Is your maintenance request related to a problem? Please describe.
A CVE was published for log4js, leading npm audit, Snyk, and I'm sure other security tools to raise concerns about it through the Stryker-js core package (and possibly others, I didn't check).
Now, I don't think this vulnerability is a real concern for Stryker users, nevertheless I think it's worth updating - even if just to err on the safe side.
Describe the solution you'd like
Update log4js to a recommended version, i.e. 6.4.0 or higher.
Describe alternatives you've considered
End-users can ignore the CVE; I don't think that's a good idea if it's not necessary. In this case, updating the vulnerable dependency should be straightforward as no major version bump is required for the fix.
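As an added illustration (not code from this issue or from the Stryker project), the script below walks an npm lockfile and reports every resolved copy of log4js, including copies nested under other packages such as the Stryker core package, that is still below the 6.4.0 floor mentioned above. The lockfile contents and all versions in it are constructed.

```javascript
// Added example: find every copy of a package in an npm lockfile (v2/v3
// "packages" map) whose version is below a minimum fixed version.

function parseVersion(v) {
  // Only major.minor.patch is compared; any pre-release suffix is ignored.
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

function findBelowFloor(lock, pkgName, fixedVersion) {
  const results = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    // Lockfile keys are install paths; the package name is everything after
    // the last "node_modules/" segment (scoped names keep their "@scope/").
    const idx = path.lastIndexOf("node_modules/");
    if (idx === -1) continue;
    const name = path.slice(idx + "node_modules/".length);
    if (name !== pkgName || !entry.version) continue;
    if (compareVersions(entry.version, fixedVersion) < 0) {
      results.push({ path, version: entry.version });
    }
  }
  return results;
}

// Constructed sample lockfile: the root resolves a fixed log4js, but an older
// copy is nested under the Stryker core package, which is the copy an audit
// tool would still flag. Versions here are made up for the example.
const sampleLock = {
  lockfileVersion: 2,
  packages: {
    "": { name: "my-app", version: "1.0.0" },
    "node_modules/log4js": { version: "6.4.1" },
    "node_modules/@stryker-mutator/core": { version: "0.0.0" },
    "node_modules/@stryker-mutator/core/node_modules/log4js": { version: "6.3.0" },
  },
};

console.log(findBelowFloor(sampleLock, "log4js", "6.4.0"));
```

Run it against a real project by replacing `sampleLock` with `JSON.parse(fs.readFileSync("package-lock.json"))`; an empty result means every resolved copy meets the floor.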
Thanks for reaching out. We have been experiencing issues with upgrading log4js for some time, see log4js-node/log4js-node#1037. But this issue bumps the priority to the top (priority of my spare time I can spend on my open source endeavours ;)).
$ npm i -D @stryker-mutator/core
added 185 packages, and audited 186 packages in 12s
30 packages are looking for funding
run `npm fund` for details
found 0 vulnerabilities