Description
Summary
@tryghost/logging depends on bunyan and a constellation of bunyan-based transports that are all effectively unmaintained:
| Dependency | Version | Last Published | Notes |
|---|---|---|---|
| bunyan | 1.8.15 | Jan 2021 | 5+ years inactive |
| bunyan-loggly | 2.0.1 | Aug 2022 | Pulls in node-loggly-bulk, which previously pulled in the deprecated request |
| @tryghost/bunyan-rotating-filestream | 0.0.7 | Mar 2021 | Ghost-owned, unmaintained |
| gelf-stream | 1.1.1 | May 2016 | 10 years inactive |
This dependency chain has already caused a critical Dependabot alert (#22) due to node-loggly-bulk@3.x → request → form-data@2.3.3 (CVE for predictable multipart boundaries). That was mitigated with a yarn resolution forcing node-loggly-bulk@4.x, but the underlying problem is the stale dependency tree.
What GhostLogger actually uses from bunyan
The usage in GhostLogger.js is thin — essentially just bunyan.createLogger() with streams. The substantial logic (serializers, sensitive data redaction, transport routing, child loggers) is all in GhostLogger itself and is framework-agnostic.
Suggested approach
pino is the most natural replacement:
- Actively maintained, high performance
- Has a bunyan compatibility/migration path
- Native support for file rotation, pretty printing, and structured logging
- Rich transport ecosystem (pino-pretty, pino-elasticsearch, etc.)
The migration would involve:
- Replace `bunyan.createLogger()` calls with `pino()` equivalents in `GhostLogger.js`
- Replace `bunyan-loggly` with a pino transport (or the Loggly HTTP API directly)
- Replace `gelf-stream` with `pino-gelf` or similar
- Replace `@tryghost/bunyan-rotating-filestream` with pino's built-in file rotation
- Remove the lodash dependency (only 6 functions are used, easily replaced with native JS)
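To make the first migration step concrete, here is an added example (not Ghost's code) that translates a `bunyan.createLogger()` options object into the options object `pino()` expects, including per-stream levels and the serializers that carry GhostLogger's redaction logic. It assumes `pino/file` for plain files and stdout, the community `pino-roll` transport for rotation, and refuses custom stream objects (gelf-stream, bunyan-loggly) rather than silently dropping them.

```javascript
'use strict';

// bunyan accepts numeric levels (10..60); pino wants the level name.
const LEVEL_NAMES = ['trace', 'debug', 'info', 'warn', 'error', 'fatal'];

function toPinoLevel(level) {
  if (level === undefined) return 'info';            // bunyan's default stream level
  if (typeof level === 'number') {
    const name = LEVEL_NAMES[level / 10 - 1];
    if (!name) throw new Error(`unknown bunyan level ${level}`);
    return name;
  }
  return level;
}

// Assumption: bunyan rotating-file periods map onto pino-roll's `frequency` values.
const ROTATION_PERIODS = { '1h': 'hourly', '1d': 'daily' };

// Translate one bunyan `streams` entry into a pino `transport.targets` entry.
function toPinoTarget(stream) {
  const level = toPinoLevel(stream.level);
  if (stream.type === 'rotating-file') {
    const frequency = ROTATION_PERIODS[stream.period || '1d'];
    if (!frequency) throw new Error(`unsupported rotation period ${stream.period}`);
    // Assumption: pino-roll handles rotation; pino core itself does not rotate files.
    return { target: 'pino-roll', level,
      options: { file: stream.path, frequency, limit: { count: stream.count || 10 } } };
  }
  if (stream.path) {
    return { target: 'pino/file', level, options: { destination: stream.path, mkdir: true } };
  }
  if (stream.stream === process.stdout) {
    return { target: 'pino/file', level, options: { destination: 1 } }; // fd 1 = stdout
  }
  // gelf-stream, bunyan-loggly and other custom stream objects have no generic mapping;
  // each needs a dedicated pino transport, so fail loudly instead of losing log output.
  throw new Error('bunyan stream has no pino equivalent; provide a dedicated transport');
}

// Build the options object for pino() from a bunyan.createLogger() options object.
function bunyanToPinoOptions(opts) {
  const targets = (opts.streams || []).map(toPinoTarget);
  // The root logger must be at least as verbose as its most verbose target,
  // otherwise pino drops records before the per-target level filter sees them.
  const lowest = targets.reduce(
    (min, t) => (LEVEL_NAMES.indexOf(t.level) < LEVEL_NAMES.indexOf(min) ? t.level : min), 'fatal');
  return {
    name: opts.name,
    level: targets.length ? lowest : 'info',
    serializers: opts.serializers || {},   // same { key: fn } shape in both libraries
    transport: { targets }
  };
}
```

With this in place, `pino(bunyanToPinoOptions(existingOptions))` stands in for `bunyan.createLogger(existingOptions)`, and the serializers (redaction included) run unchanged.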
Impact
This would eliminate 5 stale dependencies and reduce future security exposure from the unmaintained bunyan ecosystem.