
security fix: pin or replace colors dependency #1124

Closed
micalevisk opened this issue Jan 9, 2022 · 14 comments · Fixed by #1127

Comments

@micalevisk

micalevisk commented Jan 9, 2022

```json
"colors": "^0.6.2",
```

colors was intentionally compromised by the author. The latest working version is 1.4.0. So I believe you need to pin that version to 1.4.0 to prevent issues from the next upgrades.


@kibertoad
Contributor

@micalevisk Could you please send a PR for that?

@micalevisk
Author

The version used here is 0.6.2. Do you think upgrading it to the latest working major will be fine? I didn't manage to run the tests here.

@kibertoad
Contributor

@micalevisk Depends on what Node version they support. What were the breaking changes for 1.0.0?

@micalevisk
Author

Well, that will be hard to tell as there's no changelog to look at: Marak/colors.js@v0.6.2...v1.0.0

Keeping the current semver range won't cover the latest version of colors.

I didn't really get how colors is being used by forever tbh. I've just found this one:

```js
colors.mode = 'none';
```

@kibertoad
Contributor

Probably we need to replace it with colorette :)

@jerome-yvan

Hi, I think the problem is in the prettyjson module. It uses colors.js version 1.4.2. Any idea how to fix it?

@micalevisk
Author

Oh, yeah.

I guess we only need to wait for them: rafeca/prettyjson#54

@iplanwebsites

Forever crashing is causing many apps & servers to be offline right now. It'd be great if we could switch to a prettyJson fork temporarily if that PR can't make it shortly.

@ghost

ghost commented Jan 10, 2022

```sh
rm -rf /usr/lib/node_modules/forever/node_modules/prettyjson/node_modules/colors/
cd /usr/lib/node_modules/forever/node_modules/prettyjson
npm install colors@1.4.0
```

You can do this as a temporary solution before prettyjson applies rafeca/prettyjson#54.

@iplanwebsites

Had some servers using npx forever in built environments that were particularly complex to patch.

@kibertoad
Contributor

There is a fixed version of prettyjson coming up; will release a new forever when that happens.

@kibertoad
Contributor

Fix released in 4.0.2

@jerome-yvan

> Fix released in 4.0.2

Thank you

@iplanwebsites

Thanks everyone for that patch!
