npm - @meadown/logger - Versions diffs - 1.5.0 → 1.5.2 - Mend

@meadown/logger 1.5.0 → 1.5.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/README.md CHANGED Viewed

@@ -14,7 +14,11 @@ No dependencies. No config. Import it and you're done.
 ## Install
 ```bash
+pnpm add @meadown/logger
+# or
 npm install @meadown/logger
+# or
+yarn add @meadown/logger
 ```
 ## Using it
@@ -32,14 +36,15 @@ customLog.error("Something went wrong")
 You'll see something like:
 ```text
-[INFO] 05-30 04:00:00 PM (server.ts:42)
-└── Auth user logged in
+[INFO]
+├── Auth user logged in
+└── 05-30 04:00:00 PM - (server.ts:42)
 ```
-The first line carries the level tag — `[INFO]`, `[WARN]`, or `[ERROR]` — a short
-local timestamp (month-day and 12-hour time), and the source location. Your message
-hangs off a `└──` branch on the line below (colored to match the level), so it's easy
-to scan down a busy terminal.
+Each entry is a little tree: the level tag — `[INFO]`, `[WARN]`, or `[ERROR]` — on
+top, your message hanging off a `├──` branch, and a short local timestamp
+(month-day, 12-hour time) plus the source location on the `└──` branch below.
+Entries are spaced apart by a blank line so they're easy to scan in a busy terminal.
 ### One thing if you re-export it
@@ -59,12 +64,13 @@ export const customLog = (...args) => log(...args)
 ## Color-coded levels
 The level tag is colored so you can spot what matters at a glance — `[INFO]` in
-cyan, `[WARN]` in yellow, `[ERROR]` in red. The `(file:line)` location is dimmed to
-light gray so it stays out of the way, and the timestamp is left plain.
+cyan, `[WARN]` in yellow, `[ERROR]` in red. The timestamp and source location are
+tinted teal, and the tree branches sit in a quiet gray, so the colored level tag is
+what your eye lands on first.
 Colors appear automatically when you're in a terminal. When output is piped to a
-file or another program, the tag prints as plain `[INFO]` text — no stray color
-codes in your log files. Nothing to configure.
+file or another program, everything prints as plain text — no stray color codes in
+your log files. Nothing to configure.
 ## Click to open the source
@@ -108,6 +114,14 @@ developing and go silent in production. The only thing that flips the switch is
 So leave your logs in the code. Once you ship with `NODE_ENV=production`, they just
 quietly step aside.
+## Security
+It's a tiny, zero-dependency package with no file, network, or dynamic-code access.
+See [SECURITY.md](https://github.com/meadown/meadown-logger/blob/main/SECURITY.md)
+for the security model and how to report a vulnerability. One thing to know: like
+`console.log`, log arguments are written to the terminal as-is and are not
+sanitized — don't log untrusted data to a terminal you trust.
 ## License
 MIT © meadown

package/SECURITY.md ADDED Viewed

@@ -0,0 +1,50 @@
+# Security Policy
+## Reporting a vulnerability
+Please report security issues **privately** by email to
+[inbox.meadown@gmail.com](mailto:inbox.meadown@gmail.com).
+Include a description, the affected version, and steps to reproduce. We aim to
+acknowledge reports within a few days and to coordinate a fix and disclosure.
+> Once this repository is public, reports can also be filed via GitHub Security
+> Advisories ("Report a vulnerability" under the Security tab).
+## Supported versions
+Only the latest published `@meadown/logger` release receives security fixes.
+## Security model
+`@meadown/logger` is intentionally minimal, which keeps its attack surface small:
+- **Zero runtime dependencies.** Installing the package pulls in no transitive
+  packages, so there is no third-party supply-chain surface to inherit.
+- **No I/O or dynamic execution.** It does not read or write files, open network
+  connections, spawn processes, or use `eval`/`Function`. It only writes to the
+  console and reads `process.env.NODE_ENV` (to stay quiet in production).
+- **Nothing is persisted.** Log output is never written to disk, so the logger
+  cannot leak logged data to a temp file or similar.
+## Trust boundary: log arguments are output, not input
+Like `console.log` itself, this logger passes the arguments you give it through
+to the terminal as output. **It does not sanitize them.**
+If you log **untrusted data** (user input, third-party API responses, etc.) that
+contains terminal control or escape sequences (ANSI `\x1b[…`, OSC-8 hyperlinks,
+carriage returns), those sequences reach the terminal and can manipulate it —
+e.g. overwrite previously printed text or spoof a clickable link. This is an
+inherent property of writing untrusted text to a terminal, not specific to this
+package.
+Guidance:
+- Treat log output as you would any other untrusted text rendered in a terminal.
+- Do not log raw untrusted input to a terminal or log stream you treat as
+  trusted; sanitize or encode it first if that is a concern in your environment.
+The clickable source link the logger emits is built from the runtime call
+stack's file path (encoded via `node:url`'s `pathToFileURL`), not from your
+arguments, so the logger's own escape sequences are not attacker-influenced.

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@meadown/logger",
-  "version": "1.5.0",
+  "version": "1.5.2",
   "description": "A tiny, zero-dependency logger for Node.js and TypeScript that tags each line, timestamps it, shows the source file and line, and goes quiet in production.",
   "keywords": [
     "logger",
@@ -39,7 +39,8 @@
     }
   },
   "files": [
-    "dist"
+    "dist",
+    "SECURITY.md"
   ],
   "engines": {
     "node": ">=18"