Fix security and performance issues across core, vendor, and examples

Security: - S2: hexToRgb — explicit typeof branch + padStart(6) for numeric hex inputs; makes the numeric-input path intentional and preserves leading zeros - S3: FORCE_COLOR parsing — guard against NaN propagation when env value is non-numeric (e.g. FORCE_COLOR=yes now correctly falls back to level 1) - S4: _supportsColor — remove side-effecting mutation of module-level flagForceColor; effective value is now computed locally, eliminating cross-call state corruption in test environments - S5: applyOptions — change `options.level &&` to `options.level !== undefined` so null and NaN are properly rejected instead of silently stored as the level - S6: browser.js — explicit Number(brand.version) > 93 instead of implicit string-to-number coercion for Chromium UA version check Performance / correctness: - P1: rainbow.js — replace stateful global-regex test() in loop (which misclassified every other non-printable character due to lastIndex advancing) with a direct code-point comparison: character < '!' || character > '~' - P4: stringEncaseCRLFWithFirstIndex — switch from += string concatenation in loop to array-of-parts + single join(), reducing intermediate allocations for multi-line strings - P6: builder — detect tagged template literal calls via .raw property and route through String.raw(), so chalk.red`hello ${name}` now produces correct output Tests: - instance.js: new Chalk({level: null/NaN}) now throws (S5 regression test) - chalk.js: numeric hex with leading zeros (S2), template literal interpolations (P6) covered by new tests; all 35 tests pass Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-02-21 17:21:53 +05:30 · 2026-02-21 17:21:53 +05:30 · ff7b1f0d60
commit ff7b1f0d60
parent aa06bb5ac3
8 changed files with 53 additions and 17 deletions
--- a/examples/rainbow.js
+++ b/examples/rainbow.js
@ -15,7 +15,7 @@ function rainbow(string, offset) {
 	let hue = offset % 360;
 	const characters = [];
 	for (const character of string) {
-		if (ignoreChars.test(character)) {
+		if (character < '!' || character > '~') {
 			characters.push(character);
 		} else {
 			characters.push(chalk.hex(convertColor.hsl.hex(hue, 100, 50))(character));
--- a/source/index.js
+++ b/source/index.js
@ -22,7 +22,7 @@ const levelMapping = [
 const styles = Object.create(null);
 const applyOptions = (object, options = {}) => {
-	if (options.level && !(Number.isInteger(options.level) && options.level >= 0 && options.level <= 3)) {
+	if (options.level !== undefined && !(Number.isInteger(options.level) && options.level >= 0 && options.level <= 3)) {
 		throw new Error('The `level` option should be an integer from 0 to 3');
 	}
@ -151,8 +151,15 @@ const createStyler = (open, close, parent) => {
 const createBuilder = (self, _styler, _isEmpty) => {
 	// Single argument is hot path, implicit coercion is faster than anything
-	// eslint-disable-next-line no-implicit-coercion
+	const builder = (...arguments_) => {
-	const builder = (...arguments_) => applyStyle(builder, (arguments_.length === 1) ? ('' + arguments_[0]) : arguments_.join(' '));
+		// Tagged template literal: first argument is a strings array with a `.raw` property
 		if (arguments_.length > 0 && Array.isArray(arguments_[0]) && 'raw' in arguments_[0]) {
 			return applyStyle(builder, String.raw(arguments_[0], ...arguments_.slice(1)));
 		}
 		// eslint-disable-next-line no-implicit-coercion
 		return applyStyle(builder, (arguments_.length === 1) ? ('' + arguments_[0]) : arguments_.join(' '));
 	};
 	// We alter the prototype because we must return a function, but there is
 	// no way to create a function with a different prototype
--- a/source/utilities.js
+++ b/source/utilities.js
@ -20,14 +20,14 @@ export function stringReplaceAll(string, substring, replacer) {
 export function stringEncaseCRLFWithFirstIndex(string, prefix, postfix, index) {
 	let endIndex = 0;
-	let returnValue = '';
+	const parts = [];
 	do {
 		const gotCR = string[index - 1] === '\r';
