to finish before exiting
console.log("Press any key to exit");

process.stdin.setRawMode(true);
process.stdin.resume();
process.stdin.on("data", process.exit.bind(process, 0));

Sent axios request options

{
  uri: 'https://logs-01.loggly.com/bulk/xxx/tag/test/',
  method: 'POST',
  headers: {},
  proxy: null,
  data: '{"message":"test","id":10091}',
  body: '{"message":"test","id":10091}\n{"message":"test","id":10091}'
}

Expected axios request options

{
  uri: 'https://logs-01.loggly.com/bulk/xxx/tag/test/',
  method: 'POST',
  headers: {},
  proxy: null,
  data: '{"message":"test","id":10091}\n{"message":"test","id":10091}'
}

I think the issue is related to migration from request library to axios library. The data in requestOptions is set to body.

Fix

This issue can be fixed by changing .body to .data in common.js#236. But I'm not sure if this is the correct solution.

https://github.com/loggly/node-loggly-bulk/blob/39163147f9bc028850935a08faa76bbe09cd01f8/lib/loggly/common.js#L236C21-L236C21

WS-2018-0148 (Low) detected in utile-0.2.1.tgz

WS-2018-0148 - Low Severity Vulnerability

Vulnerable Library - utile-0.2.1.tgz

A drop-in replacement for `util` with some additional advantageous functions

Library home page: https://registry.npmjs.org/utile/-/utile-0.2.1.tgz

Path to dependency file: node-loggly-bulk/package.json

Path to vulnerable library: node-loggly-bulk/node_modules/utile/package.json

Dependency Hierarchy:

  • common-style-3.1.0.tgz (Root Library)
    • jscs-2.11.0.tgz
      • prompt-0.2.14.tgz
        • utile-0.2.1.tgz (Vulnerable Library)

Found in HEAD commit: cfd27fcc7d0cb76d62455da360cf0f9247ff6758

Found in base branch: master

Vulnerability Details

utile before version 0.3.0 allocates uninitialized Buffers when a number is passed as input.

Publish Date: 2018-07-16

URL: WS-2018-0148

CVSS 2 Score Details (1.8)

Base Score Metrics not available

CVE-2022-31129 (High) detected in moment-2.29.1.tgz

CVE-2022-31129 - High Severity Vulnerability

Vulnerable Library - moment-2.29.1.tgz

Parse, validate, manipulate, and display dates

Library home page: https://registry.npmjs.org/moment/-/moment-2.29.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/moment/package.json

Dependency Hierarchy:

  • moment-2.29.1.tgz (Vulnerable Library)

Found in HEAD commit: 629683dceefd49a342fae2a3130db303042f3ca2

Found in base branch: master

Vulnerability Details

moment is a JavaScript date library for parsing, validating, manipulating, and formatting dates. Affected versions of moment were found to use an inefficient parsing algorithm. Specifically, using string-to-date parsing in moment (more specifically rfc2822 parsing, which is tried by default) has quadratic (N^2) complexity on specific inputs. Users may notice a noticeable slowdown with inputs above 10k characters. Users who pass user-provided strings without sanity length checks to the moment constructor are vulnerable to (Re)DoS attacks. The problem is patched in 2.29.4; the patch can be applied to all affected versions with minimal tweaking. Users are advised to upgrade. Users unable to upgrade should consider limiting date lengths accepted from user input.

Publish Date: 2022-07-06

URL: CVE-2022-31129

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: GHSA-wc69-rhjr-hc9g

Release Date: 2022-07-06

Fix Resolution: moment - 2.29.4



Replace the deprecated and vulnerable dependency package `request`

Hi!

The direct dependency package request has been deprecated in Feb 2020 (https://www.npmjs.com/package/request). All versions of request including the latest one are affected by a prototype pollution vulnerability (https://sca.analysiscenter.veracode.com/vulnerability-database/security/sca/vulnerability/sid-21913/summary).

Maintainers of the package have composed the list of alternative libraries for replacement: request/request#3143

CVE-2018-16487 (Medium) detected in lodash-3.10.1.tgz

CVE-2018-16487 - Medium Severity Vulnerability

Vulnerable Library - lodash-3.10.1.tgz

The modern build of lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-3.10.1.tgz

Path to dependency file: node-loggly-bulk/package.json

Path to vulnerable library: node-loggly-bulk/node_modules/lodash/package.json

Dependency Hierarchy:

  • nock-7.2.2.tgz (Root Library)
    • lodash-3.10.1.tgz (Vulnerable Library)

Found in HEAD commit: cfd27fcc7d0cb76d62455da360cf0f9247ff6758

Found in base branch: master

Vulnerability Details

A prototype pollution vulnerability was found in lodash <4.17.11 where the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of Object.prototype.

Publish Date: 2019-02-01

URL: CVE-2018-16487

CVSS 3 Score Details (5.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low


Suggested Fix

Type: Upgrade version

Origin: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16487

Release Date: 2019-02-01

Fix Resolution: 4.17.11

Unspecified error from Loggly: SyntaxError: Unexpected token < in JSON at position 0

Hello,

For a few weeks now, we are getting this error. We initially were using the unofficial winston/node-loggly but changed to the official one in the hope we get rid of this problem, but it persists.

As you can see in the image the problem originates in the node loggly bulk library.

It seems that we get an error response that is probably HTML and not JSON so it breaks because it can't handle this. Any idea on why this happens?

