(cli): liberty liberty liberty? #18323
Comments
These are my global modules:
Duplicate of #18322
Please check open issues before creating new ones. I guess this one here can be closed.
My bad. I did only a brief look. I'll close it.
Fixes #18322 and #18323 Clarifying question: I'm not sure if the `yarn.lock` file should have automatically updated itself to only refer to `colors@1.4.0` when I set the dependency within the workspace _and_ added the resolution for child dependencies. If it's expected behavior for it _not_ to update the `yarn.lock` file after adding `resolutions`, great! If I need to do something else for that to happen, let me know! ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
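An added check (not part of the PR above or of the aws-cdk project) for the situation the PR author describes: once `colors` is pinned in `resolutions`, every `colors` entry in a yarn v1 lockfile should resolve to the pinned version, and any entry that still points elsewhere means the lockfile was not regenerated. The `package.json` and `yarn.lock` below are constructed samples (the `1.4.99` version is a made-up stand-in for "anything other than the pin"), and the lockfile parser is a simplified one written for this example.

```javascript
// Constructed sample package.json: the workspace dependency plus a resolution
// that forces every child dependency onto the same version.
const PACKAGE_JSON = {
  name: "example-workspace", // hypothetical
  dependencies: { colors: "1.4.0" },
  resolutions: { colors: "1.4.0" },
};

// Constructed yarn.lock (v1 format) excerpt. The last entry still resolves to a
// different (made-up) version, as happens when the lockfile is not regenerated
// after the resolution is added.
const YARN_LOCK = `
# constructed sample, not a real lockfile
"@example/lib@^1.0.0":
  version "1.0.0"
  resolved "https://registry.yarnpkg.com/@example/lib/-/lib-1.0.0.tgz"

colors@1.4.0:
  version "1.4.0"
  resolved "https://registry.yarnpkg.com/colors/-/colors-1.4.0.tgz"

"colors@^1.4.0":
  version "1.4.99"
  resolved "https://registry.yarnpkg.com/colors/-/colors-1.4.99.tgz"
`;

// Minimal yarn v1 lockfile parser: an unindented line ending in ":" opens an
// entry (comma-separated, optionally quoted "name@range" specifiers); the
// indented `version "..."` line beneath it gives the resolved version.
function parseYarnLock(text) {
  const entries = [];
  let current = null;
  for (const raw of text.split("\n")) {
    if (!raw.trim() || raw.startsWith("#")) continue;
    if (!raw.startsWith(" ")) {
      const specs = raw.replace(/:\s*$/, "").split(",")
        .map((s) => s.trim().replace(/^"|"$/g, ""));
      current = { specs, version: null };
      entries.push(current);
    } else if (current) {
      const m = raw.match(/^\s+version\s+"([^"]+)"/);
      if (m) current.version = m[1];
    }
  }
  return entries;
}

// Report every lockfile entry for a package named in `resolutions` whose
// resolved version differs from the pin. The package name is everything before
// the last "@", so scoped packages like "@scope/name@range" work too.
function findUnpinned(pkg, lockText) {
  const resolutions = pkg.resolutions || {};
  const problems = [];
  for (const entry of parseYarnLock(lockText)) {
    for (const spec of entry.specs) {
      const name = spec.slice(0, spec.lastIndexOf("@"));
      const pinned = resolutions[name];
      if (pinned && entry.version !== pinned) {
        problems.push({ spec, version: entry.version, pinned });
      }
    }
  }
  return problems;
}

console.log(JSON.stringify(findUnpinned(PACKAGE_JSON, YARN_LOCK), null, 2));
```

Run against a real project, the script would read `package.json` and `yarn.lock` from disk instead of the embedded samples; an empty result means the lockfile agrees with the pin.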
npx marak-free
How many projects are affected? Damn I came across two in the last 5 min
@ondbyte Ours too. Building the product just prints rubbish on the console.
Literally everything that uses colors.js is affected
Does this mean Amazon is including code from external sources without reviewing it?
The CDK is for local development and does not run on their servers afaik. These are completely different things. The CDK is a tool to build products. Provisioning is not done with this and the projects also do not run with this in production. Like any SDK, a CDK is a development tool, nothing more.
More on why the developer has done it here. https://www.bleepingcomputer.com/news/security/dev-corrupts-npm-libs-colors-and-faker-breaking-thousands-of-apps/
Check the link.
The solution can be to lock the version in package.json
Ars Technica is covering this issue too.
What's ironic is, the developer has been locked out of his/her account and npm has reverted to the last working version of these packages.
What the heck, I also found a tweet from the developer of this package.
What is the problem?
Installing cdk with pnpm:
Causes weird output due to faker.js (I presume):
colors.js is having the same issue.
Reproduction Steps
What did you expect to happen?
cdk help...any sane/normal output.
What actually happened?
Insane output.
CDK CLI Version
2.4.0
Framework Version
No response
Node.js Version
16.3.0
OS
Arch Linux x86_64 (up to date)
Language
Typescript
Language Version
No response
Other information
No response