deps: adapt to d3 version 7 #8
Comments
I (unfortunately) have a fair amount of experience upgrading D3 visualizations from d3v3->d3v4->d3v5->d3v6->d3v7, and to be honest it's often enough of a hassle that I've ended up re-writing things from scratch. Each new version of D3 has caused some major headaches with migrating. Maybe I don't have permission to see security reports in this repo? The link gives me a 404, and going to the security tab doesn't list anything. pacta.portfolio.report does have

Regarding not being able to see the notifications: I (unfortunately) had a feeling it might be a pain in the butt... that said, I think it's pretty critical, so might be something we need to look into doing unfortunately... Apparently the severity of the vulnerability is "high", whatever that means. Not something to tackle today, but I'll leave this issue open and maybe something we can explore next sprint.

FYI... this issue doesn't seem to be all that "severe" to be honest, and is not relevant in our use case since we're never parsing user input as color info.

Ok thanks @cjyetman, that's good to know.
It seems that old versions of d3, in particular d3-color, have a pretty severe security dependency. Unfortunately, we can't just update directly to d3@7 as some of the breaking changes affect and break our code here. Will need to consider carefully the version bump, and determine how to adjust the VolTraj and TechMix plotting code to adapt to this new dependency.

Relates to #5, #6, #7 and https://github.com/RMI-PACTA/pacta-dashboard-svelte/security/dependabot/1

FYI @cjyetman @AlexAxthelm this might also be an issue in https://github.com/RMI-PACTA/pacta.interactive.plot and https://github.com/RMI-PACTA/pacta.portfolio.report but would never be caught as there is no packages.json file in that repo for dependabot to check automatically.