Latest version 4.44.15 utilises a compromised colors package #1274
Comments
|
The compromised package version was removed from npmjs many days ago. Version 1.4.0 is not affected. Only clean versions are available. See npkgz/cli-progress@1f0c40e#diff-51e4f558fae534656963876761c95b83b6ef5da5103c4adef6768219ed76c2deL238 and https://www.npmjs.com/package/colors?activeTab=versions Nothing to worry at the moment. cli-progress 3.9.0 and newer (includes 3.10.0, SemVer selector ^) is already used, see https://github.com/vue-styleguidist/vue-styleguidist/blob/dev/packages/vue-styleguidist/package.json#L38 This includes the automatic update to 3.10.0. |
|
It still does not hurt to update but I it is less of an emergency. |
|
This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 30 days if no further activity occurs. Thank you for your contributions. |
Current behavior
As soon as you bump up and clean the npm packages , the solution adopts a compromised version of
colorsa dependency tocli-progressReference: Marak/colors.js#285
To fix: bump up the version of
cli-progress(npkgz/cli-progress#116)To reproduce
npm run styleguideExpected behavior
The text was updated successfully, but these errors were encountered: