Closed (briantist closed this 2 years ago)
Please just pin the colors dependency to 1.4.0, and see the following if you need additional context: https://github.com/Marak/colors.js/issues/285#issuecomment-1008212640
Looking into it. Thanks for reporting this.
Just published a patch release to fix this attack. It is `surge@0.23.1`. Install by running `npm install -g surge`.
Sorry this issue came up. I will consider pinning ALL dependencies moving forward to prevent an issue like this from happening again.
see: https://github.com/sintaxi/surge/issues/469#issuecomment-1008213809
Sometime within the last 24 hours from this post, it appears as though this package was somehow compromised. Running `surge teardown` from my CI, it spit out some very strange text (link to CI run): https://gist.github.com/briantist/0b9422be100e6fba866e955be5d3da66

It's mostly the word `testing` masked with "zalgo" text. I don't know what it was actually trying to do since it seems to have run out of memory in the github runner and crashed: