fix(deps): pin colors package to 1.4.0 due to security vulnerability

[sergei-startsev]

Another one, hopefully contains all required changes 😩

Pin colors package to 1.4.0 version due to security vulnerability. See details:

• 1.4.0...1.4.2 diff
• Zalgo issue with v1.4.44-liberty-2 release Marak/colors.js#285
• https://www.theverge.com/2022/1/9/22874949/developer-corrupts-open-source-libraries-projects-affected
• https://www.bleepingcomputer.com/news/security/dev-corrupts-npm-libs-colors-and-faker-breaking-thousands-of-apps/

[ellyxc]

is it possible if we set in config color:false don't load/require the color to avoid similar issue in the future?

[devoto13]

Thanks for the PR!

[sergei-startsev]

is it possible if we set in config color:false don't load/require the color to avoid similar issue in the future?

I'd rather replace colors with another package (e.g. chalk) in the long run.

[simonl65]

Would be great if you would merge this - if only as a temporary workaround - as it's likely affecting MANY users worldwide ;-)

Happy for you to use an alternative, but delays cost lots of hair pulling.

[SerkanSipahi]

Here is an interim solution nrwl/nx#8450 (comment) !

[nicojs]

Update: NPM has pulled versions 1.4.2 and 1.4.1. Installing the latest colors version will give you 1.4.0. This means that the problem is solved for karma users today, but this PR should still be merged IMO, for the karma users of tomorrow. (and later be replaced with a package that has a responsible maintainer)

[jginsburgn]

@sergei-startsev please fix the CI tests :)

[jginsburgn]

@sergei-startsev please fix the CI tests :)

Sorry, I just realized that CI will turn green after #3742 is merged. Let's just wait for that.

[karmarunnerbot]

🎉 This PR is included in version 6.3.11 🎉

The release is available on:

• npm package (@latest dist-tag)
• GitHub release

Your semantic-release bot 📦🚀

[simonl65]

Thank you