Is color-string safe to use?

color-string has no known vulnerabilities on the latest version (2.1.4). DepScope rates its health at 59/100 (high risk).

What is the latest version of color-string?

The latest version of color-string is 2.1.4, released 2025-11-15.

Does color-string have known vulnerabilities?

No known vulnerabilities on the latest version of color-string.

Is color-string deprecated?

No, color-string is actively maintained. Latest release: 2.1.4 (2025-11-15).

What are alternatives to color-string?

Popular alternatives to color-string in npm include: debug, minimatch, ansi-styles, brace-expansion, strip-ansi.

What license does color-string use?

color-string is licensed under MIT.

color-string

npmv2.1.4

Parser and generator for CSS color strings

License MITpermissive42 versions1 maintainers1 deps

Qix-/color-string

/ 100

Health

do not use

Do not install. Package is flagged as malicious (advisory MAL-2025-46973).

Health breakdown0 – 100

15/25

maintenance

0/20

popularity

25/25

security

15/15

maturity

4/15

community

Vulnerabilities

none known

Bundle & TypeScript

📦

Bundle Size

6.8 KBminified

2.5 KB gzipped

1 direct dependencies

side effects

🌟

TypeScript

10/10typed

bundled

⚠ Malicious package

This package is flagged as malicious by the OpenSSF/OSV community feed. Do not install.

Advisory: MAL-2025-46973 — Malicious code in color-string (npm)

Quality signals

OSS Criticality

0.75critical

Download trend

stable(+3.9%)

Publish security

npm signed

Health History

Dependency Tree

License Audit

Dependencies (1)

color-name

API access

Get this data programmatically — free, no authentication.

curl https://depscope.dev/api/check/npm/color-string