Morgan is a popular Node.js middleware for logging HTTP requests, providing developers with valuable insights into their application's traffic. Examining versions 1.3.1 and 1.3.2 reveals their similarities and subtle differences that might influence a developer's decision to upgrade.
Both versions share identical dependencies: depd, basic-auth, and on-finished, which handle deprecation warnings, basic authentication, and request completion events, respectively. They also use the same development dependencies, including mocha and should for testing, istanbul for code coverage, and supertest for HTTP request testing. This consistency indicates a stable core functionality and testing methodology. The license remains MIT, underscoring its permissive terms. The repository and author details are identical, indicating that the project's origin and maintainership didn't change between these versions.
The key difference lies in the version number and the releaseDate. Version 1.3.2 was released on September 28, 2014, approximately two weeks after version 1.3.1, which was released on September 14, 2014. While seemingly minor, this version bump suggests a patch or minor enhancement. Developers should investigate the changelog between these dates to determine the specific changes. It is generally recommended to upgrade to the latest patch version within the same minor version, as these updates often include bug fixes and minor improvements without introducing breaking changes. Therefore, using version 1.3.2 is likely preferable unless there are specific compatibility concerns. The URL to download the package (dist.tarball) is also different, and reflects the version change.
All known vulnerabilities affecting version 1.3.2 of the package
Code Injection in morgan
Versions of morgan before 1.9.1 are vulnerable to code injection when user input is allowed into the filter or when combined with a prototype pollution attack.
Update to version 1.9.1 or later.
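An added example, not part of this advisory or of the morgan project: a dependency-free Node.js check that walks a constructed package-lock.json style dependency tree and flags every installed copy of morgan below the fixed version 1.9.1, including nested copies pulled in transitively. The lock-file shape and the version comparison helper are assumptions for this example.

```javascript
// Added example: flag installed morgan versions below the 1.9.1 fix.
// The lock-file excerpt further down is constructed for illustration.
const FIXED = '1.9.1';

// Compare two dotted version strings numerically (pre-release tags are
// ignored, which is sufficient for morgan's plain x.y.z releases).
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Recursively walk a lockfile-v1 style "dependencies" tree and collect the
// install path of every morgan copy older than FIXED (nested copies count,
// since a transitive dependency can still end up logging requests).
function findVulnerableMorgan(deps, path = []) {
  const hits = [];
  for (const [name, info] of Object.entries(deps || {})) {
    const here = [...path, `${name}@${info.version}`];
    if (name === 'morgan' && compareVersions(info.version, FIXED) < 0) {
      hits.push(here.join(' > '));
    }
    hits.push(...findVulnerableMorgan(info.dependencies, here));
  }
  return hits;
}

// Constructed sample: a direct morgan 1.3.2, a patched transitive 1.9.1,
// and a nested vulnerable 1.8.2 hidden two levels down.
const SAMPLE_LOCK = {
  dependencies: {
    morgan: { version: '1.3.2' },
    'some-framework': {
      version: '2.0.0',
      dependencies: {
        morgan: { version: '1.9.1' },
        'legacy-logger': {
          version: '0.1.0',
          dependencies: { morgan: { version: '1.8.2' } },
        },
      },
    },
  },
};

const report = findVulnerableMorgan(SAMPLE_LOCK.dependencies);
console.log(report.length ? report.join('\n') : 'no vulnerable morgan found');
```

For a real project, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync('package-lock.json'))` and fail the build when the list is non-empty.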