orbit-oss/chalk
5
4
Fork 1
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Fix security and performance issues across core, vendor, and examples

Browse source 
Security:
- S2: hexToRgb — explicit typeof branch + padStart(6) for numeric hex inputs;
  makes the numeric-input path intentional and preserves leading zeros
- S3: FORCE_COLOR parsing — guard against NaN propagation when env value is
  non-numeric (e.g. FORCE_COLOR=yes now correctly falls back to level 1)
- S4: _supportsColor — remove side-effecting mutation of module-level
  flagForceColor; effective value is now computed locally, eliminating
  cross-call state corruption in test environments
- S5: applyOptions — change `options.level &&` to `options.level !== undefined`
  so null and NaN are properly rejected instead of silently stored as the level
- S6: browser.js — explicit Number(brand.version) > 93 instead of implicit
  string-to-number coercion for Chromium UA version check

Performance / correctness:
- P1: rainbow.js — replace stateful global-regex test() in loop (which
  misclassified every other non-printable character due to lastIndex advancing)
  with a direct code-point comparison: character < '!' || character > '~'
- P4: stringEncaseCRLFWithFirstIndex — switch from += string concatenation in
  loop to array-of-parts + single join(), reducing intermediate allocations for
  multi-line strings
- P6: builder — detect tagged template literal calls via .raw property and route
  through String.raw(), so chalk.red`hello ${name}` now produces correct output

Tests:
- instance.js: new Chalk({level: null/NaN}) now throws (S5 regression test)
- chalk.js: numeric hex with leading zeros (S2), template literal interpolations
  (P6) covered by new tests; all 35 tests pass

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Ayush Kumar 2026-02-21 17:21:53 +05:30
parent aa06bb5ac3
commit ff7b1f0d60
No known key found for this signature in database
8 changed files with 53 additions and 17 deletions
Download patch file Download diff file Expand all files Collapse all files

13
source/index.js
View file

@ -22,7 +22,7 @@ const levelMapping = [
const styles = Object.create(null);
const applyOptions = (object, options = {}) => {
if (options.level && !(Number.isInteger(options.level) && options.level >= 0 && options.level <= 3)) {
if (options.level !== undefined && !(Number.isInteger(options.level) && options.level >= 0 && options.level <= 3)) {
throw new Error('The `level` option should be an integer from 0 to 3');
}
@ -151,8 +151,15 @@ const createStyler = (open, close, parent) => {
const createBuilder = (self, _styler, _isEmpty) => {
// Single argument is hot path, implicit coercion is faster than anything
// eslint-disable-next-line no-implicit-coercion
const builder = (...arguments_) => applyStyle(builder, (arguments_.length === 1) ? ('' + arguments_[0]) : arguments_.join(' '));
const builder = (...arguments_) => {
// Tagged template literal: first argument is a strings array with a `.raw` property
if (arguments_.length > 0 && Array.isArray(arguments_[0]) && 'raw' in arguments_[0]) {
return applyStyle(builder, String.raw(arguments_[0], ...arguments_.slice(1)));
}
// eslint-disable-next-line no-implicit-coercion
return applyStyle(builder, (arguments_.length === 1) ? ('' + arguments_[0]) : arguments_.join(' '));
};
// We alter the prototype because we must return a function, but there is
// no way to create a function with a different prototype