Hi folks!

I wonder if it's possible you could cut a new release with the 7.* snappy version. Depending on winston-loki with the older snappy has brought in a vulnerable simple-get in our project, and it seems we need a newer version of snappy to avoid it.
The relevant dependency path we see is:
```
Exposure of Sensitive Information in simple-get - https://github.com/advisories/GHSA-wpg7-2c88-r8xv
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/prebuild-install/node_modules/simple-get
  prebuild-install  <=6.1.4
  Depends on vulnerable versions of simple-get
  node_modules/prebuild-install
    snappy  6.1.0 - 6.3.5
    Depends on vulnerable versions of prebuild-install
    node_modules/snappy
      winston-loki  >=2.0.0
      Depends on vulnerable versions of snappy
      node_modules/winston-loki
```
(here `npm audit fix` is suggesting we downgrade to an old version because of the dependency on `snappy->prebuild-install`.)
Thanks!
mattgodbolt changed the title from "New version with snappy fix" to "Request - please cut a new version with snappy fix" on Feb 1, 2022
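Added example, not part of the original issue or of winston-loki's code: a small Node.js walker that reproduces the kind of chain `npm audit` reports above by following a `package-lock.json` "packages" map from the project root to a named package. The lockfile is constructed for illustration; `example-app`, `other-lib` and every version marked `placeholder` are assumptions, not values from the issue.

```javascript
// Constructed package-lock.json (lockfileVersion 2/3 "packages" map) mirroring the
// chain in the audit output. Versions marked "placeholder" are not from the page.
const sampleLock = {
  packages: {
    '': { name: 'example-app', dependencies: { 'winston-loki': '*', 'other-lib': '*' } },
    'node_modules/other-lib': { version: '0.0.0-placeholder' },
    'node_modules/winston-loki': { version: '0.0.0-placeholder', dependencies: { snappy: '*' } },
    'node_modules/snappy': { version: '6.3.5', dependencies: { 'prebuild-install': '*' } },
    'node_modules/prebuild-install': { version: '6.1.4', dependencies: { 'simple-get': '*' } },
    'node_modules/prebuild-install/node_modules/simple-get': { version: '0.0.0-placeholder' },
  },
};

// Resolve a dependency name the way Node does: look in the requiring package's own
// node_modules first, then in each enclosing node_modules up to the project root.
function resolveDep(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + '/' : '') + 'node_modules/' + name;
    if (packages[candidate]) return candidate;
    if (!base) return null; // not installed (e.g. a skipped optional dependency)
    const cut = base.lastIndexOf('/node_modules/');
    base = cut === -1 ? '' : base.slice(0, cut);
  }
}

// Return every chain of packages leading from the project root to `target`.
function findDependencyPaths(lock, target) {
  const packages = lock.packages;
  const found = [];
  const walk = (path, chain, seen) => {
    const pkg = packages[path];
    const deps = { ...pkg.dependencies, ...pkg.optionalDependencies,
      ...(path === '' ? pkg.devDependencies : {}) };
    for (const name of Object.keys(deps)) {
      const resolved = resolveDep(packages, path, name);
      if (!resolved || seen.has(resolved)) continue; // missing, or a cycle
      const next = [...chain, `${name}@${packages[resolved].version}`];
      if (name === target) found.push(next.join(' > '));
      else walk(resolved, next, new Set(seen).add(resolved));
    }
  };
  walk('', [], new Set(['']));
  return found;
}

console.log(findDependencyPaths(sampleLock, 'simple-get'));
```

Pointing the same function at a real lockfile shows which direct dependency has to publish a release before the transitive package can be upgraded.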