winston
A logger for just about everything.
51
Versions
MIT
License
No
Install Scripts
Missing
Provenance
Supply chain provenance
Status for the latest visible version.
No SLSA provenance
npm registry signatures
gitHead linked
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
chjjjcrugzzv1indexzero3rdedendabhw-b-tmaverick18722
Keywords
winstonloggerlogginglogssysadminbunyanpinologleveltoolsjsonstream
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | large-new-source-files | AI (source-diff): Winston's growth in source files reflects legitimate transport module expansion; consistent with the library's documented architecture and historical release pattern. | ai | |
| source-diff | source-size-tripled | AI (source-diff): Size increase is consistent with addition of new transport modules and features in this well-established logging library; no injected or obfuscated code present. | ai | |
| source-diff | obfuscated-file:coverage/lcov-report/prettify.js | AI (source-diff): Google code-prettify minified JS bundled by nyc/Istanbul in lcov HTML coverage reports. Standard coverage tooling artifact, not obfuscated malware. | ai | |
| dependencies | unvetted-dep:request | AI (dependencies): request is a well-known HTTP client legitimately used by winston for HTTP-based transports; stable false positive for this package. | ai | |
| dependencies | unvetted-dep:loggly | AI (dependencies): loggly is a documented transport backend for winston; its inclusion is intentional and expected across all winston versions. | ai | |
| dependencies | unvetted-dep:riak-js | AI (dependencies): riak-js is a documented Riak transport backend for winston; its inclusion is intentional and expected across early winston versions. | ai | |
| phantom-deps | phantom-dep:eyes | AI (phantom-deps): eyes is a legitimate utility declared as a dependency in winston's package.json; its indirect usage is a known artifact of this package's design. No security concern. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Dynamic require in transports.js is an intentional, documented design pattern for lazy-loading named transport modules; not a security risk for this package. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): Removal of pose is consistent with maintainer transition, not a takeover signal. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): New deps (@dabh/diagnostics, safe-stable-stringify) are established packages aligned with logging functionality. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): New maintainers (dabh, w-b-t) reflect normal handoff; publisher track record is clean. | ai | |
| provenance | publisher-changed | AI (provenance): Legitimate maintainer transition to w-b-t (established publisher); canonical repo URL confirms no takeover. | ai | |
| phantom-deps | phantom-dep:@colors/colors | AI (phantom-deps): Phantom dependency is a code organization issue, not a security concern; referenced in config as intended. | ai | |
| dependencies | unvetted-dep:logform | AI (dependencies): logform is the official log formatting library for the winstonjs ecosystem, maintained by the same team. | ai | |
| dependencies | unvetted-dep:one-time | AI (dependencies): one-time is a small, well-known utility and a long-standing legitimate dependency of winston. | ai | |
| dependencies | unvetted-dep:triple-beam | AI (dependencies): triple-beam is part of the official winstonjs ecosystem and a long-standing legitimate dependency. | ai | |
| dependencies | unvetted-dep:@colors/colors | AI (dependencies): @colors/colors is a well-known terminal color library and a legitimate dependency of winston. | ai | |
| dependencies | unvetted-dep:@dabh/diagnostics | AI (dependencies): @dabh/diagnostics is maintained by the same maintainer (dabh) and is a legitimate dependency of winston. | ai | |
| dependencies | unvetted-dep:winston-transport | AI (dependencies): winston-transport is part of the official winstonjs ecosystem and a long-standing legitimate dependency. | ai | |
| dependencies | unvetted-dep:safe-stable-stringify | AI (dependencies): safe-stable-stringify is a well-known serialization utility and a legitimate dependency of winston. | ai | |
| provenance | no-provenance | AI (provenance): Provenance attestation is a best-practice recommendation, not a security blocker for established packages. | ai | |
| dependencies | unvetted-dep:stack-trace | AI (dependencies): stack-trace is a minimal, long-standing utility; appropriate for logging library stack parsing. | ai | |
| dependencies | unvetted-dep:async | AI (dependencies): async is a well-known, widely-used utility library and a long-standing legitimate dependency of winston. | ai |
Versions (showing 51 of 80)
| Version | Deps | Published |
|---|---|---|
| 3.19.0 | 11 / 16 | |
| 3.18.3 | 11 / 17 | |
| 3.18.2 | 11 / 17 | |
| 3.18.1 | 11 / 17 | |
| 3.18.0 | 11 / 17 | |
| 3.17.0 | 11 / 17 | |
| 3.16.0 | 11 / 17 | |
| 3.15.0 | 11 / 17 | |
| 3.14.2 | 11 / 17 | |
| 3.14.1 | 11 / 17 | |
| 3.14.0 | 11 / 17 | |
| 3.13.1 | 11 / 17 | |
| 3.13.0 | 11 / 17 | |
| 3.12.1 | 11 / 17 | |
| 3.12.0 | 11 / 17 | |
| 3.11.0 | 11 / 17 | |
| 3.10.0 | 11 / 17 | |
| 3.9.0 | 11 / 17 | |
| 3.8.2 | 11 / 17 | |
| 3.8.1 | 10 / 18 | |
| 3.8.0 | 10 / 18 | |
| 3.7.2 | 10 / 18 | |
| 3.7.1 | 10 / 18 | |
| 3.6.0 | 10 / 18 | |
| 3.5.1 | 10 / 17 | |
| 3.5.0 | 10 / 17 | |
| 3.4.0 | 9 / 17 | |
| 3.3.4 | 9 / 17 | |
| 3.3.3 | 9 / 17 | |
| 3.3.2 | 9 / 17 | |
| 3.3.1 | 9 / 17 | |
| 3.3.0 | 9 / 17 | |
| 3.2.1 | 9 / 17 | |
| 3.2.0 | 9 / 17 | |
| 3.1.0 | 9 / 14 | |
| 3.0.1 | 9 / 14 | |
| 3.0.0 | 9 / 14 | |
| 2.4.7 | 6 / 4 | |
| 2.4.6 | 6 / 4 | |
| 2.4.5 | 6 / 4 | |
| 2.4.4 | 6 / 4 | |
| 2.4.2 | 6 / 4 | |
| 2.4.1 | 6 / 4 | |
| 2.4.0 | 6 / 4 | |
| 2.3.1 | 6 / 4 | |
| 2.3.0 | 6 / 4 | |
| 2.2.0 | 7 / 4 | |
| 2.1.1 | 7 / 4 | |
| 2.1.0 | 7 / 3 | |
| 2.0.1 | 7 / 3 | |
| 2.0.0 | 7 / 3 |