security fix: pin or replace colors dependency #1124
Comments
@micalevisk Could you please send a PR for that?
the version used here is
@micalevisk Depends on what Node version they support. What were the breaking changes for 1.0.0?
well that will be hard to tell as there's no changelog to look at Marak/colors.js@v0.6.2...v1.0.0
Keeping the current semver range won't cover the latest version of
I didn't really get how
Line 629 in 2211e32
Probably we need to replace it with colorette :)
Hi, I think the problem is in the prettyjson module. It uses colors.js version 1.4.2. Any way to fix it?
oh, yeah I guess we only need to wait for them rafeca/prettyjson#54
Forever crashing is causing many apps & servers to be offline right now. It'd be great if we could switch to a prettyJson fork temporarily if that PR can't make it shortly.
rm -rf /usr/lib/node_modules/forever/node_modules/prettyjson/node_modules/colors/
cd /usr/lib/node_modules/forever/node_modules/prettyjson
npm install colors@1.4.0
You can do this as a temporary solution before
Had some servers using
there is a fixed version of prettyjson coming up, will release new forever when that happens
Fix released in 4.0.2
Thank you
Thanks everyone for that patch!
forever/package.json
Line 24 in 2211e32
colors was intentionally compromised by the author. The latest working version is 1.4.0. So I believe you need to pin that version to 1.4.0 to prevent issues from the next upgrades.
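
An added example (not from this thread or the forever project): a Node.js check that lists every installed copy of colors recorded in an npm lockfile, including copies nested under a dependent such as prettyjson, and flags any newer than 1.4.0. The lockfile contents, the package versions and ranges in it, and the function names are constructed for illustration.

```javascript
// Last version the issue reports as working; anything newer is flagged.
const LAST_GOOD = "1.4.0";

// Constructed sample in npm lockfileVersion 2/3 layout (not forever's real lockfile).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", dependencies: { colors: "~0.6.2", prettyjson: "^1.2.1" } },
    "node_modules/colors": { version: "0.6.2" },
    "node_modules/prettyjson": { version: "1.2.1", dependencies: { colors: "^1.1.2" } },
    "node_modules/prettyjson/node_modules/colors": { version: "1.4.2" },
  },
};

// Compare the numeric x.y.z part of two versions; returns -1, 0 or 1.
// Pre-release suffixes after "-" are ignored, so this is not full semver ordering.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Walk the lockfile's "packages" map and collect:
//   installs:   every physical copy of `name`, top level or nested
//   dependents: every package that declares a range on `name`
function auditLock(lock, name, lastGood) {
  const installs = [];
  const dependents = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const range = meta.dependencies && meta.dependencies[name];
    if (range) dependents.push({ pkg: path || "(root project)", range });
    // Keys look like "node_modules/prettyjson/node_modules/colors".
    if (path.split("node_modules/").pop() !== name) continue;
    installs.push({
      path,
      version: meta.version,
      flagged: compareVersions(meta.version, lastGood) > 0,
    });
  }
  return { installs, dependents };
}

const report = auditLock(SAMPLE_LOCK, "colors", LAST_GOOD);
for (const i of report.installs) {
  console.log(`${i.flagged ? "FLAG" : "ok  "} ${i.version} at ${i.path}`);
}
for (const d of report.dependents) console.log(`range ${d.range} declared by ${d.pkg}`);
```

The dependents list shows why pinning only the top-level range is not enough: a nested copy is resolved from the dependent's own range.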