
yamlinc depends on the corrupted npm lib 'colors'

Open unidevel opened this issue 3 years ago • 3 comments

Running yamlinc produces garbled output after installing it globally with `npm install -g yamlinc`.

unidevel avatar Jan 10 '22 13:01 unidevel

The infinite loop introduced in the code will keep running indefinitely, printing the gibberish non-ASCII character sequence endlessly on the console for any application that uses 'colors'.

More info about colors package issue is here: https://www.bleepingcomputer.com/news/security/dev-corrupts-npm-libs-colors-and-faker-breaking-thousands-of-apps/

A temporary solution is to pin the exact version of the colors package, i.e. 1.3.3 or 1.4.0 instead of ^1.3.3 (which installs the latest minor/patch version, the compromised 1.4.2).

novalu avatar Jan 10 '22 16:01 novalu
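To make the pinning advice above concrete, here is an added example (not code from the yamlinc project or from anyone in this thread) that checks whether a dependency range such as `^1.3.3` admits the compromised colors versions named in the thread (1.4.1 and 1.4.2), and scans a constructed package-lock fragment for a resolved bad version. The lockfile contents and the hypothetical helper names are assumptions.

```javascript
// Affected colors versions as named in this issue thread.
const BAD_COLORS_VERSIONS = ['1.4.1', '1.4.2'];

// Parse "MAJOR.MINOR.PATCH" into an array of three numbers.
function parseVersion(v) {
  return v.split('.').map(Number);
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Minimal semver check covering the two forms this issue cares about:
// an exact pin ("1.4.0") and a caret range ("^1.3.3").
// Caret rules: ^1.3.3 -> >=1.3.3 <2.0.0; ^0.2.3 -> >=0.2.3 <0.3.0; ^0.0.3 -> exactly 0.0.3.
function rangeAdmits(range, version) {
  const v = parseVersion(version);
  if (!range.startsWith('^')) return compareVersions(v, parseVersion(range)) === 0;
  const base = parseVersion(range.slice(1));
  if (compareVersions(v, base) < 0 || v[0] !== base[0]) return false;
  if (base[0] > 0) return true;
  if (base[1] > 0) return v[1] === base[1];
  return v[1] === base[1] && v[2] === base[2];
}

// Which known-bad versions could `npm install` pick for a given range?
function badVersionsAdmittedBy(range, badVersions = BAD_COLORS_VERSIONS) {
  return badVersions.filter((v) => rangeAdmits(range, v));
}

// Scan the "packages" map of a lockfile (v2/v3 layout) for a resolved bad colors version.
function findCompromisedColors(lock, badVersions = BAD_COLORS_VERSIONS) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path.endsWith('node_modules/colors') && badVersions.includes(meta.version)) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// Constructed lockfile fragment for demonstration; not a real yamlinc lockfile.
const SAMPLE_LOCK = {
  packages: {
    'node_modules/yamlinc': {},
    'node_modules/colors': { version: '1.4.2' },
  },
};

console.log('^1.3.3 admits:', badVersionsAdmittedBy('^1.3.3')); // [ '1.4.1', '1.4.2' ]
console.log('1.4.0 admits:', badVersionsAdmittedBy('1.4.0'));   // []
console.log('lockfile hits:', findCompromisedColors(SAMPLE_LOCK));
```

Running it against a real `package-lock.json` (`JSON.parse(fs.readFileSync(...))`) shows whether an installed tree already contains one of the bad versions, independent of what the range in `package.json` says.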

I've pushed a pull request which fixes this issue: https://github.com/javanile/yamlinc/pull/32

novalu avatar Jan 10 '22 16:01 novalu

The compromised versions are deleted from npm.

There is no need to publish a new version of this library. Versions 1.4.1 and 1.4.2 are deleted, so this library uses the last working colors package, 1.4.0.

More info is here for example: https://github.com/Marak/colors.js/issues/317

novalu avatar Jan 11 '22 09:01 novalu