A dependency of the surge package was vandalized

[briantist]

See:

• ⚠please pin colors to 1.4.0 sintaxi/surge#469
• Zalgo issue with v1.4.44-liberty-2 release Marak/colors.js#285

This makes surge useless at the moment, but looking at the offending commit, it's not actually dangerous: Marak/colors.js@074a0f8#diff-92bbac9a308cd5fcf9db165841f2d90ce981baddcb2b1e26cfff170929af3bd1R18 just runs an infinite loop.

Note that the surge workflow drops all permissions except for contents: read, so it has no access to change anything it runs in, and can't read anything sensitive except the surge token passed into the workflow.

[DABH]

Please just pin the colors dependency to 1.4.0, and see the following if you need additional context: Marak/colors.js#285 (comment)