Impact
This project pinned chalk to version 5.6.0 (no caret), so it never pulled in the compromised chalk@5.6.1. As a result, no versions of generate-react-cli were affected. The malicious payload in 5.6.1 targeted browser/Web3 contexts and does not apply to this CLI tool.
Severity justification: This advisory is marked None (0.0) because generate-react-cli pinned chalk@5.6.0 and never depended on the compromised chalk@5.6.1.
Patches
We updated to chalk@5.6.2, the fixed upstream release. Users of generate-react-cli can safely upgrade to 9.0.1.
Workarounds
No workarounds were required. Since the project was pinned to 5.6.0, users were not impacted. The patch is provided for alignment with upstream.
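The advisory's point is that an exact pin (5.6.0) never admits 5.6.1 while a caret range (^5.6.0) would. The following is an added example, not code from generate-react-cli or chalk, that checks dependency specs for that exposure and scans an npm lockfile (v2/v3 "packages" layout, assumed) for the compromised version; the inputs are constructed.

```javascript
// Added example, not the advisory's own code: checks whether a package.json
// dependency spec could resolve to a known-compromised version and scans an
// npm lockfile (v2/v3 "packages" layout, assumed) for it. Data is constructed.
const COMPROMISED = { chalk: ["5.6.1"] }; // version named in the advisory

const parse = (v) => v.split(".").map(Number);
const cmp = (a, b) => {
  const [a1, a2, a3] = parse(a), [b1, b2, b3] = parse(b);
  return a1 - b1 || a2 - b2 || a3 - b3;
};

// Minimal semver matcher: exact pin or caret (^) range. Other syntax returns
// null so the caller treats it as "possibly admits".
function specAdmits(spec, version) {
  if (/^\d+\.\d+\.\d+$/.test(spec)) return spec === version;
  const m = /^\^(\d+)\.(\d+)\.(\d+)$/.exec(spec);
  if (!m) return null;
  const base = `${m[1]}.${m[2]}.${m[3]}`;
  const [vMaj, vMin] = parse(version);
  if (cmp(version, base) < 0) return false;
  // ^X.Y.Z allows the same major; ^0.Y.Z only the same minor
  return +m[1] === 0 ? vMaj === 0 && vMin === +m[2] : vMaj === +m[1];
}

// Dependency specs that could pull a compromised version (admits true or null).
function riskySpecs(dependencies) {
  const out = [];
  for (const [name, spec] of Object.entries(dependencies)) {
    for (const bad of COMPROMISED[name] || []) {
      const admits = specAdmits(spec, bad);
      if (admits !== false) out.push({ name, spec, bad, admits });
    }
  }
  return out;
}

// Lockfile entries already resolved to a compromised version.
function compromisedInLock(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = path.split("node_modules/").pop();
    if ((COMPROMISED[name] || []).includes(meta.version)) hits.push({ path, version: meta.version });
  }
  return hits;
}

// Constructed inputs mirroring the advisory: an exact pin vs. a caret range.
console.log(riskySpecs({ chalk: "5.6.0" }));  // [] -> the pin never admits 5.6.1
console.log(riskySpecs({ chalk: "^5.6.0" })); // one entry -> caret would admit 5.6.1
```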
References