bunyan - npm Package Compare versions

Comparing version 1.8.12 to 1.8.13

CHANGES.md

@@ -13,2 +13,14 @@ # bunyan Changelog
 
+## 1.8.13
+
+- Fix a vulnerability from a crafted argument to 'bunyan -p ARG'
+
+  This was reported privately as:
+      https://hackerone.com/reports/902739
+      bunyan - RCE via insecure command formatting
+
+  Previous to this version the 'bunyan' CLI was not escaping a given argument
+  to the '-p' option before executing `ps -A -o pid,command | grep '$ARG'`
+  which could lead to unintended execution.
+
 ## 1.8.12
@@ -15,0 +27,0 @@

lib/bunyan.js

@@ -11,3 +11,3 @@ /**
 
-var VERSION = '1.8.12';
+var VERSION = '1.8.13';
 
@@ -14,0 +14,0 @@ /*

package.json

 {
   "name": "bunyan",
-  "version": "1.8.12",
+  "version": "1.8.13",
   "description": "a JSON logging library for node.js services",
@@ -10,3 +10,2 @@ "author": "Trent Mick <trentm@gmail.com> (http://trentm.com)",
   },
-
   "repository": {
@@ -16,6 +15,13 @@ "type": "git",
   },
-  "engines": ["node >=0.10.0"],
-  "keywords": ["log", "logging", "log4j", "json", "bunyan"],
+  "engines": [
+    "node >=0.10.0"
+  ],
+  "keywords": [
+    "log",
+    "logging",
+    "log4j",
+    "json",
+    "bunyan"
+  ],
   "license": "MIT",
-
   "// dtrace-provider": "required for dtrace features",
@@ -37,8 +43,6 @@ "// mv": "required for RotatingFileStream",
   },
-
   "scripts": {
     "test": "make test"
   },
-  "dependencies": {
-  }
+  "dependencies": {}
 }

New alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Fixed alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Improved metrics

Total package byte prevSize

446315

increased by0.18%

Worsened metrics

Number of package files

16

decreased by-5.88%

No dependency changes