Use of Insecure Tinycolor within vscode-mssql

[adamreisberg-acn]

The devDependencies on package.json lists the following dependency:

vscode-mssql/package.json

Lines 83 to 85 in ea10207

	"devDependencies": {
	"@azure/core-paging": "^1.6.2",
	"@ctrl/tinycolor": "^4.1.0",

Given the following supply chain attack as noted here...

• https://socket.dev/blog/tinycolor-supply-chain-attack-affects-40-packages

... plus the recommendations in the following issue, as quoted below

Recommend pinning to 4.1.0 or updating to ^4.2.0

scttcper/tinycolor#257

... there are a few questions:

1. Did the tinycolor supply chain attack impact vscode-mssql?
2. Is the team planning on pinning to @ctrl/tinycolor to 4.1.0 or ^4.2.0?

[kburtram]

We bumped to 4.2.0 with #20230. The yarn.lock was pinned to 4.1.0 so there should not have been an impacted version of tinycolor in the supply chain as far as I know.