Fix security and performance issues across core, vendor, and examples

Security: - S2: hexToRgb — explicit typeof branch + padStart(6) for numeric hex inputs; makes the numeric-input path intentional and preserves leading zeros - S3: FORCE_COLOR parsing — guard against NaN propagation when env value is non-numeric (e.g. FORCE_COLOR=yes now correctly falls back to level 1) - S4: _supportsColor — remove side-effecting mutation of module-level flagForceColor; effective value is now computed locally, eliminating cross-call state corruption in test environments - S5: applyOptions — change `options.level &&` to `options.level !== undefined` so null and NaN are properly rejected instead of silently stored as the level - S6: browser.js — explicit Number(brand.version) > 93 instead of implicit string-to-number coercion for Chromium UA version check Performance / correctness: - P1: rainbow.js — replace stateful global-regex test() in loop (which misclassified every other non-printable character due to lastIndex advancing) with a direct code-point comparison: character < '!' || character > '~' - P4: stringEncaseCRLFWithFirstIndex — switch from += string concatenation in loop to array-of-parts + single join(), reducing intermediate allocations for multi-line strings - P6: builder — detect tagged template literal calls via .raw property and route through String.raw(), so chalk.red`hello ${name}` now produces correct output Tests: - instance.js: new Chalk({level: null/NaN}) now throws (S5 regression test) - chalk.js: numeric hex with leading zeros (S2), template literal interpolations (P6) covered by new tests; all 35 tests pass Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-02-21 17:21:53 +05:30 · 2026-02-21 17:21:53 +05:30 · ff7b1f0d60
commit ff7b1f0d60
parent aa06bb5ac3
8 changed files with 53 additions and 17 deletions
--- a/source/vendor/ansi-styles/index.js
+++ b/source/vendor/ansi-styles/index.js
@ -133,7 +133,8 @@ function assembleStyles() {
 		},
 		hexToRgb: {
 			value(hex) {
-				const matches = /[a-f\d]{6}|[a-f\d]{3}/i.exec(hex.toString(16));
+				const hexString = typeof hex === 'number' ? hex.toString(16).padStart(6, '0') : String(hex);
+				const matches = /[a-f\d]{6}|[a-f\d]{3}/i.exec(hexString);
 				if (!matches) {
 					return [0, 0, 0];
 				}
--- a/source/vendor/supports-color/browser.js
+++ b/source/vendor/supports-color/browser.js
@ -7,7 +7,7 @@ const level = (() => {

 	if (globalThis.navigator.userAgentData) {
 		const brand = navigator.userAgentData.brands.find(({brand}) => brand === 'Chromium');
-		if (brand && brand.version > 93) {
+		if (brand && Number(brand.version) > 93) {
 			return 3;
 		}
 	}
--- a/source/vendor/supports-color/index.js
+++ b/source/vendor/supports-color/index.js
@ -40,7 +40,8 @@ function envForceColor() {
 			return 0;
 		}

-		return env.FORCE_COLOR.length === 0 ? 1 : Math.min(Number.parseInt(env.FORCE_COLOR, 10), 3);
+		const parsed = Number.parseInt(env.FORCE_COLOR, 10);
+		return env.FORCE_COLOR.length === 0 ? 1 : (Number.isNaN(parsed) ? 1 : Math.min(parsed, 3));
 	}
 }

@ -58,12 +59,8 @@ function translateLevel(level) {
 }

 function _supportsColor(haveStream, {streamIsTTY, sniffFlags = true} = {}) {
-	const noFlagForceColor = envForceColor();
-	if (noFlagForceColor !== undefined) {
-		flagForceColor = noFlagForceColor;
-	}
-
-	const forceColor = sniffFlags ? flagForceColor : noFlagForceColor;
+	const envColor = envForceColor();
+	const forceColor = sniffFlags ? (envColor === undefined ? flagForceColor : envColor) : envColor;

 	if (forceColor === 0) {
 		return 0;