sintaxi / harp

Static Web Server/Generator/Bundler
http://harpjs.com

fix: update to @dabh/colors for security vuln #669

Closed mannyluvstacos closed 2 years ago

mannyluvstacos commented 2 years ago

A security vuln was identified in the colors package for >1.4.0, the offending packages being 1.4.1 and 1.4.44-liberty.

This PR updates the colors package to use @dabh/colors, as stated on this colors issue #317, which is a safe alternative.
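As an added check, not part of this PR or the harp code base, the script below scans a constructed `package-lock.json` (lockfileVersion 2/3 `packages` layout) for the colors releases the PR calls out, including nested copies under other dependencies, so a reviewer can confirm nothing in the tree still pins them.

```python
"""Flag the colors releases named in this PR inside an npm lockfile.

Added example, not part of the harp project: it scans a constructed
package-lock.json for the `colors` versions the PR identifies as
offending (1.4.1 and 1.4.44-liberty) and reports where they sit.
"""
import json

# Versions named in the PR discussion; anything else is treated as clean.
OFFENDING_COLORS_VERSIONS = {"1.4.1", "1.4.44-liberty"}

# Constructed lockfile (lockfileVersion 2/3 "packages" layout), not harp's real one.
SAMPLE_LOCK = json.dumps({
    "name": "harp-example",
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"colors": "1.4.1", "@dabh/colors": "^1.4.0"}},
        "node_modules/colors": {"version": "1.4.1"},
        "node_modules/@dabh/colors": {"version": "1.4.0"},
        "node_modules/some-cli/node_modules/colors": {"version": "1.4.44-liberty"},
        "node_modules/other-tool/node_modules/colors": {"version": "1.4.0"},
    },
})


def package_name(path):
    """Derive the package name from a lockfile path, e.g.
    'node_modules/a/node_modules/@scope/b' -> '@scope/b'."""
    return path.rsplit("node_modules/", 1)[-1]


def find_offending_colors(lock_text):
    """Return sorted (path, version) pairs for every `colors` entry pinned to an
    offending release. Walks the flat "packages" map so nested copies are caught
    too; lockfileVersion 1 files (nested "dependencies") are not handled here."""
    lock = json.loads(lock_text)
    hits = []
    for path, meta in lock.get("packages", {}).items():
        if not path:
            continue  # the root project entry, not a dependency
        if package_name(path) == "colors" and meta.get("version") in OFFENDING_COLORS_VERSIONS:
            hits.append((path, meta["version"]))
    return sorted(hits)


if __name__ == "__main__":
    for path, version in find_offending_colors(SAMPLE_LOCK):
        print(f"{path}: colors@{version} is an offending release; switch to @dabh/colors")
```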

mannyluvstacos commented 2 years ago

cc: @sintaxi

When you have a moment to review, this PR switches colors to a safe alternative.

ethnh commented 2 years ago

Hello Manny,

npm has already removed the offending version (https://www.npmjs.com/package/colors). There is no need for this change 👍 This project is not compromised.

mannyluvstacos commented 2 years ago

Hi Ethan!

While the offending version has been removed, other projects have shifted to using the package @dabh/colors as there is still the possibility of an update as was seen in 1.4.1, or am I mistaken?

sintaxi commented 2 years ago

Looks good! Thanks!

sintaxi commented 2 years ago

@EthanHindmarsh Thanks for chiming in. You are right that the offending releases have been purged from npm. Although Marak's account has been disabled, I think it's best to switch over to @dabh/colors since @dabh has been the maintainer for the last several years anyway.