Update package-lock.json #17
Conversation
![semgrep-shichao-sms-private[bot]](https://avatars.githubusercontent.com/u/197742515?s=60&v=4){kind=small}
| "node": ">=18" | ||
| } | ||
| }, | ||
| "node_modules/color-convert": { |
There was a problem hiding this comment.
Critical severity vulnerability introduced by a package you're using:
Line 1291 lists a dependency (color-convert) with a known Critical severity vulnerability. Fixing requires upgrading or replacing the dependency.
ℹ️ Why this matters
Affected versions of @duckdb/node-api, @duckdb/node-bindings, ansi-regex, ansi-styles, backslash, chalk, chalk-template, color-convert, color-name, color-string, debug, duckdb, error-ex, has-ansi, is-arrayish, proto-tinker-wc, simple-swizzle, slice-ansi, strip-ansi, supports-color, supports-hyperlinks, and wrap-ansi are vulnerable to Embedded Malicious Code.
References: GHSA, https://jdstaerk.substack.com/p/we-just-found-malicious-code-in-the, https://semgrep.dev/blog/2025/chalk-debug-and-color-on-npm-compromised-in-new-supply-chain-attack
To resolve this comment:
Upgrade this dependency as soon as a patched version is available.
💬 Ignore this finding
To ignore this, reply with:
/fp <comment>for false positive/ar <comment>for acceptable risk/other <comment>for all other reasons
You can view more details on this finding in the Semgrep AppSec Platform here.
No description provided.