D3 dependencies vulnerability #2470

Closed
the-marolie opened this issue Nov 21, 2023 · 13 comments
Comments

@the-marolie

the-marolie commented Nov 21, 2023

Not exactly a bug, but I was wondering if the d3-scale-chromatic version used in @nivo/colors can be updated to v3.0.0, the latest version. This would update the d3-color dependency, which is currently at 2.x, to 3.x, which patches a vulnerability.

The version has already been updated to v3.0.0 in @nivo/core@0.84.0 but not in @nivo/colors@0.84.0.

@sseide

sseide commented Nov 24, 2023

d3-scale must be updated to the latest version, 4.x, too. The currently used 3.x depends on a vulnerable version of d3-color as well.

d3-scale@3.3.0 -> "d3-interpolate": "1.2.0 - 2" -> "d3-color": "1 - 2"
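The resolution chain sseide describes above (d3-scale -> d3-interpolate -> d3-color, with the patched d3-color hoisted while older copies sit in nested node_modules), as an added example that is not part of this thread or the nivo project. It walks a package-lock.json "packages" map the way npm looks up nested dependencies and lists every path to a d3-color copy still below the 3.1.0 fix; the lockfile is constructed to mirror the audit trees quoted here.

```javascript
// Added example, not nivo project code: walk a package-lock.json "packages" map
// (lockfile v2/v3) the way npm resolves nested node_modules and list every path
// that reaches a d3-color copy affected by GHSA-36jr-mh4h-2g58 (d3-color < 3.1.0).
// The lockfile is constructed to mirror the audit trees quoted in this thread.
const lock = {
  "": { dependencies: { "@nivo/core": "^0.84.0", "@nivo/colors": "^0.84.0", "d3-color": "^3.1.0" } },
  "node_modules/@nivo/core": { version: "0.84.0", dependencies: { "d3-scale": "^3.3.0" } },
  "node_modules/@nivo/colors": { version: "0.84.0", dependencies: { "d3-scale": "^3.3.0", "d3-scale-chromatic": "^2.0.0" } },
  "node_modules/d3-scale": { version: "3.3.0", dependencies: { "d3-interpolate": "1.2.0 - 2" } },
  "node_modules/d3-scale/node_modules/d3-interpolate": { version: "2.0.1", dependencies: { "d3-color": "1 - 2" } },
  "node_modules/d3-scale/node_modules/d3-color": { version: "2.0.0" },
  "node_modules/d3-scale-chromatic": { version: "2.0.0", dependencies: { "d3-color": "1 - 2", "d3-interpolate": "1.2.0 - 2" } },
  "node_modules/d3-scale-chromatic/node_modules/d3-interpolate": { version: "2.0.1", dependencies: { "d3-color": "1 - 2" } },
  "node_modules/d3-scale-chromatic/node_modules/d3-color": { version: "2.0.0" },
  "node_modules/d3-color": { version: "3.1.0" }, // hoisted, patched copy: not flagged
};
// npm lookup rule: the requiring package's own node_modules first, then each parent up to the root.
function resolve(lock, from, name) {
  for (let dir = from; ; ) {
    const candidate = (dir ? dir + "/" : "") + "node_modules/" + name;
    if (lock[candidate]) return candidate;
    if (dir === "") return null; // reached the root without a match
    const idx = dir.lastIndexOf("/node_modules/");
    dir = idx === -1 ? "" : dir.slice(0, idx);
  }
}

// Numeric x.y.z comparison; sufficient for a fixed advisory floor such as "< 3.1.0".
function olderThan(version, floor) {
  const a = version.split(".").map(Number), b = floor.split(".").map(Number);
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i];
  return false;
}

const label = (lock, p) => p.slice(p.lastIndexOf("node_modules/") + 13) + "@" + lock[p].version;
// Depth-first walk from the root; returns "name@version > ..." chains ending at a vulnerable copy.
function vulnerablePaths(lock, pkg = "d3-color", fixedIn = "3.1.0") {
  const found = [];
  const visit = (path, trail) => {
    if (path.endsWith("node_modules/" + pkg) && olderThan(lock[path].version, fixedIn))
      found.push(trail.map((p) => label(lock, p)).join(" > "));
    for (const dep of Object.keys(lock[path].dependencies || {})) {
      const next = resolve(lock, path, dep);
      if (next && !trail.includes(next)) visit(next, trail.concat(next)); // cycle guard
    }
  };
  visit("", []);
  return found;
}

console.log(vulnerablePaths(lock).join("\n"));
```

Run against a real lockfile by replacing `lock` with `JSON.parse(fs.readFileSync("package-lock.json")).packages`; every chain printed corresponds to one nested d3-color that `npm audit` would flag.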

@radikrisffnext

Same issue here; npm audit vulnerabilities are still flagged.

@m-salman-afzal

What is the progress on this? Kindly update.

@DaveCole

DaveCole commented Dec 12, 2023

+1 - Here's the npm audit:

d3-color  <3.1.0
Severity: high
d3-color vulnerable to ReDoS - https://github.com/advisories/GHSA-36jr-mh4h-2g58
fix available via `npm audit fix --force`
Will install @nivo/bullet@0.55.0, which is a breaking change
node_modules/d3-scale-chromatic/node_modules/d3-color
node_modules/d3-scale/node_modules/d3-color
  d3-interpolate  0.1.3 - 2.0.1
  Depends on vulnerable versions of d3-color
  node_modules/d3-scale-chromatic/node_modules/d3-interpolate
  node_modules/d3-scale/node_modules/d3-interpolate
    d3-scale  0.1.5 - 3.3.0
    Depends on vulnerable versions of d3-interpolate
    node_modules/d3-scale
      @nivo/core  *
      Depends on vulnerable versions of @nivo/tooltip
      Depends on vulnerable versions of d3-scale
      node_modules/@nivo/core
        @nivo/axes  *
        Depends on vulnerable versions of @nivo/core
        Depends on vulnerable versions of @nivo/scales
        node_modules/@nivo/axes
        @nivo/bullet  *
        Depends on vulnerable versions of @nivo/axes
        Depends on vulnerable versions of @nivo/colors
        Depends on vulnerable versions of @nivo/core
        Depends on vulnerable versions of @nivo/legends
        Depends on vulnerable versions of @nivo/scales
        Depends on vulnerable versions of @nivo/tooltip
        node_modules/@nivo/bullet
        @nivo/colors  *
        Depends on vulnerable versions of @nivo/core
        Depends on vulnerable versions of d3-scale
        Depends on vulnerable versions of d3-scale-chromatic
        node_modules/@nivo/colors
          @nivo/annotations  *
          Depends on vulnerable versions of @nivo/colors
          Depends on vulnerable versions of @nivo/core
          node_modules/@nivo/annotations
            @nivo/network  *
            Depends on vulnerable versions of @nivo/annotations
            Depends on vulnerable versions of @nivo/colors
            Depends on vulnerable versions of @nivo/core
            Depends on vulnerable versions of @nivo/tooltip
            node_modules/@nivo/network
        @nivo/legends  >=0.56.0
        Depends on vulnerable versions of @nivo/colors
        Depends on vulnerable versions of @nivo/core
        Depends on vulnerable versions of d3-scale
        node_modules/@nivo/legends
        @nivo/tooltip  *
        Depends on vulnerable versions of @nivo/core
        node_modules/@nivo/tooltip
      @nivo/scales  *
      Depends on vulnerable versions of d3-scale
      node_modules/@nivo/scales
    d3-scale-chromatic  0.1.0 - 2.0.0
    Depends on vulnerable versions of d3-color
    Depends on vulnerable versions of d3-interpolate
    node_modules/d3-scale-chromatic

@michelacerro

Hi, same issue here.

For my project I need to install @nivo/core, @nivo/line and @nivo/geo, and all three report vulnerability issues.

By installing only @nivo/core, the npm audit report is:

d3-color  <3.1.0
Severity: high
d3-color vulnerable to ReDoS - https://github.com/advisories/GHSA-36jr-mh4h-2g58
No fix available
node_modules/d3-scale/node_modules/d3-color
  d3-interpolate  0.1.3 - 2.0.1
  Depends on vulnerable versions of d3-color
  node_modules/d3-scale/node_modules/d3-interpolate
    d3-scale  0.1.5 - 3.3.0
    Depends on vulnerable versions of d3-interpolate
    node_modules/d3-scale
      @nivo/core  *
      Depends on vulnerable versions of @nivo/tooltip
      Depends on vulnerable versions of d3-scale
      node_modules/@nivo/core
        @nivo/tooltip  *
        Depends on vulnerable versions of @nivo/core
        node_modules/@nivo/tooltip

By installing only @nivo/line, the npm audit report is:

d3-color  <3.1.0
Severity: high
d3-color vulnerable to ReDoS - https://github.com/advisories/GHSA-36jr-mh4h-2g58
fix available via `npm audit fix --force`
Will install @nivo/line@0.55.0, which is a breaking change
node_modules/@nivo/colors/node_modules/d3-interpolate/node_modules/d3-color
node_modules/@nivo/colors/node_modules/d3-scale-chromatic/node_modules/d3-color
node_modules/d3-scale/node_modules/d3-color
  d3-interpolate  0.1.3 - 2.0.1
  Depends on vulnerable versions of d3-color
  node_modules/@nivo/colors/node_modules/d3-interpolate
  node_modules/d3-scale/node_modules/d3-interpolate
    d3-scale  0.1.5 - 3.3.0
    Depends on vulnerable versions of d3-interpolate
    node_modules/d3-scale
      @nivo/core  *
      Depends on vulnerable versions of @nivo/tooltip
      Depends on vulnerable versions of d3-scale
      node_modules/@nivo/core
        @nivo/axes  *
        Depends on vulnerable versions of @nivo/core
        Depends on vulnerable versions of @nivo/scales
        node_modules/@nivo/axes
          @nivo/line  *
          Depends on vulnerable versions of @nivo/annotations
          Depends on vulnerable versions of @nivo/axes
          Depends on vulnerable versions of @nivo/colors
          Depends on vulnerable versions of @nivo/core
          Depends on vulnerable versions of @nivo/legends
          Depends on vulnerable versions of @nivo/scales
          Depends on vulnerable versions of @nivo/tooltip
          Depends on vulnerable versions of @nivo/voronoi
          node_modules/@nivo/line
        @nivo/colors  *
        Depends on vulnerable versions of @nivo/core
        Depends on vulnerable versions of d3-scale
        Depends on vulnerable versions of d3-scale-chromatic
        node_modules/@nivo/colors
          @nivo/annotations  *
          Depends on vulnerable versions of @nivo/colors
          Depends on vulnerable versions of @nivo/core
          node_modules/@nivo/annotations
          @nivo/legends  >=0.56.0
          Depends on vulnerable versions of @nivo/colors
          Depends on vulnerable versions of @nivo/core
          Depends on vulnerable versions of d3-scale
          node_modules/@nivo/legends
        @nivo/tooltip  *
        Depends on vulnerable versions of @nivo/core
        node_modules/@nivo/tooltip
        @nivo/voronoi  *
        Depends on vulnerable versions of @nivo/core
        Depends on vulnerable versions of d3-scale
        node_modules/@nivo/voronoi
      @nivo/scales  *
      Depends on vulnerable versions of d3-scale
      node_modules/@nivo/scales
    d3-scale-chromatic  0.1.0 - 2.0.0
    Depends on vulnerable versions of d3-color
    Depends on vulnerable versions of d3-interpolate
    node_modules/@nivo/colors/node_modules/d3-scale-chromatic

By installing only @nivo/geo, the npm audit report is:

d3-color  <3.1.0
Severity: high
d3-color vulnerable to ReDoS - https://github.com/advisories/GHSA-36jr-mh4h-2g58
fix available via `npm audit fix --force`
Will install @nivo/geo@0.55.0, which is a breaking change
node_modules/@nivo/colors/node_modules/d3-interpolate/node_modules/d3-color
node_modules/@nivo/colors/node_modules/d3-scale-chromatic/node_modules/d3-color
node_modules/d3-scale/node_modules/d3-color
  d3-interpolate  0.1.3 - 2.0.1
  Depends on vulnerable versions of d3-color
  node_modules/@nivo/colors/node_modules/d3-interpolate
  node_modules/d3-scale/node_modules/d3-interpolate
    d3-scale  0.1.5 - 3.3.0
    Depends on vulnerable versions of d3-interpolate
    node_modules/d3-scale
      @nivo/core  *
      Depends on vulnerable versions of @nivo/tooltip
      Depends on vulnerable versions of d3-scale
      node_modules/@nivo/core
        @nivo/colors  *
        Depends on vulnerable versions of @nivo/core
        Depends on vulnerable versions of d3-scale
        Depends on vulnerable versions of d3-scale-chromatic
        node_modules/@nivo/colors
          @nivo/geo  *
          Depends on vulnerable versions of @nivo/colors
          Depends on vulnerable versions of @nivo/core
          Depends on vulnerable versions of @nivo/legends
          Depends on vulnerable versions of @nivo/tooltip
          node_modules/@nivo/geo
        @nivo/legends  >=0.56.0
        Depends on vulnerable versions of @nivo/colors
        Depends on vulnerable versions of @nivo/core
        Depends on vulnerable versions of d3-scale
        node_modules/@nivo/legends
        @nivo/tooltip  *
        Depends on vulnerable versions of @nivo/core
        node_modules/@nivo/tooltip
    d3-scale-chromatic  0.1.0 - 2.0.0
    Depends on vulnerable versions of d3-color
    Depends on vulnerable versions of d3-interpolate
    node_modules/@nivo/colors/node_modules/d3-scale-chromatic

@avocardio

Any fix for this?

@cythrawll

Hi can we get this in? The vulnerability scan we are required to do is starting to cause issues.

@cythrawll

Looks like there is a PR for this: #2466 can we get this in?

@clemich

clemich commented Jan 17, 2024

Please include the non-vulnerable d3 packages in nivo; it would be very nice.

@LeAnsman

LeAnsman commented Jan 24, 2024

+1

Dependencies:

"dependencies" : {
    "@nivo/bar": "^0.84.0",
    "@nivo/colors": "^0.84.0",
    "@nivo/core": "^0.84.0",
    "@nivo/pie": "^0.84.0",
    "@nivo/radar": "^0.84.0",
    "@nivo/radial-bar": "^0.84.0",
    "@nivo/sunburst": "^0.84.0"
}

npm audit report:

d3-color  <3.1.0
Severity: high
d3-color vulnerable to ReDoS - https://github.com/advisories/GHSA-36jr-mh4h-2g58
fix available via `npm audit fix --force`
Will install @nivo/radar@0.55.0, which is a breaking change
node_modules/d3-scale-chromatic/node_modules/d3-color
node_modules/d3-scale/node_modules/d3-color
  d3-interpolate  0.1.3 - 2.0.1
  Depends on vulnerable versions of d3-color
  node_modules/d3-scale-chromatic/node_modules/d3-interpolate
  node_modules/d3-scale/node_modules/d3-interpolate
    d3-scale  0.1.5 - 3.3.0
    Depends on vulnerable versions of d3-interpolate
    node_modules/d3-scale
      @nivo/bar  *
      Depends on vulnerable versions of @nivo/annotations
      Depends on vulnerable versions of @nivo/axes
      Depends on vulnerable versions of @nivo/colors
      Depends on vulnerable versions of @nivo/core
      Depends on vulnerable versions of @nivo/legends
      Depends on vulnerable versions of @nivo/scales
      Depends on vulnerable versions of @nivo/tooltip
      Depends on vulnerable versions of d3-scale
      node_modules/@nivo/bar
      @nivo/core  *
      Depends on vulnerable versions of @nivo/tooltip
      Depends on vulnerable versions of d3-scale
      node_modules/@nivo/core
        @nivo/axes  *
        Depends on vulnerable versions of @nivo/core
        Depends on vulnerable versions of @nivo/scales
        node_modules/@nivo/axes
        @nivo/colors  *
        Depends on vulnerable versions of @nivo/core
        Depends on vulnerable versions of d3-scale
        Depends on vulnerable versions of d3-scale-chromatic
        node_modules/@nivo/colors
          @nivo/annotations  *
          Depends on vulnerable versions of @nivo/colors
          Depends on vulnerable versions of @nivo/core
          node_modules/@nivo/annotations
          @nivo/arcs  *
          Depends on vulnerable versions of @nivo/colors
          Depends on vulnerable versions of @nivo/core
          node_modules/@nivo/arcs
            @nivo/pie  *
            Depends on vulnerable versions of @nivo/arcs
            Depends on vulnerable versions of @nivo/colors
            Depends on vulnerable versions of @nivo/core
            Depends on vulnerable versions of @nivo/legends
            Depends on vulnerable versions of @nivo/tooltip
            node_modules/@nivo/pie
            @nivo/polar-axes  *
            Depends on vulnerable versions of @nivo/arcs
            Depends on vulnerable versions of @nivo/core
            Depends on vulnerable versions of @nivo/scales
            node_modules/@nivo/polar-axes
            @nivo/sunburst  *
            Depends on vulnerable versions of @nivo/arcs
            Depends on vulnerable versions of @nivo/colors
            Depends on vulnerable versions of @nivo/core
            Depends on vulnerable versions of @nivo/tooltip
            node_modules/@nivo/sunburst
          @nivo/legends  >=0.56.0
          Depends on vulnerable versions of @nivo/colors
          Depends on vulnerable versions of @nivo/core
          Depends on vulnerable versions of d3-scale
          node_modules/@nivo/legends
            @nivo/radar  *
            Depends on vulnerable versions of @nivo/colors
            Depends on vulnerable versions of @nivo/core
            Depends on vulnerable versions of @nivo/legends
            Depends on vulnerable versions of @nivo/tooltip
            Depends on vulnerable versions of d3-scale
            node_modules/@nivo/radar
            @nivo/radial-bar  *
            Depends on vulnerable versions of @nivo/arcs
            Depends on vulnerable versions of @nivo/colors
            Depends on vulnerable versions of @nivo/core
            Depends on vulnerable versions of @nivo/legends
            Depends on vulnerable versions of @nivo/polar-axes
            Depends on vulnerable versions of @nivo/scales
            Depends on vulnerable versions of @nivo/tooltip
            Depends on vulnerable versions of d3-scale
            node_modules/@nivo/radial-bar
        @nivo/tooltip  *
        Depends on vulnerable versions of @nivo/core
        node_modules/@nivo/tooltip
      @nivo/scales  *
      Depends on vulnerable versions of d3-scale
      node_modules/@nivo/scales
    d3-scale-chromatic  0.1.0 - 2.0.0
    Depends on vulnerable versions of d3-color
    Depends on vulnerable versions of d3-interpolate
    node_modules/d3-scale-chromatic

Thanks in advance.

@OleksandrRakovets
Contributor

Must be resolved by #2466. Looking forward to the release.

@plouc
Owner

plouc commented Mar 7, 2024

0.85.0 has been released, which fixes the issue with d3-color, but now d3-scale is also an issue.

@plouc plouc added the security label Mar 7, 2024
@plouc plouc changed the title Updating d3 dependencies D3 dependencies vulnerability Mar 7, 2024
@plouc
Owner

plouc commented Mar 8, 2024

Solved in 0.85.1.

@plouc plouc closed this as completed Mar 8, 2024