As a big enterprise organisation we are continuously scanning our dependencies for vulnerabilities and other security risks.
One of the dependencies of @pact-foundation/pact is 'cli-color' (https://github.com/medikoo/cli-color). This package by itself has no security risk, but it depends on 'es5-ext' (https://github.com/medikoo/es5-ext), which is marked as malicious by Sonatype (sonatype-2022-2248) as it contains malware/protestware in a postinstall script since 2022.
The question is: can this be replaced by an alternative package?
There are many alternatives that can do console coloring as well; probably the best known one is chalk: https://www.npmjs.com/package/chalk (see npm trends: https://npmtrends.com/chalk-vs-cli-color)
And @pact-foundation/pact only uses cli-color once to show a console error in red:
pact-js/src/httpPact/index.ts, line 210 in d3e24a7

Sonatype's rationale of it being unexpected to the end user is fair, as it isn't documented in the readme, and a user would have to go and read issue threads, probably after the fact.
We already use chalk in the pact-js-cli project, so I am happy with that being replaced.
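A defender-side check for the situation in this issue, added here as an example (it is not code from pact-js or from anyone in the thread): given the `packages` map of an npm lockfile (v2/v3), it lists every dependency chain that pulls in a flagged package and marks the packages on the chain that the lockfile records as having install scripts (`hasInstallScript`). The lockfile below is constructed to mirror the chain described above; the versions are placeholders.

```javascript
// Constructed lockfile v3 "packages" map modelled on the issue's chain; versions are placeholders.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "my-app", dependencies: { "@pact-foundation/pact": "1.0.0" } },
    "node_modules/@pact-foundation/pact": { version: "1.0.0", dependencies: { "cli-color": "1.0.0" } },
    "node_modules/cli-color": { version: "1.0.0", dependencies: { "es5-ext": "1.0.0", "d": "1.0.0" } },
    "node_modules/d": { version: "1.0.0", dependencies: { "es5-ext": "1.0.0" } },
    // npm sets hasInstallScript when a package's package.json declares (pre/post)install scripts
    "node_modules/es5-ext": { version: "1.0.0", hasInstallScript: true },
  },
};

// Mimic npm's lookup: <from>/node_modules/<name>, then each parent's node_modules, up to the root.
function resolveDep(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    const cut = base.lastIndexOf("/node_modules/");
    base = cut === -1 ? "" : base.slice(0, cut);
  }
}

// Human-readable label: name@version, flagged when the lockfile records an install script.
function label(packages, path) {
  const entry = packages[path];
  const name = path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
  return name + "@" + entry.version + (entry.hasInstallScript ? " [install script]" : "");
}

// Every dependency chain from the root project down to `target`, depth-first, cycle-safe.
function findChains(lock, target) {
  const packages = lock.packages;
  const chains = [];
  (function walk(path, trail) {
    for (const name of Object.keys(packages[path].dependencies || {})) {
      const depPath = resolveDep(packages, path, name);
      if (!depPath || trail.includes(depPath)) continue; // unresolved or cyclic
      const next = [...trail, depPath];
      if (name === target) chains.push(next.map((p) => label(packages, p)));
      else walk(depPath, next);
    }
  })("", []);
  return chains;
}

// All packages the lockfile marks as running install scripts: the surface this issue worries about.
function installScriptPackages(lock) {
  const pk = lock.packages;
  return Object.keys(pk).filter((p) => p && pk[p].hasInstallScript).map((p) => label(pk, p));
}

for (const chain of findChains(sampleLock, "es5-ext")) console.log(chain.join(" -> "));
```

To run it against a real project, replace `sampleLock` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; the lockfile must be v2 or v3, since v1 has no `packages` map.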