security fix: pin or replace `colors` dependency

https://github.com/foreversd/forever/blob/2211e32a288b97c3c3d1e27f41370a9a489ee833/package.json#L24

colors was intentionally compromised by the author. The latest working version is 1.4.0. So I believe you need to pin that version to 1.4.0 to prevent issues from the next upgrades.

Issue Analytics

  • State: closed
  • Created 2 years ago
  • Reactions: 1
  • Comments: 14 (5 by maintainers)

Top GitHub Comments

kibertoad commented, Jan 10, 2022 (4 reactions)

there is a fixed version of prettyjson coming up, will release new forever when that happens

lofairy commented, Jan 10, 2022 (4 reactions)

```sh
rm -rf /usr/lib/node_modules/forever/node_modules/prettyjson/node_modules/colors/
cd /usr/lib/node_modules/forever/node_modules/prettyjson
npm install colors@1.4.0
```

You can do this as a temporary solution before prettyjson applies rafeca/prettyjson#54.

Top Results From Across the Web

  • Open source maintainer pulls the plug on npm packages ...: We highly recommend you revert to colors@1.4.0, and pin your dependencies' versions to avoid blind upgrades of the offending version. We also ......
  • What NPM should do to stop a new colors attack - Hacker News: Pinning doesn't help here if colors dependency is not your direct dependency. So you can have a pinned library that doesn't pin colors.js....
  • Open Source Developer Sabotages npm Packages 'Colors ...: The developer behind popular npm libraries "Colors" and "Faker" intentionally sabotaged both packages. Here's what to do if your application ...
  • Dev corrupts NPM libs 'colors' and 'faker' breaking thousands ...: 4.44-liberty-2 release of colors," mocked the developer. "Please know we are working right now to fix the situation and will have a resolution ......
  • What NPM should do to stop a new colors attack - Brian Lovin: NPM will by default create a lockfile that pins the dependencies. ... generally these critical security fixes shouldn't happen often.