Morgan, a popular HTTP request logger middleware for Node.js applications, saw a small but potentially impactful update moving from version 1.0.0 to 1.0.1. While both versions share the same core functionality – providing concise and customizable logging of incoming requests – several key differences emerge upon closer inspection.
The primary change lies in the updated dependencies. Version 1.0.1 upgraded the bytes dependency from ~0.2.0 to 0.3.0. This likely reflects improvements or bug fixes within the bytes library itself, which is used for formatting byte sizes in the logs. Developers using Morgan should be aware of this updated dependency and consult the bytes changelog for details regarding any potential compatibility issues or new features.
Another subtle difference is in the specified versions for devDependencies. Version 1.0.0 uses wildcards (*) for the versions of mocha, should, connect, and supertest, which allows the latest available versions during development and testing. Version 1.0.1 is more specific, constraining mocha to ~1.18.2 and should to ~3.3.1, while connect is removed entirely. Although less critical for end users, this change suggests a move towards a more controlled testing and development environment.
Beyond these differences, both versions maintain the core functionality that makes Morgan a valuable tool in Node.js development: simplifying request logging and providing useful performance insights. Consult the package's official GitHub repository for full changelogs and detailed information.
Vulnerabilities affecting version 1.0.1 of the package:
Code Injection in morgan
Versions of morgan before 1.9.1 are vulnerable to code injection when user input is allowed into the filter or combined with a prototype pollution attack. The 1.0.1 release discussed above falls inside this affected range.
Update to version 1.9.1 or later.
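The following is an added example and is not code from the morgan project. It shows two checks a maintainer would apply after reading the advisory above: flagging any installed morgan version that falls before the fixed release 1.9.1, and resolving the log format only from morgan's predefined format names (combined, common, dev, short, tiny) so that a string taken from configuration or request data is never handed to morgan as a format. The version list in auditVersions is constructed sample input; the function names are assumptions made here.

```javascript
// Added example (not from the morgan project). Assumed names: parseSemver,
// compareSemver, isAffectedMorganVersion, resolveLogFormat, auditVersions.

// First release that contains the fix named in the advisory.
const FIXED_VERSION = [1, 9, 1];

// Parse "1.0.1", "v1.9.1" or "1.9.1-beta" into numeric [major, minor, patch].
// Pre-release tags are ignored, which is conservative for an "is it patched?" check.
function parseSemver(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(version).trim());
  if (!m) throw new Error(`unparseable version: ${version}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric comparison, so that 1.10.0 sorts after 1.9.1 (a plain string compare would not).
function compareSemver(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True when the version lies in the advisory's affected range (before 1.9.1).
function isAffectedMorganVersion(version) {
  return compareSemver(parseSemver(version), FIXED_VERSION) < 0;
}

// morgan's predefined format names; only these may be selected at runtime.
const ALLOWED_FORMATS = new Set(['combined', 'common', 'dev', 'short', 'tiny']);

// Map a requested format name (from config, an env var, etc.) to an allowlisted
// one. Anything else, including a hand-written token string, falls back to the
// default instead of being passed through to morgan.
function resolveLogFormat(requested, fallback = 'combined') {
  return ALLOWED_FORMATS.has(requested) ? requested : fallback;
}

// Audit a list of versions (for example, gathered from a lockfile) against the advisory.
function auditVersions(versions) {
  return versions.map((v) => ({ version: v, affected: isAffectedMorganVersion(v) }));
}

// Constructed sample input: versions one might find across several services.
const sampleVersions = ['1.0.1', '1.9.0', '1.9.1', '1.10.0'];
console.log(auditVersions(sampleVersions));
console.log('format:', resolveLogFormat(process.env.LOG_FORMAT));
```

The audit reports 1.0.1 and 1.9.0 as affected and 1.9.1 and 1.10.0 as not affected; the format resolver returns the requested name only when it is one of morgan's predefined formats, otherwise the default.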