fix(dependency): Use older version of colors package. #3739
Conversation
Use colors version 1.4.0. A malicious bug has been introduced in colors version 1.4.1.
Karma v4.4.1 currently points to colors ^1.4.0 as a dependency. However, because I'm attempting to merge a change into a lower release, I'm not sure how this Pull Request should be made. It says I'm attempting to merge into karma-runner:master, but I want to fix a lower version than the master HEAD and then have you deploy it into a new v4.4 patch. How do I make such a change?
@YoniSegal We generally only support the latest version of Karma with fixes because of the limited maintenance time, so I don't think we'll be merging and releasing a 4.x branch. The fix will be made on the latest version, so I would suggest to update to it. If you can't update for some reason, consider using NPM overrides or Yarn resolutions to set the colors dependency to 1.4.0 in your project.
I understand that as a general rule.
Well, I don't have permissions to release anything myself, so I would let @jginsburgn decide. But note that it's not that somebody manually publishes to NPM; it's a CI job which does it, and getting CI green on a pretty old branch may actually take quite some effort.
@devoto13 what about karma v5.x.x and v6.x.x?
@SerkanSipahi The malicious releases were taken off the NPM registry, so we'll not be releasing 5.x, but we'll pin |
@devoto13 sounds good for me 👌 |
I agree with @devoto13 in that it could be significant to make CI/CD green in an older release. However, I can accept a PR that passes all CI tests to pin |
Use colors version 1.4.0. A malicious bug has been introduced in colors version 1.4.1.
Fixes #3738 (comment)