fix(dependency): Use older version of colors package.

[YoniSegal]

Use colors version 1.4.0. Malicious bug has been introduced to colors version 1.4.1

Fixes #3738 (comment)

[YoniSegal]

Karma v4.4.1 currently points to colors ^1.4.0 as a dependency.
There is a bug in 1.4.1. This PR specifies 1.4.0 as the release to be used.

However, because I'm attempting to merge a change into a lower release, I'm not sure how this Pull Request should be made.

It says I'm attempting merge into karma-runner:master, but I want to fix a lower version than the master HEAD and then have you deploy it into a new v4.4 patch. How do I make such a change?

[devoto13]

@YoniSegal We generally only support the latest version of Karma with fixes because of the limited maintenance time, so I don't think we'll be merging and releasing a 4.x branch. The fix will be made on the latest version, so I would suggest to update to it. If you can't updated for some reason, consider using NPM overrides for Yarn resolutions to set colors dependency to 1.4.0 in your project.

[YoniSegal]

@YoniSegal We generally only support the latest version of Karma with fixes because of the limited maintenance time, so I don't think we'll be merging and releasing a 4.x branch. The fix will be made on the latest version, so I would suggest to update to it. If you can't updated for some reason, consider using NPM overrides for Yarn resolutions to set colors dependency to 1.4.0 in your project.

I understand that as a general rule.
But I think this should be an exception as the fix is quite simple.
You just need to go to 4.4.1, pin the dependency and release a patch 4.4.2. Will that really cost so much maintenance time?

[devoto13]

Well, I don't have permissions to release anything myself, so I would let @jginsburgn decide.

But note that it's not that somebody manually publishes to NPM, it's a CI job which does it and getting a CI green on a pretty old branch may actually take quite some effort.

[SerkanSipahi]

@devoto13 what about karma v.5.x.x and v6.x.x ?

[devoto13]

@SerkanSipahi The malicious releases were taken off the NPM registry, so we'll not be releasing 5.x, but we'll pin colors package in the 6.x branch and likely replace it in 7.x line once it is started.

[SerkanSipahi]

@devoto13 sounds good for me 👌

[jginsburgn]

Well, I don't have permissions to release anything myself, so I would let @jginsburgn decide.

But note that it's not that somebody manually publishes to NPM, it's a CI job which does it and getting a CI green on a pretty old branch may actually take quite some effort.

I agree with @devoto13 in that it could be significant to make CI/CD green in an older release. However, I can accept a PR that passes all CI tests to pin colors in older versions. Otherwise, we do not have the time bandwidth for that.