tracing-appender 0.2.4

Added

• Prune old files at startup (#2966)
• Add fallback to file creation date (#3000)
• Introduce weekly rotation (#3218)

Fixed

• Fix max_files integer underflow when set to zero (#3348)

Documented

• Update tracing-appender docs link to correct docs.rs URL (#3325)

tracing 0.1.42

Important

The Span::record_all method has been removed from the documented API. It
was always unsuable via the documented API as it requried a ValueSet which
has no publically documented constructors. The method remains, but should not
be used outside of tracing macros.

Added

• attributes: Support constant expressions as instrument field names (#3158)
• Add record_all! macro for recording multiple values in one call (#3227)
• core: Improve code generation at trace points significantly (#3398)

Changed

• tracing-core: updated to 0.1.35 (#3414)
• tracing-attributes: updated to 0.1.31 (#3417)

Fixed

• Fix "name / parent" variant of event! (#2983)
• Remove 'r#' prefix from raw identifiers in field names (#3130)
• Fix perf regression when release_max_level_* not set (#3373)
• Use imported instead of fully qualified path (#3374)
• Make valueset macro sanitary (#3382)

Documented

• core: Add missing dyn keyword in Visit documentation code sample (#3387)

tracing-mock 0.1.0-beta.2

Added

• Add on_register_dispatch expectation for subscriber and layer mocks (#3415)
• Add doctests for on_register_dispatch negative cases (#3416)

Changed

• tracing: updated to 0.1.42 (#3418)

tracing-subscriber 0.3.20

Security Fix: ANSI Escape Sequence Injection (CVE-TBD)

Impact

Previous versions of tracing-subscriber were vulnerable to ANSI escape sequence injection attacks. Untrusted user input containing ANSI escape sequences could be injected into terminal output when logged, potentially allowing attackers to:

• Manipulate terminal title bars
• Clear screens or modify terminal display
• Potentially mislead users through terminal manipulation

In isolation, impact is minimal, however security issues have been found in terminal emulators that enabled an attacker to use ANSI escape sequences via logs to exploit vulnerabilities in the terminal emulator.

Solution

Version 0.3.20 fixes this vulnerability by escaping ANSI control characters in when writing events to destinations that may be printed to the terminal.

Affected Versions

All versions of tracing-subscriber prior to 0.3.20 are affected by this vulnerability.

Recommendations

Immediate Action Required: We recommend upgrading to tracing-subscriber 0.3.20 immediately, especially if your application:

• Logs user-provided input (form data, HTTP headers, query parameters, etc.)
• Runs in environments where terminal output is displayed to users

Migration

This is a patch release with no breaking API changes. Simply update your Cargo.toml:

[dependencies]
tracing-subscriber = "0.3.20"

Acknowledgments

We would like to thank zefr0x who responsibly reported the issue at security@tokio.rs.

If you believe you have found a security vulnerability in any tokio-rs project, please email us at security@tokio.rs.

tracing-attributes 0.1.30

Fixed

• Fix tracing::instrument regression around shadowing (#3311)

tracing-core 0.1.34

Changed

• Bump MSRV to 1.65 (#3033)

Fixed

• Do not compare references to pointers to compare pointers (#3236)

tracing-attributes 0.1.29

Changed

• Bump MSRV to 1.65 (#3033)

Fixed

• Let dead_code lint work on #[instrument]ed functions (#3108)
• Globally qualify attribute paths (#3126)

tracing-subscriber 0.3.19

[ crates.io ] | [ docs.rs ]

This release updates the tracing dependency to v0.1.41 and
the tracing-serde dependency to v0.2.0.

Added

• Add set_span_events to fmt::Subscriber (#2962)
• tracing: Allow &[u8] to be recorded as event/span field (#2954)

Changed

• Set log max level when reloading (#1270)
• Bump MSRV to 1.63 (#2793)
• Use const thread_locals when possible (#2838)
• Don't gate with_ansi() on the "ansi" feature (#3020)
• Updated tracing-serde to 0.2.0 (#3160)

tracing-journald 0.3.1

[ crates.io ] | [ docs.rs ]

Changed

• disable default features of tracing-subscriber (#1476)
• allow custom journal fields (#2708)
• Bump MSRV to 1.63 (#2793)
• make level mappings configurable (#2824)

tracing-error 0.2.1

[ crates.io ] | [ docs.rs ]

Changed

• Bump MSRV to 1.63 (#2793)

Documented

• Use intra-doc links instead of relative file paths (#2068)
• More intra-doc links (#2077)
• Add missing backtick to prelude docs (#2120)