security fix: pin or replace `colors` dependency

[micalevisk]

forever/package.json

Line 24 in 2211e32

"colors": "^0.6.2",

colors was intentionally compromised by the author. The latest working version is 1.4.0. So I believe you need to pin that version to 1.4.0 to prevent issues from the next upgrades.

[kibertoad]

@micalevisk Could you please send a PR for that?

[micalevisk]

the version used here is 0.6.2. Do you think upgrading it to the latest working major will be fine? I didn't manage to run the tests here.

[kibertoad]

@micalevisk Depends on what Node version they support. What were the breaking changes for 1.0.0?

[micalevisk]

well that will be hard to tell as there's no changelog to look at Marak/colors.js@v0.6.2...v1.0.0

Keeping the current semver range won't cover the latest version of colors.

I didn't really get how colors is being used by forever tbh. I've just found this one

forever/lib/forever/cli.js

Line 629 in 2211e32

colors.mode = 'none';

[kibertoad]

Probably we need to replace it with colorette :)

[jerome-yvan]

Hi, I think the problem is on prettyjson module. It uses the colors.js version 1.4.2. Anyway on how to fix it?

[micalevisk]

oh, yeah

I guess we only need to wait them rafeca/prettyjson#54

[iplanwebsites]

Forever crashing is causing many apps & servers to be offline right now. It'd be great if we could switch to a prettyJson fork temporarily if that PR can't make it shortly.

rm -rf /usr/lib/node_modules/forever/node_modules/prettyjson/node_modules/colors/
cd /usr/lib/node_modules/forever/node_modules/prettyjson
npm install colors@1.4.0

You can do this as an temporary solution before prettyjson apply rafeca/prettyjson#54.

[iplanwebsites]

Had some servers using npx forever in built environments that were particularly complex to patch.

[kibertoad]

there is a fixed version of prettyjson coming up, will release new forever when that happens

[kibertoad]

Fix released in 4.0.2

[jerome-yvan]

Fix released in 4.0.2

Thank you