Summary
@tryghost/logging depends on bunyan and a constellation of bunyan-based transports that are all effectively unmaintained:
| Dependency | Version | Last Published | Notes |
|---|---|---|---|
| bunyan | 1.8.15 | Jan 2021 | 5+ years inactive |
| bunyan-loggly | 2.0.1 | Aug 2022 | Pulls in node-loggly-bulk, which previously pulled in the deprecated request |
| @tryghost/bunyan-rotating-filestream | 0.0.7 | Mar 2021 | Ghost-owned, unmaintained |
| gelf-stream | 1.1.1 | May 2016 | 10 years inactive |
This dependency chain has already caused a critical Dependabot alert (#22) via node-loggly-bulk@3.x → request → form-data@2.3.3 (the CVE for predictable multipart boundaries). That was mitigated with a yarn resolution forcing node-loggly-bulk@4.x, but a resolution only pins the one path that was reported; the underlying problem is a stale dependency tree that nobody upstream is patching.
What GhostLogger actually uses from bunyan
The usage in GhostLogger.js is thin — essentially just bunyan.createLogger() with streams. The substantial logic (serializers, sensitive data redaction, transport routing, child loggers) is all in GhostLogger itself and is framework-agnostic.
Suggested approach
pino is the most natural replacement:
- Actively maintained, high performance
- Its JSON record shape and numeric levels (10–60) line up with bunyan's, so there is a practical migration path for existing log consumers
- Pretty printing and structured JSON logging out of the box; file rotation is not in pino core but is covered by the companion pino-roll transport (or an external logrotate)
- Rich transport ecosystem (pino-pretty, pino-elasticsearch, etc.)
The migration would involve:
- Replace bunyan.createLogger() calls with pino() equivalents in GhostLogger.js
- Replace bunyan-loggly with a pino transport (or direct Loggly HTTP API)
- Replace gelf-stream with pino-gelf or similar
- Replace @tryghost/bunyan-rotating-filestream with a pino rotation transport such as pino-roll
- Remove lodash dependency (only 6 functions used, easily replaced with native JS)
Impact
This would eliminate 5 stale dependencies and reduce future security exposure from the unmaintained bunyan ecosystem.