potential security vulnerability when bundling via an outdated version of static-eval@0.2.4 etc.

[alhugot]

Hi,
First, this is a great lib!
Second this is perhaps not the place to report it, please feel free to close the issue, but:

There is a quite complex dependency chain on static-eval in the package.json which is affected by this security vulnerability:
https://nodesecurity.io/advisories/548

plotly.js@1.34.0 › ndarray-homography@1.0.0 › ndarray-warp@1.0.1 › cwise@1.0.10 › static-module@1.5.0 › static-eval@0.2.4
plotly.js@1.34.0 › gl-plot3d@1.5.5 › gl-select-static@2.0.2 › cwise@1.0.10 › static-module@1.5.0 › static-eval@0.2.4
plotly.js@1.34.0 › gl-plot2d@1.3.1 › gl-select-static@2.0.2 › cwise@1.0.10 › static-module@1.5.0 › static-eval@0.2.4
plotly.js@1.34.0 › ndarray-fill@1.0.2 › cwise@1.0.10 › static-module@1.5.0 › static-eval@0.2.4
plotly.js@1.34.0 › gl-plot3d@1.5.5 › gl-spikes3d@1.0.6 › glslify@6.1.0 › static-eval@1.1.1
plotly.js@1.34.0 › gl-plot3d@1.5.5 › gl-axes3d@1.2.7 › glslify@6.1.0 › static-eval@1.1.1
plotly.js@1.34.0 › gl-plot3d@1.5.5 › glslify@6.1.0 › static-eval@1.1.1
plotly.js@1.34.0 › gl-plot2d@1.3.1 › glslify@6.1.0 › static-eval@1.1.1
plotly.js@1.34.0 › regl-line2d@2.1.5 › glslify@6.1.0 › static-eval@1.1.1
plotly.js@1.34.0 › regl-scatter2d@2.1.17 › glslify@6.1.0 › static-eval@1.1.1
plotly.js@1.34.0 › gl-scatter3d@1.0.11 › glslify@6.1.0 › static-eval@1.1.1
plotly.js@1.34.0 › gl-surface3d@1.3.4 › glslify@6.1.0 › static-eval@1.1.1
plotly.js@1.34.0 › gl-mesh3d@1.3.2 › glslify@6.1.0 › static-eval@1.1.1
plotly.js@1.34.0 › gl-select-box@1.0.2 › glslify@6.1.0 › static-eval@1.1.1
plotly.js@1.34.0 › gl-pointcloud2d@1.0.1 › glslify@6.1.0 › static-eval@1.1.1
plotly.js@1.34.0 › gl-error3d@1.0.7 › glslify@6.1.0 › static-eval@1.1.1
plotly.js@1.34.0 › gl-line3d@1.1.2 › glslify@6.1.0 › static-eval@1.1.1
plotly.js@1.34.0 › gl-heatmap2d@1.0.4 › glslify@6.1.0 › static-eval@1.1.1
plotly.js@1.34.0 › gl-contour2d@1.1.4 › glslify@6.1.0 › static-eval@1.1.1
plotly.js@1.34.0 › glslify@6.1.0 › static-eval@1.1.1

There is already an issue entered for glslify at glslify/glslify#106
We would then need to move up in the dependency chain to the other components

Would also be good to have a security badge with:

snyk: https://github.com/snyk/snyk#badge
or
nsp: see https://github.com/dwyl/repo-badges

Thx
Alex

[etpinard]

Thanks for the headsup!

I think it's important to stress that this potential security vulnerability only affects users that bundle plotly.js source files as glslify and cwise are only used while building plotly.js.

So, folks that use the dist/ or CDN bundles are not affected by this security bug.

[etpinard]

After 48e1124, we have:

So fixing scijs/cwise#19 should do it.

[k-sai-kiranmayee]

Hello,
Sorry but even after this #2386 (comment), I'm still facing a few vulnerabilities like :(