Security:
- S2: hexToRgb — explicit typeof branch + padStart(6) for numeric hex inputs;
makes the numeric-input path intentional and preserves leading zeros
- S3: FORCE_COLOR parsing — guard against NaN propagation when env value is
non-numeric (e.g. FORCE_COLOR=yes now correctly falls back to level 1)
- S4: _supportsColor — remove side-effecting mutation of module-level
flagForceColor; effective value is now computed locally, eliminating
cross-call state corruption in test environments
- S5: applyOptions — change `options.level &&` to `options.level !== undefined`
so null and NaN are properly rejected instead of silently stored as the level
- S6: browser.js — explicit Number(brand.version) > 93 instead of implicit
string-to-number coercion for Chromium UA version check
Performance / correctness:
- P1: rainbow.js — replace stateful global-regex test() in loop (which
misclassified every other non-printable character due to lastIndex advancing)
with a direct code-point comparison: character < '!' || character > '~'
- P4: stringEncaseCRLFWithFirstIndex — switch from += string concatenation in
loop to array-of-parts + single join(), reducing intermediate allocations for
multi-line strings
- P6: builder — detect tagged template literal calls via .raw property and route
through String.raw(), so chalk.red`hello ${name}` now produces correct output
Tests:
- instance.js: new Chalk({level: null/NaN}) now throws (S5 regression test)
- chalk.js: numeric hex with leading zeros (S2), template literal interpolations
(P6) covered by new tests; all 35 tests pass
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
