orbit-oss/chalk
5
4
Fork 1
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Fix security and performance issues across core, vendor, and examples

Browse source 
Security:
- S2: hexToRgb — explicit typeof branch + padStart(6) for numeric hex inputs;
  makes the numeric-input path intentional and preserves leading zeros
- S3: FORCE_COLOR parsing — guard against NaN propagation when env value is
  non-numeric (e.g. FORCE_COLOR=yes now correctly falls back to level 1)
- S4: _supportsColor — remove side-effecting mutation of module-level
  flagForceColor; effective value is now computed locally, eliminating
  cross-call state corruption in test environments
- S5: applyOptions — change `options.level &&` to `options.level !== undefined`
  so null and NaN are properly rejected instead of silently stored as the level
- S6: browser.js — explicit Number(brand.version) > 93 instead of implicit
  string-to-number coercion for Chromium UA version check

Performance / correctness:
- P1: rainbow.js — replace stateful global-regex test() in loop (which
  misclassified every other non-printable character due to lastIndex advancing)
  with a direct code-point comparison: character < '!' || character > '~'
- P4: stringEncaseCRLFWithFirstIndex — switch from += string concatenation in
  loop to array-of-parts + single join(), reducing intermediate allocations for
  multi-line strings
- P6: builder — detect tagged template literal calls via .raw property and route
  through String.raw(), so chalk.red`hello ${name}` now produces correct output

Tests:
- instance.js: new Chalk({level: null/NaN}) now throws (S5 regression test)
- chalk.js: numeric hex with leading zeros (S2), template literal interpolations
  (P6) covered by new tests; all 35 tests pass

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Ayush Kumar 2026-02-21 17:21:53 +05:30
parent aa06bb5ac3
commit ff7b1f0d60
No known key found for this signature in database
8 changed files with 53 additions and 17 deletions
Download patch file Download diff file Expand all files Collapse all files

8
source/utilities.js
View file

@ -20,14 +20,14 @@ export function stringReplaceAll(string, substring, replacer) {
export function stringEncaseCRLFWithFirstIndex(string, prefix, postfix, index) {
let endIndex = 0;
let returnValue = '';
const parts = [];
do {
const gotCR = string[index - 1] === '\r';
returnValue += string.slice(endIndex, (gotCR ? index - 1 : index)) + prefix + (gotCR ? '\r\n' : '\n') + postfix;
parts.push(string.slice(endIndex, gotCR ? index - 1 : index), prefix, gotCR ? '\r\n' : '\n', postfix);
endIndex = index + 1;
index = string.indexOf('\n', endIndex);
} while (index !== -1);
returnValue += string.slice(endIndex);
return returnValue;
parts.push(string.slice(endIndex));
return parts.join('');
}