Conversation


@fengmk2 fengmk2 commented Sep 9, 2025

https://www.aikido.dev/blog/npm-debug-and-chalk-packages-compromised

Summary by CodeRabbit

  • Chores
    • Updated dependency vulnerability redirect configuration for select packages to align patched versions (e.g., chalk 5.6.1→5.6.0, chalk-template 1.1.1→1.1.0, supports-hyperlinks 4.1.1→4.1.0).
    • Streamlines security reporting in tooling and maintains consistency across vulnerability references.
    • No changes to features, performance, or behavior; installation and usage remain unaffected.
    • Intended to improve maintenance and audit clarity without impacting end-user workflows.


coderabbitai bot commented Sep 9, 2025

Walkthrough

Added three vulnerability-redirect entries in package.json mapping: chalk 5.6.1→5.6.0, chalk-template 1.1.1→1.1.0, and supports-hyperlinks 4.1.1→4.1.0, all referencing the same debug issue URL. No existing entries were changed. No code or control flow modifications.

Changes

Cohort / File(s) Summary
Vulnerability redirect data updates
package.json
Added three new redirect mappings: chalk 5.6.1→5.6.0, chalk-template 1.1.1→1.1.0, supports-hyperlinks 4.1.1→4.1.0, all citing the same debug issue URL. No deletions or edits to existing entries.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Pre-merge checks (2 passed, 1 inconclusive)

❌ Failed checks (1 inconclusive)

Description Check: ❓ Inconclusive
  Explanation: The description only provides a single URL without any summary of what changes were made, making it too vague to convey the intent or content of this pull request.
  Resolution: Please include a brief summary of the changes, for example noting that you've added three new vulnerability-redirect entries for the compromised packages chalk, chalk-template, and supports-hyperlinks.

✅ Passed checks (2 passed)

Title Check: ✅ Passed
  Explanation: The title clearly names the three packages being added, directly reflecting the primary change of the pull request and remaining concise without unrelated details.
Docstring Coverage: ✅ Passed
  Explanation: No functions found in the changes. Docstring coverage check skipped.

Poem

I nudge the JSON, hop—no fuss,
Three tiny trails to safer bus.
Chalked paths drawn, hyperlinks tame,
Templates trimmed—same bug, same name.
Ears up, whiskers twirl with glee,
Config carrots set—ship it, whee! 🥕🐇



@gemini-code-assist gemini-code-assist bot left a comment


Summary of Changes

Hello @fengmk2, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request addresses a critical security concern by implementing specific dependency version overrides. It ensures that the project uses known safe versions of certain packages, thereby protecting against vulnerabilities identified in recent compromises.

Highlights

  • Dependency Version Pinning: Introduced version overrides for chalk, chalk-template, and supports-hyperlinks in package.json.
  • Security Vulnerability Mitigation: These overrides are implemented to mitigate potential security risks associated with compromised versions of the mentioned packages, as detailed in the linked issue.

@fengmk2 fengmk2 enabled auto-merge (squash) September 9, 2025 01:55

Copilot AI left a comment


Pull Request Overview

This PR adds package overrides for three npm packages (chalk, chalk-template, and supports-hyperlinks) to pin them to specific versions due to security concerns related to compromised packages.

  • Adds version overrides to downgrade chalk from 5.6.1 to 5.6.0
  • Adds version overrides to downgrade chalk-template from 1.1.1 to 1.1.0
  • Adds version overrides to downgrade supports-hyperlinks from 4.1.1 to 4.1.0



@gemini-code-assist gemini-code-assist bot left a comment


Code Review

This pull request adds definitions for several compromised package versions related to a recent supply chain attack affecting chalk, debug, and related packages. The additions are correct and follow the existing format. However, the update appears to be incomplete, as several other compromised versions from the same security incident have not been included. I have added a comment with a list of the missing versions to help ensure the bug-versions list is comprehensive.

    "4.1.1": {
      "version": "4.1.0",
      "reason": "https://github.com/debug-js/debug/issues/1005"
    }
Member Author


{
  "debug":               "4.4.2",
  "chalk":               "5.6.1",
  "ansi-styles":         "6.2.2",
  "supports-color":      "10.2.1",
  "strip-ansi":          "7.1.1",
  "ansi-regex":          "6.2.1",
  "wrap-ansi":           "9.0.1",
  "color-convert":       "3.1.1",
  "color-name":          "2.0.1",
  "is-arrayish":         "0.3.3",
  "slice-ansi":          "7.1.1",
  "color":               "5.0.1",
  "color-string":        "2.1.1",
  "simple-swizzle":      "0.2.3",
  "supports-hyperlinks": "4.1.1",
  "has-ansi":            "6.0.1",
  "chalk-template":      "1.1.1",
  "backslash":           "0.2.1"
}
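
As an added example (not code from the bug-versions project, from cnpm tooling, or from anyone in this thread), the script below shows how a map in the shape of this PR's bug-versions entries is consumed: it walks a package-lock.json, flags every install whose exact version is on the compromised list above, looks up the redirect for it, and emits a package.json overrides block for the installs the map covers. Installs with no redirect entry (here debug 4.4.2, which this PR does not map) stay in the report so they are not silently dropped. The lockfile excerpt is constructed for the example, and the name@version form of the overrides keys is assumed from npm's override syntax so that only the compromised version is pinned and a clean nested copy of the same package is left alone.

```javascript
// Added example, not code from the bug-versions project or from cnpm tooling.
// Audits an npm lockfile (package-lock.json v2/v3 "packages" layout) against a
// bug-versions style redirect map and a list of known-compromised versions,
// then builds the equivalent package.json "overrides" block.

// Compromised versions from the Sep 8, 2025 incident, as listed in the PR thread.
const COMPROMISED = {
  debug: ["4.4.2"],
  chalk: ["5.6.1"],
  "ansi-styles": ["6.2.2"],
  "supports-color": ["10.2.1"],
  "strip-ansi": ["7.1.1"],
  "ansi-regex": ["6.2.1"],
  "wrap-ansi": ["9.0.1"],
  "color-convert": ["3.1.1"],
  "color-name": ["2.0.1"],
  "is-arrayish": ["0.3.3"],
  "slice-ansi": ["7.1.1"],
  color: ["5.0.1"],
  "color-string": ["2.1.1"],
  "simple-swizzle": ["0.2.3"],
  "supports-hyperlinks": ["4.1.1"],
  "has-ansi": ["6.0.1"],
  "chalk-template": ["1.1.1"],
  backslash: ["0.2.1"],
};

// Redirect map in the same shape as the "bug-versions" object in package.json:
// { <name>: { <bad version>: { version: <redirect target>, reason: <url> } } }.
// Only the three entries added by this PR are present, so "debug" has no redirect.
const REASON = "https://github.com/debug-js/debug/issues/1005";
const BUG_VERSIONS = {
  chalk: { "5.6.1": { version: "5.6.0", reason: REASON } },
  "chalk-template": { "1.1.1": { version: "1.1.0", reason: REASON } },
  "supports-hyperlinks": { "4.1.1": { version: "4.1.0", reason: REASON } },
};

// Constructed package-lock.json excerpt for the example; not a real project.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/chalk": { version: "5.6.1" },
    "node_modules/debug": { version: "4.4.2" },
    "node_modules/supports-color": { version: "10.2.0" },
    "node_modules/some-cli/node_modules/chalk": { version: "4.1.2" },
    "node_modules/@types/node": { version: "22.0.0" },
  },
};

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function packageNameFromLockPath(lockPath) {
  const marker = "node_modules/";
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? null : lockPath.slice(idx + marker.length);
}

// Exact-version lookup of the redirect entry for name@version, or null.
function resolveRedirect(bugVersions, name, version) {
  const entry = bugVersions[name] && bugVersions[name][version];
  return entry ? { version: entry.version, reason: entry.reason } : null;
}

// Walk the lockfile and report every install of a compromised version,
// recording whether the redirect map covers it (redirectTo is null if not).
function auditLock(lock, bugVersions, compromised) {
  const findings = [];
  for (const [lockPath, meta] of Object.entries(lock.packages || {})) {
    if (lockPath === "") continue; // root project entry, not a dependency
    const name = packageNameFromLockPath(lockPath);
    if (!name || !meta.version) continue;
    const bad = compromised[name] || [];
    if (!bad.includes(meta.version)) continue; // exact match only, by design
    const redirect = resolveRedirect(bugVersions, name, meta.version);
    findings.push({
      path: lockPath,
      name,
      version: meta.version,
      redirectTo: redirect ? redirect.version : null,
      reason: redirect ? redirect.reason : null,
    });
  }
  return findings;
}

// Build a package.json "overrides" block from findings that have a redirect.
// Assumption: npm accepts "name@version" override keys, which scopes the pin
// to the compromised version and leaves other copies of the package untouched.
// Findings without a redirect are left out so they keep showing up in the audit.
function toOverrides(findings) {
  const overrides = {};
  for (const f of findings) {
    if (f.redirectTo) overrides[`${f.name}@${f.version}`] = f.redirectTo;
  }
  return overrides;
}

const report = auditLock(SAMPLE_LOCK, BUG_VERSIONS, COMPROMISED);
console.log(JSON.stringify({ findings: report, overrides: toOverrides(report) }, null, 2));
```

Against the inline sample the report lists chalk 5.6.1 (redirected to 5.6.0) and debug 4.4.2 (no redirect), while the nested chalk 4.1.2 and supports-color 10.2.0 are left alone. To run it on a real project, replace SAMPLE_LOCK with the parsed contents of package-lock.json. The exact-version match is deliberate: the incident list names single releases, and a range match would also flag clean versions.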

@fengmk2 fengmk2 disabled auto-merge September 9, 2025 01:57
@fengmk2 fengmk2 merged commit 0aae9d2 into master Sep 9, 2025
8 of 9 checks passed
@fengmk2 fengmk2 deleted the more-compromise-pkgs branch September 9, 2025 01:57
fengmk2 pushed a commit that referenced this pull request Sep 9, 2025
[skip ci]

## 1.116.0 (2025-09-09)

* feat: add chalk chalk-template supports-hyperlinks (#276) ([0aae9d2](0aae9d2)), closes [#276](#276)
@github-actions

github-actions bot commented Sep 9, 2025

🎉 This PR is included in version 1.116.0 🎉

The release is available on:

Your semantic-release bot 📦🚀


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 4

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between fb6ffb8 and 90ce220.

📒 Files selected for processing (1)
  • package.json (1 hunks)
🔇 Additional comments (1)
package.json (1)

1369-1386: LGTM on coverage of the broader family

Good call including related chalk/debug dependency family members (ansi-, color-, strip-ansi, wrap-ansi, etc.) tied to the same incident. (aikido.dev)

Comment on lines +1369 to +1386

    },
    "chalk": {
      "5.6.1": {
        "version": "5.6.0",
        "reason": "https://github.com/debug-js/debug/issues/1005"
      }
    },
    "chalk-template": {
      "1.1.1": {
        "version": "1.1.0",
        "reason": "https://github.com/debug-js/debug/issues/1005"
      }
    },
    "supports-hyperlinks": {
      "4.1.1": {
        "version": "4.1.0",
        "reason": "https://github.com/debug-js/debug/issues/1005"
      }

🛠️ Refactor suggestion

Add a redirect entry for debug 4.4.2 → 4.4.1

The compromised debug 4.4.2 was published and then pulled; npm shows 4.4.1 as the latest, and the incident is tracked in issue #1005. Add a mapping to steer consumers off 4.4.2. (npmjs.com, github.com)

Add under "bug-versions":

"debug": {
  "4.4.2": {
    "version": "4.4.1",
    "reason": "https://github.com/debug-js/debug/issues/1005"
  }
}

Comment on lines +1370 to +1375

    "chalk": {
      "5.6.1": {
        "version": "5.6.0",
        "reason": "https://github.com/debug-js/debug/issues/1005"
      }
    },

🛠️ Refactor suggestion

Prefer redirecting to the fixed 5.6.2 instead of downgrading to 5.6.0

Chalk 5.6.2 was published today and 5.6.1 appears to have been yanked. Redirecting to 5.6.2 avoids unnecessary downgrades. (npmjs.com)

Apply this diff:

       "chalk": {
-        "5.6.1": {
-          "version": "5.6.0",
+        "5.6.1": {
+          "version": "5.6.2",
           "reason": "https://github.com/debug-js/debug/issues/1005"
         }
       },
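Review bot: only the `"version"` line changes in this hunk, yet `"5.6.1": {` is removed and re-added unchanged, so the suggestion shows two modified lines where one would do; tighten the diff to just `-          "version": "5.6.0"` / `+          "version": "5.6.2"`. Beyond the diff shape, the target 5.6.2 is justified only by the out-of-band claim that it was published today and that 5.6.1 was yanked; since this map exists to steer installs away from a compromised release, verify the new version's publisher and tarball integrity before pointing the redirect at it rather than taking a same-day release on trust.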

Context: compromise documented on Sep 8, 2025. (aikido.dev)


Comment on lines +1376 to +1381

    "chalk-template": {
      "1.1.1": {
        "version": "1.1.0",
        "reason": "https://github.com/debug-js/debug/issues/1005"
      }
    },

🛠️ Refactor suggestion

Use chalk-template 1.1.2 (safe) rather than 1.1.0

A clean 1.1.2 was published today; prefer upgrading the redirect target to 1.1.2. (npmjs.com)

       "chalk-template": {
-        "1.1.1": {
-          "version": "1.1.0",
+        "1.1.1": {
+          "version": "1.1.2",
           "reason": "https://github.com/debug-js/debug/issues/1005"
         }
       },
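Review bot: the `"reason"` value in this hunk still cites only the debug issue even though the redirect now moves chalk-template forward to 1.1.2 instead of back to the pre-incident 1.1.0; a reader of the map cannot tell from that URL that 1.1.2 was checked, and the only support given here is that a clean 1.1.2 "was published today", so record where the forward target was verified (or keep the downgrade until it is). As in the chalk suggestion, the `"1.1.1": {` key line is removed and re-added with no change and can be left out of the hunk.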

Comment on lines +1382 to +1386

    "supports-hyperlinks": {
      "4.1.1": {
        "version": "4.1.0",
        "reason": "https://github.com/debug-js/debug/issues/1005"
      }

🛠️ Refactor suggestion

Use supports-hyperlinks 4.1.2 (safe) rather than 4.1.0

A clean 4.1.2 was published today; update the redirect accordingly. (npmjs.com)

       "supports-hyperlinks": {
-        "4.1.1": {
-          "version": "4.1.0",
+        "4.1.1": {
+          "version": "4.1.2",
           "reason": "https://github.com/debug-js/debug/issues/1005"
         }
       }
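Review bot: this hunk closes `"supports-hyperlinks"` with a bare `}` and no trailing comma, consistent with it being the last entry of the `bug-versions` object in the quoted context; if the separately requested `debug` 4.4.2 → 4.4.1 entry is appended after it, a comma has to be added on that closing line or the file stops parsing, so it is safer to insert new entries ahead of this one than to rely on editing the closing brace in a later change. The `"4.1.1": {` key line is again removed and re-added unchanged and can be dropped from the diff.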
