
Package appears to be compromised. #786

Closed
christiansmith opened this issue Jan 8, 2022 · 10 comments

Comments

@christiansmith

Do you want to request a feature or report a bug?

It appears the package is compromised. Bug is a severe understatement.

What is the current behavior?

When running npx oclif generate mynewcli the command outputs the following:

```
$ oclif generate mycli
LIBERTY LIBERTY LIBERTY
LIBERTY LIBERTY LIBERTY
LIBERTY LIBERTY LIBERTY
                                   !             H|H|H|H|H           H__________________________________             H|§|§|§|H           H|* * * * * *|---------------
------|             H|§||§|H           H| * * * * * |---------------------|             H|§|§|§|H           H|* * * * * *|---------------------|             H|H|H|H|
H           H| * * * * * |---------------------|             H|H|H|H|H           H|---------------------------------|          ===============        H|--------------
-------------------|            /| _   _ |          H|---------------------------------|            (| O   O |)          H|---------------------------------|
   /|   U   |          H-----------------------------------             |  =/  |           H              _..._/            H              _|I/|_            H      __
_____/| H |/_______    H     /           / /          H    |          | | /         |  H    |          ||o||          |  H    |    |     ||o||     |    |  H    |    |
     ||o||     |    |  H   Carl Pilcher
 ̖ ̭  ̜ ̳  ̺  ̭  ̠ ̸   ͈ ̱ ̻    ̭ ̤     ̼   ̣ ̐ ҉͞ ̰   ̂ͩ̚  ̪ ̻ ͡  ͓ ͡  ̭ ̮   ̭ ̙ ̸ ͈  ̙  ͓  ̼  ̜  ̳  ̪ ̟ ̖ ͖
 ̹ ̽̾̍ ҉ ͇ ̲ ͘   ̜   ͌ ͖  ̮  ͓ ͈    ͙ ̬  ̦ ̜  ̘ ͉  ̳  ̳ ̺ ̱    ͙   ͠  ͙    ͔  ̖     ̖ ͔   ̳ ̰  ̢  ͖    ͅ
 ͍ ̱ ͇  ͓ ̯   ̰  ̲ ̹ ̗  ̣  ͉  ͓ ͍  ͔ ̫ ̄ͦ͌ ҉̨ ͓   ͐    ͟   ̰ ̤  ͓ ͎     ̣ ͈ ͚  ͇  ̻    ̖   ͚   ̓ͮ̒
   ̭ ̰ ͅ ̗ ̤ ͡  ̞   ̠   ̩ ̻   ̫ ̫ ̪   ͇ ̹ ͈ ̤  ̹ ̹  ̺   ͉ ͎ ̱ ̬  ̪ ͯ  ̦ ̠  ͯ̓ ͎ ̲  ͖ ͇ ͪͧ͐ ͚ ͢ ͉ ͚ ̜ ̬  ̥ ̩
```

This gibberish continues to output indefinitely until Ctrl-C.

What is the expected behavior?

The command should generate a new project as advertised.

My oclif version is oclif/2.1.0 darwin-arm64 node-v16.13.1 and my OS is MacOS Big Sur 11.5.2.

@christiansmith (Author)

Additional context: this does appear to be an issue with oclif as opposed to npx, because I am able to run e.g. npx create-react-app ... successfully.

@christiansmith (Author)

Appears to be related to Marak/colors.js#285

@mdonnalley (Contributor)

@christiansmith Thanks for bringing this to our attention

I added a resolutions section to our package.json to force colors to resolve to 1.4.0 - however, that unfortunately won't have any effect on npm installs.

I could update our release process to generate a shrinkwrap - but given that it's a Saturday and the bug doesn't appear to be malicious I'd rather wait on that for now. Hopefully the bug gets fixed or they point latest to a working version before then

In the meantime, you can install oclif using yarn:

yarn global add oclif
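The pinning problem the maintainer describes above (a yarn `resolutions` entry does nothing for npm installs, and a CLI fetched through `npx` needs a shrinkwrap) can be checked mechanically. The following is an added example, not code from this thread, from oclif or from colors: it walks a `package-lock.json` (lockfileVersion 2 or 3, which list every installed copy under `"packages"`), reports any copy of `colors` whose version is not the 1.4.0 the maintainer pinned, and emits the two package.json fields that enforce such a pin: `resolutions` for yarn and `overrides` for npm 8.3 and later. The lockfile below is constructed for illustration and `some-dep` is a placeholder name, not a real oclif dependency.

```javascript
// Added example, not oclif's or colors' code. Audits a package-lock.json
// (lockfileVersion 2 or 3, which list every installed copy under "packages")
// for copies of `colors` whose version differs from the known-good 1.4.0 that
// the maintainer pinned, then emits the package.json fields that enforce the
// pin: `resolutions` for yarn and `overrides` for npm 8.3+.

const PINNED = { colors: '1.4.0' };

// Constructed sample lockfile for illustration; `some-dep` is a placeholder
// name, not a real oclif dependency. Note the nested copy of colors at 1.4.2.
const sampleLock = {
  name: 'mycli',
  lockfileVersion: 2,
  packages: {
    '': { name: 'mycli', version: '1.0.0', dependencies: { oclif: '^2.1.0' } },
    'node_modules/oclif': { version: '2.1.0', dependencies: { 'some-dep': '^1.0.0' } },
    'node_modules/some-dep': { version: '1.0.0', dependencies: { colors: '^1.4.0' } },
    'node_modules/some-dep/node_modules/colors': { version: '1.4.2' },
    'node_modules/colors': { version: '1.4.0' },
  },
};

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function packageNameFromPath(lockPath) {
  const marker = 'node_modules/';
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? lockPath : lockPath.slice(idx + marker.length);
}

// One record per installed copy of a pinned package whose version is not the pin.
// Nested copies (node_modules/x/node_modules/colors) are exactly the ones a plain
// `dependencies` entry in the root package.json cannot control.
function findPinViolations(lock, pins = PINNED) {
  const violations = [];
  for (const [lockPath, entry] of Object.entries(lock.packages || {})) {
    if (lockPath === '') continue; // the root project itself
    const name = packageNameFromPath(lockPath);
    if (Object.prototype.hasOwnProperty.call(pins, name) && entry.version !== pins[name]) {
      violations.push({ path: lockPath, name, found: entry.version, expected: pins[name] });
    }
  }
  return violations;
}

// Same check on the raw JSON text of a lockfile, e.g. fs.readFileSync('package-lock.json', 'utf8').
// lockfileVersion 1 files have no "packages" map and are rejected rather than silently passed.
function auditLockfileText(jsonText, pins = PINNED) {
  const lock = JSON.parse(jsonText);
  if (!lock.packages) {
    throw new Error(`lockfileVersion ${lock.lockfileVersion} has no "packages" map; regenerate with npm >= 7`);
  }
  return findPinViolations(lock, pins);
}

// package.json fields that force every copy, at any depth, to the pinned version.
// yarn reads `resolutions`; npm 8.3+ reads `overrides`. Both apply only in the
// root project being installed, which is why a CLI run through `npx` needs an
// npm-shrinkwrap.json instead.
function pinFields(pins = PINNED) {
  return { resolutions: { ...pins }, overrides: { ...pins } };
}

const report = findPinViolations(sampleLock);
console.log(report.length === 0 ? 'no pin violations' : JSON.stringify(report, null, 2));
console.log(JSON.stringify(pinFields(), null, 2));
```

Run against a real project, the audit flags the nested `node_modules/some-dep/node_modules/colors` style of copy that `npm ls colors` also shows but that a root `dependencies` entry cannot fix; only `overrides`/`resolutions` in the root project, or a shrinkwrap shipped inside the published CLI, reach that depth.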

@christiansmith (Author)

Thanks for the quick response. Nothing urgent for me. Just Saturday morning tinkering :)

I'll try the package again once the issue is resolved.

@mii9000 commented Jan 9, 2022

> @christiansmith Thanks for bringing this to our attention
>
> I added a resolutions section to our package.json to force colors to resolve to 1.4.0 - however, that unfortunately won't have any effect on npm installs.
>
> I could update our release process to generate a shrinkwrap - but given that it's a Saturday and the bug doesn't appear to be malicious I'd rather wait on that for now. Hopefully the bug gets fixed or they point latest to a working version before then
>
> In the meantime, you can install oclif using yarn:
>
> yarn global add oclif

Adding with yarn did not work for me. What other alternative is there? I was in the midst of making changes to my CLI program.

@rsadr0pyz

npx marak-free

@ghost commented Jan 10, 2022

@mii9000 I managed to have it working temporarily with the following steps:

  • clone the repo
  • install deps and build the project
  • go to the lib dir and link it using the npm link command

After that the oclif cli will be available globally in your shell.

The dist version should be fixed soon, as @mdonnalley mentioned. I can confirm for now that everything is working fine locally.

I use yarn as package manager, btw

@mdonnalley (Contributor)

I just released v2.1.3 which upgraded all the dependencies that use(d) colors. Fortunately the maintainers of our dependencies jumped on the issue quickly and already pinned colors to a working version or migrated to a different library entirely.

Both npm and yarn installs of oclif should now be free of the colors "bug" but I'll leave this issue open for now in case anyone still runs into it

@smyja commented Jan 10, 2022

mdonnalley unpinned this issue Aug 16, 2022
6 participants