.github/workflows/ci.yml

@@ -10,17 +10,24 @@ on:
       - main
       - master
 
+permissions:
+  contents: read #  to fetch code (actions/checkout)
+
 jobs:
   Tests:
+    permissions:
+      contents: read #  to fetch code (actions/checkout)
+      checks: write #  to create new checks (coverallsapp/github-action)
+
     runs-on: ubuntu-latest
     strategy:
       matrix:
         node:
-          - 12
-          - 14
           - 16
+          - 18
+          - 20
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - uses: actions/setup-node@v3
         with:
           node-version: ${{ matrix.node }}

.nycrc.yml

@@ -4,5 +4,5 @@ reporter:
 check-coverage: true
 branches: 61.51
 lines: 70.85
-functions: 73.21
-statements: 70.54
+functions: 70.00
+statements: 70.54

.prettierrc

@@ -0,0 +1,18 @@
+{
+  "arrowParens": "avoid",
+  "bracketSameLine": false,
+  "bracketSpacing": true,
+  "embeddedLanguageFormatting": "auto",
+  "insertPragma": false,
+  "jsxSingleQuote": false,
+  "printWidth": 80,
+  "proseWrap": "preserve",
+  "quoteProps": "as-needed",
+  "requirePragma": false,
+  "semi": true,
+  "singleQuote": true,
+  "tabWidth": 2,
+  "trailingComma": "none",
+  "useTabs": false,
+  "endOfLine": "auto"
+}

CHANGELOG.md

@@ -1,5 +1,72 @@
 # CHANGELOG
 
+## [v3.9.0](https://github.com/winstonjs/winston/compare/v3.8.2...v3.9.0)
+### Functionality changes
+* Handle undefined errors in getAllInfo in exception-handler in https://github.com/winstonjs/winston/pull/2208; thanks to new contributor @eivindrs
+* fix: properly allow passing non-array transport in https://github.com/winstonjs/winston/pull/2256; thanks to new contributor @Tanuel
+* fix #1732 (Http Transport uses JSON format options as request options) in https://github.com/winstonjs/winston/pull/2272; thanks to new contributor @MoritzLoewenstein (minor version bump per comment on the issue)
+* fix: add guard clause to prevent FD leak in https://github.com/winstonjs/winston/pull/2301; thanks to new contributor @td-tomasz-joniec
+
+### Dependency updates by @dependabot + CI autotesting
+* Bump eslint from 8.23.0 to 8.32.0 by @dependabot in https://github.com/winstonjs/winston/pull/2209, https://github.com/winstonjs/winston/pull/2236, https://github.com/winstonjs/winston/pull/2258, & https://github.com/winstonjs/winston/pull/2271
+* Bump @babel/core from 7.19.0 to 7.20.12 by @dependabot in https://github.com/winstonjs/winston/pull/2206, https://github.com/winstonjs/winston/pull/2234, https://github.com/winstonjs/winston/pull/2259, & https://github.com/winstonjs/winston/pull/2275
+* Bump @types/node from 18.0.0 to 18.11.18 by @dependabot in https://github.com/winstonjs/winston/pull/2215, https://github.com/winstonjs/winston/pull/2235, & https://github.com/winstonjs/winston/pull/2264
+* Bump @babel/preset-env from 7.19.0 to 7.20.2 by @dependabot in https://github.com/winstonjs/winston/pull/2218 & https://github.com/winstonjs/winston/pull/2244
+* Bump safe-stable-stringify from 2.3.1 to 2.4.3 by @dependabot in https://github.com/winstonjs/winston/pull/2217 & https://github.com/winstonjs/winston/pull/2292
+* Bump @babel/cli from 7.18.10 to 7.19.3 by @dependabot in https://github.com/winstonjs/winston/pull/2216
+* Bump json5 from 2.2.1 to 2.2.3 by @dependabot in https://github.com/winstonjs/winston/pull/2260
+
+### Documentation changes
+* Fix readme typo in https://github.com/winstonjs/winston/pull/2230; thanks to new contributor @aretecode
+* create new example for ready to use in https://github.com/winstonjs/winston/pull/2240; thanks to new contributor @myagizmaktav
+* minor fixes to publishing.md
+
+### Build Infrastructure changes
+* GitHub Workflows security hardening in https://github.com/winstonjs/winston/pull/2252; thanks to new contributor @sashashura
+
+## [v3.8.2](https://github.com/winstonjs/winston/compare/v3.8.1...v3.8.2)
+### Patch-level changes
+* Add `.js` to main entry point in package.json in https://github.com/winstonjs/winston/pull/2177; thanks to new contributor @rumanbsl
+* Small grammatical fixes in README.md in https://github.com/winstonjs/winston/pull/2183; thanks to new contributor @mikebarr24
+* Move colors to non-dev dependencies by @wbt in https://github.com/winstonjs/winston/pull/2190
+
+### Dependency updates by @dependabot + CI autotesting
+* Bump @babel/preset-env from 7.18.2 to 7.19.0 in https://github.com/winstonjs/winston/pull/2189
+* Bump @babel/cli from 7.17.10 to 7.18.10 in https://github.com/winstonjs/winston/pull/2173
+* Bump eslint from 8.18.0 to 8.23.0 in https://github.com/winstonjs/winston/pull/2184
+* Bump @babel/core from 7.18.5 to 7.19.0 in https://github.com/winstonjs/winston/pull/2192
+* Bump logform from 2.4.1 to 2.4.2 in https://github.com/winstonjs/winston/pull/2191
+
+## [v3.8.1](https://github.com/winstonjs/winston/compare/v3.8.0...v3.8.1)
+
+### Patch-level changes
+* Update types to match in-code definitions in https://github.com/winstonjs/winston/pull/2157; thanks to new contributor @flappyBug
+
+### Dependency updates by @dependabot + CI autotesting
+* Bump logform from 2.4.0 to 2.4.1 in https://github.com/winstonjs/winston/pull/2156
+* Bump async from 3.2.3 to 3.2.4 in https://github.com/winstonjs/winston/pull/2147
+## [v3.8.0](https://github.com/winstonjs/winston/compare/v3.7.2...v3.8.0) / 2022-06-23
+### Added functionality
+* Add the stringify replacer option to the HTTP transport by @domiins in https://github.com/winstonjs/winston/pull/2155
+
+### Dependency updates by @dependabot + CI autotesting
+* Bump @babel/core from 7.17.8 to 7.18.5
+* Bump eslint from 8.12.0 to 8.18.0
+* Bump @types/node from 17.0.23 to 18.0.0
+* Bump @babel/preset-env from 7.16.11 to 7.18.2
+* Bump @babel/cli from 7.17.6 to 7.17.10
+
+### Updates facilitating repo maintenance & enhancing documentation
+* Explicitly note that the Contributing.md file is out of date
+* Add instructions for publishing updated version by @wbt (docs/publishing.md)
+* Prettier Config File by @jeanpierrecarvalho in https://github.com/winstonjs/winston/pull/2092
+* Readme update to explain origin of errors for handling (#2120)
+* update documentation for #2114 by @zizifn in https://github.com/winstonjs/winston/pull/2138
+* enhance message for logs with no transports #2114 by @zizifn in https://github.com/winstonjs/winston/pull/2139
+* Added a new Community Transport option to the list: Worker Thread based async Console Transport by @arpad1337 in https://github.com/winstonjs/winston/pull/2140
+
+Thanks especially to new contributors @zizifn, @arpad1337, @domiins, & @jeanpierrecarvalho!
+
 ## v3.7.2 / 2022-04-04
 This change reverts what should have been the feature-level update in 3.7.0 due to issue #2103 showing this to be breaking, unintentionally.
 

CONTRIBUTING.md

@@ -1,4 +1,5 @@
 # CONTRIBUTING
+PLEASE NOTE: This document has not been updated in a while and is out of date, but contents are retained as some may still be useful.
 
 TL;DR? The `winston` project recently shipped `3.0.0` out of RC and is actively
 working towards the next feature release as it continues to triage issues. 

README.md

@@ -78,6 +78,9 @@ if (process.env.NODE_ENV !== 'production') {
 You may also log directly via the default logger exposed by
 `require('winston')`, but this merely intended to be a convenient shared
 logger to use throughout your application if you so choose.
+Note that the default logger doesn't have any transports by default.
+You need add transports by yourself, and leaving the default logger without any
+transports may produce a high memory usage issue.
 
 ## Table of contents
 
@@ -149,7 +152,7 @@ A logger accepts the following parameters:
 
 | Name          | Default                     |  Description    |
 | ------------- | --------------------------- | --------------- |
-| `level`       | `'info'`                    | Log only if [`info.level`](#streams-objectmode-and-info-objects) less than or equal to this level  |
+| `level`       | `'info'`                    | Log only if [`info.level`](#streams-objectmode-and-info-objects) is less than or equal to this level  |
 | `levels`      | `winston.config.npm.levels` | Levels (and colors) representing log priorities            |
 | `format`      | `winston.format.json`       | Formatting for `info` messages  (see: [Formats])           |
 | `transports`  | `[]` _(No transports)_      | Set of logging targets for `info` messages                 |
@@ -223,6 +226,7 @@ const logger = winston.createLogger({
 
 const childLogger = logger.child({ requestId: '451' });
 ```
+> `.child` is likely to be bugged if you're also extending the `Logger` class, due to some implementation details that make `this` keyword to point to unexpected things. Use with caution.
 
 ### Streams, `objectMode`, and `info` objects
 
@@ -453,7 +457,7 @@ considered for future releases.
 caller. (See: [Filtering `info` Objects](#filtering-info-objects)) below.
 
 `winston.format` is designed to be as simple as possible. To define a new
-format simple pass it a `transform(info, opts)` function to get a new
+format, simply pass it a `transform(info, opts)` function to get a new
 `Format`.
 
 The named `Format` returned can be used to create as many copies of the given
@@ -761,11 +765,11 @@ const logger = winston.createLogger({
       level: 'error',
       format: winston.format.json()
     }),
-    new transports.Http({
+    new winston.transports.Http({
       level: 'warn',
       format: winston.format.json()
     }),
-    new transports.Console({
+    new winston.transports.Console({
       level: 'info',
       format: winston.format.combine(
         winston.format.colorize(),
@@ -966,7 +970,7 @@ setTimeout(function () {
 }, 1000);
 ```
 
