Closed Roozenboom closed 4 days ago

As a big enterprise organisation we are continuously scanning our dependencies for vulnerabilities and other security risks. One of the dependencies of @pact-foundation/pact is 'cli-color' (https://github.com/medikoo/cli-color). This package by itself has no security risk, but it depends on 'es5-ext' (https://github.com/medikoo/es5-ext), which is marked as malicious by Sonatype (sonatype-2022-2248) as it has contained malware/protestware in a postinstall script since 2022.

The question is: can this be replaced by an alternative package?

There are many alternatives that can do console coloring as well; probably the best known one is chalk: https://www.npmjs.com/package/chalk (see npm trends: https://npmtrends.com/chalk-vs-cli-color). And @pact-foundation/pact only uses cli-color once, to show a console error in red: https://github.com/pact-foundation/pact-js/blob/d3e24a7d5e44d14ca29f1a512c4da54c03b962c1/src/httpPact/index.ts#L210

Sonatype's rationale of it being unexpected to the end user is fair, as it isn't documented in the readme, and a user would have to go and read issue threads, probably after the fact.
We already use chalk in the pact-js-cli project, so I am happy with that being replaced.
Would you be open to proposing a pull request?

Thanks for the PR!