add comment about why colors/safe is not safe

Co-authored-by: Esben Sparre Andreasen <[email protected]>

Author: erik-krogh

javascript/ql/src/semmle/javascript/frameworks/Logging.qll

@@ -221,7 +221,8 @@ class AnsiColorsStep extends TaintTracking::SharedTaintStep {
 class ColorsStep extends TaintTracking::SharedTaintStep {
   override predicate stringManipulationStep(DataFlow::Node pred, DataFlow::Node succ) {
     exists(API::CallNode call |
-      call = API::moduleImport(["colors", "colors/safe"]).getAMember*().getACall()
+
+      call = API::moduleImport(["colors", "colors/safe" /* this variant avoids modifying the prototype methods */ ]).getAMember*().getACall()
     |
       pred = call.getArgument(0) and
       succ = call