
Pin dependency on `colors` package to version 1.4.0


What is the problem?

The NPM package colors prints to the console in an infinite loop that leads to a crash for any version > 1.4.0.

See https://github.com/Marak/colors.js/issues/285 and https://www.bleepingcomputer.com/news/security/dev-corrupts-npm-libs-colors-and-faker-breaking-thousands-of-apps/

What do you expect to happen instead?

No infinite loop. The dependency on colors should be pinned to 1.4.0 exactly instead of: https://github.com/winstonjs/winston/blob/65ab472f54906c72c6c72cffc0a12c9f1d0fe995/package.json#L46

Issue Analytics

  • State: closed
  • Created 2 years ago
  • Reactions: 5
  • Comments: 9 (4 by maintainers)

Top GitHub Comments

9 reactions
DABH commented, Jan 10, 2022

No worries, I accept payment in GitHub follows or something 😅 v3.3.4 is out now which mitigates this. Hopefully doing it as a patch version gets this fix out to as many Winston users as possible asap. I’ll continue working with the appropriate folks for the next couple days about resolving the long-term stewardship of colors, but meanwhile, rest assured Winston is ok.

4 reactions
arthurfiorette commented, Jan 9, 2022

Also, add

{
  "resolutions": {
    "colors": "1.4.0"
  }
}

to the package.json to prevent other dependencies from requiring them too.
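A small audit for the exact pin requested in the issue and the resolutions entry suggested in the comment above, written as an added example that is not part of the original issue or of winston's code. It assumes the yarn `resolutions` and npm `overrides` field names and a package-lock.json with a lockfileVersion 2/3 `packages` map; the sample manifests and lockfile are constructed.

```javascript
// Audit a package.json and a package-lock.json for a `colors` dependency pinned
// to exactly 1.4.0, including nested copies pulled in by other packages.
const SAFE_VERSION = '1.4.0';

// An exact pin is a bare x.y.z (optionally "=x.y.z"); ^, ~, >=, x, * are ranges
// that may resolve to a newer release on a fresh install.
function isExactPin(spec) {
  return /^=?\d+\.\d+\.\d+$/.test(String(spec).trim());
}

// Check every dependency field, then the yarn "resolutions" / npm "overrides"
// entry that forces the version for transitive dependents (assumed field names).
function auditManifest(pkg, name = 'colors') {
  const findings = [];
  for (const field of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    const spec = pkg[field] && pkg[field][name];
    if (spec === undefined) continue;
    if (!isExactPin(spec)) findings.push(`${field}.${name} "${spec}" is a range; pin to "${SAFE_VERSION}"`);
    else if (spec.replace(/^=/, '') !== SAFE_VERSION) findings.push(`${field}.${name} "${spec}" is not ${SAFE_VERSION}`);
  }
  const forced = (pkg.resolutions || {})[name] ?? (pkg.overrides || {})[name];
  if (forced === undefined) findings.push(`no resolutions/overrides entry for ${name}`);
  else if (forced !== SAFE_VERSION) findings.push(`resolutions/overrides.${name} "${forced}" is not ${SAFE_VERSION}`);
  return findings;
}

// Scan the resolved tree: a key like "node_modules/cli-table3/node_modules/colors"
// is a nested copy that a top-level pin alone does not control.
function auditLockfile(lock, name = 'colors') {
  const bad = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const isTarget = path === `node_modules/${name}` || path.endsWith(`/node_modules/${name}`);
    if (isTarget && entry.version !== SAFE_VERSION) bad.push(`${path}@${entry.version}`);
  }
  return bad;
}

// Constructed sample inputs (not real project files); the caret range mirrors
// the winston package.json line linked in the issue.
const manifestBefore = { dependencies: { colors: '^1.4.0' } };
const manifestAfter = { dependencies: { colors: '1.4.0' }, resolutions: { colors: '1.4.0' } };
const lockSample = { lockfileVersion: 2, packages: {
  'node_modules/colors': { version: '1.4.0' },
  'node_modules/cli-table3/node_modules/colors': { version: '1.4.2' },
} };

console.log(auditManifest(manifestBefore)); // range finding + missing resolutions entry
console.log(auditManifest(manifestAfter));  // []
console.log(auditLockfile(lockSample));     // nested cli-table3 copy flagged
```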
