foreversd / forever

A simple CLI tool for ensuring that a given script runs continuously (i.e. forever)
http://github.com/foreverjs/forever
MIT License

security fix: pin or replace `colors` dependency #1124

Closed micalevisk closed 2 years ago

micalevisk commented 2 years ago

https://github.com/foreversd/forever/blob/2211e32a288b97c3c3d1e27f41370a9a489ee833/package.json#L24

colors was intentionally compromised by the author. The latest working version is 1.4.0. So I believe you need to pin that version to 1.4.0 to prevent issues from the next upgrades.

kibertoad commented 2 years ago

@micalevisk Could you please send a PR for that?

micalevisk commented 2 years ago

the version used here is 0.6.2. Do you think upgrading it to the latest working major will be fine? I didn't manage to run the tests here.

kibertoad commented 2 years ago

@micalevisk Depends on what Node version they support. What were the breaking changes for 1.0.0?

micalevisk commented 2 years ago

well that will be hard to tell as there's no changelog to look at https://github.com/Marak/colors.js/compare/v0.6.2...v1.0.0

Keeping the current semver range won't cover the latest version of colors.

I didn't really get how colors is being used by forever tbh. I've just found this one https://github.com/foreversd/forever/blob/2211e32a288b97c3c3d1e27f41370a9a489ee833/lib/forever/cli.js#L629

kibertoad commented 2 years ago

Probably we need to replace it with colorette :)

jerome-yvan commented 2 years ago

Hi, I think the problem is on prettyjson module. It uses the colors.js version 1.4.2. Anyway on how to fix it?

micalevisk commented 2 years ago

oh, yeah

I guess we only need to wait for them: https://github.com/rafeca/prettyjson/pull/54
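The point raised by jerome-yvan and confirmed above is that forever's own `colors` pin is not the problem; the copy nested under prettyjson is. As an added example (not code from forever, prettyjson or anyone in this thread), the following Node script audits a `package-lock.json` (lockfileVersion 2 or 3) for every installed copy of `colors` and flags any copy above 1.4.0, the last release the thread treats as safe; the lockfile fragment is constructed to mirror this thread's situation, and the prettyjson version in it is a placeholder.

```javascript
// Added example: audit a package-lock.json (lockfileVersion 2 or 3) for every
// installed copy of `colors` and flag copies newer than 1.4.0, the last release
// this thread treats as safe. Nested installs are separate entries under
// "packages", so the key itself tells you which parent pulled the copy in.
const KNOWN_GOOD = [1, 4, 0];

// "1.4.44-liberty-2" -> [1, 4, 44]; prerelease/build tags are dropped because
// the numeric core alone is enough to sort a version above 1.4.0.
function parseVersion(version) {
  return version.split(/[-+]/)[0].split('.').map((n) => parseInt(n, 10));
}

function isNewerThanKnownGood(version) {
  const parts = parseVersion(version);
  for (let i = 0; i < KNOWN_GOOD.length; i++) {
    const n = parts[i] || 0; // missing or unparsable component counts as 0
    if (n !== KNOWN_GOOD[i]) return n > KNOWN_GOOD[i];
  }
  return false;
}

// Returns [{ path, version }] for each suspect copy, e.g. the path
// "node_modules/prettyjson/node_modules/colors" for a copy nested under prettyjson.
function findSuspectColors(lock) {
  const suspects = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path.endsWith('node_modules/colors')) continue;
    if (isNewerThanKnownGood(meta.version)) {
      suspects.push({ path, version: meta.version });
    }
  }
  return suspects;
}

// Constructed lockfile fragment (not forever's real lock): forever's own
// top-level pin is fine, but prettyjson's nested copy is the version
// jerome-yvan reports above. The prettyjson version is a placeholder.
const sampleLock = {
  lockfileVersion: 2,
  packages: {
    'node_modules/colors': { version: '0.6.2' },
    'node_modules/prettyjson': { version: '0.0.0-placeholder' },
    'node_modules/prettyjson/node_modules/colors': { version: '1.4.2' },
  },
};

console.log(findSuspectColors(sampleLock));
```

Run it against a real lockfile with `JSON.parse(fs.readFileSync('package-lock.json'))` in place of `sampleLock`; an empty result means no copy above 1.4.0 is installed anywhere in the tree.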

iplanwebsites commented 2 years ago

Forever crashing is causing many apps & servers to be offline right now. It'd be great if we could switch to a prettyJson fork temporarily if that PR can't make it shortly.

ghost commented 2 years ago

```shell
# drop the nested colors copy under prettyjson and install the last working release
rm -rf /usr/lib/node_modules/forever/node_modules/prettyjson/node_modules/colors/
cd /usr/lib/node_modules/forever/node_modules/prettyjson
npm install colors@1.4.0
```

You can do this as a temporary solution before prettyjson applies rafeca/prettyjson#54.

iplanwebsites commented 2 years ago

Had some servers using npx forever in built environments that were particularly complex to patch.

kibertoad commented 2 years ago

there is a fixed version of prettyjson coming up, will release new forever when that happens

kibertoad commented 2 years ago

Fix released in 4.0.2

jerome-yvan commented 2 years ago

> Fix released in 4.0.2

Thank you

iplanwebsites commented 2 years ago

Thanks everyone for that patch!