After reading https://snyk.io/blog/open-source-npm-packages-colors-faker/ and https://snyk.io/blog/peacenotwar-malicious-npm-node-ipc-package-vulnerability/, I decided to scan all JavaScript repositories on my hard drive for direct and indirect dependencies on the affected packages, using the following terminal command:

(In case others want to run the same command, keep in mind that the path to the matching package-lock.json or yarn.lock comes after the matching lines output by grep.)

I found several projects that depended on colors, including machina. The patch should ensure that no affected version is installed by accident, even when upgrading intermediate dependencies.
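As an added example (not the author's command and not machina's code), the following Python script parses package-lock.json files directly rather than grepping them, so every copy of a watched package is reported with its install path and version, including copies nested under an intermediate dependency. The package names, versions and lockfile contents are constructed placeholders; take the real affected versions from the advisories.

```python
import json
from pathlib import Path

# Constructed watch list: package -> versions to flag (placeholders, not real advisories).
AFFECTED = {"colors": {"9.9.9"}, "faker": {"8.8.8"}}

# Constructed lockfiles in both layouts npm writes: v1 nests "dependencies", v2/v3 map install paths.
SAMPLE_LOCK_V1 = {"lockfileVersion": 1, "dependencies": {"colors": {"version": "1.0.0"},
    "machina": {"version": "0.0.0", "dependencies": {"colors": {"version": "9.9.9"}}}}}
SAMPLE_LOCK_V3 = {"lockfileVersion": 3, "packages": {
    "": {"name": "demo"}, "node_modules/colors": {"version": "1.0.0"},
    "node_modules/machina": {"version": "0.0.0"},
    "node_modules/machina/node_modules/colors": {"version": "9.9.9"}}}

def _walk_v1(deps, prefix, names, out):
    # Recurse through the nested v1 tree, building each install path as we go.
    for name, meta in (deps or {}).items():
        path = f"{prefix}node_modules/{name}"
        if name in names:
            out.append((path, name, meta.get("version", "")))
        _walk_v1(meta.get("dependencies"), path + "/", names, out)

def find_packages(lock, names):
    """Sorted (install path, name, version) for every copy of the named packages."""
    out = []
    if "packages" in lock:
        for path, meta in lock["packages"].items():
            if not path:
                continue  # "" is the root project itself
            name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
            if name in names:
                out.append((path, name, meta.get("version", "")))
    else:
        _walk_v1(lock.get("dependencies"), "", names, out)
    return sorted(out)

def affected_installs(lock, affected=AFFECTED):
    """Only the copies whose installed version is on the watch list."""
    return [h for h in find_packages(lock, set(affected)) if h[2] in affected[h[1]]]

def scan_repos(root, affected=AFFECTED):
    """Map each repository's package-lock.json under root to its flagged installs."""
    hits = {}
    for lock_path in Path(root).rglob("package-lock.json"):
        if "node_modules" in lock_path.parts:
            continue  # only the lockfile at each repository root matters
        found = affected_installs(json.loads(lock_path.read_text()), affected)
        if found:
            hits[str(lock_path)] = found
    return hits
```

Run `scan_repos("/path/to/checkouts")` against a directory of repositories; an empty result means no lockfile pins a flagged version, which is what the patch described above is meant to guarantee.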