
Comments (10)

cythrawll commented on May 24, 2024

Looks like there is a PR for this: #2466 can we get this in?

from nivo.

sseide commented on May 24, 2024

d3-scale must be updated too, to the latest version 4.x. The currently used 3.x depends on a vulnerable version of d3-color too.

[email protected] -> "d3-interpolate": "1.2.0 - 2" -> "d3-color": "1 - 2"


radikrisffnext commented on May 24, 2024

Same issue here; npm audit vulnerabilities are still flagged.


m-salman-afzal commented on May 24, 2024

What is the progress on this? Kindly update.


DaveCole commented on May 24, 2024

+1 - Here's the npm audit:

d3-color  <3.1.0
Severity: high
d3-color vulnerable to ReDoS - https://github.com/advisories/GHSA-36jr-mh4h-2g58
fix available via `npm audit fix --force`
Will install @nivo/[email protected], which is a breaking change
node_modules/d3-scale-chromatic/node_modules/d3-color
node_modules/d3-scale/node_modules/d3-color
  d3-interpolate  0.1.3 - 2.0.1
  Depends on vulnerable versions of d3-color
  node_modules/d3-scale-chromatic/node_modules/d3-interpolate
  node_modules/d3-scale/node_modules/d3-interpolate
    d3-scale  0.1.5 - 3.3.0
    Depends on vulnerable versions of d3-interpolate
    node_modules/d3-scale
      @nivo/core  *
      Depends on vulnerable versions of @nivo/tooltip
      Depends on vulnerable versions of d3-scale
      node_modules/@nivo/core
        @nivo/axes  *
        Depends on vulnerable versions of @nivo/core
        Depends on vulnerable versions of @nivo/scales
        node_modules/@nivo/axes
        @nivo/bullet  *
        Depends on vulnerable versions of @nivo/axes
        Depends on vulnerable versions of @nivo/colors
        Depends on vulnerable versions of @nivo/core
        Depends on vulnerable versions of @nivo/legends
        Depends on vulnerable versions of @nivo/scales
        Depends on vulnerable versions of @nivo/tooltip
        node_modules/@nivo/bullet
        @nivo/colors  *
        Depends on vulnerable versions of @nivo/core
        Depends on vulnerable versions of d3-scale
        Depends on vulnerable versions of d3-scale-chromatic
        node_modules/@nivo/colors
          @nivo/annotations  *
          Depends on vulnerable versions of @nivo/colors
          Depends on vulnerable versions of @nivo/core
          node_modules/@nivo/annotations
            @nivo/network  *
            Depends on vulnerable versions of @nivo/annotations
            Depends on vulnerable versions of @nivo/colors
            Depends on vulnerable versions of @nivo/core
            Depends on vulnerable versions of @nivo/tooltip
            node_modules/@nivo/network
        @nivo/legends  >=0.56.0
        Depends on vulnerable versions of @nivo/colors
        Depends on vulnerable versions of @nivo/core
        Depends on vulnerable versions of d3-scale
        node_modules/@nivo/legends
        @nivo/tooltip  *
        Depends on vulnerable versions of @nivo/core
        node_modules/@nivo/tooltip
      @nivo/scales  *
      Depends on vulnerable versions of d3-scale
      node_modules/@nivo/scales
    d3-scale-chromatic  0.1.0 - 2.0.0
    Depends on vulnerable versions of d3-color
    Depends on vulnerable versions of d3-interpolate
    node_modules/d3-scale-chromatic

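The audit output above shows why a fixed top-level d3-color is not enough: d3-scale 3.x pulls its own nested copy of d3-color under node_modules/d3-scale/node_modules/, and that nested copy is what it actually loads. The following script is an added example, not code from nivo or the d3 projects; it scans a package-lock.json (lockfile v2/v3 "packages" map) for every installed copy of a package and flags those below the fixed version. SAMPLE_LOCK is a constructed lockfile that mirrors the nested paths in the audit report.

```javascript
// Added example: find every installed copy of a package in an npm lockfile
// (v2/v3 "packages" map) and flag the copies below the version that fixes the advisory.

// Constructed sample lockfile mirroring the nested paths from the audit output above.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    "": { dependencies: { "@nivo/core": "*" } },
    "node_modules/d3-color": { version: "3.1.0" },
    "node_modules/d3-scale": { version: "3.3.0", dependencies: { "d3-interpolate": "1.2.0 - 2" } },
    "node_modules/d3-scale/node_modules/d3-interpolate": { version: "2.0.1" },
    "node_modules/d3-scale/node_modules/d3-color": { version: "2.0.0" },
    "node_modules/d3-scale-chromatic/node_modules/d3-color": { version: "1.4.1" },
  },
};

// Minimal semver comparison on the numeric x.y.z part (pre-release tags ignored).
function parseVersion(v) {
  return v.replace(/^v/, "").split("-")[0].split(".").map(Number);
}
function lessThan(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) < (pb[i] || 0);
  }
  return false;
}

// Every installed copy of `name`, hoisted or nested (e.g.
// node_modules/d3-scale/node_modules/d3-color), keyed by its lockfile path.
function installedCopies(lock, name) {
  const suffix = "node_modules/" + name;
  return Object.entries(lock.packages || {})
    .filter(([path]) => path === suffix || path.endsWith("/" + suffix))
    .map(([path, meta]) => ({ path, version: meta.version }));
}

// Copies of `name` older than `fixedIn`. A nested copy is what the nested
// dependent loads, so a fixed hoisted copy alone does not clear the finding.
function vulnerableCopies(lock, name, fixedIn) {
  return installedCopies(lock, name).filter((c) => lessThan(c.version, fixedIn));
}

for (const c of vulnerableCopies(SAMPLE_LOCK, "d3-color", "3.1.0")) {
  console.log(`${c.path}: d3-color@${c.version} < 3.1.0`);
}
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; a non-empty result is a CI gate that stays red until the nested d3-scale copy is gone.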

michelacerro commented on May 24, 2024

Hi, same issue here.

For my project I need to install @nivo/core, @nivo/line and @nivo/geo, and all three report vulnerability issues.

By installing only @nivo/core, the npm audit report is:

d3-color  <3.1.0
Severity: high
d3-color vulnerable to ReDoS - https://github.com/advisories/GHSA-36jr-mh4h-2g58
No fix available
node_modules/d3-scale/node_modules/d3-color
  d3-interpolate  0.1.3 - 2.0.1
  Depends on vulnerable versions of d3-color
  node_modules/d3-scale/node_modules/d3-interpolate
    d3-scale  0.1.5 - 3.3.0
    Depends on vulnerable versions of d3-interpolate
    node_modules/d3-scale
      @nivo/core  *
      Depends on vulnerable versions of @nivo/tooltip
      Depends on vulnerable versions of d3-scale
      node_modules/@nivo/core
        @nivo/tooltip  *
        Depends on vulnerable versions of @nivo/core
        node_modules/@nivo/tooltip

By installing only @nivo/line, the npm audit report is:

d3-color  <3.1.0
Severity: high
d3-color vulnerable to ReDoS - https://github.com/advisories/GHSA-36jr-mh4h-2g58
fix available via `npm audit fix --force`
Will install @nivo/[email protected], which is a breaking change
node_modules/@nivo/colors/node_modules/d3-interpolate/node_modules/d3-color
node_modules/@nivo/colors/node_modules/d3-scale-chromatic/node_modules/d3-color
node_modules/d3-scale/node_modules/d3-color
  d3-interpolate  0.1.3 - 2.0.1
  Depends on vulnerable versions of d3-color
  node_modules/@nivo/colors/node_modules/d3-interpolate
  node_modules/d3-scale/node_modules/d3-interpolate
    d3-scale  0.1.5 - 3.3.0
    Depends on vulnerable versions of d3-interpolate
    node_modules/d3-scale
      @nivo/core  *
      Depends on vulnerable versions of @nivo/tooltip
      Depends on vulnerable versions of d3-scale
      node_modules/@nivo/core
        @nivo/axes  *
        Depends on vulnerable versions of @nivo/core
        Depends on vulnerable versions of @nivo/scales
        node_modules/@nivo/axes
          @nivo/line  *
          Depends on vulnerable versions of @nivo/annotations
          Depends on vulnerable versions of @nivo/axes
          Depends on vulnerable versions of @nivo/colors
          Depends on vulnerable versions of @nivo/core
          Depends on vulnerable versions of @nivo/legends
          Depends on vulnerable versions of @nivo/scales
          Depends on vulnerable versions of @nivo/tooltip
          Depends on vulnerable versions of @nivo/voronoi
          node_modules/@nivo/line
        @nivo/colors  *
        Depends on vulnerable versions of @nivo/core
        Depends on vulnerable versions of d3-scale
        Depends on vulnerable versions of d3-scale-chromatic
        node_modules/@nivo/colors
          @nivo/annotations  *
          Depends on vulnerable versions of @nivo/colors
          Depends on vulnerable versions of @nivo/core
          node_modules/@nivo/annotations
          @nivo/legends  >=0.56.0
          Depends on vulnerable versions of @nivo/colors
          Depends on vulnerable versions of @nivo/core
          Depends on vulnerable versions of d3-scale
          node_modules/@nivo/legends
        @nivo/tooltip  *
        Depends on vulnerable versions of @nivo/core
        node_modules/@nivo/tooltip
        @nivo/voronoi  *
        Depends on vulnerable versions of @nivo/core
        Depends on vulnerable versions of d3-scale
        node_modules/@nivo/voronoi
      @nivo/scales  *
      Depends on vulnerable versions of d3-scale
      node_modules/@nivo/scales
    d3-scale-chromatic  0.1.0 - 2.0.0
    Depends on vulnerable versions of d3-color
    Depends on vulnerable versions of d3-interpolate
    node_modules/@nivo/colors/node_modules/d3-scale-chromatic

By installing only @nivo/geo, the npm audit report is:

d3-color  <3.1.0
Severity: high
d3-color vulnerable to ReDoS - https://github.com/advisories/GHSA-36jr-mh4h-2g58
fix available via `npm audit fix --force`
Will install @nivo/[email protected], which is a breaking change
node_modules/@nivo/colors/node_modules/d3-interpolate/node_modules/d3-color
node_modules/@nivo/colors/node_modules/d3-scale-chromatic/node_modules/d3-color
node_modules/d3-scale/node_modules/d3-color
  d3-interpolate  0.1.3 - 2.0.1
  Depends on vulnerable versions of d3-color
  node_modules/@nivo/colors/node_modules/d3-interpolate
  node_modules/d3-scale/node_modules/d3-interpolate
    d3-scale  0.1.5 - 3.3.0
    Depends on vulnerable versions of d3-interpolate
    node_modules/d3-scale
      @nivo/core  *
      Depends on vulnerable versions of @nivo/tooltip
      Depends on vulnerable versions of d3-scale
      node_modules/@nivo/core
        @nivo/colors  *
        Depends on vulnerable versions of @nivo/core
        Depends on vulnerable versions of d3-scale
        Depends on vulnerable versions of d3-scale-chromatic
        node_modules/@nivo/colors
          @nivo/geo  *
          Depends on vulnerable versions of @nivo/colors
          Depends on vulnerable versions of @nivo/core
          Depends on vulnerable versions of @nivo/legends
          Depends on vulnerable versions of @nivo/tooltip
          node_modules/@nivo/geo
        @nivo/legends  >=0.56.0
        Depends on vulnerable versions of @nivo/colors
        Depends on vulnerable versions of @nivo/core
        Depends on vulnerable versions of d3-scale
        node_modules/@nivo/legends
        @nivo/tooltip  *
        Depends on vulnerable versions of @nivo/core
        node_modules/@nivo/tooltip
    d3-scale-chromatic  0.1.0 - 2.0.0
    Depends on vulnerable versions of d3-color
    Depends on vulnerable versions of d3-interpolate
    node_modules/@nivo/colors/node_modules/d3-scale-chromatic


avocardio commented on May 24, 2024

Any fix for this?


cythrawll commented on May 24, 2024

Hi can we get this in? The vulnerability scan we are required to do is starting to cause issues.


clemich commented on May 24, 2024

Please include the non-vulnerable d3 packages on nivo; it would be very nice.
