Log4js, a popular logging library for Node.js, had a minor version bump from 0.6.37 to 0.6.38. Both versions maintain the same core dependencies, relying on readable-stream and semver for stream handling and version management respectively. The development dependencies also remain consistent, utilizing jshint, sandboxed-module, and vows for code quality checks and testing. This suggests a focus on internal improvements or bug fixes rather than significant feature additions.
The key difference lies in the release date. Version 0.6.38 was published on July 17, 2016, roughly a month after version 0.6.37, which was released on June 14, 2016. For developers, this short interval might signify a critical bug fix or a minor enhancement that warranted a quick release. While the provided data doesn't detail the specific changes, users of 0.6.37 should consider upgrading to 0.6.38 to benefit from any potential stability improvements or resolved issues.
Log4js is designed to be easily configurable and is commonly used by developers to manage application logs, providing different appenders for various output destinations like the console, files, or databases. Given its mature state, evident from the library's continuous but incremental updates, it likely offers a dependable and robust solution for most logging needs in Node.js projects. It is under active development, so it is important to track new releases and update regularly.
All vulnerabilities related to version 0.6.38 of the package
Incorrect Default Permissions in log4js
Default file permissions for log files created by the file, fileSync and dateFile appenders are world-readable (on Unix). This could cause problems if log files contain sensitive information. This affects any users who have not supplied their own permissions for the files via the mode parameter in the config.
Fixed by:
Released to NPM in log4js@6.4.0
Every version of log4js published allows passing the mode parameter to the configuration of file appenders, see the documentation for details.
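One way to check whether a deployment depends on the default is to audit its log4js configuration for file, fileSync and dateFile appenders that do not set mode, or that set one granting group or other access. The script below is an added example, not code from log4js or the advisory; the function names, the sample configuration and the choice to accept both an array and a name-keyed object for appenders are assumptions.

```javascript
const fs = require('fs');

// Appender types named in the advisory as creating log files.
const FILE_APPENDER_TYPES = new Set(['file', 'fileSync', 'dateFile']);
const GROUP_OTHER_BITS = 0o077; // any permission granted beyond the owner

// Accept both layouts (assumption): an array of appenders, or an object keyed by name.
function listAppenders(config) {
  const a = config.appenders || [];
  return Array.isArray(a)
    ? a.map((app, i) => [`#${i}`, app])
    : Object.entries(a);
}

// Return one finding per file-based appender that does not pin a restrictive mode.
function auditAppenderModes(config) {
  const findings = [];
  for (const [name, app] of listAppenders(config)) {
    if (!FILE_APPENDER_TYPES.has(app.type)) continue;
    if (app.mode === undefined) {
      findings.push({ name, issue: 'no mode set, library default applies' });
    } else if (!Number.isInteger(app.mode)) {
      findings.push({ name, issue: 'mode is not an integer' });
    } else if (app.mode & GROUP_OTHER_BITS) {
      findings.push({ name, issue: `mode 0o${app.mode.toString(8)} grants group/other access` });
    }
  }
  return findings;
}

// Existing files keep the mode they were created with, so check them on disk too.
function groupOrOtherAccessible(path) {
  return (fs.statSync(path).mode & GROUP_OTHER_BITS) !== 0;
}

// Constructed sample configuration (file names are placeholders).
const sampleConfig = {
  appenders: {
    out: { type: 'console' },
    app: { type: 'file', filename: 'app.log' },
    audit: { type: 'dateFile', filename: 'audit.log', mode: 0o640 },
    secure: { type: 'fileSync', filename: 'secure.log', mode: 0o600 },
  },
};

console.log(auditAppenderModes(sampleConfig));
```

In a JSON configuration file the mode has to be written as a decimal integer (384 for 0o600), since JSON has no octal literals.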
Thanks to ranjit-git for raising the issue, and to @lamweili for fixing the problem.
If you have any questions or comments about this advisory:
semver vulnerable to Regular Expression Denial of Service
Versions of the package semver before 7.5.2 on the 7.x branch, before 6.3.1 on the 6.x branch, and all other versions before 5.7.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.