Hey all, I think many may have seen this floating around the internet lately -- the vulnerabilities snuck into chalk and related packages:
https://github.com/chalk/chalk/issues/656
https://github.com/duckdb/duckdb-node/security/advisories/GHSA-w62p-hx95-gf2c
Jco wasn't affected by this update, though we use chalk-template mostly because we don't update that dependency that frequently (see the package-lock.json in the repo). It's technically possible that someone updated their versions as a requirement of another unrelated package, but at least due to the use of jco itself there is no spreading of the compromise.
I've taken the initiative to remove chalk-template at this point while we're here:
https://github.com/bytecodealliance/jco/pull/1010
I've been meaning to do this for a while as node:util's styleText exists (though it's only for node 20.x and above). At this point I've added a polyfill that is kind of a breaking change (Node 18.x will lose some colored output), but I think that's a worthwhile tradeoff.
Will be releasing a new Jco version this week along with other changes that have gone in during the meantime!
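The post notes that an unrelated package could still pull in a different version of these dependencies. The following is an added example, not part of the original post or of Jco's code, that lists every resolved copy of named packages in an npm lockfile, nested copies included. It assumes the `packages` map of lockfileVersion 2/3; the sample lockfile, the `findCopies` and `packageName` helpers and the denylist version are constructed placeholders.

```javascript
// Constructed sample lockfile (lockfileVersion 3 layout); all versions are made up.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/chalk-template": { version: "1.1.0" },
    "node_modules/chalk": { version: "5.3.0" },
    "node_modules/some-cli/node_modules/chalk": { version: "0.0.0-BAD" },
    "node_modules/@scope/tool": { version: "2.0.0" },
  },
};

// Placeholder denylist: fill in the versions named by the advisory you are tracking.
const denylist = { chalk: new Set(["0.0.0-BAD"]) };

// The package name is whatever follows the last "node_modules/" in the path key,
// which also handles scoped names such as "@scope/tool".
function packageName(pathKey) {
  const marker = "node_modules/";
  const i = pathKey.lastIndexOf(marker);
  return i === -1 ? null : pathKey.slice(i + marker.length);
}

// Return one record per installed copy of any package in `names`.
function findCopies(lock, names, deny = {}) {
  const wanted = new Set(names);
  const hits = [];
  // Lockfiles without a "packages" map (lockfileVersion 1) yield no results here.
  for (const [pathKey, meta] of Object.entries(lock.packages ?? {})) {
    const name = meta.name ?? packageName(pathKey);
    if (!name || !wanted.has(name)) continue;
    const flagged = deny[name]?.has(meta.version) ?? false;
    // More than one "node_modules/" segment means a nested (transitive) copy.
    const nested = pathKey.split("node_modules/").length > 2;
    hits.push({ name, version: meta.version, path: pathKey, nested, flagged });
  }
  return hits;
}

const report = findCopies(sampleLock, ["chalk", "chalk-template"], denylist);
for (const h of report) {
  console.log(`${h.flagged ? "FLAGGED" : "ok"} ${h.name}@${h.version} (${h.path})`);
}
```

To check a real project, pass the parsed contents of its `package-lock.json` in place of `sampleLock`.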
Last updated: Dec 06 2025 at 07:03 UTC