Dependency 'cucumber@^4.2.1' is dangerous #665

Closed
Tobiaqs opened this issue Jan 14, 2022 · 2 comments

Comments


Tobiaqs commented Jan 14, 2022

Current behavior

This package depends on cucumber@^4.2.1 (deprecated), which in turn requires colors@^1.1.2, which, up until recently, would have resolved to a sabotaged version of the colors package. NPM have removed the sabotaged version, but the publisher can't be trusted.

Desired behavior

Switch to a version of `@cucumber/cucumber`.

I know this is in essence a duplicate of #648 and #554 but those issues do not reference the recent development around the colors package.

If there is a way to pin colors to 1.4.0 without updating cucumber, this particular issue would be mitigated, but I don't think it is possible with NPM.

EDIT: Apparently it is now possible to override dependencies' dependencies. https://www.stefanjudis.com/today-i-learned/how-to-override-your-dependencys-dependencies/
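The override route mentioned above, as an added example that is not part of this issue or of the project's code: the npm `overrides` fragment that pins the copy of `colors` pulled in by `cucumber` to 1.4.0, plus a lockfile check that confirms every installed copy actually resolved to the pin. The sample lockfile, the placeholder version `1.4.99` and the function name `findUnpinned` are constructed for the example.

```javascript
// package.json fragment (npm >= 8.3): force only the `colors` that `cucumber`
// depends on to 1.4.0, without touching cucumber itself.
const OVERRIDES_FRAGMENT = {
  overrides: {
    cucumber: { colors: "1.4.0" },
  },
};

// Walk the "packages" map of a lockfile (lockfileVersion 2 or 3) and return
// every installed path of `pkg` whose version is not `pinned`.
// An empty array means the override held everywhere.
function findUnpinned(lock, pkg, pinned) {
  const unpinned = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    // Keys look like "node_modules/cucumber/node_modules/colors".
    const isPkg =
      path === `node_modules/${pkg}` || path.endsWith(`/node_modules/${pkg}`);
    if (isPkg && meta.version !== pinned) {
      unpinned.push(`${path}@${meta.version}`);
    }
  }
  return unpinned;
}

// Constructed sample lockfile: the hoisted copy is pinned, but a nested copy
// under cucumber still resolves to a placeholder version (1.4.99 is made up).
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    "": { name: "demo", version: "1.0.0", overrides: OVERRIDES_FRAGMENT.overrides },
    "node_modules/colors": { version: "1.4.0" },
    "node_modules/cucumber": { version: "4.2.1" },
    "node_modules/cucumber/node_modules/colors": { version: "1.4.99" },
  },
};

const offending = findUnpinned(SAMPLE_LOCK, "colors", "1.4.0");
console.log(
  offending.length
    ? `colors not pinned at: ${offending.join(", ")}`
    : "every installed copy of colors is 1.4.0"
);
```

To check a real project, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` to `findUnpinned` instead of the sample; a non-empty result after `npm install` means the override did not reach that copy.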

@san-slysz commented

To add to @Tobiaqs's super good feedback, the latest release, at `npm i`, gives us this error message:
cucumber@4.2.1: The npm package has moved to @cucumber/cucumber

It seems relevant to update v4 dependencies 🙏.

@badeball (Owner) commented

Due to personal reasons, the previous maintainers of this package are stepping down and handing the reins over to me, a long-time contributor to the project and a user of it myself. This is a responsibility I'm very excited about. Furthermore, I'd like to thank @lgandecki ++ for all the work that they've done so far.

Read more about the transfer of ownership here.

The repository has however moved and all outstanding issues are being closed. This is not a reflection of the perceived importance of your reported issue. However, if after upgrading to the new version, you still find there to be an issue, feel free to open up another ticket or comment below. Please make sure to read CONTRIBUTING.md before doing so.
