How new version of NPM package "colors" broke millions of installs

• colors.js

  52 5,159 0.0 JavaScript

  get colors in your node.js console

I started with the first most obvious `colors` (https://www.npmjs.com/package/colors). It was recently updated from 1.4.0 to 1.4.2, but there is catch. The code for 1.4.2 is not published on official github page. There no tag or release with 1.4.2 (https://github.com/Marak/colors.js). So I installed and saved both version and did a diff on them, and here is the difference:

• nest-cli

  2 1,896 9.6 TypeScript

  CLI tool for Nest applications 🍹

  

We ran into this last night with the @nestjs/cli. The code itself doesn't depend on colors, but cli-table3, which we had a pinned version of did depend on colors, and didn't have the dependency pinned. So when 1.4.2 was released, introducing the bug, we go flooded with reports that nest new and nest help started failing all of a sudden. Fortunately, cli-table3 had a patch to downgrade the colors dependency, and are looking at removing it altogether, but the cascading effect was quite annoying to deal with.

• SurveyJS

  surveyjs.io featured

  Open-Source JSON Form Builder to Create Dynamic Forms Right in Your App. With SurveyJS form UI libraries, you can build and style forms in a fully-integrated drag & drop form builder, render them in your JS app, and store form submission data in any backend, inc. PHP, ASP.NET Core, and Node.js.

  

• berry

  188 7,174 9.2 TypeScript

  📦🐈 Active development trunk for Yarn ⚒

  

Depends on your package manager then. pnpm and yarn both support the resolutions property in the package.json so you can do

Suggest a related project