-Also you can start a timer and keep a reference that you can call `.done()``
+Also you can start a timer and keep a reference that you can call `.done()`
 on:
 
 ``` js
@@ -1091,12 +1095,13 @@ logger.info('CHILL WINSTON!', { seriously: true });
 logger.end();
 ```
 
-It is also worth mentioning that the logger also emits an 'error' event which
+It is also worth mentioning that the logger also emits an 'error' event
+if an error occurs within the logger itself which
 you should handle or suppress if you don't want unhandled exceptions:
 
 ``` js
 //
-// Handle errors
+// Handle errors originating in the logger itself
 //
 logger.on('error', function (err) { /* Do Something */ });
 ```

UPGRADE-3.0.md

@@ -24,6 +24,8 @@
 - `winston.Logger` has been replaced with `winston.createLogger`.
 - `winston.setLevels` has been removed. Levels are frozen at the time of Logger creation.
 - Setting the level on the default `winston` logger no longer sets the level on the transports associated with the default `winston` logger.
+- The default logger exposed by `require('winston')` no longer has default `Console` transports, 
+and leaving it without transports may cause a high memory usage issue.
 
 ### Transports
 - `winston.transports.Memory` was removed. Use any Node.js `stream.Writeable` with a large `highWaterMark` instance instead.
@@ -39,7 +41,8 @@
     - `debugStdout` option has been removed.
 
 ### `winston.Container` and `winston.loggers`
-- `winston.Container` instances no longer have default `Console` transports
+- `winston.Container` instances no longer have default `Console` transports.
+Failing to add any transports may cause a high memory usage issue.
 - `winston.Container.prototype.add` no longer does crazy options parsing. Implementation inspired by [segmentio/winston-logger](https://github.com/segmentio/winston-logger/blob/master/lib/index.js#L20-L43)
 
 ### `winston.Logger`

docs/publishing.md

@@ -0,0 +1,23 @@
+The release process here mostly follows along with the [vbump script](https://github.com/indexzero/vbump) that @indexzero wrote several years ago, but the main steps for a release are as follows:
+
+1. Complete merging in any PRs that should be part of the release.
+1. On the [Releases tab](https://github.com/winstonjs/winston/releases) in the GitHub UI, click 'Draft a new release' in the upper right corner.
+1. Under the 'Choose a tag' dropdown, type the name of the new version starting with a v (e.g. `v3.7.0`) and don't forget to click the 'Create new tag on publish' option below (this step is annoyingly easy to miss):
+![image](https://user-images.githubusercontent.com/563406/160644343-69325988-4ca2-4329-93da-e08266269506.png)
+1. Paste the same version number, with or without the v (with is probably better) in the release title box.
+1. Click 'Generate release notes' and cut & paste the draft contents into the changelog.
+1. Paste the contents of the changelog for this release in the 'Describe this release' box.
+1. Check to make sure you've caught everything (including direct commits) using GitHub's compare tool ([example here](https://github.com/winstonjs/winston/compare/v3.6.0...master)).
+1. Update the changelog. It's nice to thank the contributors here.  It's nice to organize this by which changes would merit which level of semver bump, and especially call out any breaking changes (major-version-number) concisely at the start.
+1. **Update the version number in package.json and package-lock.json**, bumping as appropriate for [semver](https://semver.org/) based on the most significant position change trigger from the changelog you just wrote/reviewed.  Do not miss this step! Also note there are two places in package-lock where this gets updated: at the top level and under the empty-string entry of packages.
+1. Update the tag and version number on the Draft a New Release page, with the same number (which might've changed while drafting changelog notes).
+1. Make sure your local master branch is up to date.
+1. Make sure all the lint checks and tests pass, beyond what the CI might've told you.
+1. Paste the contents of the changelog for this release in the 'Describe this release' box on the Draft a Release page.
+1. Click "Publish release."
+1. Back on the command line, `npm publish` and complete npm 2FA as needed.
+1. Update the distribution tags, for example: `npm dist-tag add winston@3.7.0 3.x-latest`.
+1. Verify the distribution tags look correct under the 'Versions' tab at https://www.npmjs.com/package/winston or with `npm dist-tag ls`.
+1. Keep a closer-than-usual eye on issues in the hours and days that follow, prepared to quickly revert/address anything that might be associated with that release.
+
+A more professional version of this would probably use a release branch off master to make sure no other maintainers merge a PR into master between the loading of a compare view for changelog preparation and completion of the process, but we're such a small team that the extra steps are probably not needed. After release, you can also verify with the compare view between the new and prior release tags to see when the latest change was and verify it was before you started the process.