From 66a20c6376485a6954709d19ef60ac7eb5d42cee Mon Sep 17 00:00:00 2001
From: Andreas Fernandez <a.fernandez@scripting-base.de>
Date: Mon, 10 Jan 2022 22:03:45 +0100
Subject: [PATCH] [BUGFIX] Enforce functional colors package

The maintainer of the `colors` package decided to rampage and released
a bonkers version, see [1] and [2], causing an implosion of the npm
ecosystem.
Although TYPO3 uses this package as a transitive dependency only, we're
going to be safe and enforce version 1.4.0 of it, the latest version
currently known to be stable.

[1] https://github.com/Marak/colors.js/issues/285
[2] https://www.bleepingcomputer.com/news/security/dev-corrupts-npm-libs-colors-and-faker-breaking-thousands-of-apps/

Resolves: #96499
Releases: main, 11.5, 10.4
Change-Id: Ic8ad9105c9a9bc45bb2519547bb044be672db27c
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/72931
Tested-by: core-ci <typo3@b13.com>
Tested-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Reviewed-by: Andreas Fernandez <a.fernandez@scripting-base.de>
---
 Build/package.json | 3 +++
 Build/yarn.lock    | 7 +------
 2 files changed, 4 insertions(+), 6 deletions(-)

diff --git a/Build/package.json b/Build/package.json
index d75205a577b3..c4baaf22bf67 100644
--- a/Build/package.json
+++ b/Build/package.json
@@ -100,5 +100,8 @@
     "tablesort": "^5.2.1",
     "taboverride": "^4.0.3",
     "tagsort": "^1.4.0"
+  },
+  "resolutions": {
+    "colors": "<1.4.1"
   }
 }
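Review bot: The added resolution `"colors": "<1.4.1"` is a range, while the commit message says the goal is to enforce version 1.4.0; an exact pin, `"colors": "1.4.0"`, would state that directly and would not depend on how the range is re-resolved the next time the lockfile is regenerated. The resolution also overrides every requester: in the Build/yarn.lock section of this patch the `colors@~1.1.2` entry moves from 1.1.2 to 1.4.0, so the transitive package that asked for `~1.1.2` now runs on a version outside its declared range and should be covered by a build run. Since package.json cannot carry a comment, the reason for the override is recorded only in this commit message, so the entry is worth tracking for removal once the dependents no longer need it.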
diff --git a/Build/yarn.lock b/Build/yarn.lock
index ea6a8b545056..b7d7fd7f4958 100644
--- a/Build/yarn.lock
+++ b/Build/yarn.lock
@@ -1557,16 +1557,11 @@ colorguard@^1.2.0:
     text-table "^0.2.0"
     yargs "^1.2.6"
 
-colors@^1.1.2, colors@^1.4.0:
+colors@<1.4.1, colors@^1.1.2, colors@^1.4.0, colors@~1.1.2:
   version "1.4.0"
   resolved "https://registry.yarnpkg.com/colors/-/colors-1.4.0.tgz#c50491479d4c1bdaed2c9ced32cf7c7dc2360f78"
   integrity sha512-a+UqTh4kgZg/SlGvfbzDHpgRu7AAQOmmqRHJnxhRZICKFUT91brVhNNt58CMWU9PsBbv3PDCZUHbVxuDiH2mtA==
 
-colors@~1.1.2:
-  version "1.1.2"
-  resolved "https://registry.yarnpkg.com/colors/-/colors-1.1.2.tgz#168a4701756b6a7f51a12ce0c97bfa28c084ed63"
-  integrity sha1-FopHAXVran9RoSzgyXv6KMCE7WM=
-
 columnify@~1.5.4:
   version "1.5.4"
   resolved "https://registry.yarnpkg.com/columnify/-/columnify-1.5.4.tgz#4737ddf1c7b69a8a7c340570782e947eec8e78bb"
-- 
GitLab