From 7380bf2c83c2de5fef93b1414ba91e19f910aaed Mon Sep 17 00:00:00 2001 From: Joao Pereira Date: Mon, 8 Sep 2025 17:50:55 -0300 Subject: [PATCH 1/3] chore(security): pin safe versions for chalk/debug supply-chain incident (2025-09-08) - Add overrides/resolutions to prevent installation of compromised packages - Block chalk@5.6.1, debug@4.4.2 and related malicious dependencies - Pin to safe versions: chalk@5.6.2, debug@4.4.1 and updated ANSI packages - Applied to: plugin-NornAI, Plugin-Centaury Contents, Plugin-IconBridge Refs: - https://github.com/chalk/chalk/issues/656 - https://github.com/debug-js/debug/issues/1005 - https://www.aikido.dev/blog/npm-debug-and-chalk-packages-compromised
---
figma/Plugin-Centaury Contents/package.json | 20 ++++++++++++++++++++ figma/Plugin-IconBridge/package.json | 20 ++++++++++++++++++++ figma/plugin-NornAI/package.json | 20 ++++++++++++++++++++ 3 files changed, 60 insertions(+)
diff --git a/figma/Plugin-Centaury Contents/package.json b/figma/Plugin-Centaury Contents/package.json
index 5f44d42..570be8e 100644
--- a/figma/Plugin-Centaury Contents/package.json
+++ b/figma/Plugin-Centaury Contents/package.json
@@ -34,5 +34,25 @@
 "dependencies": {
 "react": "^18.2.0",
 "react-dom": "^18.2.0"
+ },
+ "resolutions": {
+ "chalk": "5.6.2",
+ "debug": "4.4.1",
+ "supports-color": "10.2.2",
+ "strip-ansi": "7.1.2",
+ "ansi-regex": "6.2.2",
+ "wrap-ansi": "9.0.2",
+ "ansi-styles": "6.2.3",
+ "slice-ansi": "7.1.2",
+ "chalk-template": "1.1.2",
+ "supports-hyperlinks": "4.1.2",
+ "has-ansi": "6.0.2",
+ "color-convert": "3.1.0",
+ "color-name": "2.0.0",
+ "color-string": "2.1.0",
+ "is-arrayish": "0.3.2",
+ "simple-swizzle": "0.2.2",
+ "error-ex": "1.3.2",
+ "backslash": "0.2.0"
 }
 }
diff --git a/figma/Plugin-IconBridge/package.json b/figma/Plugin-IconBridge/package.json
index a16e159..eba074f 100644
--- a/figma/Plugin-IconBridge/package.json
+++ b/figma/Plugin-IconBridge/package.json 
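Review bot: The `resolutions` block added in this hunk is a Yarn-only field; npm ignores it and honours `overrides` instead, which is the key the Plugin-IconBridge and plugin-NornAI hunks of this same patch use. Unless this plugin is installed with Yarn, these pins have no effect and the flagged versions can still be resolved; if npm is the installer, the key should be `"overrides": {`. Separately, the diffstat shows only package.json files changing: if a package-lock.json or yarn.lock is committed, an override or resolution only takes effect once the lock is re-resolved, and `npm ci` typically refuses to install when the lock disagrees with the manifest, so the lockfiles presumably need regenerating and committing alongside this change. Exact pins like these also block future patched releases, so a tracking item to lift them once the referenced advisories are closed would help.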
@@ -2,5 +2,25 @@
 "devDependencies": {
 "@figma/plugin-typings": "^1.108.0",
 "typescript": "^5.7.3"
+ },
+ "overrides": {
+ "chalk": "5.6.2",
+ "debug": "4.4.1",
+ "supports-color": "10.2.2",
+ "strip-ansi": "7.1.2",
+ "ansi-regex": "6.2.2",
+ "wrap-ansi": "9.0.2",
+ "ansi-styles": "6.2.3",
+ "slice-ansi": "7.1.2",
+ "chalk-template": "1.1.2",
+ "supports-hyperlinks": "4.1.2",
+ "has-ansi": "6.0.2",
+ "color-convert": "3.1.0",
+ "color-name": "2.0.0",
+ "color-string": "2.1.0",
+ "is-arrayish": "0.3.2",
+ "simple-swizzle": "0.2.2",
+ "error-ex": "1.3.2",
+ "backslash": "0.2.0"
 }
 }
diff --git a/figma/plugin-NornAI/package.json b/figma/plugin-NornAI/package.json
index ebe1f85..a3bcbcd 100644
--- a/figma/plugin-NornAI/package.json
+++ b/figma/plugin-NornAI/package.json
@@ -13,6 +13,26 @@
 "react-masonry-css": "^1.0.16",
 "react-syntax-highlighter": "^15.5.0"
 },
+ "overrides": {
+ "chalk": "5.6.2",
+ "debug": "4.4.1",
+ "supports-color": "10.2.2",
+ "strip-ansi": "7.1.2",
+ "ansi-regex": "6.2.2",
+ "wrap-ansi": "9.0.2",
+ "ansi-styles": "6.2.3",
+ "slice-ansi": "7.1.2",
+ "chalk-template": "1.1.2",
+ "supports-hyperlinks": "4.1.2",
+ "has-ansi": "6.0.2",
+ "color-convert": "3.1.0",
+ "color-name": "2.0.0",
+ "color-string": "2.1.0",
+ "is-arrayish": "0.3.2",
+ "simple-swizzle": "0.2.2",
+ "error-ex": "1.3.2",
+ "backslash": "0.2.0"
+ },
 "devDependencies": {
 "@figma/plugin-typings": "^1.50.0",
 "@tailwindcss/forms": "^0.5.10",
From 310a79990934dd9094b36635202554280afd10ba Mon Sep 17 00:00:00 2001 From: Joao Pereira Date: Mon, 8 Sep 2025 17:51:14 -0300 Subject: [PATCH 2/3] chore: add .gitignore to prevent tracking node_modules and build files
---
.gitignore | 68 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 .gitignore
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..e5ba337
--- /dev/null
+++ b/.gitignore 
@@ -0,0 +1,68 @@
+# Dependencies
+node_modules/
+**/node_modules/
+
+# Build outputs
+dist/
+build/
+*.tsbuildinfo
+
+# OS generated files
+.DS_Store
+Thumbs.db
+
+# IDE files
+.vscode/
+.idea/
+*.swp
+*.swo
+
+# Logs
+*.log
+npm-debug.log*
+yarn-debug.log*
+yarn-error.log*
+
+# Runtime data
+pids
+*.pid
+*.seed
+*.pid.lock
+
+# Coverage directory used by tools like istanbul
+coverage/
+*.lcov
+
+# Optional npm cache directory
+.npm
+
+# Optional REPL history
+.node_repl_history
+
+# Output of 'npm pack'
+*.tgz
+
+# Yarn Integrity file
+.yarn-integrity
+
+# parcel-bundler cache (https://parceljs.org/)
+.cache
+.parcel-cache
+
+# next.js build output
+.next
+
+# nuxt.js build output
+.nuxt
+
+# vuepress build output
+.vuepress/dist
+
+# Serverless directories
+.serverless
+
+# FuseBox cache
+.fusebox/
+
+# DynamoDB Local files
+.dynamodb/
From 5f21f67561bd37ba40fde9372c82e5c9d7a4facf Mon Sep 17 00:00:00 2001 From: Joao Pereira Date: Mon, 8 Sep 2025 18:37:18 -0300 Subject: [PATCH 3/3] fix: correct package versions to match company security guidelines - Update chalk from 5.6.2 to 5.6.0 (company standard) - Update all ANSI/color packages to exact versions per guidelines - Add missing 'color': '5.0.0' package override - Add 'save-exact': true to prevent floating version ranges - Applied to: plugin-NornAI, Plugin-Centaury Contents, Plugin-IconBridge Following exact company security specifications for chalk@5.6.1 debug@4.4.2 incident
---
figma/Plugin-Centaury Contents/package.json | 28 +++++++++++---------- figma/Plugin-IconBridge/package.json | 28 +++++++++++---------- figma/plugin-NornAI/package.json | 28 +++++++++++---------- 3 files changed, 45 insertions(+), 39 deletions(-)
diff --git a/figma/Plugin-Centaury Contents/package.json b/figma/Plugin-Centaury Contents/package.json
index 570be8e..b06efa7 100644
--- a/figma/Plugin-Centaury Contents/package.json
+++ b/figma/Plugin-Centaury Contents/package.json 
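Review bot: The new ignore list covers dependency, build and tool-cache paths but has no entry for local environment files, which in a Node project are where API tokens and similar credentials usually live and are therefore the files most worth keeping out of the repository; consider adding `.env` and `.env.*` under a `# Local environment` heading, with `!.env.example` if a committed template is used. Minor: `**/node_modules/` duplicates `node_modules/`, since a pattern without a leading slash already matches at any depth.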
@@ -10,6 +10,7 @@
 },
 "author": "",
 "license": "",
+ "save-exact": true,
 "devDependencies": {
 "@figma/plugin-typings": "*",
 "@types/figma": "^1.0.8",
@@ -36,23 +37,24 @@
 "react-dom": "^18.2.0"
 },
 "resolutions": {
- "chalk": "5.6.2",
+ "chalk": "5.6.0",
 "debug": "4.4.1",
- "supports-color": "10.2.2",
- "strip-ansi": "7.1.2",
- "ansi-regex": "6.2.2",
- "wrap-ansi": "9.0.2",
- "ansi-styles": "6.2.3",
- "slice-ansi": "7.1.2",
- "chalk-template": "1.1.2",
- "supports-hyperlinks": "4.1.2",
- "has-ansi": "6.0.2",
+ "supports-color": "10.2.0",
+ "strip-ansi": "7.1.0",
+ "color": "5.0.0",
+ "ansi-regex": "6.2.0",
+ "wrap-ansi": "9.0.0",
+ "ansi-styles": "6.2.1",
 "color-convert": "3.1.0",
 "color-name": "2.0.0",
- "color-string": "2.1.0",
 "is-arrayish": "0.3.2",
+ "slice-ansi": "7.1.0",
+ "color-string": "2.1.0",
 "simple-swizzle": "0.2.2",
- "error-ex": "1.3.2",
- "backslash": "0.2.0"
+ "supports-hyperlinks": "4.1.0",
+ "has-ansi": "6.0.0",
+ "chalk-template": "1.1.0",
+ "backslash": "0.2.0",
+ "error-ex": "1.3.2"
 }
 }
diff --git a/figma/Plugin-IconBridge/package.json b/figma/Plugin-IconBridge/package.json
index eba074f..cecfabb 100644
--- a/figma/Plugin-IconBridge/package.json
+++ b/figma/Plugin-IconBridge/package.json 
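Review bot: `"save-exact": true` is not a package.json field; npm reads `save-exact` from its configuration (`.npmrc`, environment or `npm config set`), so the key added in the first hunk is silently ignored and later `npm install <pkg>` runs will still write caret ranges, which is the opposite of what the commit message claims. The same applies to the Plugin-IconBridge and plugin-NornAI hunks of this patch; the fix is to drop the key and add a `.npmrc` next to each package.json containing `save-exact=true`. In the second hunk the `resolutions` key is still the Yarn-only field, so these pins only apply if this plugin is installed with Yarn, not npm. The version changes themselves move from one set of pins to another that both avoid the versions this series names as compromised (chalk@5.6.1, debug@4.4.2), so a subject along the lines of "align pins with company standard" would describe the change more accurately than "fix: correct package versions", which implies the earlier pins were unsafe.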
@@ -1,26 +1,28 @@
 {
+ "save-exact": true,
 "devDependencies": {
 "@figma/plugin-typings": "^1.108.0",
 "typescript": "^5.7.3"
 },
 "overrides": {
- "chalk": "5.6.2",
+ "chalk": "5.6.0",
 "debug": "4.4.1",
- "supports-color": "10.2.2",
- "strip-ansi": "7.1.2",
- "ansi-regex": "6.2.2",
- "wrap-ansi": "9.0.2",
- "ansi-styles": "6.2.3",
- "slice-ansi": "7.1.2",
- "chalk-template": "1.1.2",
- "supports-hyperlinks": "4.1.2",
- "has-ansi": "6.0.2",
+ "color": "5.0.0",
+ "supports-color": "10.2.0",
+ "strip-ansi": "7.1.0",
+ "ansi-regex": "6.2.0",
+ "wrap-ansi": "9.0.0",
+ "ansi-styles": "6.2.1",
 "color-convert": "3.1.0",
 "color-name": "2.0.0",
- "color-string": "2.1.0",
 "is-arrayish": "0.3.2",
+ "slice-ansi": "7.1.0",
+ "color-string": "2.1.0",
 "simple-swizzle": "0.2.2",
- "error-ex": "1.3.2",
- "backslash": "0.2.0"
+ "supports-hyperlinks": "4.1.0",
+ "has-ansi": "6.0.0",
+ "chalk-template": "1.1.0",
+ "backslash": "0.2.0",
+ "error-ex": "1.3.2"
 }
 }
diff --git a/figma/plugin-NornAI/package.json b/figma/plugin-NornAI/package.json
index a3bcbcd..a12e887 100644
--- a/figma/plugin-NornAI/package.json
+++ b/figma/plugin-NornAI/package.json
@@ -3,6 +3,7 @@
 "version": "1.0.0",
 "description": "This plugin template uses Typescript. If you are familiar with Javascript, Typescript will look very familiar. In fact, valid Javascript code is already valid Typescript code.",
 "license": "ISC",
+ "save-exact": true,
 "scripts": {
 "build": "webpack --mode=production",
 "build:watch": "webpack --mode=development --watch" 
@@ -14,24 +15,25 @@
 "react-syntax-highlighter": "^15.5.0"
 },
 "overrides": {
- "chalk": "5.6.2",
+ "chalk": "5.6.0",
 "debug": "4.4.1",
- "supports-color": "10.2.2",
- "strip-ansi": "7.1.2",
- "ansi-regex": "6.2.2",
- "wrap-ansi": "9.0.2",
- "ansi-styles": "6.2.3",
- "slice-ansi": "7.1.2",
- "chalk-template": "1.1.2",
- "supports-hyperlinks": "4.1.2",
- "has-ansi": "6.0.2",
+ "color": "5.0.0",
+ "supports-color": "10.2.0",
+ "strip-ansi": "7.1.0",
+ "ansi-regex": "6.2.0",
+ "wrap-ansi": "9.0.0",
+ "ansi-styles": "6.2.1",
 "color-convert": "3.1.0",
 "color-name": "2.0.0",
- "color-string": "2.1.0",
 "is-arrayish": "0.3.2",
+ "slice-ansi": "7.1.0",
+ "color-string": "2.1.0",
 "simple-swizzle": "0.2.2",
- "error-ex": "1.3.2",
- "backslash": "0.2.0"
+ "supports-hyperlinks": "4.1.0",
+ "has-ansi": "6.0.0",
+ "chalk-template": "1.1.0",
+ "backslash": "0.2.0",
+ "error-ex": "1.3.2"
 },
 "devDependencies": {
 "@figma/plugin-typings": "^1.50.0",