
Loggin (among other issues) has a security vulnerability and hasn't been updated in 3 years. Possibly replace it? #150

Open
mkg20001 opened this issue Oct 18, 2018 · 4 comments

Comments

@mkg20001
Contributor

mkg20001 commented Oct 18, 2018

There is a security vulnerability in loggin because it uses a vulnerable version of minimatch.
It has not been updated in the last 3 years and still uses gulp for all release tasks so I'm assuming it won't get an update.
Additionally, it uses the now-replaced raven package instead of the "@sentry/node" package.

Could this module get replaced with some proper, more common logging library such as pino or bunyan to fix all the problems this rusty thing has?

@mkg20001
Contributor Author

I've also created a PR to fix those issues, but depending on something with issues that hasn't been actively maintained in the last 3 years isn't the best idea.
fistlabs/loggin#45

@JKHeadley JKHeadley added this to the Logging Module milestone Oct 18, 2018
@JKHeadley
Owner

@mkg20001 Totally agree with this. Loggin served its purpose well but it would be good to replace it with something more supported.

The only issue I see here is that it will be a large undertaking. Unfortunately logging is pretty embedded into the code. Ideally rest-hapi could provide a custom logging module/interface that could support the logging module of choice by the dev. I'll add this as a feature request.

If you feel interested in tackling this please feel free. This is one of the many areas that has plenty of room for improvement.

@mkg20001
Contributor Author

Loggin served its purpose well but it would be good to replace it with something more supported.

I've released a quick'n'dirty update of loggin that seems to work fine (only 2 tests broken, mainly because of the switch from raven to sentry-minimal, which doesn't have a full SDK). Maybe cherry-picking this commit would be a good idea to fix the vulns for now (after #146 has been merged).

Ideally rest-hapi could provide a custom logging module/interface that could support the logging module of choice by the dev.

This would be great. Another, even better idea: make a very tiny interface that exposes only the basic methods that hapi needs from the logger and then give the user the native logging object. (So all files in api, for example, would just get the native logger without any interface wrapping at all.)
That way the overhead for adding a new logger module is tiny and you won't get thousands of issues about the interface missing some functionality (ideally this simple interface could expose the same API as logging, just without the stuff rest-hapi doesn't need. That way almost nothing needs to be changed.)
(By native logging object I mean the logger just without being wrapped in the interface.)
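A sketch of the thin interface proposed in the comment above, added here as an example; it is not code from rest-hapi or loggin, and the set of required method names (info, warn, error, debug) is an assumption, not rest-hapi's actual API.

```javascript
// Added example, not rest-hapi code. The method list is an assumption about
// what the framework itself would need from any logger it is handed.
const REQUIRED_METHODS = ['info', 'warn', 'error', 'debug'];

// Wrap an arbitrary logger (pino, bunyan, console, ...) behind a tiny interface.
// Only the methods the framework would call are checked and forwarded; the
// original object is exposed as `.native` so application code keeps its full API.
// Fail fast at startup rather than at the first log call in a request handler.
function createLogger(native) {
  if (native === null || (typeof native !== 'object' && typeof native !== 'function')) {
    throw new TypeError('createLogger: a logger object is required');
  }
  const missing = REQUIRED_METHODS.filter((m) => typeof native[m] !== 'function');
  if (missing.length > 0) {
    throw new TypeError(`createLogger: logger is missing method(s): ${missing.join(', ')}`);
  }
  const wrapper = { native };
  for (const m of REQUIRED_METHODS) {
    wrapper[m] = (...args) => native[m](...args);
  }
  return Object.freeze(wrapper); // callers cannot monkey-patch the interface
}

// Constructed in-memory logger standing in for pino/bunyan so the example runs offline.
function createMemoryLogger() {
  const records = [];
  const logger = { records, extra() { return 'only on native'; } };
  for (const level of REQUIRED_METHODS) {
    logger[level] = (...args) => { records.push({ level, args }); };
  }
  return logger;
}

// Framework code talks to the wrapper; app code reaches the native logger directly.
function demo() {
  const mem = createMemoryLogger();
  const log = createLogger(mem);
  log.info('server started', { port: 8080 });
  log.error('request failed');
  return { records: mem.records, nativeExtra: log.native.extra(), extraOnWrapper: typeof log.extra };
}
```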

@JKHeadley
Owner

@mkg20001 Yes I think that would be the best option.
