From 7f1ddf932cddc1dd4981f02bdefe85211f89c037 Mon Sep 17 00:00:00 2001
From: Manny
Date: Sun, 9 Jan 2022 19:16:04 -0600
Subject: [PATCH] fix: pin colors@1.4.0 to fix security vuln

A Security Vuln was identified in the Colors package for >1.4.0, offending packages being `1.4.1`, `1.4.44-liberty` - [source1](https://twitter.com/snyksec/status/1480286811482206216?ref_src=twsrc%5Egoogle%7Ctwcamp%5Eserp%7Ctwgr%5Etweet) - [source2](https://twitter.com/snyksec/status/1480286811482206216?ref_src=twsrc%5Egoogle%7Ctwcamp%5Eserp%7Ctwgr%5Etweet) - [source3](https://security.snyk.io/vuln/SNYK-JS-COLORS-2331906) This PR pins the color package to `1.4.0` as advised on the [snyk page](https://snyk.io/blog/open-source-maintainer-pulls-the-plug-on-npm-packages-colors-and-faker-now-what/)
---
 cli/package.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cli/package.json b/cli/package.json
index af6d2f7fa6..b7b6dd5db2 100644
--- a/cli/package.json
+++ b/cli/package.json
@@ -29,7 +29,7 @@
 },
 "dependencies": {
 "@octokit/rest": "^18.12.0",
- "colors": "^1.4.0",
+ "colors": "1.4.0",
 "flowgen": "^1.10.0",
 "fs-extra": "^8.1.0",
 "glob": "^7.1.6",
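Review bot: The exact pin on the `+ "colors": "1.4.0",` line only constrains the dependency declared directly in cli/package.json; any other package in the tree that declares `colors` with a range such as `^1.4.0` can still resolve to 1.4.1 or 1.4.44-liberty, and the diffstat shows only package.json changed, so the version a fresh install actually resolves is not fixed by this commit. If the project keeps a package-lock.json or yarn.lock, it should be regenerated in the same change so that `npm ci` installs the pinned 1.4.0 rather than whatever the old lock recorded. To cover transitive dependents, an `"overrides": { "colors": "1.4.0" }` block (npm 8.3 and later) or the equivalent `"resolutions"` entry under yarn forces the whole tree to 1.4.0, and an `npm ls colors` run after install confirms that no other version remains. Since package.json cannot carry a comment, the reason for the pin is worth recording in a README or CHANGELOG line next to the CLI, e.g. `colors is pinned to 1.4.0 because later releases were compromised (see SNYK-JS-COLORS-2331906)`, so a future dependency bump does not silently restore a caret range.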