Update dependency log4js to v6.4.0 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
log4js (source)	6.1.2 → 6.4.0

GitHub Vulnerability Alerts

CVE-2022-21704

Impact

Default file permissions for log files created by the file, fileSync and dateFile appenders are world-readable (in unix). This could cause problems if log files contain sensitive information. This would affect any users that have not supplied their own permissions for the files via the mode parameter in the config.

Patches

Fixed by:

• https://github.com/log4js-node/log4js-node/pull/1141
• https://github.com/log4js-node/streamroller/pull/87

Released to NPM in log4js@6.4.0

Workarounds

Every version of log4js published allows passing the mode parameter to the configuration of file appenders, see the documentation for details.

References

Thanks to ranjit-git for raising the issue, and to @​lamweili for fixing the problem.

For more information

If you have any questions or comments about this advisory:

• Open an issue in logj4s-node
• Ask a question in the slack channel
• Email us at gareth.nomiddlename@gmail.com

---

Release Notes

log4js-node/log4js-node (log4js)

v6.4.0

Compare Source

New default file permissions may cause external applications unable to read logs.
A manual code/configuration change is required.

• feat: added warnings when log() is used with invalid levels before fallbacking to INFO - thanks @​abernh
• feat: exposed Recording - thanks @​polo-language
• fix: default file permission to be 0o600 instead of 0o644 - thanks ranjit-git and @​lamweili
  • docs: updated fileSync.md and misc comments - thanks @​lamweili
• fix: file descriptor leak if repeated configure() - thanks @​lamweili
• fix: MaxListenersExceededWarning from NodeJS - thanks @​lamweili
  • test: added assertion for increase of SIGHUP listeners on log4js.configure() - thanks @​lamweili
• fix: missing TCP appender with Webpack and Typescript - thanks @​techmunk
• fix: dateFile appender exiting NodeJS on error - thanks @​4eb0da
  • refactor: using writer.writable instead of alive for checking - thanks @​lamweili
• fix: TCP appender exiting NodeJS on error - thanks @​jhonatanTeixeira
• fix: multiprocess appender exiting NodeJS on error - thanks @​harlentan
• test: update fakeFS.read as graceful-fs uses it - thanks @​lamweili
• test: update fakeFS.realpath as fs-extra uses it - thanks @​lamweili
• test: added tap.tearDown() to clean up test files
  • test: #​1143 - thanks @​lamweili
  • test: #​1022 - thanks @​abetomo
• type: improved @​types for AppenderModule - thanks @​nicobao
• type: Updated fileSync appender types - thanks @​lamweili
• type: Removed erroneous type in file appender - thanks @​vdmtrv
• type: Updated Logger.log type - thanks @​ZLundqvist
• type: Updated Logger._log type - thanks @​lamweili
• type: Updated Logger.level type - thanks @​lamweili
• type: Updated Levels.getLevel type - thanks @​saulzhong
• chore(deps): bump streamroller from 3.0.1 to 3.0.2 - thanks @​lamweili
• chore(deps): bump date-format from 4.0.2 to 4.0.3 - thanks @​lamweili
• chore(deps-dev): bump eslint from from 8.6.0 to 8.7.0 - thanks @​lamweili
• chore(deps-dev): bump nyc from 14.1.1 to 15.1.0 - thanks @​lamweili
• chore(deps-dev): bump eslint from 5.16.0 to 8.6.0 - thanks @​lamweili
• chore(deps): bump flatted from 2.0.2 to 3.2.4 - thanks @​lamweili
• chore(deps-dev): bump fs-extra from 8.1.0 to 10.0.0 - thanks @​lamweili
• chore(deps): bump streamroller from 2.2.4 to 3.0.1 - thanks @​lamweili
  • fix: compressed file ignores dateFile appender "mode" - thanks @​rnd-debug
  • fix: #​1039 where there is an additional separator in filename (streamroller@3.0.0 changelog)
  • fix: #​1035, #​1080 for daysToKeep naming confusion (streamroller@3.0.0 changelog)
  • refactor: migrated from daysToKeep to numBackups due to streamroller@^3.0.0 - thanks @​lamweili
  • feat: allows for zero backups - thanks @​lamweili
• chore(deps): bump date-format from 3.0.0 to 4.0.2 - thanks @​lamweili
• chore(deps): updated dependencies - thanks @​lamweili
  • chore(deps-dev): bump eslint-config-prettier from 6.15.0 to 8.3.0
  • chore(deps-dev): bump eslint-plugin-prettier from 3.4.1 to 4.0.0
  • chore(deps-dev): bump husky from 3.1.0 to 7.0.4
  • chore(deps-dev): bump prettier from 1.19.0 to 2.5.1
  • chore(deps-dev): bump typescript from 3.9.10 to 4.5.4
• chore(deps-dev): bump eslint-config-prettier from 6.15.0 to 8.3.0 - thanks @​lamweili
• chore(deps): updated dependencies - thanks @​lamweili
  • chore(deps-dev): bump codecov from 3.6.1 to 3.8.3
  • chore(deps-dev): bump eslint-config-prettier from 6.5.0 to 6.15.0
  • chore(deps-dev): bump eslint-import-resolver-node from 0.3.2 to 0.3.6
  • chore(deps-dev): bump eslint-plugin-import" from 2.18.2 to 2.25.4
  • chore(deps-dev): bump eslint-plugin-prettier from 3.1.1 to 3.4.1
  • chore(deps-dev): bump husky from 3.0.9 to 3.1.0
  • chore(deps-dev): bump prettier from 1.18.2 to 1.19.1
  • chore(deps-dev): bump typescript from 3.7.2 to 3.9.10
• chore(deps): bump path-parse from 1.0.6 to 1.0.7 - thanks @​Dependabot
• chore(deps): bump glob-parent from 5.1.1 to 5.1.2 - thanks @​Dependabot
• chore(deps): bump hosted-git-info from 2.7.1 to 2.8.9 - thanks @​Dependabot
• chore(deps): bump lodash from 4.17.14 to 4.17.21 - thanks @​Dependabot
• chore(deps): bump y18n from 4.0.0 to 4.0.1 - thanks @​Dependabot
• chore(deps): bump node-fetch from 2.6.0 to 2.6.1 - thanks @​Dependabot
• chore(deps): bump yargs-parser from 13.1.1 to 13.1.2 - thanks @​Dependabot
• chore(deps-dev): bump codecov from 3.6.5 to 3.7.1 - thanks @​Dependabot

v6.3.0

Compare Source

• Add option to file appender to remove ANSI colours - thanks @​BlueCocoa
• Do not create appender if no categories use it - thanks @​rnd-debug
• Docs: better categories inheritance description - thanks @​rnd-debug
• Better jsdoc docs - thanks @​wataash
• Typescript: access category field in Logger - thanks @​rtvd
• Docs: influxdb appender - thanks @​rnd-debug
• Support for fileSync appender in webpack - thanks @​lauren-li
• Docs: UDP appender - thanks @​iassasin
• Style: spaces and tabs - thanks @​abetomo

v6.2.1

Compare Source

• Update streamroller to 2.2.4 to fix incorrect filename matching during log rotation

v6.2.0

Compare Source

• Add custom message end token to TCP appender - thanks @​rnd-debug
• Update acorn (dev dep of a dep) - thanks Github Robots.

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.