SECURITY - Cucumber affected by Marak/colors.js#285

[jan-molak]

Describe the bug
Malicious code introduced in colors version 1.4.1 and 1.4.2 causes Cucumber.js to fall into an infinite loop, printing gibberish to the terminal.

CC: @davidjgoss @aslakhellesoy @jbpros

To Reproduce

Use any feature that prints to the terminal, for example:

npx @cucumber/cucumber --version

Screenshots
If applicable, add screenshots to help explain your problem.

Desktop (please complete the following information):

• OS: any
• Browser any
• Version all (Serenity/JS runs tests against Cucumber 1.x to 8.x, the issue is present in all version of Cucumber because of the dependency on cli-table3 and/or colors)

TO FIX

Short term:

• Pin dependency on colors to 1.4.0 - see Zalgo issue with v1.4.44-liberty-2 release Marak/colors.js#285 (comment), or ideally "@dabh/colors": "1.4.0", since there's no guarantee colors 1.4.0 will not get compromised next
• Update cli-table3 to ^0.6.1 - see colors.js has issues cli-table/cli-table3#251

Long term:

• Consider replacing colors with chalk

Additional context
Add any other context about the problem here.

Marak/colors.js#285

[kevin-s-wang]

Due to this incidence, it should raise our concerns of using third-party libraries. Perhaps, a viable and preferable way is to lock down the versions of the dependencies, especially for those being widely used.

[davidjgoss]

An update:

• We've release new versions on the current release streams that pin to the (safe) v1.4.0 of colors
  • 8.0.0-rc.2
  • 7.3.2 (best for most people)
• npm seems to have pulled the offending versions of colors from the registry

So I think the immediate work needed is done, between all of that. I've opened #1888 to deal with switching to chalk.

Thanks again @mannyluvstacos for submitting the critical fix!

[mattwynne]

Yes, big thanks @mannyluvstacos!