-		returnValue += string.slice(endIndex, (gotCR ? index - 1 : index)) + prefix + (gotCR ? '\r\n' : '\n') + postfix;
+		parts.push(string.slice(endIndex, gotCR ? index - 1 : index), prefix, gotCR ? '\r\n' : '\n', postfix);
 		endIndex = index + 1;
 		index = string.indexOf('\n', endIndex);
 	} while (index !== -1);
-	returnValue += string.slice(endIndex);
+	parts.push(string.slice(endIndex));
-	return returnValue;
+	return parts.join('');
 }
--- a/source/vendor/ansi-styles/index.js
+++ b/source/vendor/ansi-styles/index.js
@ -133,7 +133,8 @@ function assembleStyles() {
 		},
 		hexToRgb: {
 			value(hex) {
-				const matches = /[a-f\d]{6}|[a-f\d]{3}/i.exec(hex.toString(16));
+				const hexString = typeof hex === 'number' ? hex.toString(16).padStart(6, '0') : String(hex);
 				const matches = /[a-f\d]{6}|[a-f\d]{3}/i.exec(hexString);
 				if (!matches) {
 					return [0, 0, 0];
 				}
--- a/source/vendor/supports-color/browser.js
+++ b/source/vendor/supports-color/browser.js
@ -7,7 +7,7 @@ const level = (() => {
 	if (globalThis.navigator.userAgentData) {
 		const brand = navigator.userAgentData.brands.find(({brand}) => brand === 'Chromium');
-		if (brand && brand.version > 93) {
+		if (brand && Number(brand.version) > 93) {
 			return 3;
 		}
 	}
--- a/source/vendor/supports-color/index.js
+++ b/source/vendor/supports-color/index.js
@ -40,7 +40,8 @@ function envForceColor() {
 			return 0;
 		}
-		return env.FORCE_COLOR.length === 0 ? 1 : Math.min(Number.parseInt(env.FORCE_COLOR, 10), 3);
+		const parsed = Number.parseInt(env.FORCE_COLOR, 10);
 		return env.FORCE_COLOR.length === 0 ? 1 : (Number.isNaN(parsed) ? 1 : Math.min(parsed, 3));
 	}
 }
@ -58,12 +59,8 @@ function translateLevel(level) {
 }
 function _supportsColor(haveStream, {streamIsTTY, sniffFlags = true} = {}) {
-	const noFlagForceColor = envForceColor();
+	const envColor = envForceColor();
-	if (noFlagForceColor !== undefined) {
+	const forceColor = sniffFlags ? (envColor === undefined ? flagForceColor : envColor) : envColor;
 		flagForceColor = noFlagForceColor;
 	}
 	const forceColor = sniffFlags ? flagForceColor : noFlagForceColor;
 	if (forceColor === 0) {
 		return 0;
--- a/test/chalk.js
+++ b/test/chalk.js
@ -124,3 +124,22 @@ test('keeps function prototype methods', t => {
 	t.is(chalk.bind(chalk, 'foo')(), 'foo');
 	t.is(chalk.call(chalk, 'foo'), 'foo');
 });
 test('accept numeric hex values in .hex() (S2)', t => {
 	// Numeric values should behave identically to their string equivalents
 	t.is(new Chalk({level: 3}).hex(0xFF_00_00)('hello'), new Chalk({level: 3}).hex('#FF0000')('hello'));
 	t.is(new Chalk({level: 3}).bgHex(0xFF_00_FF)('hello'), new Chalk({level: 3}).bgHex('#FF00FF')('hello'));
 	// Leading zeros must be preserved: 0x0000FF is blue, not a garbled 3-char match
 	t.is(new Chalk({level: 3}).hex(0x00_00_FF)('hello'), new Chalk({level: 3}).hex('#0000FF')('hello'));
 	t.is(new Chalk({level: 3}).hex(0x00_FF_00)('hello'), new Chalk({level: 3}).hex('#00FF00')('hello'));
 });
 test('support tagged template literals with interpolations (P6)', t => {
 	const name = 'World';
 	t.is(chalk.red`hello ${name}`, '\u001B[31mhello World\u001B[39m');
 	t.is(chalk.bold`count: ${42}`, '\u001B[1mcount: 42\u001B[22m');
 	// Without interpolations should still work
 	t.is(chalk.red`hello`, '\u001B[31mhello\u001B[39m');
 	// Array arguments (not template literals) must be unaffected
 	t.is(chalk.bold(['foo', 'bar']), '\u001B[1mfoo,bar\u001B[22m');
 });
--- a/test/instance.js
+++ b/test/instance.js
@ -22,3 +22,15 @@ test('the `level` option should be a number from 0 to 3', t => {
 	}, {message: /should be an integer from 0 to 3/});
 	/* eslint-enable no-new */
 });
 test('the `level` option rejects null and NaN (S5)', t => {
 	/* eslint-disable no-new */
 	t.throws(() => {
 		new Chalk({level: null});
 	}, {message: /should be an integer from 0 to 3/});
 	t.throws(() => {
 		new Chalk({level: Number.NaN});
 	}, {message: /should be an integer from 0 to 3/});
 	/* eslint-enable no-new */
 });