
"Zalgo" bomb from dependency on the "colors" package #116

Closed
mceachen opened this issue Jan 9, 2022 · 4 comments

Comments


mceachen commented Jan 9, 2022

$ docker pull node:16
$ docker run -it node:16 sh
# yarn init
# yarn add cli-progress
yarn add v1.22.15
info No lockfile found.
[1/4] Resolving packages...
[2/4] Fetching packages...
[3/4] Linking dependencies...
[4/4] Building fresh packages...
success Saved lockfile.
warning Your current version of Yarn is out of date. The latest version is "1.22.17", while you're on "1.22.15".
info To upgrade, run the following command:
$ curl --compressed -o- -L https://yarnpkg.com/install.sh | bash
success Saved 7 new dependencies.
info Direct dependencies
└─ cli-progress@3.9.1
info All dependencies
├─ ansi-regex@5.0.1
├─ cli-progress@3.9.1
├─ colors@1.4.1
├─ emoji-regex@8.0.0
├─ is-fullwidth-code-point@3.0.0
├─ string-width@4.2.3
└─ strip-ansi@6.0.1
Done in 0.55s.
# node
> const {MultiBar} = require("cli-progress")
LIBERTY LIBERTY LIBERTY
LIBERTY LIBERTY LIBERTY
LIBERTY LIBERTY LIBERTY
                                   !             H|H|H|H|H           H__________________________________             H|§|§|§|H           H|* * * * * *|---------------------|             H|§|∞|§|H           H| * * * * * |---------------------|             H|§|§|§|H           H|* * * * * *|---------------------|             H|H|H|H|H           H| * * * * * |---------------------|             H|H|H|H|H           H|---------------------------------|          ===============        H|---------------------------------|            /| _   _ |          H|---------------------------------|            (| O   O |)          H|---------------------------------|            /|   U   |          H-----------------------------------             |  =/  |           H              _..._/            H              _|I/|_            H      _______/| H |/_______    H     /           / /          H    |          | | /         |  H    |          ||o||          |  H    |    |     ||o||     |    |  H    |    |     ||o||     |    |  H   Carl Pilcher  
t̂̇e̔͊sͥͦt̔̂̑ĭ̈̀n̆̐ḡ͆̎ ͌ͥ ҉̵̛t͐ͭ̍eͯ̚ś̑t̑̑ȉͭn͌̌g̾̈ ͬ͆̔ ҉̶̹͠tͨ̍̏eͥ̚sͬ͐̈t̃̅ĭ̌ń̌g͐̋ ͧͪtͬ͒ ҉͉̟̲e̓̒ ҉̸̣sͮ͒ ҉̠̣͓t̂̆i̔ͥnͪ̋̎g̓̈́ ̈̓͂ ҉̡̪t̓͛͊eͫ̾ ҉̷̨̬̠̬s̔̔t̍̓͋i̓ͮ ҉̴̲̣͝nͮ́gͫ̈ ͦ̓ͫt̊̒ͦe̓͒ ҉̡̢̩s̉͆ͪt̓ͤi͑̂ ҉̹̀͢n̍̇g̓̿ ̍͐tͥͨ̿e͊ͩ̈s̆ͣtͨ̃i̾͂ ҉̖͙̞́nͧͬ̍̋ͬg̈̋ ҉̀́
t̓̄̋eͣ̎s̓̍t̔̎̈iͯ̓ ҉̨͇̲n̿̋gͫ͊ ҉͕͍ ̽̂t͊̈ͮěͪs̃̒ͩt̅̌i͐̂n͒̍g͆ͥ ͧ̎ ҉̶̴̻͚̯t̾̎eͦ̓s͐͆ ҉̢̕tͪͣ ҉̴͟iͪ̍n̑̓g̓͆ ͂ͧt̾͛ ҉̧͎e͊ͤs̈̂t͌̐̀i̊́n͑ͦḡ̇́ ͨ̈tͧ̓ȇͧ̓s͊͆t́̏iͧ͗̃̀n̈̓̈gͮ͋̚ ̍͌tͣ̒eͨͯšͫt̉ͫ́ ҉̷̺͡i̔ͧn̈̈ğ̿ ͑̏ͤt̐̀eͦ͌̆͊s̆̒t͒͆i͐͗ ҉̙͎͉ǹͪg̓̈́
t̆ͬe̓̃s̍̆t̉̃ͭi̓̆n͒͆ ҉̻̻ĝͣ ̂ͨt̆͊ẻ̚s̏̃̍tͭ̾̀î̚n͆͊g̈͑ ́̌t̑ͦe̔ͫ ҉̰͇ͅs̄͂̈t̏̆ ҉̢͙̤̱i̽̏nͧ̚g̿ͣ ̅̓ťͤeͩ͌͗s̐͋t͗ͬ͐i̽̔n̔̓gͫ̈͒ ̆̅t̄͆eͩͫs̄̏tͩͤi͌͗̐͋n͒̄̔ĝ͊ͬ ͯ͋t͒̄̓e̿̏̓s̈ͩ ҉̡̹͡t̓ͭǐ̅nͥ ҉̧̠͠g̈̆ ̍̈t͌̚e̓̎s̐̚t͊͛ ҉̭͟i͆̑n̾̋̆ ҉̡̖͞g̿́
t͌̋eͤͬs͒̅tͮ͗iͨͥnͪͣgͦͮ ͆̌tͮͮé͂sͫ̚t͆̾ ҉̭̺i͂̍nͥ͒g̈ͪ ҉͇̯̙ ̌̊t͋ͯẻͯ̉sͣ̈tͪ̒̽ȉ̈ñͤgͭ͋ ͧ͑͊tͦ̋e͂̑sͦ̄tͦ̈i̋̾n̔ͤğ̊ ̅̈t̍̓ ҉̮̥̻̺e͂̄ŝ̋ť̓ ҉̴̝i̇́n̋g͗̓ ͥ͆t͆ͥeͫ̋s͊̌ ҉̴̸tͨ̇ ҉͍͔i͆̒̌n̂̋̃ ҉̶͘g̎ͮ ͭ͗̊t̾̉e̒͌sͬ̄t̍͆iͩ̍n͊͌g͆̌͑


mceachen (Author) commented Jan 9, 2022

Ah. It's from colors v1.4.1: Marak/colors.js#285

mceachen changed the title from "Badware/malware report (either on your package or on a dependency)" to ""Zalgo" bomb from dependency on the "colors" package" Jan 9, 2022

DABH commented Jan 9, 2022

Please just pin the colors dependency to 1.4.0, and see the following if you need additional context: Marak/colors.js#285 (comment)
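
An added example, not code from the cli-progress project or from anyone in this thread: a small Node script that parses the kind of yarn dependency listing shown at the top of the issue and flags any package whose version drifts from a pinned, trusted version (here, the `colors` 1.4.0 pin DABH recommends). It also emits the matching `resolutions` map for a yarn v1 `package.json`, which is how a transitive pin is enforced. The `PINNED` policy and the sample listing are constructed for this example.

```javascript
// Policy: transitive packages that must stay at a known-good version.
// (Assumed policy for this example; colors 1.4.0 is the pin suggested above.)
const PINNED = { colors: "1.4.0" };

// Parse yarn's tree output lines of the form "├─ name@version" / "└─ name@version".
// Scoped packages ("@scope/name@1.2.3") are handled by the leading optional "@".
function parseYarnTree(text) {
  const deps = [];
  for (const line of text.split("\n")) {
    const m = line.match(/[├└]─\s+(@?[^@\s]+)@(\S+)/);
    if (m) deps.push({ name: m[1], version: m[2] });
  }
  return deps;
}

// Return every dependency that is covered by the policy but not at the pinned version.
function checkPins(deps, pinned = PINNED) {
  return deps
    .filter((d) => d.name in pinned && d.version !== pinned[d.name])
    .map((d) => ({ name: d.name, found: d.version, expected: pinned[d.name] }));
}

// Build the "resolutions" object for package.json (yarn v1 selective resolutions)
// that forces each flagged package back to its pinned version.
function toResolutions(findings) {
  const out = {};
  for (const f of findings) out[f.name] = f.expected;
  return out;
}

// Constructed sample modelled on the yarn output in the issue report.
const SAMPLE = `info All dependencies
├─ ansi-regex@5.0.1
├─ cli-progress@3.9.1
├─ colors@1.4.1
├─ emoji-regex@8.0.0
└─ strip-ansi@6.0.1`;

const findings = checkPins(parseYarnTree(SAMPLE));
for (const f of findings) {
  console.log(`${f.name}: found ${f.found}, expected ${f.expected}`);
}
if (findings.length) {
  console.log("add to package.json:", JSON.stringify({ resolutions: toResolutions(findings) }));
}
```

Run it against the output of `yarn add` or `yarn list --depth=0` on a fresh install; a non-empty findings list means the transitive pin is not holding.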

AndiDittrich (Member) commented

Thanks @mceachen and @DABH.
A new release of cli-progress will be available ASAP which drops any kind of color dependency; the example files are changed to ansi-colors.

AndiDittrich added a commit that referenced this issue Jan 9, 2022
AndiDittrich (Member) commented

v3.10.0 is out
