
Conversation

Contributor

@BlackHole1 BlackHole1 commented Sep 16, 2025

Ref: https://socket.dev/blog/tinycolor-supply-chain-attack-affects-40-packages

Summary by CodeRabbit

  • Chores
    • Updated dependency security metadata to record downgraded package versions in response to recent advisories across multiple ecosystems.
    • Improves vulnerability tracking and future dependency hygiene; no functional, UI, API, or performance changes visible to users.
    • No user action required.


coderabbitai bot commented Sep 16, 2025

Caution

Review failed

The pull request is closed.

Note

Other AI code review bot(s) detected

CodeRabbit has detected other AI code review bot(s) in this pull request and will avoid duplicating their findings in the review comments. This may lead to a less comprehensive review.

Walkthrough

Added a large block of vulnerability/version mappings to package.json linking many package names to downgraded versions with identical TinyColor advisory reason URLs; this is a data-only update with no code or API changes.

Changes

Cohort / File(s) Summary
Vulnerability mapping updates
package.json
Inserted many vulnerability/version entries mapping package names to specific downgraded versions and a reason field referencing TinyColor supply-chain advisories. Data-only changes, no executable logic modified.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10–15 minutes

Possibly related PRs

Suggested reviewers

  • elrrrrrrr

Poem

A rabbit taps keys in the midnight glow,
Listing bad versions, entry by row.
One tidy block now marks the trail,
No code was harmed, just data's tale.
Carrots safe, the registry hums low. 🥕

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title Check ✅ Passed The title "feat: add @ctrl/tinycolor and 40+ packages" accurately and concisely summarizes the main change in the changeset: adding @ctrl/tinycolor and a large set of package entries to package.json to address TinyColor-related vulnerabilities, which matches the raw_summary and PR objectives.
Docstring Coverage ✅ Passed No functions found in the changes. Docstring coverage check skipped.

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 5bfd66b and 7127e32.

📒 Files selected for processing (1)
  • package.json (1 hunks)



@gemini-code-assist gemini-code-assist bot left a comment


Summary of Changes

Hello @BlackHole1, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request proactively addresses the recent tinycolor supply chain attack by updating the package.json to include explicit references and reasons for over 40 packages. This change ensures that the project maintains a clear record of dependencies impacted by the vulnerability, facilitating better security posture and dependency management.

Highlights

  • Security Vulnerability Tracking: This pull request introduces explicit tracking for numerous packages affected by or related to the tinycolor supply chain attack, as detailed in the referenced socket.dev blog post.
  • Package Additions: Over 40 new package entries have been added to package.json, including @ctrl/tinycolor and a wide range of other @ctrl and @nativescript-community packages, each with a specific version and a direct link to the security incident.


@gemini-code-assist gemini-code-assist bot left a comment


Code Review

This pull request adds over 40 packages to the bug-versions list that were affected by the @ctrl/tinycolor supply chain attack. While adding these is important for security, there is a critical issue with the data provided. The 'safe' version specified for each buggy package version is the same as the buggy version itself without any other remediation, which is incorrect and could cause problems for tools that consume this data. This needs to be corrected for all new entries.

package.json Outdated
},
"angulartics2": {
"14.1.2": {
"version": "14.1.2",
Member

@fengmk2 fengmk2 Sep 16, 2025


The version field should point to 14.1.0.


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 186583f and 83e8499.

📒 Files selected for processing (1)
  • package.json (1 hunks)
🔇 Additional comments (2)
package.json (2)

1455-1463: Pin @ctrl/tinycolor to a confirmed-safe release (package.json lines 1455–1463).
No authoritative GHSA/CVE or maintainer advisory listing exact affected versions was found as of Sep 16, 2025; Socket.dev and community reports describe a malicious postinstall but do not name precise tags. Confirm the first clean published version (or roll back to the last-known-good), update package.json to pin that safe version instead of leaving 4.1.1/4.1.2 mapped to themselves, and replace the reason fields with per-version GHSA/CVE/maintainer/npm advisory links for traceability.


1388-1627: Cite package‑specific advisories (GHSA/CVE) or confirm none exist

Searched GHSA/OSV/Snyk/npm for the top‑10 packages you listed (angulartics2, ngx-color, ngx-toastr, koa2-swagger-ui, json-rules-engine-simplified, @ctrl/ngx-emoji-mart, @ctrl/qbittorrent, @nativescript-community/ui-image, react-complaint-image, swc-plugin-component-annotate) — no official advisories or impacted/patched version ranges found as of Sep 16, 2025. Keep the blog post link for context, but either: (a) add package‑level GHSA/CVE links per affected version when available, or (b) annotate each package.json entry with a link to the package’s Snyk/npm/OSV page and a short “no advisories found” note for auditability.

Signed-off-by: Kevin Cui <bh@bugs.cc>
@fengmk2 fengmk2 enabled auto-merge (squash) September 16, 2025 02:44
@fengmk2 fengmk2 merged commit 0cf0d3f into cnpm:master Sep 16, 2025
8 checks passed

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 2

♻️ Duplicate comments (1)
package.json (1)

1388-1393: angulartics2: correct remediation to 14.1.0.

This addresses the prior reviewer’s note to point to 14.1.0. (socket.dev)

🧹 Nitpick comments (1)
package.json (1)

1388-1635: Keep bug-versions keys alphabetized for maintainability.

New entries are appended after “supports-hyperlinks” instead of being placed alphabetically (e.g., angulartics2 should be under “a”). Consider reordering in a follow‑up.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 83e8499 and 5bfd66b.

📒 Files selected for processing (1)
  • package.json (1 hunks)
🔇 Additional comments (2)
package.json (2)

1454-1463: Good pin: @ctrl/tinycolor 4.1.1/4.1.2 → 4.1.0 aligns with the published compromised versions.

This matches Socket’s list of affected versions and reverts to the last known‑good 4.1.0. (socket.dev)


1506-1515: Sanity check: these packages/versions are listed as compromised; remediations look consistent.

The added set mirrors Socket’s compromised list (koa2-swagger-ui, Nativescript Community packages, ngx-, rxnt-, swc-plugin-component-annotate, ts-gaussian, etc.) and pins to the immediately prior versions.

If you want an automated cross-check, I can generate a scraper to compare our set against the blog’s “Compromised Packages and Versions” list. (socket.dev)

Also applies to: 1528-1569, 1570-1587, 1606-1623, 1624-1635

Comment on lines 1388 to 1635
"angulartics2": {
"14.1.2": {
"version": "14.1.0",
"reason": "https://socket.dev/blog/tinycolor-supply-chain-attack-affects-40-packages"
}
},
"@ctrl/deluge": {
"7.2.2": {
"version": "7.2.0",
"reason": "https://socket.dev/blog/tinycolor-supply-chain-attack-affects-40-packages"
}
},
"@ctrl/golang-template": {
"1.4.3": {
"version": "1.4.1",
"reason": "https://socket.dev/blog/tinycolor-supply-chain-attack-affects-40-packages"
}
},
"@ctrl/magnet-link": {
"4.0.4": {
"version": "4.0.2",
"reason": "https://socket.dev/blog/tinycolor-supply-chain-attack-affects-40-packages"
}
},
"@ctrl/ngx-codemirror": {
"7.0.2": {
"version": "7.0.0",
"reason": "https://socket.dev/blog/tinycolor-supply-chain-attack-affects-40-packages"
}
},
"@ctrl/ngx-csv": {
"6.0.2": {
"version": "6.0.0",
"reason": "https://socket.dev/blog/tinycolor-supply-chain-attack-affects-40-packages"
}
},
"@ctrl/ngx-emoji-mart": {
"9.2.2": {
"version": "9.2.0",
"reason": "https://socket.dev/blog/tinycolor-supply-chain-attack-affects-40-packages"
}
},
"@ctrl/ngx-rightclick": {
"4.0.2": {
"version": "4.0.0",
"reason": "https://socket.dev/blog/tinycolor-supply-chain-attack-affects-40-packages"
}
},
"@ctrl/qbittorrent": {
"9.7.2": {
"version": "9.7.0",
"reason": "https://socket.dev/blog/tinycolor-supply-chain-attack-affects-40-packages"
}
},
"@ctrl/react-adsense": {
"2.0.2": {
"version": "2.0.0",
"reason": "https://socket.dev/blog/tinycolor-supply-chain-attack-affects-40-packages"
}
},
"@ctrl/shared-torrent": {
"6.3.2": {
"version": "6.3.0",
"reason": "https://socket.dev/blog/tinycolor-supply-chain-attack-affects-40-packages"
}
},
"@ctrl/tinycolor": {
"4.1.1": {
"version": "4.1.0",
"reason": "https://socket.dev/blog/tinycolor-supply-chain-attack-affects-40-packages"
},
"4.1.2": {
"version": "4.1.0",
"reason": "https://socket.dev/blog/tinycolor-supply-chain-attack-affects-40-packages"
}
},
"@ctrl/torrent-file": {
"4.1.2": {
"version": "4.1.0",
"reason": "https://socket.dev/blog/tinycolor-supply-chain-attack-affects-40-packages"
}
},
"@ctrl/transmission": {
"7.3.1": {
"version": "7.3.0",
"reason": "https://socket.dev/blog/tinycolor-supply-chain-attack-affects-40-packages"
}
},
"@ctrl/ts-base32": {
"4.0.2": {
"version": "4.0.0",
"reason": "https://socket.dev/blog/tinycolor-supply-chain-attack-affects-40-packages"
}
},
"encounter-playground": {
"0.0.5": {
"version": "0.0.4",
"reason": "https://socket.dev/blog/tinycolor-supply-chain-attack-affects-40-packages"
}
},
"json-rules-engine-simplified": {
"0.2.1": {
"version": "0.2.0",
"reason": "https://socket.dev/blog/tinycolor-supply-chain-attack-affects-40-packages"
},
"0.2.2": {
"version": "0.2.0",
"reason": "https://socket.dev/blog/tinycolor-supply-chain-attack-affects-40-packages"
},
"0.2.3": {
"version": "0.2.0",
"reason": "https://socket.dev/blog/tinycolor-supply-chain-attack-affects-40-packages"
},
"0.2.4": {
"version": "0.2.0",
"reason": "https://socket.dev/blog/tinycolor-supply-chain-attack-affects-40-packages"
}
},
"koa2-swagger-ui": {
"5.11.1": {
"version": "5.11.0",
"reason": "https://socket.dev/blog/tinycolor-supply-chain-attack-affects-40-packages"
},
"5.11.2": {
"version": "5.11.0",
"reason": "https://socket.dev/blog/tinycolor-supply-chain-attack-affects-40-packages"
}
},
"@nativescript-community/gesturehandler": {
"2.0.35": {
"version": "2.0.34",
"reason": "https://socket.dev/blog/tinycolor-supply-chain-attack-affects-40-packages"
}
},
"@nativescript-community/sentry": {
"4.6.43": {
"version": "4.6.42",
"reason": "https://socket.dev/blog/tinycolor-supply-chain-attack-affects-40-packages"
}
},
"@nativescript-community/text": {
"1.6.13": {
"version": "1.6.9",
"reason": "https://socket.dev/blog/tinycolor-supply-chain-attack-affects-40-packages"
}
},
"@nativescript-community/ui-collectionview": {
"6.0.6": {
"version": "6.0.5",
"reason": "https://socket.dev/blog/tinycolor-supply-chain-attack-affects-40-packages"
}
},
"@nativescript-community/ui-drawer": {
"0.1.30": {
"version": "0.1.29",
"reason": "https://socket.dev/blog/tinycolor-supply-chain-attack-affects-40-packages"
}
},
"@nativescript-community/ui-image": {
"4.5.6": {
"version": "4.5.5",
"reason": "https://socket.dev/blog/tinycolor-supply-chain-attack-affects-40-packages"
}
},
"@nativescript-community/ui-material-bottomsheet": {
"7.2.72": {
"version": "7.2.71",
"reason": "https://socket.dev/blog/tinycolor-supply-chain-attack-affects-40-packages"
}
},
"@nativescript-community/ui-material-core": {
"7.2.76": {
"version": "7.2.71",
"reason": "https://socket.dev/blog/tinycolor-supply-chain-attack-affects-40-packages"
}
},
"@nativescript-community/ui-material-core-tabs": {
"7.2.76": {
"version": "7.2.71",
"reason": "https://socket.dev/blog/tinycolor-supply-chain-attack-affects-40-packages"
}
},
"ngx-color": {
"10.0.2": {
"version": "10.0.0",
"reason": "https://socket.dev/blog/tinycolor-supply-chain-attack-affects-40-packages"
}
},
"ngx-toastr": {
"19.0.2": {
"version": "19.0.0",
"reason": "https://socket.dev/blog/tinycolor-supply-chain-attack-affects-40-packages"
}
},
"ngx-trend": {
"8.0.1": {
"version": "8.0.0",
"reason": "https://socket.dev/blog/tinycolor-supply-chain-attack-affects-40-packages"
}
},
"react-complaint-image": {
"0.0.35": {
"version": "0.0.34",
"reason": "https://socket.dev/blog/tinycolor-supply-chain-attack-affects-40-packages"
}
},
"react-jsonschema-form-conditionals": {
"0.3.21": {
"version": "0.3.20",
"reason": "https://socket.dev/blog/tinycolor-supply-chain-attack-affects-40-packages"
}
},
"react-jsonschema-form-extras": {
"1.0.4": {
"version": "1.0.3",
"reason": "https://socket.dev/blog/tinycolor-supply-chain-attack-affects-40-packages"
}
},
"rxnt-authentication": {
"0.0.6": {
"version": "0.0.5",
"reason": "https://socket.dev/blog/tinycolor-supply-chain-attack-affects-40-packages"
}
},
"rxnt-healthchecks-nestjs": {
"1.0.5": {
"version": "1.0.4",
"reason": "https://socket.dev/blog/tinycolor-supply-chain-attack-affects-40-packages"
}
},
"rxnt-kue": {
"1.0.7": {
"version": "1.0.6",
"reason": "https://socket.dev/blog/tinycolor-supply-chain-attack-affects-40-packages"
}
},
"swc-plugin-component-annotate": {
"1.9.2": {
"version": "1.9.0",
"reason": "https://socket.dev/blog/tinycolor-supply-chain-attack-affects-40-packages"
}
},
"ts-gaussian": {
"3.0.6": {
"version": "3.0.4",
"reason": "https://socket.dev/blog/tinycolor-supply-chain-attack-affects-40-packages"
}
}


⚠️ Potential issue

🧩 Analysis chain

Guard against future “identity mappings.”

Add a CI check that rejects entries where “version” equals the vulnerable key without script overrides.


🏁 Script executed:

#!/bin/bash
# Fail if any mapping is an identity (no-op remediation)
set -euo pipefail
bad=$(jq -r '
  .config["bug-versions"] | to_entries[] |
  .key as $pkg | .value |
  to_entries[] |
  select(.value | type=="object") |
  select(.value.version == .key and (.value.scripts | not)) |
  "\($pkg)@\(.key)"
' package.json)
if [[ -n "$bad" ]]; then
  echo "Identity mappings detected (no remediation):"
  echo "$bad"
  exit 1
fi
echo "OK: no identity mappings"

Length of output: 58


Reject identity mappings in CI — fix accord@0.28.0

Identity mapping found: package.json → .config["bug-versions"]["accord"]["0.28.0"] (version == key, no scripts). Add the CI check and either add a remediation script or update/remove this mapping.

🤖 Prompt for AI Agents
In package.json around lines 1388 to 1635 there is an identity mapping for
accord@0.28.0 (key == version) flagged by CI; implement the CI rule to reject
identity mappings and fix this mapping by either removing or changing the
.config["bug-versions"]["accord"]["0.28.0"] entry (so the key differs from the
version) or add a remediation script under "scripts" that explicitly
updates/remediates this mapping (and reference it in the CI check). Ensure the
CI job fails on identity mappings and that package.json includes either the
remediation script or the corrected mapping entry before re-running CI.

⚠️ Potential issue

🧩 Analysis chain

Verify all target versions exist on the npm registry (and are installable).

Quick check script to fail fast if any mapped “version” doesn’t exist (HTTP ≠ 200).


🏁 Script executed:

#!/bin/bash
# Verify each {pkg, version} target in config.bug-versions exists on registry.npmjs.org
set -euo pipefail

jq -r '
  .config["bug-versions"] | to_entries[] |
  .key as $pkg | .value |
  to_entries[] |
  select(.value.version? and (.value.version | type=="string")) |
  [$pkg, .value.version] | @tsv
' package.json | while IFS=$'\t' read -r pkg ver; do
  # Pass the package name as argv[1] on the command line; the here-doc only carries the script body
  enc_pkg="$(python - "$pkg" <<PY
import sys, urllib.parse as u; print(u.quote(sys.argv[1], safe=""))
PY
)"
  url="https://registry.npmjs.org/${enc_pkg}/${ver}"
  code=$(curl -s -o /dev/null -w '%{http_code}' "$url")
  if [[ "$code" != "200" ]]; then
    echo "ERROR: $pkg target version $ver not found ($code) -> $url"
    exit 1
  fi
done
echo "OK: all target versions exist"

Length of output: 60


🏁 Script executed:

#!/usr/bin/env bash
set -euo pipefail

jq -r '
  .config["bug-versions"] | to_entries[] |
  .key as $pkg | .value |
  to_entries[] |
  select(.value.version? and (.value.version | type=="string")) |
  "\($pkg)\t\(.value.version)"
' package.json > /tmp/bug_versions.tsv

if [ ! -s /tmp/bug_versions.tsv ]; then
  echo "ERROR: no entries found in package.json .config[\"bug-versions\"]" >&2
  exit 1
fi

while IFS=$'\t' read -r pkg ver; do
  enc_pkg="${pkg//@/%40}"
  enc_pkg="${enc_pkg//\//%2F}"
  url="https://registry.npmjs.org/${enc_pkg}/${ver}"
  code=$(curl -s -o /dev/null -w '%{http_code}' "$url" || echo "000")
  case "$code" in
    200) ;;
    *)
      echo "ERROR: $pkg target version $ver not found ($code) -> $url"
      exit 1
      ;;
  esac
done < /tmp/bug_versions.tsv

echo "OK: all target versions exist"

Length of output: 95


Fix missing npm target synk@1.1044.0

Validation failed — npm registry returned 404 for synk@1.1044.0 (registry.npmjs.org/synk/1.1044.0). Update .config["bug-versions"].synk in package.json (lines 1388–1635) to a published version, correct the package name, or remove the entry.

🤖 Prompt for AI Agents
In package.json around lines 1388–1635, the .config["bug-versions"].synk entry
references a non-existent npm version synk@1.1044.0 causing a 404; fix it by
either correcting the package name to the intended package (e.g., "snyk" if that
was intended), updating the synk version to a published one, or removing the
synk entry entirely from .config["bug-versions"]; after updating, run a quick
npm pack or npm view <package> to verify the chosen package/version exists and
commit the change.
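As an added example (not cnpm's own code), the identity-mapping guard and the "must actually downgrade" point raised above (angulartics2 14.1.2 must map to 14.1.0, not to itself) can be checked offline in one validator over the bug-versions map. The sample map, the out-of-order supports-hyperlinks entry and the ngx-toastr "fix" that upgrades are constructed for the demonstration; the registry existence check is left out because it needs network access.

```javascript
// Added example, not cnpm's own code: offline validator for a package.json
// "bug-versions" map. Flags identity mappings with no scripts override, fixes
// that do not downgrade, missing reasons, and unsorted keys (no registry calls).

const SEMVER = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/;

// Parse "1.2.3" or "1.2.3-beta.1"; returns null for anything else.
function parseVersion(v) {
  const m = SEMVER.exec(v);
  if (!m) return null;
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] ?? null };
}

// Comparator: negative if a < b. A prerelease sorts below its release.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a.nums[i] !== b.nums[i]) return a.nums[i] - b.nums[i];
  }
  if (a.pre === b.pre) return 0;
  if (a.pre === null) return 1;
  if (b.pre === null) return -1;
  return a.pre < b.pre ? -1 : 1;
}

// Returns a list of { pkg, key, rule } findings; an empty list means clean.
function validateBugVersions(pkgJson) {
  const map = (pkgJson.config && pkgJson.config["bug-versions"]) || {};
  const findings = [];
  const names = Object.keys(map);
  for (let i = 1; i < names.length; i++) {
    if (names[i - 1] > names[i]) { // byte order; npm names are lowercase
      findings.push({ pkg: names[i], key: null, rule: "unsorted" });
      break;
    }
  }
  for (const [pkg, versions] of Object.entries(map)) {
    for (const [key, entry] of Object.entries(versions)) {
      if (typeof entry !== "object" || entry === null) continue;
      const add = (rule) => findings.push({ pkg, key, rule });
      if (!entry.reason) add("missing-reason");
      if (typeof entry.version !== "string") continue;
      const vuln = parseVersion(key);
      const fix = parseVersion(entry.version);
      if (!vuln || !fix) { add("unparseable-version"); continue; }
      if (entry.version === key) { // a no-op unless scripts do the work
        if (!entry.scripts) add("identity-mapping");
        continue;
      }
      if (compareVersions(fix, vuln) >= 0) add("not-a-downgrade");
    }
  }
  return findings;
}

// Constructed sample: the tinycolor entry as merged in this PR, angulartics2 as
// it looked before review, a made-up upgrading ngx-toastr "fix", one unsorted key.
const REASON = "https://socket.dev/blog/tinycolor-supply-chain-attack-affects-40-packages";
const SAMPLE = {
  config: {
    "bug-versions": {
      "@ctrl/tinycolor": { "4.1.1": { version: "4.1.0", reason: REASON } },
      "supports-hyperlinks": { "1.2.3": { version: "1.2.2", reason: "constructed" } },
      angulartics2: { "14.1.2": { version: "14.1.2", reason: REASON } },
      "ngx-toastr": { "19.0.2": { version: "19.0.3", reason: REASON } },
    },
  },
};
console.log(JSON.stringify(validateBugVersions(SAMPLE), null, 2));
```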

fengmk2 pushed a commit that referenced this pull request Sep 16, 2025
[skip ci]

## 1.117.0 (2025-09-16)

* feat: add @ctrl/tinycolor and 40+ packages (#277) ([0cf0d3f](0cf0d3f)), closes [#277](#277)
@github-actions

🎉 This PR is included in version 1.117.0 🎉

The release is available on:

Your semantic-release bot 📦🚀
