# Security Trust Report: colors

**[colors@1.4.0](https://www.npmjs.com/package/colors): 46/100 | Grade: C | Tier: CAUTION** (confidence: ±3)

> Scanned on 2026-04-10 from 8 security databases. [View package on npm →](https://www.npmjs.com/package/colors)

## TL;DR

- **2 vulnerabilities found** (0 critical, 2 high)
- Consider switching to **chalk** (Most popular terminal color library)
- **Action required:** Review flags below and upgrade or replace this package

## ⚠️ Security Incident Background

In January 2022, the package's sole maintainer, marak, deliberately sabotaged the package by adding an infinite loop, causing applications that imported it to print garbage text. This was a protest against large corporations using open-source software without compensating its authors.

## Score Breakdown

```
Maintainer Trust:  █████████░░░░░░░░░░░ 44/100
Package Health:    ██████████████████░░ 88/100
Supply Chain:      █░░░░░░░░░░░░░░░░░░░ 5/100
Community:         █████████░░░░░░░░░░░ 47/100
```

### Why this score?

- Maintainer Trust is 44 because: single maintainer (bus factor risk)
- Supply Chain is 5 because: 2 known CVEs, in breach database
- Community is 47 because: no public GitHub repo linked (may be private or on another platform)

## Vulnerabilities (2 vulnerabilities)

| Severity | Count |
|----------|-------|
| 🟠 High | 2 |

- [CVE-2021-23567](https://nvd.nist.gov/vuln/detail/CVE-2021-23567)
- [GHSA-gh88-3pxp-6fm8](https://github.com/advisories/GHSA-gh88-3pxp-6fm8)
- [GHSA-5rqg-jm4f-cqx7](https://github.com/advisories/GHSA-5rqg-jm4f-cqx7)

## Key Risk Flags

- 🔴 **CRITICAL**: Package name "colors" is 2 edits from the popular package "cors" (typosquatting risk)
- 🔴 **CRITICAL**: HISTORICAL BREACH: Maintainer sabotaged with infinite loop (2022)
- 🔴 **CRITICAL**: Maintainer "marak" has history of package sabotage
- 🟠 **HIGH**: 2 HIGH vulnerabilities detected

## 🛠️ What Should You Do?

**Immediate:**
- 📌 Pin to known-safe version: **1.4.0 (before sabotage)**
- 🔄 Or replace with [chalk](https://nrupak.com/trust/chalk) — Most popular terminal color library
- 📖 Review the security incident above

**Always:** Pin version, run `pkgtrust scan` in CI, monitor at [nrupak.com/trust/colors](https://nrupak.com/trust/colors)

## 🔄 Safer Alternatives

| Package | Why | npm | Trust Score |
|---------|-----|-----|-------------|
| **chalk** | Most popular terminal color library | [npm](https://www.npmjs.com/package/chalk) | [View score](https://nrupak.com/trust/chalk) |
| **picocolors** | Tiny, fast, zero dependencies | [npm](https://www.npmjs.com/package/picocolors) | [View score](https://nrupak.com/trust/picocolors) |
| **kleur** | Lightweight alternative | [npm](https://www.npmjs.com/package/kleur) | [View score](https://nrupak.com/trust/kleur) |

## Maintainers (1)

- ⛔ **[marak](https://www.npmjs.com/~marak)** — COMPROMISED: Deliberately sabotaged colors and faker (2022) ([Trust profile](https://nrupak.com/trust/maintainer/marak))

**Methodology:** 18+ signals across 4 categories (Maintainer 35%, Package 25%, Supply Chain 25%, Community 15%). [Full scoring docs →](https://nrupak.com/trust)

**Check your project:** `npm i -g @cyberhub/pkgtrust && pkgtrust scan colors` — [CLI docs](https://npmjs.com/package/@cyberhub/pkgtrust)

**Data Sources:** GitHub Advisories · OSV.dev · npm audit · Snyk · Socket.dev · npms.io · Bundlephobia · deps.dev · CISA KEV · Packagephobia · OpenSSF Scorecard · Ecosyste.ms · GitHub Enhanced · Keybase · npm Provenance

---

*Report by [pkgtrust](https://nrupak.com/trust/colors) · [Dashboard](https://nrupak.com/trust) · [Compare](https://nrupak.com/trust/compare) · [CLI](https://npmjs.com/package/@cyberhub/pkgtrust)*

*This is an automated security report. Not affiliated with the colors team. Updated 2026-04-10.*