theapplefreak / winston-slack-webhook-transport Goto Github PK

I am using "winston": "^3.3.3" and "winston-slack-webhook-transport": "^2.1.0". After your version update today, I had to fix the version to "2.1.0". Otherwise I am getting Cannot read properties of undefined (reading 'create') on PRODUCTION which is really annoying.

TypeError: Cannot read properties of undefined (reading 'create')
    at new SlackHook (/Users/my-path/node_modules/winston-slack-webhook-transport/slackHook.js:24:32)
    at Object.<anonymous> (/Users/my-path/src/utils/helpers/logger.helper.ts:78:5)
    at Module._compile (node:internal/modules/cjs/loader:1105:14)
    at Module.m._compile (/Users/my-path/node_modules/ts-node/src/index.ts:1056:23)
    at Module._extensions..js (node:internal/modules/cjs/loader:1159:10)
    at Object.require.extensions.<computed> [as .ts] (/Users/my-path/node_modules/ts-node/src/index.ts:1059:12)
    at Module.load (node:internal/modules/cjs/loader:981:32)
    at Function.Module._load (node:internal/modules/cjs/loader:827:12)
    at Module.require (node:internal/modules/cjs/loader:1005:19)
    at require (node:internal/modules/cjs/helpers:102:18)

Version: 2.1.0

When i try to only return text for the defined log-level like this:

this.logger.add(
        new SlackHook({
          webhookUrl: slackHookURl,
          level: 'verbose',
          formatter: (info) => {
            if (info.level == 'verbose') {
              return { text: info.message };
            }
          },
        }),
      );

the Hook will not work anymore.
Only if i return something in every other case, it starts working again.

this.logger.add(
        new SlackHook({
          webhookUrl: slackHookURl,
          level: 'verbose',
          formatter: (info) => {
            if (info.level == 'verbose') {
              return { text: info.message };
            }
            return { text: ' ' };
          },
        }),
      );

Getting error when using the suggested code:

const slackLogger = winston.createLogger({
  level: "info", 
  transports: [
    new SlackHook({ 
      webhookUrl: "https://hooks.slack.com/services/xxx/xxx/xxx"
    })
  ]
});

'new' expression, whose target lacks a construct signature, implicitly has an 'any' type.ts(7009)

Probably due to " "noImplicitAny": true, " in tsconfig.json. But I think the types are wrong, no?

Installed withouth issue, added slack webhook URL, tested sending an error via Vitest. Test completes, no message sent to Slack.

Using Winston 3.12.0 on Node 20

What do you think of allowing for an attachment formatter function?
The reason is that having meta information formatted as an attachment is not necessarily great for other transports (file, console, etc ...).
By having an attachmentFormatter (or transformer whatever name you prefer) function, it would be possible to convert the generic meta information into attachment just for slack.

    if (this.attachmentFormatter && typeof this.attachmentFormatter === 'function') {
      payload.attachments = this.attachmentFormatter(info)
    } else {
      // for compatibility with the way it currently works
      let attachments = []
      let attachmentKeys = Object.keys(info).filter(key => !isNaN(parseInt(key)))
      attachmentKeys.forEach(key => attachments.push(info[key]))
      payload.attachments = attachments
    }

Hi,
I need to send warning messages but not error messages to a Slack channel. How can/should I achieve this? I tried to send false in formatter (as suggested here: https://github.com/winstonjs/winston#filtering-info-objects) but it throws:

(node:11417) UnhandledPromiseRejectionWarning: Error: Request failed with status code 400

Thanks!

CVE-2023-45857 - Medium Severity Vulnerability

Vulnerable Library - axios-1.5.1.tgz

Library home page: https://registry.npmjs.org/axios/-/axios-1.5.1.tgz

Dependency Hierarchy:

• winston-slack-webhook-transport-2.3.2.tgz (Root Library)
  • ❌ axios-1.5.1.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

An issue discovered in Axios 1.5.1 inadvertently reveals the confidential XSRF-TOKEN stored in cookies by including it in the HTTP header X-XSRF-TOKEN for every request made to any host allowing attackers to view sensitive information.

Publish Date: 2023-11-08

URL: CVE-2023-45857

CVSS 3 Score Details (5.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: axios/axios#6006

Release Date: 2023-11-08

Fix Resolution: axios - 1.6.0

@jbojbo reached out to me on Twitter with an interesting issue where if for whatever reason Axios throws an error, it'll be treated as an unhandled exception by Node and will cause the entire application to crash. Among other things, this could happen if Slack was to return an API error such as a 429 Too Many Requests. I'd noticed this issue in my own applications in the form of unpredictable and intermittent crashes, but I had never actually identified the issue myself.

The source of the issue boils down to where the post request to the webhook is actually made, but what confuses me is that there is an error handler on that already. Why is Node treating it as an unhandled error?

Hello there! I hope you are having a great day.

I've found this issue (described in the title) while trying to work with the plugin locally.

I use the following simple configuration:

const logger = winston.createLogger({
  level: 'info',
  format: winston.format.json(),
  defaultMeta: { service: 'user-service' },
  transports: [],
});

if (process.env.NODE_ENV !== ENVIRONMENTS.PROD) {
  logger.add(
    new winston.transports.Console({
      level: LEVELS.DEBUG,
      format: winston.format.simple(),
    })
  );

  logger.add(
    new SlackHook({
      level: LEVELS.DEBUG,
      webhookUrl: process.env.NEXT_PUBLIC_SLACK_LOGGING_WEBHOOK_URL,
    })
  );
}

export { logger };

And then try to log a simple message:

logger.error('whats going on here');

I would expect to find the error both in the console and in Slack, however Slack's call fails:

Access to XMLHttpRequest at 'https://hooks.slack.com/services/xxx/xxx/xxx' from origin 'http://localhost:3000' has been blocked by CORS policy: Request header field content-type is not allowed by Access-Control-Allow-Headers in preflight response.

Here you can take a look to the request headers as provided by this plugin:

And here the payload being sent:

{
    "unfurl_links": false,
    "unfurl_media": false,
    "mrkdwn": false,
    "text": "error: whats going on here"
}

Do you know how to fix this? Can I help in any way?

Could the option for overriding the default webhook channel be supported? Slack added this somewhat recently I think in their webhook API options, all you have to do is specify a channel: ${your channel here} in the JSON payload.

If you're accepting PR's, I would be happy to submit one.