Security: Pinned colors library to 1.4.0 (#488)

* Security: Pinned colors library to 1.4.0 See https://www.bleepingcomputer.com/news/security/dev-corrupts-npm-libs-colors-and-faker-breaking-thousands-of-apps/ We don't use other libraries mentioned in there, so we're good on those. * Ensure security fix is published to npm * Update our action as depedents need the fix in their json too This won't fix this for all our dependents because most of them don't use the action, but this will fix it for those that use the action. * Update package.json and package-lock.json to match the new version
SuffolkLITLab · Jan 10, 2022 · d1cc76c · d1cc76c
1 parent 4e7cd8d
commit d1cc76c
Show file tree

Hide file tree

Showing 4 changed files with 912 additions and 419 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -39,15 +39,26 @@ Format:
 - 
 -->
 <!-- ## [Unreleased] -->
+## [3.0.9] - 2022-01-10
+### Security
+- Install the security fix in the action's package.json as well. Because dependents have to require cucumber itself, if they're not using our action (if they have their own package.json), they're going to have to implement this fix in their repo too. That's why our fix isn't working. We'll start the process of helping developers update. We also need to deprecate all previous versions of ALKiln. See #489.
+
+## [3.0.8] - 2022-01-10
+### Security
+- Fully publish the security fix in v3.0.7
+
+## [3.0.7] - 2022-01-10
+### Security
+- Pinned colors library to 1.4.0. See https://www.bleepingcomputer.com/news/security/dev-corrupts-npm-libs-colors-and-faker-breaking-thousands-of-apps/. We don't use faker, so we don't need to handle that.
 
-## [3.0.6] - 2021-01-07
+## [3.0.6] - 2022-01-07
 ### Changed
 - See #371
 - Scenario heading tags are now on a second line
 - Artifact filenames use dashes more and are created separately from Scenario headings
 - Scenario ids are separated from filenames and Scenario headings
 
-## [3.0.5] - 2021-01-06
+## [3.0.5] - 2022-01-06
 ### Added
 - Add action.yml that runs most of what users' workflows run now, along with notes for a new user workflow that will take less maintainance. See #420. We need to add documentation on how to write a workflow file as it currently is if they want to take back control. Setup interview has not yet been updated with this workflow.
 - Add package.json creation/overwriting to action.yml. Simplify package.json.

diff --git a/action.yml b/action.yml
@@ -39,7 +39,8 @@ runs:
           },
           "dependencies": {
             "cucumber": "^6.0.5",
-            "docassemble-cucumber": "^3.0.0"
+            "docassemble-cucumber": "^3.0.0",
+            "colors": "1.4.0"
           }
         }
       shell: bash