High risk dependency reported by NPM #2506

Closed
ItamarShDev opened this issue Feb 2, 2024 · 5 comments
Comments

@ItamarShDev

npm audit reports 16 high severity vulnerabilities when using nivo.

# npm audit report

d3-color  <3.1.0
Severity: high
d3-color vulnerable to ReDoS - https://github.com/advisories/GHSA-36jr-mh4h-2g58
No fix available
node_modules/d3-scale-chromatic/node_modules/d3-color
node_modules/d3-scale/node_modules/d3-color
  d3-interpolate  0.1.3 - 2.0.1
  Depends on vulnerable versions of d3-color
  node_modules/d3-scale-chromatic/node_modules/d3-interpolate
  node_modules/d3-scale/node_modules/d3-interpolate
    d3-scale  0.1.5 - 3.3.0
    Depends on vulnerable versions of d3-interpolate
    node_modules/d3-scale
      @nivo/bar  *
      Depends on vulnerable versions of @nivo/annotations
      Depends on vulnerable versions of @nivo/axes
      Depends on vulnerable versions of @nivo/colors
      Depends on vulnerable versions of @nivo/core
      Depends on vulnerable versions of @nivo/legends
      Depends on vulnerable versions of @nivo/scales
      Depends on vulnerable versions of @nivo/tooltip
      Depends on vulnerable versions of d3-scale
      node_modules/@nivo/bar
      @nivo/core  *
      Depends on vulnerable versions of @nivo/tooltip
      Depends on vulnerable versions of d3-scale
      node_modules/@nivo/core
        @nivo/axes  *
        Depends on vulnerable versions of @nivo/core
        Depends on vulnerable versions of @nivo/scales
        node_modules/@nivo/axes
        @nivo/colors  *
        Depends on vulnerable versions of @nivo/core
        Depends on vulnerable versions of d3-scale
        Depends on vulnerable versions of d3-scale-chromatic
        node_modules/@nivo/colors
          @nivo/annotations  *
          Depends on vulnerable versions of @nivo/colors
          Depends on vulnerable versions of @nivo/core
          node_modules/@nivo/annotations
          @nivo/arcs  *
          Depends on vulnerable versions of @nivo/colors
          Depends on vulnerable versions of @nivo/core
          node_modules/@nivo/arcs
          @nivo/radar  *
          Depends on vulnerable versions of @nivo/colors
          Depends on vulnerable versions of @nivo/core
          Depends on vulnerable versions of @nivo/legends
          Depends on vulnerable versions of @nivo/tooltip
          Depends on vulnerable versions of d3-scale
          node_modules/@nivo/radar
        @nivo/legends  >=0.56.0
        Depends on vulnerable versions of @nivo/colors
        Depends on vulnerable versions of @nivo/core
        Depends on vulnerable versions of d3-scale
        node_modules/@nivo/legends
          @nivo/radial-bar  *
          Depends on vulnerable versions of @nivo/arcs
          Depends on vulnerable versions of @nivo/colors
          Depends on vulnerable versions of @nivo/core
          Depends on vulnerable versions of @nivo/legends
          Depends on vulnerable versions of @nivo/polar-axes
          Depends on vulnerable versions of @nivo/scales
          Depends on vulnerable versions of @nivo/tooltip
          Depends on vulnerable versions of d3-scale
          node_modules/@nivo/radial-bar
        @nivo/polar-axes  *
        Depends on vulnerable versions of @nivo/arcs
        Depends on vulnerable versions of @nivo/core
        Depends on vulnerable versions of @nivo/scales
        node_modules/@nivo/polar-axes
        @nivo/tooltip  *
        Depends on vulnerable versions of @nivo/core
        node_modules/@nivo/tooltip
      @nivo/scales  *
      Depends on vulnerable versions of d3-scale
      node_modules/@nivo/scales
    d3-scale-chromatic  0.1.0 - 2.0.0
    Depends on vulnerable versions of d3-color
    Depends on vulnerable versions of d3-interpolate
    node_modules/d3-scale-chromatic
@brandanking-decently

This is still the case; any indication of whether this will be fixed?

@rhendz

rhendz commented Feb 28, 2024

I'm getting this as well on v0.84.0:

# npm audit report
d3-color  <3.1.0
Severity: high
d3-color vulnerable to ReDoS - https://github.com/advisories/GHSA-36jr-mh4h-2g58
No fix available
node_modules/@nivo/core/node_modules/d3-scale/node_modules/d3-color
  d3-interpolate  0.1.3 - 2.0.1
  Depends on vulnerable versions of d3-color
  node_modules/@nivo/core/node_modules/d3-scale/node_modules/d3-interpolate
    d3-scale  0.1.5 - 3.3.0
    Depends on vulnerable versions of d3-interpolate
    node_modules/@nivo/core/node_modules/d3-scale
      @nivo/core  *
      Depends on vulnerable versions of @nivo/tooltip
      Depends on vulnerable versions of d3-scale
      node_modules/@nivo/core
        @nivo/tooltip  *
        Depends on vulnerable versions of @nivo/core
        node_modules/@nivo/tooltip

Additionally, it appears d3-scale@3.3.0 contains the vulnerable d3-color sub-dependency.

# npm list d3-color
└─┬ @nivo/core@0.84.0
  ├── d3-color@3.1.0
  ├─┬ d3-interpolate@3.0.1
  │ └── d3-color@3.1.0 deduped
  ├─┬ d3-scale-chromatic@3.0.0
  │ └── d3-color@3.1.0 deduped
  └─┬ d3-scale@3.3.0
    └─┬ d3-interpolate@2.0.1
      └── d3-color@2.0.0

@zC4sTr0

zC4sTr0 commented Feb 29, 2024

I fixed this issue on our project using npm's overrides feature:

Reference: npm's package.json Documentation

  "overrides": {
    "d3-color": "^3.1.0"
  }
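To make the two findings in this thread checkable rather than eyeballed (the audit output showing a second, nested d3-color@2.0.0 under d3-scale@3.3.0, and the package.json override that pins d3-color out of the <3.1.0 range), here is an added example that is not part of the issue or the nivo project. It walks a dependency tree shaped like the output of `npm ls d3-color --json` (the sample tree is constructed to mirror the nesting reported above), lists every copy of a package whose version falls below the fixed version, and checks whether a package.json declares an override whose minimum version is at least the fix. The version comparison is a deliberately minimal `x.y.z` parser, not the full semver grammar; `FIXED_IN` is taken from the advisory's `<3.1.0` range quoted in the audit.

```javascript
// Added example (not from the nivo project or the issue authors): find nested
// vulnerable copies of a package in an `npm ls --json`-shaped tree and check
// whether a package.json override pins it to a fixed version.

// Minimal "x.y.z" parser; prerelease tags and build metadata are ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric per-component comparison, so 3.10.0 > 3.9.0 (string compare would not).
function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Collect every copy of `pkg` with version < fixedIn, recording the path of
// parents that caused the nested install (the reason npm audit still reports it
// even when the top-level copy is already fixed).
function findVulnerableCopies(tree, pkg, fixedIn, path = []) {
  const hits = [];
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const here = [...path, `${name}@${node.version}`];
    if (name === pkg && compareVersions(node.version, fixedIn) < 0) {
      hits.push({ path: here.join(' > '), version: node.version });
    }
    hits.push(...findVulnerableCopies(node, pkg, fixedIn, here));
  }
  return hits;
}

// True when package.json has an "overrides" entry for `pkg` whose lower bound is
// at least fixedIn. Only exact, caret (^) and tilde (~) ranges are understood.
function overrideCoversFix(packageJson, pkg, fixedIn) {
  const range = (packageJson.overrides || {})[pkg];
  if (typeof range !== 'string') return false;
  const min = range.replace(/^[\^~]/, '');
  return compareVersions(min, fixedIn) >= 0;
}

// Constructed sample, shaped like `npm ls d3-color --json` and modelled on the
// nesting in the issue: the top-level d3-color is 3.1.0, but d3-scale@3.3.0 still
// pulls d3-interpolate@2.0.1, which pulls d3-color@2.0.0.
const sampleTree = {
  name: 'app', version: '1.0.0',
  dependencies: {
    '@nivo/core': {
      version: '0.84.0',
      dependencies: {
        'd3-color': { version: '3.1.0' },
        'd3-interpolate': { version: '3.0.1' },
        'd3-scale-chromatic': { version: '3.0.0' },
        'd3-scale': {
          version: '3.3.0',
          dependencies: {
            'd3-interpolate': {
              version: '2.0.1',
              dependencies: { 'd3-color': { version: '2.0.0' } },
            },
          },
        },
      },
    },
  },
};

const FIXED_IN = '3.1.0'; // advisory GHSA-36jr-mh4h-2g58 covers d3-color <3.1.0

// The override from the comment above; with it in package.json, re-run
// `npm install` and then `npm ls d3-color --json` to confirm the nested copy is gone.
const withOverride = { overrides: { 'd3-color': '^3.1.0' } };

const findings = findVulnerableCopies(sampleTree, 'd3-color', FIXED_IN);
console.log(findings);
// [{ path: '@nivo/core@0.84.0 > d3-scale@3.3.0 > d3-interpolate@2.0.1 > d3-color@2.0.0', version: '2.0.0' }]
console.log(overrideCoversFix(withOverride, 'd3-color', FIXED_IN)); // true
console.log(overrideCoversFix({}, 'd3-color', FIXED_IN));           // false
```

Feed it real data with `npm ls d3-color --json > tree.json` and `JSON.parse` the file in place of `sampleTree`; an empty findings array after applying the override is the check that the nested copy was actually replaced, which `npm audit` reporting "No fix available" does not tell you on its own.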

@ItamarShDev
Author

> I fixed this issue on our project using npm's overrides feature:
>
> Reference: npm's package.json Documentation
>
>   "overrides": {
>     "d3-color": "^3.1.0"
>   }

Great solution in the meantime. Thanks!

@plouc
Owner

plouc commented Mar 7, 2024

Duplicate of #2470

@plouc plouc marked this as a duplicate of #2470 Mar 7, 2024
@plouc plouc closed this as completed Mar 7, 2024