facebook / jscodeshift

A JavaScript codemod toolkit.
https://jscodeshift.com
MIT License

Critical: Need to restrict colors.js dependency #474

Closed. bodograumann closed this issue 2 years ago.

bodograumann commented 2 years ago

You have included colors@^1.1.2 as dependency, which would install version 1.4.1. This dependency contains an intentional DoS. Please pin to version 1.4.0.

For background: https://www.bleepingcomputer.com/news/security/dev-corrupts-npm-libs-colors-and-faker-breaking-thousands-of-apps/
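Why a caret range like `colors@^1.1.2` admits the sabotaged release while an exact pin does not, as an added example that is not part of jscodeshift or of this thread: a minimal model of npm's caret-range resolution (plain x.y.z versions only; the version list is a constructed sample, not the real registry history).

```javascript
// Added example, not jscodeshift code. Models npm caret ranges to show how
// "^1.1.2" resolves to 1.4.1 and how a pin ("1.4.0") avoids it.
// Handles plain x.y.z versions only (no prerelease tags).
const parse = (v) => v.split('.').map(Number); // "1.4.1" -> [1, 4, 1]

// Lexicographic comparison of [major, minor, patch]; negative if a < b.
function compare(a, b) {
  const [x, y] = [parse(a), parse(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
}

// Caret rule: any version >= the base whose components up to and including
// the leftmost non-zero component of the base are unchanged.
// ^1.1.2 => >=1.1.2 <2.0.0 ; ^0.13.1 => >=0.13.1 <0.14.0 ; ^0.0.3 => =0.0.3
function satisfies(range, version) {
  if (!range.startsWith('^')) return compare(range, version) === 0; // exact pin
  const base = range.slice(1);
  if (compare(version, base) < 0) return false;
  const lo = parse(base);
  const v = parse(version);
  const idx = lo.findIndex((n) => n !== 0);
  const fixed = idx === -1 ? 2 : idx; // number of components that must match
  return lo.slice(0, fixed + 1).every((n, i) => n === v[i]);
}

// What npm installs: the highest published version that satisfies the range.
function resolve(range, available) {
  return available.filter((v) => satisfies(range, v)).sort(compare).pop() ?? null;
}

// Audit helper: which versions on a block list does a declared range admit?
function admitsBad(range, badVersions) {
  return badVersions.filter((v) => satisfies(range, v));
}

// Constructed sample of published versions (1.4.0 and 1.4.1 are from the issue).
const published = ['1.1.2', '1.2.0', '1.3.0', '1.4.0', '1.4.1'];
console.log(resolve('^1.1.2', published));   // "1.4.1": the sabotaged release
console.log(resolve('1.4.0', published));    // "1.4.0": the pin the issue asks for
console.log(admitsBad('^1.1.2', ['1.4.1'])); // ["1.4.1"]: the range is exposed
```

The same `admitsBad` check run over a lockfile or `package.json` is the quick way to tell whether a declared range, rather than the currently installed version, still leaves a project exposed to a newly published bad release.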

bodograumann commented 2 years ago

Seems there are already some pull-requests. Nice :-)

#472 for a simple fix

#473 for replacement of the dependency

mroch commented 2 years ago

I merged #473 to use chalk instead. Thanks @bodograumann @yedidyak @imnotjames for your quick response to this issue!

mroch commented 2 years ago

Published 0.13.1.