d3-color high severity vulnerability #148

Open
duecknoah opened this issue Sep 30, 2022 · 4 comments

Comments

@duecknoah

react-d3-cloud depends on a version of d3-color that is vulnerable to ReDoS: GHSA-36jr-mh4h-2g58
Any version of d3-color <3.1.0 is vulnerable to this. Please update the package.json to get a later version of react-d3-color.

(env) duecknoah@Noahs-MacBook-Pro dashboard % npm audit
# npm audit report

d3-color  <3.1.0
Severity: high
d3-color vulnerable to ReDoS - https://github.com/advisories/GHSA-36jr-mh4h-2g58
fix available via `npm audit fix --force`
Will install react-d3-cloud@0.6.0, which is a breaking change
node_modules/d3-color
  d3-interpolate  0.1.3 - 2.0.1
  Depends on vulnerable versions of d3-color
  node_modules/d3-interpolate
    d3-scale  0.1.5 - 3.3.0
    Depends on vulnerable versions of d3-interpolate
    node_modules/d3-scale
      react-d3-cloud  >=0.5.0
      Depends on vulnerable versions of d3-scale
      Depends on vulnerable versions of d3-scale-chromatic
      node_modules/react-d3-cloud
    d3-scale-chromatic  0.1.0 - 2.0.0
    Depends on vulnerable versions of d3-color
    Depends on vulnerable versions of d3-interpolate
    node_modules/d3-scale-chromatic

5 high severity vulnerabilities
@ghost

ghost commented Oct 17, 2022

Hey, any updates on this issue?

@chentsulin
Collaborator

These packages are released as ESM, so we can't easily bump them without introducing a bundler or releasing react-d3-cloud as ESM too.

@AlexSwensen

@chentsulin I would recommend using something like parcel or vite in library mode. That will take care of the bundling and requires a minimal amount of setup. Moving forward (most) everything will be in ESM anyway, so you will be ahead of the curve on that regardless. Vite is almost all ESM under the hood anyway.

It's an example of a painful migration in the Node/js ecosystem, but it does get easier with time. Most modules I am working with "just work" once I have a proper bundler included. For this reason I recommend Vite as its setup is far less complex than Webpack or Turbopack.

@morganney

Use overrides (or resolutions) in your package.json.

"overrides": {
  "d3-color": "^3.1.0"
}
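Whether an override like the one above actually took effect is visible in the lock file: every `node_modules/.../d3-color` entry should be at or above 3.1.0, including nested copies under d3-scale-chromatic or d3-interpolate. The following Node script is an added example, not code from this thread or from react-d3-cloud; it scans the `packages` map of a lockfileVersion 2/3 `package-lock.json` with no dependencies, and the two lock-file fragments it runs on are constructed for illustration.

```javascript
// Added example: check an npm lockfile for copies of d3-color still below the
// fixed version 3.1.0 (GHSA-36jr-mh4h-2g58). Works on lockfileVersion 2/3
// "packages" maps and needs no third-party modules.

const FIXED = '3.1.0';

// Parse "1.2.3" or "1.2.3-beta.1" into comparable parts; build metadata is ignored.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

// Comparator semantics (negative / 0 / positive); a pre-release sorts before its release.
function compareSemver(a, b) {
  const pa = parseSemver(a), pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] - pb.nums[i];
  }
  if (pa.pre === pb.pre) return 0;
  if (pa.pre === null) return 1;
  if (pb.pre === null) return -1;
  return pa.pre < pb.pre ? -1 : 1;
}

// Given a parsed package-lock.json object, list every installed d3-color below FIXED.
// Nested installs such as "node_modules/d3-scale-chromatic/node_modules/d3-color"
// are the ones an override is meant to collapse, so they are checked too.
function findVulnerableD3Color(lock) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!path.endsWith('node_modules/d3-color') || !entry.version) continue;
    if (compareSemver(entry.version, FIXED) < 0) hits.push({ path, version: entry.version });
  }
  return hits;
}

// Constructed lockfile fragments: the tree before and after adding the override.
const LOCK_BEFORE = { lockfileVersion: 3, packages: {
  'node_modules/d3-color': { version: '2.0.0' },
  'node_modules/d3-scale-chromatic/node_modules/d3-color': { version: '1.4.1' },
} };
const LOCK_AFTER = { lockfileVersion: 3, packages: {
  'node_modules/d3-color': { version: '3.1.0' },
} };

console.log('before override:', findVulnerableD3Color(LOCK_BEFORE));
console.log('after override:', findVulnerableD3Color(LOCK_AFTER));
```

To run it against a real project, replace the constructed objects with `JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8'))`; an empty result means no vulnerable d3-color copy remains in the tree.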