Thank you,
Nick

WS-2019-0063 (High) detected in js-yaml-3.4.6.tgz

WS-2019-0063 - High Severity Vulnerability

Vulnerable Library - js-yaml-3.4.6.tgz

YAML 1.2 parser and serializer

Library home page: https://registry.npmjs.org/js-yaml/-/js-yaml-3.4.6.tgz

Path to dependency file: node-loggly-bulk/package.json

Path to vulnerable library: node-loggly-bulk/node_modules/js-yaml/package.json

Dependency Hierarchy:

  • common-style-3.1.0.tgz (Root Library)
    • jscs-2.11.0.tgz
      • js-yaml-3.4.6.tgz (Vulnerable Library)

Found in HEAD commit: cfd27fcc7d0cb76d62455da360cf0f9247ff6758

Found in base branch: master

Vulnerability Details

js-yaml prior to 3.13.1 is vulnerable to Code Injection. The load() function may execute arbitrary code injected through a malicious YAML file.

Publish Date: 2019-04-05

URL: WS-2019-0063

CVSS 2 Score Details (8.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/813

Release Date: 2019-04-05

Fix Resolution: js-yaml - 3.13.1

CVE-2020-7751 (High) detected in pathval-0.1.1.tgz

CVE-2020-7751 - High Severity Vulnerability

Vulnerable Library - pathval-0.1.1.tgz

Object value retrieval given a string path

Library home page: https://registry.npmjs.org/pathval/-/pathval-0.1.1.tgz

Path to dependency file: node-loggly-bulk/package.json

Path to vulnerable library: node-loggly-bulk/node_modules/pathval/package.json

Dependency Hierarchy:

  • common-style-3.1.0.tgz (Root Library)
    • jscs-2.11.0.tgz
      • pathval-0.1.1.tgz (Vulnerable Library)

Found in HEAD commit: cfd27fcc7d0cb76d62455da360cf0f9247ff6758

Found in base branch: master

Vulnerability Details

This affects all versions of package pathval.

Publish Date: 2020-10-26

URL: CVE-2020-7751

CVSS 3 Score Details (7.2)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: High
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


CVE-2016-10540 (High) detected in minimatch-2.0.10.tgz

CVE-2016-10540 - High Severity Vulnerability

Vulnerable Library - minimatch-2.0.10.tgz

a glob matcher in javascript

Library home page: https://registry.npmjs.org/minimatch/-/minimatch-2.0.10.tgz

Path to dependency file: node-loggly-bulk/package.json

Path to vulnerable library: node-loggly-bulk/node_modules/babel-core/node_modules/minimatch/package.json

Dependency Hierarchy:

  • common-style-3.1.0.tgz (Root Library)
    • jscs-2.11.0.tgz
      • babel-jscs-2.0.5.tgz
        • babel-core-5.8.38.tgz
          • minimatch-2.0.10.tgz (Vulnerable Library)

Found in HEAD commit: cfd27fcc7d0cb76d62455da360cf0f9247ff6758

Found in base branch: master

Vulnerability Details

Minimatch is a minimal matching utility that works by converting glob expressions into JavaScript RegExp objects. The primary function, minimatch(path, pattern) in Minimatch 3.0.1 and earlier is vulnerable to ReDoS in the pattern parameter.

Publish Date: 2018-05-31

URL: CVE-2016-10540

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/118

Release Date: 2016-06-20

Fix Resolution: Update to version 3.0.2 or later.

WS-2018-0625 (High) detected in xmlbuilder-3.1.0.tgz

WS-2018-0625 - High Severity Vulnerability

Vulnerable Library - xmlbuilder-3.1.0.tgz

An XML builder for node.js

Library home page: https://registry.npmjs.org/xmlbuilder/-/xmlbuilder-3.1.0.tgz

Path to dependency file: node-loggly-bulk/package.json

Path to vulnerable library: node-loggly-bulk/node_modules/xmlbuilder/package.json

Dependency Hierarchy:

  • common-style-3.1.0.tgz (Root Library)
    • jscs-2.11.0.tgz
      • xmlbuilder-3.1.0.tgz (Vulnerable Library)

Found in HEAD commit: cfd27fcc7d0cb76d62455da360cf0f9247ff6758

Found in base branch: master

Vulnerability Details

The package xmlbuilder-js before 9.0.5 is vulnerable to denial of service due to a regular expression issue.

Publish Date: 2018-02-08

URL: WS-2018-0625

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: oozcitak/xmlbuilder-js@bbf929a

Release Date: 2020-03-23

Fix Resolution: 9.0.5

CVE-2019-10744 (High) detected in lodash-3.10.1.tgz

CVE-2019-10744 - High Severity Vulnerability

Vulnerable Library - lodash-3.10.1.tgz

The modern build of lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-3.10.1.tgz

Path to dependency file: node-loggly-bulk/package.json

Path to vulnerable library: node-loggly-bulk/node_modules/lodash/package.json

Dependency Hierarchy:

  • nock-7.2.2.tgz (Root Library)
    • lodash-3.10.1.tgz (Vulnerable Library)

Found in HEAD commit: cfd27fcc7d0cb76d62455da360cf0f9247ff6758

Found in base branch: master

Vulnerability Details

Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.

Publish Date: 2019-07-26

URL: CVE-2019-10744

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: GHSA-jf85-cpcp-j695

Release Date: 2019-07-08

Fix Resolution: lodash-4.17.12, lodash-amd-4.17.12, lodash-es-4.17.12, lodash.defaultsdeep-4.6.1, lodash.merge-4.6.2, lodash.mergewith-4.6.2, lodash.template-4.5.0
