ifandelse / machina.js

js ex machina - finite state machines in JavaScript
http://machina-js.org/

Prevent potential problems from a future colors@>1.4.0 upgrade #173

Open jgonggrijp opened 2 years ago

jgonggrijp commented 2 years ago

After reading https://snyk.io/blog/open-source-npm-packages-colors-faker/ and https://snyk.io/blog/peacenotwar-malicious-npm-node-ipc-package-vulnerability/, I decided to scan all JavaScript repositories on my hard drive for direct and indirect dependencies on the affected packages, using the following terminal command:

find . \( -name package-lock.json -or -name yarn.lock \) -exec grep -E 'colors|faker|node-ipc|js-queue|easy-stack|js-message|event-pubsub|node-cmd' '{}' ';' -print

(In case others want to run the same command, keep in mind that the path to the matching package-lock.json or yarn.lock comes after the matching lines output by grep.)

I found several projects that depended on colors, including machina. The patch should ensure that no affected version is installed by accident, even when upgrading intermediate dependencies.
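The grep above finds lockfiles that mention the watched packages, but it does not say which version is resolved or where in the dependency tree it sits. As an added example (not part of this PR or of machina.js), the following Node script walks a parsed package-lock.json, reports every entry whose name is on the watchlist from the command above, and flags `colors` entries above 1.4.0, the range the PR title treats as problematic. The lockfile objects are constructed samples; `WATCHLIST`, `compareVersions` and `scanLockfile` are names chosen here.

```javascript
// Added example, not code from machina.js or from the PR: scan a parsed
// package-lock.json for the packages named in the comment and flag any colors
// version above 1.4.0 (the range in the PR title).

// Package names taken from the grep pattern in the comment above.
const WATCHLIST = ['colors', 'faker', 'node-ipc', 'js-queue', 'easy-stack',
                   'js-message', 'event-pubsub', 'node-cmd'];

// Numeric comparison of dotted version strings; pre-release suffixes are ignored.
// Returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Returns one finding per watched package found in the lockfile, with the
// install path so nested copies (node_modules/a/node_modules/colors) are visible.
// Handles lockfileVersion 2/3 ("packages" map) and lockfileVersion 1 ("dependencies" tree).
function scanLockfile(lock) {
  const findings = [];
  const record = (name, entry, path) => {
    if (!WATCHLIST.includes(name)) return;
    const flagged = name === 'colors' && compareVersions(entry.version, '1.4.0') > 0;
    findings.push({ name, version: entry.version, path, flagged });
  };
  if (lock.packages) {
    for (const [key, entry] of Object.entries(lock.packages)) {
      const idx = key.lastIndexOf('node_modules/');
      if (idx === -1) continue; // root project or workspace link, not an installed dependency
      record(key.slice(idx + 'node_modules/'.length), entry, key); // keeps @scope/name intact
    }
  } else if (lock.dependencies) {
    const walk = (deps, prefix) => {
      for (const [name, entry] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${name}`;
        record(name, entry, path);
        if (entry.dependencies) walk(entry.dependencies, path + '/');
      }
    };
    walk(lock.dependencies, '');
  }
  return findings;
}

// Constructed sample lockfile (v2 layout): a top-level colors@1.4.0 plus a nested
// hypothetical colors@1.5.0 pulled in by a CLI dependency.
const SAMPLE_LOCK_V2 = {
  name: 'example-app', lockfileVersion: 2,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/colors': { version: '1.4.0' },
    'node_modules/some-cli': { version: '2.0.0', dependencies: { colors: '^1.4.0' } },
    'node_modules/some-cli/node_modules/colors': { version: '1.5.0' },
    'node_modules/lodash': { version: '4.17.21' },
  },
};

// Constructed sample lockfile (v1 layout): older colors and a faker entry,
// neither of which is flagged by the colors@>1.4.0 rule.
const SAMPLE_LOCK_V1 = {
  lockfileVersion: 1,
  dependencies: {
    colors: { version: '1.3.3' },
    faker: { version: '5.5.3', dependencies: {} },
  },
};

console.log(JSON.stringify(scanLockfile(SAMPLE_LOCK_V2), null, 2));
```

Only the nested copy is flagged for the v2 sample, which is exactly the case a plain grep on the lockfile hides: the top-level `colors` is pinned, but an intermediate dependency can still resolve a newer one. For real use, replace the samples with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; npm's `overrides` field in package.json (and yarn's `resolutions`) is the usual way to force a single version for transitive copies, independent of whatever this PR's patch chose to do.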