[FOLIO-3383] avoid sabotaged colors.js > 1.4.0 Created: 10/Jan/22  Updated: 13/Jan/22  Resolved: 13/Jan/22

Status: Closed
Project: FOLIO
Components: None
Affects versions: None
Fix versions: None

Type: Task Priority: P1
Reporter: Zak Burke Assignee: Zak Burke
Resolution: Done Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original estimate: Not Specified

Issue links:
Cloners
is cloned by STCLI-188 avoid sabotaged colors.js > 1.4.0 Closed
Sprint: DevOps Sprint 131
Development Team: FOLIO DevOps

 Description   

Summary: The platform's package.json must lock to colors 1.4.0 to avoid sabotaged patch releases.
Details: colors.js, a transitive dependency of stripes-cli, was sabotaged by its owner in several patch releases published directly to NPM, including 1.4.2, 1.4.1, and 1.4.44-liberty-2.



 Comments   
Comment by John Malconian [ 10/Jan/22 ]

I went ahead and pinned colors to 1.4.0 on the following branches in platform-complete in addition to the snapshot branch:

  • master
  • R3-2021
  • R2-2021
  • R1-2021

Also did the same for platform-core (snapshot and master) for good measure.

Comment by John Malconian [ 13/Jan/22 ]

As discussed on Slack here: https://folio-project.slack.com/archives/C58TABALV/p1642003556044800, the FOLIO Jenkins CI is still having issues with the bogus colors > 1.4.0 npm dep when invoking stripes-cli to run things like karma unit tests. This is causing an infinite loop, eventual build failure, and a Jenkins build log that can grow to 18-20GB. The latest CI version of stripes-cli has colors 1.4.0 defined as a dev dep, but the bogus version is still slipping in there somehow.

Comment by John Malconian [ 13/Jan/22 ]

Removed the globally installed stripes-cli from the Jenkins CI build image for good measure. Issue still persists.

Comment by John Malconian [ 13/Jan/22 ]

Looks like npmjs.org finally removed colors 1.4.2 from its repo. That means I should be able to remove it from the FOLIO Nexus npmjs.org proxy repo.

Comment by John Malconian [ 13/Jan/22 ]

One thing to note was that when I removed colors 1.4.2 from the Nexus repo, 'yarn install' failed because it couldn't find 1.4.2. This means it was previously still resolving to 1.4.2 even with the dep pinned in stripes-cli. I think it was likely something else depended on colors as well.

Comment by John Malconian [ 13/Jan/22 ]

Closing.

Generated at Thu Feb 08 23:27:42 UTC 2024 using Jira 1001.0.0-SNAPSHOT#100246-sha1:7a5c50119eb0633d306e14180817ddef5e80c75d.